Open up flows for plan-b-bugzilla-stage replication back to scl3

RESOLVED FIXED

Infrastructure & Operations
NetOps: DC ACL Request

People

(Reporter: gozer, Assigned: sheeri)

(Reporter)

Description

2 years ago
Cleaner rework of bug 1204119:

Flows for MySQL replication between AWS stage and SCL3:

The flows should allow bi-directional mysql traffic on tcp/3306

SCL3 Stage DBs:
  bugzilla1.stage.db.scl3.mozilla.com(10.22.70.43)
  bugzilla2.stage.db.scl3.mozilla.com(10.22.70.44)

AWS:

us-east-1:
  StagePrivateSubnetAZ1Cidr(10.162.14.96/27)
  StagePrivateSubnetAZ2Cidr(10.162.14.128/27)
  StagePrivateSubnetAZ3Cidr(10.162.14.160/27)

us-west-2:
  StagePrivateSubnetAZ1Cidr(10.164.14.96/27)
  StagePrivateSubnetAZ2Cidr(10.164.14.128/27)
  StagePrivateSubnetAZ3Cidr(10.164.14.160/27)

Comment 1

2 years ago
marking as assigned.
Status: NEW → ASSIGNED

Comment 2

2 years ago
Sheeri - please let me know when it is safe to configure the security policies to allow stage DBs in SCL3 to talk to stage DBs in AWS?
Thank you.
Flags: needinfo?(scabral)
(Reporter)

Updated

2 years ago
Depends on: 1214394
(Assignee)

Comment 3

2 years ago
Replication user 'repl' is configured to only use SSL, so it's safe to configure the security policies for bugzilla stage dbs in scl3 to talk to AWS stage dbs now.
Flags: needinfo?(scabral)

Comment 4

2 years ago
These security policies have been put into place.

Policy: allow-nubis-stage-mysql, action-type: permit, State: enabled, Index: 150, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 2
  From zone: db, To zone: vpc
  Source addresses:
    bugzilla2.stage.db.scl3: 10.22.70.44/32
    bugzilla1.stage.db.scl3: 10.22.70.43/32
  Destination addresses:
    us-west-2-stage-3: 10.164.14.160/27
    us-west-2-stage-2: 10.164.14.128/27
    us-west-2-stage-1: 10.164.14.96/27
    us-east-1-stage-3: 10.162.14.160/27
    us-east-1-stage-2: 10.162.14.128/27
    us-east-1-stage-1: 10.162.14.96/27
  Application: mysql
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [3306-3306]

and

Policy: allow-nubis-stage-mysql, action-type: permit, State: enabled, Index: 165, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 2
  From zone: vpc, To zone: db
  Source addresses:
    us-west-2-stage-3: 10.164.14.160/27
    us-west-2-stage-2: 10.164.14.128/27
    us-west-2-stage-1: 10.164.14.96/27
    us-east-1-stage-3: 10.162.14.160/27
    us-east-1-stage-2: 10.162.14.128/27
    us-east-1-stage-1: 10.162.14.96/27
  Destination addresses:
    bugzilla2.stage.db.scl3: 10.22.70.44/32
    bugzilla1.stage.db.scl3: 10.22.70.43/32
  Application: mysql
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [3306-3306]

and the diff:
dcurado@fw1.ops.scl3.mozilla.net> show configuration | compare rollback 1 | no-more
[edit security policies from-zone db to-zone vpc]
      policy allow-mysql-to-nubis-prod { ... }
+     /* 1214356 */
+     policy allow-nubis-stage-mysql {
+         match {
+             source-address [ bugzilla1.stage.db.scl3 bugzilla2.stage.db.scl3 ];
+             destination-address planb-stage;
+             application mysql;
+         }
+         then {
+             permit;
+         }
+     }
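Review bot: `destination-address planb-stage` in this hunk is referenced but not defined anywhere in the diff, so the policy depends on a pre-existing `planb-stage` address-set in the vpc zone. The policy display above shows it resolving to the six stage /27s, which is the intended scope; any later edit to that shared set widens or narrows this policy as a side effect, so it is worth recording the dependency in the bug.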
[edit security policies from-zone vpc to-zone db]
      policy allow-mysql-from-nubis-prod { ... }
+     /* 1214356 */
+     policy allow-nubis-stage-mysql {
+         match {
+             source-address planb-stage;
+             destination-address [ bugzilla1.stage.db.scl3 bugzilla2.stage.db.scl3 ];
+             application mysql;
+         }
+         then {
+             permit;
+         }
+     }
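Review bot: this reverse-direction policy lets any host in the six stage /27s initiate TCP/3306 to the two SCL3 stage DBs, so the per-user restriction is carried entirely by the MySQL host ACL for `repl`; the subnet list here and the `mysql.user` host entries should be kept as one change, since a mismatch between them fails at the MySQL layer rather than the firewall (the `Host ... is not allowed to connect` result in the later telnet test is exactly that case).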
[edit security zones security-zone db address-book]
       address bugzilla8.db.scl3 { ... }
+      address bugzilla1.stage.db.scl3 10.22.70.43/32;
+      address bugzilla2.stage.db.scl3 10.22.70.44/32;
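Review bot: the two new address-book entries lack the `/* 1214356 */` annotation that was added to both policies above; annotating the address entries with the same bug number keeps the whole change traceable when the zone address-book is audited later.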
Status: ASSIGNED → UNCONFIRMED
Ever confirmed: false
(Reporter)

Updated

2 years ago
Assignee: dcurado → scabral
(Reporter)

Comment 5

2 years ago
Flows verified working; now all that's missing is the MySQL ACLs. :sheeri?

ubuntu@ip-10-162-14-146:~$ telnet 10.22.70.44 3306
Trying 10.22.70.44...
Connected to 10.22.70.44.
Escape character is '^]'.
FHost '10.162.14.146' is not allowed to connect to this MySQL server
Connection closed by foreign host.
ubuntu@ip-10-162-14-146:~$ telnet 10.22.70.43 3306
Trying 10.22.70.43...
Connected to 10.22.70.43.
Escape character is '^]'.
FHost '10.162.14.146' is not allowed to connect to this MySQL server
Connection closed by foreign host.
(Assignee)

Comment 6

2 years ago
Added MySQL ACLs to the repl user with the STAGE password from these hosts:
10.162.13.96/255.255.255.224
10.162.13.128/255.255.255.224
10.162.13.160/255.255.255.224

10.164.13.96/255.255.255.224
10.164.13.128/255.255.255.224
10.164.13.160/255.255.255.224

Did not require any SSL, as they are going over a VPN pipe now.

Resolving, I think that's all that was left here.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
(Reporter)

Comment 7

2 years ago
(In reply to Sheeri Cabral [:sheeri] from comment #6)
> Added MySQL ACLs to the repl user with the STAGE password from these hosts:

Hosts look like the wrong ones:

us-east-1:
  StagePrivateSubnetAZ1Cidr(10.162.14.96/255.255.224)
  StagePrivateSubnetAZ2Cidr(10.162.14.128/255.255.224)
  StagePrivateSubnetAZ3Cidr(10.162.14.160/255.255.224)

us-west-2:
  StagePrivateSubnetAZ1Cidr(10.164.14.96/255.255.224)
  StagePrivateSubnetAZ2Cidr(10.164.14.128/255.255.224)
  StagePrivateSubnetAZ3Cidr(10.164.14.160/255.255.224)
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: FIXED → ---
(Assignee)

Comment 8

2 years ago
ack, I did .13. instead of .14.

Fixed, here's what I have now:

mysql> select user,host from mysql.user where user='repl' and ssl_type='';
+------+-------------------------------+
| user | host                          |
+------+-------------------------------+
| repl | 10.162.14.96/255.255.255.224  |
| repl | 10.162.14.128/255.255.255.224 |
| repl | 10.162.14.160/255.255.255.224 |
| repl | 10.164.14.96/255.255.255.224  |
| repl | 10.164.14.128/255.255.255.224 |
| repl | 10.164.14.160/255.255.255.224 |
+------+-------------------------------+
6 rows in set (0.00 sec)
Status: REOPENED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
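The thread's two layers of access control were edited by different people from different copies of the subnet list, and the mismatch (.13. instead of .14.) only surfaced as `Host ... is not allowed to connect` at the MySQL layer. The script below is an added example, not part of the bug or of Mozilla's tooling: it parses the Junos policy display from comment 4 and the `select user,host from mysql.user` listing from comments 6 and 8, normalises both to networks with Python's `ipaddress`, and reports subnets the firewall permits but MySQL does not grant (and the reverse). It also explains a single client address, such as the one from the comment 5 telnet test. All sample text in the block is constructed from the values quoted in the thread.

```python
"""Cross-check the firewall flow against the MySQL host ACL.

Added example (not from the bug thread). Compares the Junos policy display
for the vpc -> db direction (comment 4) with the `select user,host from
mysql.user` listing (comments 6 and 8). All sample text below is
constructed from the values quoted in the thread.
"""
import ipaddress
import re

# Constructed sample: vpc -> db policy display, abridged to the address blocks.
POLICY_VPC_TO_DB = """\
Policy: allow-nubis-stage-mysql, action-type: permit, State: enabled, Index: 165, Scope Policy: 0
  From zone: vpc, To zone: db
  Source addresses:
    us-west-2-stage-3: 10.164.14.160/27
    us-west-2-stage-2: 10.164.14.128/27
    us-west-2-stage-1: 10.164.14.96/27
    us-east-1-stage-3: 10.162.14.160/27
    us-east-1-stage-2: 10.162.14.128/27
    us-east-1-stage-1: 10.162.14.96/27
  Destination addresses:
    bugzilla2.stage.db.scl3: 10.22.70.44/32
    bugzilla1.stage.db.scl3: 10.22.70.43/32
  Application: mysql
"""

# Constructed sample: mysql.user rows as first granted in comment 6 (third octet .13).
MYSQL_HOSTS_COMMENT6 = """\
+------+-------------------------------+
| user | host                          |
+------+-------------------------------+
| repl | 10.162.13.96/255.255.255.224  |
| repl | 10.162.13.128/255.255.255.224 |
| repl | 10.162.13.160/255.255.255.224 |
| repl | 10.164.13.96/255.255.255.224  |
| repl | 10.164.13.128/255.255.255.224 |
| repl | 10.164.13.160/255.255.255.224 |
+------+-------------------------------+
"""

# Constructed sample: the corrected rows from comment 8 (third octet .14).
MYSQL_HOSTS_COMMENT8 = MYSQL_HOSTS_COMMENT6.replace(".13.", ".14.")

# "    name: a.b.c.d/nn" lines inside a Source/Destination addresses block.
ADDR_LINE = re.compile(r"^\s+(?P<name>[^\s:]+):\s+(?P<net>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s*$")
# "| user | host |" rows of the mysql client's table output.
ROW_LINE = re.compile(r"^\|\s*(?P<user>\S+)\s*\|\s*(?P<host>[^|\s]+)\s*\|$")


def parse_policy_addresses(text):
    """Map the address blocks of a Junos policy display to
    {'source': {name: network}, 'destination': {name: network}}."""
    blocks = {"source": {}, "destination": {}}
    current = None
    for line in text.splitlines():
        label = line.strip()
        if label == "Source addresses:":
            current = "source"
            continue
        if label == "Destination addresses:":
            current = "destination"
            continue
        match = ADDR_LINE.match(line)
        if current and match:
            blocks[current][match["name"]] = ipaddress.ip_network(match["net"], strict=True)
        elif current and not line.startswith("    "):
            current = None  # a less-indented line ends the address block
    return blocks


def parse_mysql_hosts(table, user="repl"):
    """Return the set of networks granted to `user` in a `select user,host`
    listing. MySQL writes hosts as ip/netmask; ipaddress accepts that form,
    and strict=True rejects a base address with host bits set, which MySQL's
    bitmask comparison would never match."""
    networks = set()
    for line in table.splitlines():
        match = ROW_LINE.match(line.strip())
        if match and match["user"] == user:
            networks.add(ipaddress.ip_network(match["host"], strict=True))
    return networks


def compare_flows_to_grants(policy_text, mysql_table, user="repl"):
    """Set-difference the firewall's permitted source subnets against the
    MySQL grants; two empty lists mean the layers agree."""
    firewall = set(parse_policy_addresses(policy_text)["source"].values())
    grants = parse_mysql_hosts(mysql_table, user)
    return {
        "flow_open_but_no_grant": sorted(str(n) for n in firewall - grants),
        "grant_but_no_flow": sorted(str(n) for n in grants - firewall),
    }


def explain_client(client_ip, policy_text, mysql_table, user="repl"):
    """For one client address (e.g. the host from the comment 5 telnet test),
    report whether the firewall passes it and whether MySQL has a grant for it."""
    ip = ipaddress.ip_address(client_ip)
    firewall = parse_policy_addresses(policy_text)["source"].values()
    grants = parse_mysql_hosts(mysql_table, user)
    return {
        "firewall_permits": any(ip in n for n in firewall),
        "mysql_grant_matches": any(ip in n for n in grants),
    }


if __name__ == "__main__":
    print(compare_flows_to_grants(POLICY_VPC_TO_DB, MYSQL_HOSTS_COMMENT6))
    print(compare_flows_to_grants(POLICY_VPC_TO_DB, MYSQL_HOSTS_COMMENT8))
    print(explain_client("10.162.14.146", POLICY_VPC_TO_DB, MYSQL_HOSTS_COMMENT6))
```

Run against the comment 6 grants, every stage subnet shows up as open at the firewall but ungranted in MySQL, and the comment 5 client 10.162.14.146 is reported as passed by the firewall with no matching grant, which is the `Host ... is not allowed` result seen in the telnet test; against the comment 8 grants both lists are empty. Comparing `ip_network` objects rather than strings is what makes the /27 and 255.255.255.224 spellings line up.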