Closed Bug 1392820 Opened 8 years ago Closed 8 years ago

Roll out hostbased firewall ssh/vnc logging to SCL3 for anything under puppet control

Categories

(Infrastructure & Operations :: RelOps: Puppet, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: dividehex, Assigned: dividehex)

References

Details

Attachments

(16 files, 1 obsolete file)

1. patch, 2.35 KB: dhouse review+; dividehex checked-in+
2. patch, 1.79 KB: dhouse review+; dividehex checked-in+
3. patch, 778 bytes: dhouse review+; dividehex checked-in+
4. patch, 3.10 KB: no flags
5. patch, 1.64 KB: dhouse review+; dividehex checked-in+
6. patch, 743 bytes: dhouse review+; dividehex checked-in+
7. patch, 695 bytes: dhouse review+; dividehex checked-in+
8. patch, 835 bytes: dhouse review+; dividehex checked-in+
9. patch, 1.93 KB: dhouse review+; dividehex checked-in+
10. patch, 9.80 KB: dhouse review+; catlee feedback+; dividehex checked-in+
11. patch, 2.10 KB: dhouse review+; Callek feedback+; dividehex checked-in+
12. patch, 8.38 KB: dhouse review+
13. patch, 8.18 KB: dhouse review+; dividehex checked-in+
14. patch, 1.35 KB: dhouse review+; dividehex checked-in+
15. patch, 2.44 KB: mtabara review+
16. patch, 6.57 KB: rail review+; dividehex checked-in+
Similar to bug 1387251, let's start rolling out hostbased firewalls to systems in scl3. We'll start with:

- log-aggregator[1,2,3].srv.releng.scl3.mozilla.com
- aws-manager[1,2].srv.releng.scl3.mozilla.com
- rejh[1,2].srv.releng.scl3.mozilla.com
Comment on attachment 8900015 [details] [diff] [review]
Enable firewalling for scl3 logaggrogators, rejh and aws_managers

Review of attachment 8900015 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good. Thanks for including scl3 for rejh.
Attachment #8900015 - Flags: review?(dhouse) → review+
Summary: Roll out hostbased firewall ssh/vnc logging to MDC1 for anything under puppet control → Roll out hostbased firewall ssh/vnc logging to SCL3 for anything under puppet control
Attachment #8900483 - Flags: review?(dhouse)
Attachment #8900483 - Flags: review?(dhouse) → review+
Attachment #8900497 - Flags: review?(dhouse)
Attachment #8900497 - Flags: review?(dhouse) → review+
This has already been enabled on the tc workers in mdc1 which have been running in production now since Fri.
Attachment #8901951 - Flags: review?(dhouse)
Attachment #8901951 - Attachment is obsolete: true
Attachment #8901951 - Flags: review?(dhouse)
Attachment #8901952 - Flags: review?(dhouse)
<patch fail> Let's try that one more time.
Attachment #8901955 - Flags: review?(dhouse)
Attachment #8901952 - Flags: review?(dhouse)
Attachment #8901955 - Flags: review?(dhouse) → review+
Attachment #8903255 - Flags: review?(dhouse) → review+
Attachment #8904663 - Flags: review?(dhouse)
Attachment #8904663 - Flags: review?(dhouse) → review+
Attachment #8905102 - Flags: review?(dhouse) → review+
Also enabled ssh logging
Attachment #8908263 - Flags: review?(dhouse)
Attachment #8908263 - Flags: review?(dhouse) → review+
Pushed a quick fix; wrong role name.

https://hg.mozilla.org/build/puppet/rev/ae81e2f6d90fb476b2c9c0ecc460e584498459f9
https://hg.mozilla.org/build/puppet/rev/da4ae117d427c6f4dafe60b5a33c3f3218c1aba5

diff --git a/modules/fw/manifests/profiles/distinguished_puppetmaster.pp b/modules/fw/manifests/profiles/distinguished_puppetmaster.pp --- a/modules/fw/manifests/profiles/distinguished_puppetmaster.pp +++ b/modules/fw/manifests/profiles/distinguished_puppetmaster.pp @@ -4,25 +4,25 @@ class fw::profiles::distinguished_puppetmaster { case $::fqdn { /.*\.mdc1\.mozilla\.com/: { include ::fw::roles::bacula_from_mdc1_bacula_host include ::fw::roles::puppetmaster_from_all_releng - include ::fw::roles::puppetmaster_sync_from_all_releng + include ::fw::roles::puppetmaster_sync_from_all_puppetmasters include ::fw::roles::ssh_from_anywhere_logging include ::fw::roles::nrpe_from_nagios } /.*\.scl3\.mozilla\.com/: { include ::fw::roles::bacula_from_scl3_bacula_host include ::fw::roles::puppetmaster_from_all_releng - include ::fw::roles::puppetmaster_sync_from_all_releng + include ::fw::roles::puppetmaster_sync_from_all_puppetmasters include ::fw::roles::ssh_from_anywhere_logging include ::fw::roles::nrpe_from_nagios } default: { # Silently skip other DCs } } }
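Review bot: the `default: { # Silently skip other DCs }` branch at the end of the `case $::fqdn` means a distinguished puppetmaster whose fqdn matches neither the mdc1 nor the scl3 pattern gets none of these roles, including the renamed puppetmaster_sync_from_all_puppetmasters and ssh_from_anywhere_logging, and nothing reports it; consider `fail("no fw profile for ${::fqdn}")`, or at least `warning()`, so a host in a new DC cannot be brought up without a firewall profile by accident. The four includes that are identical in both branches (puppetmaster_from_all_releng, puppetmaster_sync_from_all_puppetmasters, ssh_from_anywhere_logging, nrpe_from_nagios) could also move above the case, leaving only the bacula role DC-specific; a rename like this one then needs a single edit instead of the same change in two places.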
Comment on attachment 8909568 [details] [diff] [review]
Add buildbot_master profile and allow for port ranges

The use of port ranges looks good; nicely applied to pf and iptables. And I think the "8000-8999" format is more clear than "8000:8999"
Attachment #8909568 - Flags: review?(dhouse) → review+
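Added example (not code from this bug or the releng puppet module): what "a port range applied to pf and iptables" comes down to once a role is rendered. A profile spec in the dash form ("8000-8999") is validated and emitted as the inclusive low:high form that both `iptables --dport` and pf's `port` keyword take, with the logging variant of a role (the pattern behind ssh_from_anywhere_logging) rendered as a LOG rule on new connections followed by the ACCEPT. The Role structure, its `log` flag, the 29-character LOG-prefix limit check and the source networks used in the main block are assumptions; only the role names and the port-spec forms come from the bug.

```python
"""Render a host-based firewall role into iptables and pf rules.

Added example, not code from this bug or the releng puppet module. The
Role structure and its ``log`` flag are assumptions modelled on the role
names in the bug; the port-spec forms ("22", "8000-8999") follow the
profile format discussed above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from ipaddress import ip_network

PORT_SPEC = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")
MAX_LOG_PREFIX = 29  # iptables LOG silently truncates --log-prefix beyond this


def parse_ports(spec: str) -> tuple[int, int]:
    """'22' -> (22, 22); '8000-8999' -> (8000, 8999). Rejects reversed or out-of-bounds ranges."""
    m = PORT_SPEC.match(spec)
    if m is None:
        raise ValueError(f"bad port spec {spec!r}")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"port range reversed or out of bounds: {spec!r}")
    return low, high


def port_arg(spec: str) -> str:
    """Both iptables (--dport) and pf (port) take an inclusive low:high range."""
    low, high = parse_ports(spec)
    return str(low) if low == high else f"{low}:{high}"


@dataclass
class Role:
    name: str                      # becomes the LOG prefix when log=True
    proto: str                     # "tcp" or "udp"
    ports: str                     # "22" or "8000-8999"
    sources: list[str] = field(default_factory=lambda: ["0.0.0.0/0"])  # CIDRs
    log: bool = False              # log each new connection before accepting


def log_prefix(role: Role) -> str:
    prefix = f"{role.name}: "
    if len(prefix) > MAX_LOG_PREFIX:
        raise ValueError(f"LOG prefix {prefix!r} longer than {MAX_LOG_PREFIX} chars")
    return prefix


def iptables_rules(role: Role) -> list[str]:
    """One optional LOG rule (new connections only, so one line per connection)
    plus one ACCEPT rule per source network, in iptables-restore -A form."""
    rules = []
    for src in role.sources:
        net = ip_network(src)  # validates the CIDR before it reaches the kernel
        base = f"-A INPUT -s {net} -p {role.proto} -m {role.proto} --dport {port_arg(role.ports)}"
        if role.log:
            rules.append(f'{base} -m conntrack --ctstate NEW -j LOG --log-prefix "{log_prefix(role)}"')
        rules.append(f"{base} -j ACCEPT")
    return rules


def pf_rules(role: Role) -> list[str]:
    """Equivalent pf.conf lines; pf is stateful by default, so 'log' on the
    pass rule records one entry per connection in pflog."""
    rules = []
    for src in role.sources:
        net = ip_network(src)
        src_txt = "any" if net.prefixlen == 0 else str(net)
        log = " log" if role.log else ""
        rules.append(f"pass in{log} proto {role.proto} from {src_txt} to any port {port_arg(role.ports)}")
    return rules


if __name__ == "__main__":
    # Constructed roles for illustration; 10.0.0.0/8 is a placeholder source.
    for r in (Role("ssh_from_anywhere_logging", "tcp", "22", log=True),
              Role("buildbot_master_from_various", "tcp", "8000-8999", sources=["10.0.0.0/8"])):
        print("\n".join(iptables_rules(r) + pf_rules(r)))
```

The validation is the part worth keeping: a reversed range ("9000-8000") or the colon form slipping into a dash-form profile is rejected before `iptables-restore` or `pfctl` ever sees it, and the LOG prefix length check catches the truncation that otherwise makes the log lines hard to grep.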
Blocks: 1401229
Attachment #8909568 - Flags: feedback?(catlee)
Comment on attachment 8909568 [details] [diff] [review]
Add buildbot_master profile and allow for port ranges

:catlee, before I start rolling out the buildbot master profile to the scl3 masters, could you take a look at the profile and make sure it is correct? Particularly, apps.pp, networks.pp, buildbot_master_from_various.pp and buildbot_master.pp

It was modeled after the aws security groups but I would like to get a second pair of eyes on it for a sanity check.

ps. feel free to pass the buck to anyone else :-)
Attachment #8910037 - Flags: review?(dhouse)
Attachment #8910037 - Flags: feedback?(bugspam.Callek)
Comment on attachment 8910037 [details] [diff] [review]
make sure bb slaves and tc generic workers allow slaveapi ssh access

Review of attachment 8910037 [details] [diff] [review]:
-----------------------------------------------------------------

I am pretty sure this is all that is needed for slaveapi ssh access. We can do more if needed in followups.
Attachment #8910037 - Flags: feedback?(bugspam.Callek) → feedback+
Attachment #8910037 - Flags: review?(dhouse) → review+
Comment on attachment 8909568 [details] [diff] [review]
Add buildbot_master profile and allow for port ranges

Review of attachment 8909568 [details] [diff] [review]:
-----------------------------------------------------------------

lgtm.

I did find the 'all_bb' name confusing. Would calling it 'all_bb_masters' make more sense?
Attachment #8909568 - Flags: feedback?(catlee) → feedback+
(In reply to Chris AtLee [:catlee] from comment #27)
> Comment on attachment 8909568 [details] [diff] [review]
> Add buildbot_master profile and allow for port ranges
>
> Review of attachment 8909568 [details] [diff] [review]:
> -----------------------------------------------------------------
>
> lgtm.
>
> I did find the 'all_bb' name confusing. Would calling it 'all_bb_masters'
> make more sense?

Totally would make sense
Attachment #8910516 - Flags: review?(dhouse) → review+
Attachment #8911251 - Flags: review?(dhouse) → review+
This will help us find ssh connections being denied as we move forward with enforcing jumphost usage.
Attachment #8911924 - Flags: review?(dhouse)
Attachment #8911924 - Flags: review?(dhouse) → review+
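Added example (not code from this bug or the puppet repo) of how the ssh logging is actually used for the purpose stated above: parse the iptables LOG lines the logging role emits, keep only TCP/22, and split the sources into ones that come through the jumphost networks and ones that do not. While ssh is still allowed from anywhere, the second set is the list of connections that will break once jumphost usage is enforced; after enforcement, the same parser run over the deny rule's prefix shows what is being denied. The LOG prefix "ssh_from_anywhere_logging: ", the jumphost network 192.0.2.0/24 and every line in SAMPLE_LOG are constructed for the example; the bug does not show the real prefix or addresses.

```python
"""Find ssh connections that will break once jumphost-only access is enforced.

Added example, not code from this bug or the releng puppet repo. It assumes
the logging role uses an iptables LOG prefix of "ssh_from_anywhere_logging: "
(an assumption; the bug does not show the prefix) and that the caller knows
the jumphost networks. The log lines below are constructed, not captured.
"""
from __future__ import annotations

import re
from collections import Counter
from ipaddress import ip_address, ip_network

# "kernel: [ 12.3] <prefix>: IN=... SRC=... DPT=..." - the prefix is whatever
# --log-prefix set; everything after it is KEY=VALUE pairs (some empty, e.g. OUT=).
LOG_LINE = re.compile(r"kernel: (?:\[\s*[\d.]+\] )?(?P<prefix>.+?): (?P<rest>IN=.*)$")
KV = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample: two connections from the jumphost net, one TCP and one
# UDP probe from elsewhere, an unrelated NRPE log line, and an sshd line.
SAMPLE_LOG = """\
Sep 28 10:12:01 rejh1 kernel: [ 1234.567890] ssh_from_anywhere_logging: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.15 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4321 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 28 10:12:03 rejh1 kernel: [ 1236.000001] ssh_from_anywhere_logging: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.15 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4322 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 28 10:12:07 rejh1 kernel: [ 1240.000002] ssh_from_anywhere_logging: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=9001 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 28 10:12:09 rejh1 kernel: [ 1242.000003] ssh_from_anywhere_logging: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=48 TOS=0x00 PREC=0x00 TTL=57 ID=9002 PROTO=UDP SPT=40001 DPT=22 LEN=28
Sep 28 10:12:11 rejh1 kernel: [ 1244.000004] nrpe_from_nagios: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=77 DF PROTO=TCP SPT=40002 DPT=5666 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 28 10:12:12 rejh1 sshd[1234]: Accepted publickey for releng from 192.0.2.15 port 51236 ssh2
"""


def parse_log_line(line: str) -> dict | None:
    """Return prefix/src/dst/proto/dpt for an iptables LOG line, else None."""
    m = LOG_LINE.search(line)
    if m is None:
        return None
    f = dict(KV.findall(m.group("rest")))
    return {
        "prefix": m.group("prefix"),
        "src": f.get("SRC"),
        "dst": f.get("DST"),
        "proto": f.get("PROTO"),
        "dpt": int(f["DPT"]) if f.get("DPT", "").isdigit() else None,
    }


def ssh_sources(lines, prefix: str, jumphosts) -> dict[str, dict[str, int]]:
    """Count TCP/22 connections logged under `prefix`, split by whether the
    source is inside one of the jumphost networks."""
    allowed = [ip_network(n) for n in jumphosts]
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["prefix"] != prefix:
            continue
        if rec["proto"] != "TCP" or rec["dpt"] != 22 or rec["src"] is None:
            continue
        counts[rec["src"]] += 1
    report = {"via_jumphost": {}, "outside_jumphost": {}}
    for src, n in counts.items():
        ok = any(ip_address(src) in net for net in allowed)
        report["via_jumphost" if ok else "outside_jumphost"][src] = n
    return report


if __name__ == "__main__":
    # 192.0.2.0/24 stands in for the jumphost network (assumption).
    rep = ssh_sources(SAMPLE_LOG.splitlines(), "ssh_from_anywhere_logging", ["192.0.2.0/24"])
    for bucket, srcs in rep.items():
        for src, n in sorted(srcs.items()):
            print(f"{bucket:17} {src:16} {n}")
```

Run it over `journalctl -k` or `/var/log/kern.log` output with the real prefix and the real jumphost networks; anything under `outside_jumphost` is either a client that needs to move to the jumphost or a rule that needs an explicit source before the allow-from-anywhere role is removed.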
Attachment #8912767 - Flags: review?(mtabara) → review+
This patch can be reverted if things go south. It will put back the 'allow all default' policy.
Attachment #8914891 - Flags: review?(rail)
Attachment #8914891 - Flags: review?(rail) → review+
Calling this R/F
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
