Re: Search domains in our environment (Proposal)

[Mike McGrath <mmcgrath@xxxxxxxxxx>]

seth vidal wrote:
> On Wed, 2007-12-19 at 19:24 -0600, Mike McGrath wrote:
>   
> > seth vidal wrote:
> >     
> > > On Wed, 2007-12-19 at 18:54 -0500, Anand Capur wrote:
> > >   
> > >       
> > > >         The reason for all of this is the firewall in place at the PHX
> > > >         colo. If
> > > >         that wasn't there we wouldn't need any of the games at all. We
> > > >         could 
> > > >         just have foo.fedoraproject.org be resolveable from anywhere
> > > >         and
> > > >         foo.vpn.fedoraproject.org just mean 'go over the vpn to get to
> > > >         it'. 
> > > >         
> > > >         seth 'big fan of simple networking' vidal
> > > >         -sv
> > > >
> > > > +1, but do we still need the firewall for other things?
> > > >     
> > > >         
> > > So the firewall is something that came with the space. It's red hat's
> > > firewall and I don't think we have any choice for the hosts inside phx.
> > >
> > > In general, I'm a much bigger fan of hosts-based firewalling and
> > > clamping down on exposure paths that way than an edge firewall for a
> > > network. In this case it would also make our setup a good bit simpler if
> > > we didn't have the edge firewall at all.
> > >   
> > >       
> > Just so my stance on this is also public.  In general I also agree that 
> > it is good to remove the PHX firewall from the mix.  The biggest being 
> > IP space.  (think about the builders and such).  There's also a firewall 
> > there that we could re-implement ourselves.  While long term I do want 
> > to re-think our interactions with PHX but I can't say for sure exactly 
> > what that will be.  If, for example, we got funding to host all 
> > non-buildsystem stuff in our new German colo, many of these problems 
> > might go away.
> >
> > I'd very much like to research the alternatives but for now I think the 
> > search domain method would suit us well.
> >
> >     
>
> option 2:
>
>  all hosts we maintain are written in /etc/hosts or hosts.db or
> something comparable specific to the site.
>
> that would keep mitm down to a minimum, too, but it means keeping that
> file current.
>
>   
Does search in resolv.conf work with multiple /etc/hosts entries.  If so 
we could do that though, like DNS, we'd need to maintain multiple 
hostnames / ip's.  If that doesn't work then we'd have to maintain 
multiple /etc/hosts files.

   -Mike

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list