Freeze break: update iptables

Patrick Uiterwijk puiterwijk at redhat.com
Wed Feb 25 14:05:35 UTC 2015


+1

----- Original Message -----
> So, currently our iptables config is generated by a template in
> ansible. In that template we add in all the IPs of staging hosts on
> the production hosts (to make sure we block them all from talking to
> production and possibly causing problems) (except for a small list of
> production hosts that allow staging for various reasons).
> 
> So, the consequence of this is that when we add a new staging host
> (like we did yesterday with ipsilon01.stg) all the production hosts
> need to add that IP to their list to block.
> 
> So, I'd like to run:
> 
> ansible-playbook master -t iptables -l \*.phx2.\*
> 
> This will update the iptables config on phx2 hosts and restart
> iptables. It will add:
> 
> +# ipsilon01.stg.phx2.fedoraproject.org
> +-A INPUT -s 10.5.126.35 -j REJECT --reject-with icmp-host-prohibited
> 
> This will have 2 effects:
> 
> 1) Will make sure that ipsilon01.stg cannot talk to production and
> cause any issue (not that it normally would).
> 
> 2) My ansible check/diff report will be a ton smaller and I can see if
> there are any real changes pending to hosts instead of being lost in the
> list of pending iptables changes. ;)
> 
> kevin
> 
> _______________________________________________
> infrastructure mailing list
> infrastructure at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/infrastructure
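As an added illustration (not Fedora Infrastructure's actual ansible template or playbook), the snippet below renders the per-staging-host REJECT block in the exact form quoted above and reports which of those rules a production host is still missing, which is roughly what the check/diff run surfaces. The inventory is constructed; only the ipsilon01.stg entry comes from the thread, the second host and the "current rules" sample are placeholders.

```python
# Added example: render staging-host REJECT rules the way the thread shows them
# and compute which rules a production host lacks. Not the project's own code.
import ipaddress

# Constructed inventory: ipsilon01.stg is from the thread, app01.stg is a placeholder.
STAGING_HOSTS = {
    "ipsilon01.stg.phx2.fedoraproject.org": "10.5.126.35",
    "app01.stg.phx2.fedoraproject.org": "10.5.126.10",
}

# Rule format quoted in the thread: reject with icmp-host-prohibited.
REJECT = "-A INPUT -s {ip} -j REJECT --reject-with icmp-host-prohibited"

# Constructed sample of what a production host currently has loaded,
# i.e. it predates the addition of ipsilon01.stg.
CURRENT_RULES = [
    "# app01.stg.phx2.fedoraproject.org",
    "-A INPUT -s 10.5.126.10 -j REJECT --reject-with icmp-host-prohibited",
]


def render_staging_block(staging, allow_staging=False):
    """Lines a production host gets for every staging host: a comment naming
    the host followed by its REJECT rule. Hosts on the small allow list that
    legitimately accept staging traffic get an empty block."""
    if allow_staging:
        return []
    lines = []
    for host, ip in sorted(staging.items()):
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        lines.append(f"# {host}")
        lines.append(REJECT.format(ip=ip))
    return lines


def missing_rules(current_rules, staging, allow_staging=False):
    """REJECT rules the host should carry but does not yet; comments are
    ignored so only real rule changes count, as the diff report should."""
    present = {line.strip() for line in current_rules if line.strip().startswith("-A")}
    wanted = [line for line in render_staging_block(staging, allow_staging)
              if line.startswith("-A")]
    return [rule for rule in wanted if rule not in present]


if __name__ == "__main__":
    for rule in missing_rules(CURRENT_RULES, STAGING_HOSTS):
        print("+" + rule)
```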

