Freeze break: update iptables

Kevin Fenzi kevin at scrye.com
Wed Feb 25 13:59:16 UTC 2015


So, currently our iptables config is generated by a template in
ansible. In that template we add in all the IPs of staging hosts on
the production hosts (to make sure we block them all from talking to
production and possibly causing problems) (except for a small list of
production hosts that allow staging for various reasons).

So, the consequence of this is that when we add a new staging host
(like we did yesterday with ipsilon01.stg) all the production hosts
need to add that IP to their list to block.

So, I'd like to run: 

ansible-playbook master -t iptables -l \*.phx2.\*

This will update the iptables config on phx2 hosts and restart
iptables. It will add:  

+# ipsilon01.stg.phx2.fedoraproject.org
+-A INPUT -s 10.5.126.35 -j REJECT --reject-with icmp-host-prohibited
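Review bot: the `-A INPUT` line appends, so this REJECT only takes effect if no earlier rule in the INPUT chain already ACCEPTs traffic from 10.5.126.35 (iptables stops at the first matching rule); worth confirming the template emits the staging block lines above any broad per-subnet or per-service ACCEPT. Note also that the rule filters inbound packets from the staging host only, which matches the stated goal of keeping staging from talking to production but does nothing for connections a production host initiates toward staging.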

This will have 2 effects: 

1) Will make sure that ipsilon01.stg cannot talk to production and
cause any issue (not that it normally would). 

2) My ansible check/diff report will be a ton smaller and I can see if
there's any real changes pending to hosts instead of being lost in the
list of pending iptables changes. ;) 

kevin
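As an added illustration of the ordering concern behind such generated block rules (this is example code, not Kevin's or the Fedora infrastructure ansible template), the script below parses a constructed iptables-save style INPUT chain and, for each staging IP, walks the chain the way iptables does (first match wins) to report whether the REJECT actually applies, is shadowed by an earlier ACCEPT, or is missing. The ruleset and the staging IP list are constructed sample data.

```python
import ipaddress
import shlex

# Constructed sample INPUT chain in iptables-save syntax. The /30 ACCEPT
# sits *before* the generated staging REJECT line for .35, so iptables
# (first match wins) lets that host's ssh traffic through regardless.
SAMPLE_RULES = """
-A INPUT -s 10.5.126.32/30 -p tcp --dport 22 -j ACCEPT
# ipsilon01.stg.phx2.fedoraproject.org
-A INPUT -s 10.5.126.35 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.126.40 -j REJECT --reject-with icmp-host-prohibited
"""

# Constructed list; in practice this would come from the ansible inventory.
STAGING_IPS = ["10.5.126.35", "10.5.126.40", "10.5.126.99"]


def parse_rules(text):
    """Return (index, source_network, narrowed, target) for every '-A INPUT'
    rule with an explicit -s. Rules without -s (lo, state tracking, the
    final catch-all) are skipped: a simplification for this audit."""
    rules = []
    for line in text.splitlines():
        argv = shlex.split(line.split("#", 1)[0])  # drop comments
        if argv[:2] != ["-A", "INPUT"] or "-s" not in argv:
            continue
        src = ipaddress.ip_network(argv[argv.index("-s") + 1], strict=False)
        target = argv[argv.index("-j") + 1] if "-j" in argv else None
        # Extra match criteria mean the rule covers only part of the traffic.
        narrowed = any(t in argv for t in ("-p", "-m", "--dport", "--sport", "-i"))
        rules.append((len(rules), src, narrowed, target))
    return rules


def audit(rules, staging_ips):
    """Walk the chain in order for each staging IP: an ACCEPT covering the IP
    before an unconditional REJECT/DROP shadows the block; no covering
    REJECT at all means the template never emitted one."""
    report = {}
    for ip in staging_ips:
        addr = ipaddress.ip_address(ip)
        report[ip] = ("missing", None)
        for idx, src, narrowed, target in rules:
            if addr not in src:
                continue
            if target == "ACCEPT":
                report[ip] = ("shadowed", idx)
                break
            if target in ("REJECT", "DROP") and not narrowed:
                report[ip] = ("blocked", idx)
                break
    return report
```

Run it against the real chain by feeding `iptables-save` output to `parse_rules` and the inventory's staging IPs to `audit`; any "shadowed" or "missing" entry is a host the template is not actually blocking.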