Freeze break: update iptables

Tim Flink tflink at redhat.com
Wed Feb 25 14:03:40 UTC 2015


On Wed, 25 Feb 2015 06:59:16 -0700
Kevin Fenzi <kevin at scrye.com> wrote:

> So, currently our iptables config is generated by a template in
> ansible. In that template we add in all the IPs of staging hosts on
> the production hosts (to make sure we block them all from talking to
> production and possibly causing problems) (except for a small list of
> production hosts that allow staging for various reasons).
> 
> So, the consequence of this is that when we add a new staging host
> (like we did yesterday with ipsilon01.stg) all the production hosts
> need to add that ip to their list to block. 
> 
> So, I'd like to run: 
> 
> ansible-playbook master -t iptables -l \*.phx2.\*
> 
> This will update the iptables config on phx2 hosts and restart
> iptables. It will add:  
> 
> +# ipsilon01.stg.phx2.fedoraproject.org
> +-A INPUT -s 10.5.126.35 -j REJECT --reject-with icmp-host-prohibited
> 
> This will have 2 effects: 
> 
> 1) Will make sure that ipsilon01.stg cannot talk to production and
> cause any issue (not that it normally would). 
> 
> 2) My ansible check/diff report will be a ton smaller and I can see if
> there's any real changes pending to hosts instead of being lost in the
> list of pending iptables changes. ;) 

Sounds like a good idea to me.

+1
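The rule generation Kevin describes (one commented REJECT line per staging host, emitted on every production host except an allow-list) is easy to model outside ansible, which is useful for reviewing what a rerun of the playbook would change and for auditing a host's rule set for staging IPs it fails to block. The following is an added example and not Fedora Infrastructure's own template or playbook; only `ipsilon01.stg.phx2.fedoraproject.org` and `10.5.126.35` come from the post, and every other host name, IP and the allow-list entry is a constructed placeholder.

```python
# Added example (not Fedora's ansible template): generate the per-host iptables
# REJECT rules described in the post, diff them against an existing rule set,
# and audit a rule set for staging IPs that are not blocked.
from typing import Dict, Iterable, List

# Constructed inventory: staging host -> IP.
# ipsilon01.stg and 10.5.126.35 come from the post; the db host is made up.
STAGING_HOSTS: Dict[str, str] = {
    "ipsilon01.stg.phx2.fedoraproject.org": "10.5.126.35",
    "db-example01.stg.phx2.fedoraproject.org": "10.5.126.201",  # constructed
}

# Constructed allow-list: production hosts that are permitted to talk to staging.
PRODUCTION_ALLOWS_STAGING = {"proxy-example01.phx2.fedoraproject.org"}  # constructed

REJECT_RULE = "-A INPUT -s {ip} -j REJECT --reject-with icmp-host-prohibited"


def staging_reject_rules(production_host: str,
                         staging_hosts: Dict[str, str] = STAGING_HOSTS,
                         allow_list: Iterable[str] = PRODUCTION_ALLOWS_STAGING) -> List[str]:
    """Return the INPUT rules a production host should carry.

    Allow-listed hosts get no staging rules at all; every other host gets a
    comment line plus one REJECT line per staging host, in the format the post
    shows, sorted by host name so reruns are deterministic.
    """
    if production_host in set(allow_list):
        return []
    rules: List[str] = []
    for name, ip in sorted(staging_hosts.items()):
        rules.append(f"# {name}")
        rules.append(REJECT_RULE.format(ip=ip))
    return rules


def rules_diff(old: List[str], new: List[str]) -> List[str]:
    """Summarise what a rerun would change: '-' lines removed, '+' lines added.

    This mirrors the ansible --check/--diff output the post refers to, minus
    context lines.
    """
    old_set, new_set = set(old), set(new)
    removed = [f"-{line}" for line in old if line not in new_set]
    added = [f"+{line}" for line in new if line not in old_set]
    return removed + added


def unblocked_staging_ips(rules: List[str],
                          staging_hosts: Dict[str, str] = STAGING_HOSTS) -> List[str]:
    """Audit check: staging IPs the given rule set does not REJECT on INPUT."""
    # For "-A INPUT -s <ip> ..." the IP is the fourth whitespace-separated token.
    blocked = {r.split()[3] for r in rules if r.startswith("-A INPUT -s ")}
    return sorted(ip for ip in staging_hosts.values() if ip not in blocked)


if __name__ == "__main__":
    # Rule set a production host carried before ipsilon01.stg existed (constructed).
    before = staging_reject_rules("bodhi-example01.phx2.fedoraproject.org",
                                  {"db-example01.stg.phx2.fedoraproject.org": "10.5.126.201"})
    after = staging_reject_rules("bodhi-example01.phx2.fedoraproject.org")
    print("\n".join(rules_diff(before, after)))
    print("unblocked before:", unblocked_staging_ips(before))
    print("unblocked after:", unblocked_staging_ips(after))
```

Running the module prints the same two `+` lines quoted in the post for the new staging host, and the audit function reports `10.5.126.35` as unblocked until the new rules are applied.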