Closed Bug 603403 Opened 14 years ago Closed 14 years ago

Please forward VNC for these two staging slaves for loan outside of build-vpn

Categories

(Infrastructure & Operations Graveyard :: NetOps, task)

x86
macOS
task
Not set
major

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: lsblakk, Assigned: ravi)

talos-r3-xp-001 (10.250.48.231)
talos-r3-w7-001 (10.250.48.237)
Any idea when this can be completed? It's blocking the continuous-integration of Jetpack, unfortunately.
Ping?  ETA on this?
I talked to Clint Talbert today and he said that these should be accessible to me from mpt-vpn, which I do have access to. Is mpt-vpn different from build-vpn? If not, then I should be able to do it, I'll try this and report back.
mpt-vpn doesn't have access to the build network (but can with firewall changes).
Just to clarify, we *don't* need these to be world-accessible? Having access via the MPT VPN would be sufficient?
yes - just accessible in mpt-vpn is enough for this.
Oh, I see. Cool, I'll just wait for this bug to get resolved then.
We need this done soon, as Atul is chomping at the bit to figure out the issues on these machines so we can get our continuous integration infrastructure up and running and notify Firefox/Gecko developers immediately when their changes break the SDK (to avoid going through the pain we're currently going through at great cost).  Thus bumping severity.
Severity: normal → major
I re-read this bug.  Even easier - vpn to the office and we'll let that VPN into those two hosts, both of which are at the office.

Working on that.
I'll have this completed today.
Assignee: dmoore → network-operations
Status: NEW → ASSIGNED
Component: Server Operations → Server Operations: Netops
Assignee: network-operations → ravi
I was scratching my head once I got the final request.  Right now there is no restriction for the MTV VPN to reach any build host.

Web VNC is not running...

[root@mv-vpn01 openvpn]# nc -vz 10.250.48.231 5800
nc: connect to 10.250.48.231 port 5800 (tcp) failed: Connection refused
[root@mv-vpn01 openvpn]# nc -vz 10.250.48.237 5800
nc: connect to 10.250.48.237 port 5800 (tcp) failed: Connection refused

But the Java is...

[root@mv-vpn01 openvpn]# nc -vz 10.250.48.231 5900
Connection to 10.250.48.231 5900 port [tcp/*] succeeded!
[root@mv-vpn01 openvpn]# nc -vz 10.250.48.237 5900
Connection to 10.250.48.237 5900 port [tcp/*] succeeded!

I put an explicit rule in place as to not close this access off in the future by accident.

security {
    policies {
        from-zone internal to-zone build {
            /* Bug 603403 */
            policy vnc {
                match {
                    source-address office;
                    destination-address build-vnc;
                    application junos-vnc;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone build {
            address-book {
                address talos-r3-xp-001 10.250.48.231/32;
                address talos-r3-w7-001 10.250.48.237/32;
                address-set build-vnc {
                    address talos-r3-xp-001;
                    address talos-r3-w7-001;
                }
            }
        }
    }
}
applications {
    application tcp-5900 {
        protocol tcp;
        destination-port 5900;
    }
    application-set vnc-java {
        application tcp-5900;
    }
}
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
Awesome, it works for me too, thanks!
Status: RESOLVED → VERIFIED
Did the work on opening up VNC disable the Administrator account on talos-r3-w7-001?  I can't seem to log back in with RDP to change passwords back.  These slaves don't need forwarding anymore and can return to build-vpn access only.
Status: VERIFIED → REOPENED
Resolution: WORKSFORME → ---
We only changed the firewall,  nothing about the host/OS.
Status: REOPENED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Ah, ok.  Has that change been reversed now? 

The loan is done and we will be putting this back to releng-only.
The config has been pulled.
Product: mozilla.org → Infrastructure & Operations
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard