Closed
Bug 1233746
Opened 10 years ago
Closed 10 years ago
Internet access via rsync from releng puppetmasters
Categories
(Infrastructure & Operations Graveyard :: NetOps: DC ACL Request, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: dustin, Assigned: dcurado)
The puppetmasters often need to use rsync to update repo mirrors; see https://wiki.mozilla.org/ReleaseEngineering/PuppetAgain/Packages
So on fw1.releng, that's
zone srv address all-releng-puppet
zone vpc addresses releng-puppet1.srv.releng.use1 and
releng-puppet1.srv.releng.usw2
to anywhere on tcp/873.
Comment 1 (Assignee) • 10 years ago
working on this
Assignee: network-operations → dcurado
Status: NEW → ASSIGNED
QA Contact: jbarnell → dcurado
Comment 2 (Assignee) • 10 years ago
Here are the two security policies I have put into place:
Policy: puppet--rsync, action-type: permit, State: enabled, Index: 11, Scope Policy: 0
Policy Type: Configured
Sequence number: 4
From zone: srv, To zone: untrust
Source addresses:
releng-puppet2: 10.26.48.50/32
releng-puppet1: 10.26.48.45/32
Destination addresses:
any-ipv4: 0.0.0.0/0
any-ipv6: ::/0
Application: rsync
IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
Source port range: [0-0]
Destination port range: [873-873]
and
Policy: puppet--rsync, action-type: permit, State: enabled, Index: 64, Scope Policy: 0
Policy Type: Configured
Sequence number: 5
From zone: vpc, To zone: untrust
Source addresses:
releng-puppet1.srv.releng.usw2: 10.132.48.16/32
releng-puppet1.srv.releng.use1: 10.134.48.16/32
Destination addresses:
any-ipv4: 0.0.0.0/0
any-ipv6: ::/0
Application: rsync
IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
Source port range: [0-0]
Destination port range: [873-873]
For some reason I thought that releng had ended the practice of default routing out of their VPCs towards SCL3.
Please let me know if there are any problems. Thanks.
Status: ASSIGNED → UNCONFIRMED
Change Request: --- → routine
Ever confirmed: false
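An added example, not part of the bug or of any Mozilla tooling: one way to check pasted policy output like that in comment 2 against the request in the description (single puppetmaster hosts, to anywhere, tcp/873 only). The function names and the second stanza of `SAMPLE` are constructed for illustration.

```python
import ipaddress
import re

# First stanza: trimmed from comment 2. Second stanza: constructed, over-broad on purpose.
SAMPLE = """\
Policy: puppet--rsync, action-type: permit, State: enabled, Index: 11, Scope Policy: 0
Source addresses:
releng-puppet2: 10.26.48.50/32
releng-puppet1: 10.26.48.45/32
Destination addresses:
any-ipv4: 0.0.0.0/0
any-ipv6: ::/0
Application: rsync
IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
Destination port range: [873-873]
Policy: constructed-broad, action-type: permit, State: enabled, Index: 99, Scope Policy: 0
Source addresses:
constructed-net: 10.26.48.0/24
Destination addresses:
any-ipv4: 0.0.0.0/0
IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
Destination port range: [1-65535]
"""

def parse_policies(text):
    """Split pasted policy output into one dict per 'Policy:' stanza."""
    policies = []
    for stanza in re.split(r"^\s*Policy: ", text, flags=re.M)[1:]:
        p, section = {"name": stanza.split(",")[0], "src": [], "dst": [], "ports": [], "proto": None}, None
        for line in map(str.strip, stanza.splitlines()[1:]):
            if line in ("Source addresses:", "Destination addresses:"):
                section = "src" if line.startswith("Source") else "dst"
            elif m := re.match(r"IP protocol: (\w+)", line):
                p["proto"] = m.group(1)
            elif m := re.match(r"Destination port range: \[(\d+)-(\d+)\]", line):
                p["ports"].append((int(m.group(1)), int(m.group(2))))
            elif section and (m := re.match(r"\S+: (\S+/\d+)$", line)):
                p[section].append(ipaddress.ip_network(m.group(1), strict=False))
            else:
                section = None  # any other line ends the current address list
        policies.append(p)
    return policies

def audit(policy, port=873):
    """List ways a policy exceeds 'single hosts to tcp/<port> only'; no port line counts as any port."""
    out = [f"source {n} is not a single host" for n in policy["src"] if n.num_addresses != 1]
    out += [f"protocol {policy['proto']} is not tcp"] if policy["proto"] != "tcp" else []
    out += [f"destination ports {lo}-{hi} are not exactly {port}" for lo, hi in (policy["ports"] or [(0, 65535)]) if (lo, hi) != (port, port)]
    return out
```

Running `audit` over each parsed stanza returns an empty list for the policy as applied in comment 2 and two findings for the constructed one.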
Comment 3 (Reporter) • 10 years ago
We have been considering it, and there's nothing blocking doing so, but given that we're moving most of our load out of our VPC anyway, it's not a high priority.
[root@releng-puppet2.srv.releng.scl3.mozilla.com dmitchell]# nc -vz us.archive.ubuntu.com 873
Connection to us.archive.ubuntu.com 873 port [tcp/rsync] succeeded!
success!
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Updated • 3 years ago
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard