Closed Bug 1233746 Opened 9 years ago Closed 9 years ago

Internet access via rsync from releng puppetmasters

Categories

(Infrastructure & Operations Graveyard :: NetOps: DC ACL Request, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: dustin, Assigned: dcurado)

References

Details

The puppetmasters often need to use rsync to update repo mirrors; see https://wiki.mozilla.org/ReleaseEngineering/PuppetAgain/Packages

So on fw1.releng, that's

  zone srv address all-releng-puppet
  zone vpc addresses releng-puppet1.srv.releng.use1 and
                     releng-puppet1.srv.releng.usw2

to anywhere on tcp/873.
Working on this.
Assignee: network-operations → dcurado
Status: NEW → ASSIGNED
QA Contact: jbarnell → dcurado
Here are the two security policies I have put into place:

Policy: puppet--rsync, action-type: permit, State: enabled, Index: 11, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 4
  From zone: srv, To zone: untrust
  Source addresses:
    releng-puppet2: 10.26.48.50/32
    releng-puppet1: 10.26.48.45/32
  Destination addresses:
    any-ipv4: 0.0.0.0/0
    any-ipv6: ::/0
  Application: rsync
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [873-873]

and

Policy: puppet--rsync, action-type: permit, State: enabled, Index: 64, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 5
  From zone: vpc, To zone: untrust
  Source addresses:
    releng-puppet1.srv.releng.usw2: 10.132.48.16/32
    releng-puppet1.srv.releng.use1: 10.134.48.16/32
  Destination addresses:
    any-ipv4: 0.0.0.0/0
    any-ipv6: ::/0
  Application: rsync
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [873-873]

For some reason I thought that releng had ended the practice of default routing out of their VPCs towards SCL3.

Please let me know if there are any problems.  Thanks.
Status: ASSIGNED → UNCONFIRMED
Change Request: --- → routine
Ever confirmed: false
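As an added example (not part of the bug, nor NetOps tooling), a small Python check that parses the policy output above and flags anything looser than what the request asked for: a source wider than a single host, a service other than exactly tcp/873, or a source set that does not match the expected puppetmasters. The function names `parse_policy` and `audit` and the trimmed sample block are my own.

```python
import re
from ipaddress import ip_network
# Constructed sample: the first policy posted in the bug (SRX "show security policies detail" style).
POLICY_TEXT = """\
Policy: puppet--rsync, action-type: permit, State: enabled, Index: 11, Scope Policy: 0
  From zone: srv, To zone: untrust
  Source addresses:
    releng-puppet2: 10.26.48.50/32
    releng-puppet1: 10.26.48.45/32
  Destination addresses:
    any-ipv4: 0.0.0.0/0
    any-ipv6: ::/0
  Application: rsync
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
      Destination port range: [873-873]
"""

def parse_policy(text):
    """Parse one policy block into a dict: name, action, state, zones, src/dst address maps, proto, dport."""
    pol, section = {"src": {}, "dst": {}}, None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"Policy: (\S+), action-type: (\w+), State: (\w+)", s):
            pol["name"], pol["action"], pol["state"] = m.groups()
        elif m := re.match(r"From zone: (\S+), To zone: (\S+)", s):
            pol["from_zone"], pol["to_zone"] = m.groups()
        elif s in ("Source addresses:", "Destination addresses:"):
            section = "src" if s.startswith("Source") else "dst"
        elif s.startswith("Application:"):
            section = None  # address lists are over; service details follow
        elif m := re.match(r"IP protocol: (\w+)", s):
            pol["proto"] = m.group(1)
        elif m := re.match(r"Destination port range: \[(\d+)-(\d+)\]", s):
            pol["dport"] = (int(m.group(1)), int(m.group(2)))
        elif section and (m := re.match(r"(\S+): (\S+)$", s)):
            pol[section][m.group(1)] = ip_network(m.group(2), strict=False)
    return pol

def audit(pol, expected_sources, port=873):
    """Return findings where the rule is looser than 'these hosts to anywhere on tcp/<port>'."""
    findings = []
    if (pol.get("action"), pol.get("state"), pol.get("proto"), pol.get("dport")) != ("permit", "enabled", "tcp", (port, port)):
        findings.append(f"rule is not an enabled permit for exactly tcp/{port}")
    for name, net in pol["src"].items():
        if net.num_addresses != 1:  # anything wider than a /32 (or /128) is over-broad
            findings.append(f"source {name} is {net}, not a single host")
    got = {str(n.network_address) for n in pol["src"].values()}
    if got != set(expected_sources):
        findings.append(f"source hosts {sorted(got)} != expected {sorted(expected_sources)}")
    return findings
```

Run it against each block pasted from the firewall; an empty findings list means the rule is as tight as the request.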
We have been considering it, and there's nothing blocking doing so, but given that we're moving most of our load out of our VPC anyway, it's not a high priority.

[root@releng-puppet2.srv.releng.scl3.mozilla.com dmitchell]# nc -vz us.archive.ubuntu.com 873
Connection to us.archive.ubuntu.com 873 port [tcp/rsync] succeeded!

success!
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard