Search domains in our environment (Proposal)

Mike McGrath mmcgrath at redhat.com
Thu Dec 20 01:50:43 UTC 2007


seth vidal wrote:
> On Wed, 2007-12-19 at 19:24 -0600, Mike McGrath wrote:
>   
>> seth vidal wrote:
>>     
>>> On Wed, 2007-12-19 at 18:54 -0500, Anand Capur wrote:
>>>   
>>>       
>>>>         The reason for all of this is the firewall in place at the PHX
>>>>         colo. If
>>>>         that wasn't there we wouldn't need any of the games at all. We
>>>>         could 
>>>>         just have foo.fedoraproject.org be resolveable from anywhere
>>>>         and
>>>>         foo.vpn.fedoraproject.org just mean 'go over the vpn to get to
>>>>         it'. 
>>>>         
>>>>         seth 'big fan of simple networking' vidal
>>>>         -sv
>>>>
>>>> +1, but do we still need the firewall for other things?
>>>>     
>>>>         
>>> So the firewall is something that came with the space. It's red hat's
>>> firewall and I don't think we have any choice for the hosts inside phx.
>>>
>>> In general, I'm a much bigger fan of hosts-based firewalling and
>>> clamping down on exposure paths that way than an edge firewall for a
>>> network. In this case it would also make our setup a good bit simpler if
>>> we didn't have the edge firewall at all.
>>>   
>>>       
>> Just so my stance on this is also public.  In general I also agree that 
>> it is good to remove the PHX firewall from the mix.  The biggest being 
>> IP space.  (think about the builders and such).  There's also a firewall 
>> there that we could re-implement ourselves.  While long term I do want 
>> to re-think our interactions with PHX but I can't say for sure exactly 
>> what that will be.  If, for example, we got funding to host all 
>> non-buildsystem stuff in our new German colo, many of these problems 
>> might go away.
>>
>> I'd very much like to research the alternatives but for now I think the 
>> search domain method would suit us well.
>>
>>     
>
> option 2:
>
>  all hosts we maintain are written in /etc/hosts or hosts.db or
> something comparable specific to the site.
>
> that would keep mitm down to a minimum, too, but it means keeping that
> file current.
>
>   
Does search in resolv.conf work with multiple /etc/hosts entries.  If so 
we could do that though, like DNS, we'd need to maintain multiple 
hostnames / ip's.  If that doesn't work then we'd have to maintain 
multiple /etc/hosts files.

    -Mike




More information about the infrastructure mailing list