Bug 1355838: [host-secrets] valid addresses fail DNS check
Status: RESOLVED FIXED (opened 8 years ago, closed 8 years ago)
Categories: Taskcluster :: Services, defect
Tracking: Not tracked
People: Reporter: dustin, Assigned: dustin
From the logs:
::ffff:10.26.48.45 is asking for credentials
::ffff:10.26.48.45 is allowed by IP
From ip2name: Error: getHostByAddr ENOTFOUND ::ffff:10.26.48.45
::ffff:10.26.48.45 is disallowed by DNS
and, indeed:
dmitchell@releng-puppet1 ~ $ dig -x 10.26.48.45
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> -x 10.26.48.45
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17252
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;45.48.26.10.in-addr.arpa. IN PTR
;; ANSWER SECTION:
45.48.26.10.in-addr.arpa. 3600 IN PTR releng-puppet1.srv.releng.scl3.mozilla.com.
;; AUTHORITY SECTION:
48.26.10.in-addr.arpa. 300 IN NS ns1.mozilla.org.
48.26.10.in-addr.arpa. 300 IN NS ns2.mozilla.org.
;; ADDITIONAL SECTION:
ns1.mozilla.org. 60 IN A 63.245.215.5
ns2.mozilla.org. 60 IN A 63.245.218.7
;; Query time: 2 msec
;; SERVER: 10.26.75.40#53(10.26.75.40)
;; WHEN: Wed Apr 12 07:19:12 2017
;; MSG SIZE rcvd: 177
dmitchell@releng-puppet1 ~ $ dig d.2.0.3.a.1.a.0.f.f.f.f.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> d.2.0.3.a.1.a.0.f.f.f.f.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18751
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;d.2.0.3.a.1.a.0.f.f.f.f.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. IN A
;; AUTHORITY SECTION:
ip6.arpa. 300 IN SOA b.ip6-servers.arpa. nstld.iana.org. 2017032952 1800 900 604800 3600
;; Query time: 13 msec
;; SERVER: 10.26.75.40#53(10.26.75.40)
;; WHEN: Wed Apr 12 07:26:02 2017
;; MSG SIZE rcvd: 154
Basically, Mozilla IT doesn't really support IPv6 internally yet and in particular hasn't set up reverse DNS for the v4-mapped range.
John, what do you think?
Flags: needinfo?(jhford)
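The mismatch shown in the description, as an added example (not taskcluster-host-secrets code, and not necessarily how the fix was made): the v4-mapped form of the address yields an ip6.arpa query name with no PTR record, while the plain IPv4 form yields the in-addr.arpa name that resolves. Function names and the in-memory PTR table are assumptions; its single record is the one from the dig output above.

```javascript
// Added illustration; function names are hypothetical, not the service's code.

// Parse a dotted-quad IPv4 string into four octets, or return null.
function parseIPv4(s) {
  const parts = s.split('.');
  if (parts.length !== 4) return null;
  const octets = parts.map(p => (/^(0|[1-9]\d{0,2})$/.test(p) ? Number(p) : NaN));
  return octets.every(o => o <= 255) ? octets : null;
}

// Return the IPv4 form of an IPv4-mapped IPv6 address (::ffff:a.b.c.d);
// any other input is returned unchanged.
function unmapIPv4(addr) {
  const m = /^::ffff:([0-9.]+)$/i.exec(addr);
  return m && parseIPv4(m[1]) ? m[1] : addr;
}

// Build the PTR owner name a resolver queries for addr.
function ptrName(addr) {
  const v4 = parseIPv4(addr);
  if (v4) return v4.slice().reverse().join('.') + '.in-addr.arpa';
  const m = /^::ffff:([0-9.]+)$/i.exec(addr);
  const mapped = m && parseIPv4(m[1]);
  if (!mapped) throw new Error('unsupported address: ' + addr);
  // 80 zero bits, 16 one bits, then the IPv4 address: 32 hex nibbles in all.
  const hex = '0'.repeat(20) + 'ffff' +
    mapped.map(o => o.toString(16).padStart(2, '0')).join('');
  return hex.split('').reverse().join('.') + '.ip6.arpa';
}

// Constructed stand-in for the resolver, holding the one PTR record from the dig output.
const PTR_RECORDS = new Map([
  ['45.48.26.10.in-addr.arpa', 'releng-puppet1.srv.releng.scl3.mozilla.com'],
]);

// Look up the hostname for addr; null models ENOTFOUND / NXDOMAIN.
function reverseLookup(addr, unmap) {
  const name = ptrName(unmap ? unmapIPv4(addr) : addr);
  return PTR_RECORDS.get(name) || null;
}

const client = '::ffff:10.26.48.45'; // remote address as logged
console.log(ptrName(client));
console.log(reverseLookup(client, false));
console.log(reverseLookup(client, true));
```

Normalizing once, before both the IP allow-list check and the DNS check, keeps the two checks working on the same address.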
Comment 1 • 8 years ago (Assignee)
John's out for a week of PTO, so I guess it's on me to solve this :)
Assignee: nobody → dustin
Flags: needinfo?(jhford)
Comment 2 • 8 years ago (Assignee)
Comment 3 • 8 years ago (Assignee)
As a note to myself, setting up an EC2 instance to build this RPM:
AMI ID: Fedora-Cloud-Base-25-20161108.n.1.x86_64-us-east-1-HVM-gp2-0 (ami-0092b117)
sudo dnf install git /usr/bin/rpmdev-setuptree mock
sudo usermod -a -G mock fedora
git clone https://github.com/taskcluster/taskcluster-host-secrets
cd taskcluster-host-secrets
./build-rpm.sh
Comment 4 • 8 years ago
https://hg.mozilla.org/build/puppet/rev/2692ea8964c0cbd721e919532b7102fcc44c7063
Bug 1355838: bump taskcluster-host-secrets to 1.1.0; a=versionbump
Comment 5 • 8 years ago (Assignee)
tc-host-secrets: Fri, 14 Apr 2017 18:56:01 GMT host-secrets:api 10.26.48.45 (releng-puppet1.srv.releng.scl3.mozilla.com) receives credentials with scopes assume:project:releng:host-secrets:host:com.mozilla.scl3.releng.srv.releng-puppet1
yay!
The initscript doesn't seem to return after startup, but that's another issue for another day.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Updated • 6 years ago
Component: Platform and Services → Services