Search domains in our environment (Proposal)
Mike McGrath
mmcgrath at redhat.com
Thu Dec 20 01:50:43 UTC 2007
seth vidal wrote:
> On Wed, 2007-12-19 at 19:24 -0600, Mike McGrath wrote:
>
>> seth vidal wrote:
>>
>>> On Wed, 2007-12-19 at 18:54 -0500, Anand Capur wrote:
>>>
>>>
>>>> The reason for all of this is the firewall in place at the PHX
>>>> colo. If
>>>> that wasn't there we wouldn't need any of the games at all. We
>>>> could
>>>> just have foo.fedoraproject.org be resolveable from anywhere
>>>> and
>>>> foo.vpn.fedoraproject.org just mean 'go over the vpn to get to
>>>> it'.
>>>>
>>>> seth 'big fan of simple networking' vidal
>>>> -sv
>>>>
>>>> +1, but do we still need the firewall for other things?
>>>>
>>>>
>>> So the firewall is something that came with the space. It's red hat's
>>> firewall and I don't think we have any choice for the hosts inside phx.
>>>
>>> In general, I'm a much bigger fan of hosts-based firewalling and
>>> clamping down on exposure paths that way than an edge firewall for a
>>> network. In this case it would also make our setup a good bit simpler if
>>> we didn't have the edge firewall at all.
>>>
>>>
>> Just so my stance on this is also public. In general I also agree that
>> it is good to remove the PHX firewall from the mix. The biggest being
>> IP space. (think about the builders and such). There's also a firewall
>> there that we could re-implement ourselves. While long term I do want
>> to re-think our interactions with PHX but I can't say for sure exactly
>> what that will be. If, for example, we got funding to host all
>> non-buildsystem stuff in our new German colo, many of these problems
>> might go away.
>>
>> I'd very much like to research the alternatives but for now I think the
>> search domain method would suit us well.
>>
>>
>
> option 2:
>
> all hosts we maintain are written in /etc/hosts or hosts.db or
> something comparable specific to the site.
>
> that would keep mitm down to a minimum, too, but it means keeping that
> file current.
>
>
Does search in resolv.conf work with multiple /etc/hosts entries. If so
we could do that though, like DNS, we'd need to maintain multiple
hostnames / ip's. If that doesn't work then we'd have to maintain
multiple /etc/hosts files.
-Mike
More information about the infrastructure
mailing list