On Friday, September 16, 2011 02:05:02 PM Kevin Fenzi wrote: > To followup on myself and after an excellent suggestion from Seth... > > Another way to do this is to just move vpn over to bastion02, don't > change dns or email. 'gateway' and 'bastion' stay pointed at bastion03. > > This means a change to the vpn client.conf on all machines, but we can > push that out. It also means no DNS changes, which is good. > We can also change back by just changing which machine is running > openvpn server on it. > > Here's the change for that: > > diff --git a/manifests/nodes/bastion02.phx2.fedoraproject.org.pp > b/manifests/nodes/bastion02.phx2.fe index 4018ec9..1a0ee7c 100644 > --- a/manifests/nodes/bastion02.phx2.fedoraproject.org.pp > +++ b/manifests/nodes/bastion02.phx2.fedoraproject.org.pp > @@ -1,6 +1,5 @@ > node bastion02{ > - # Moving openvpn over to bastion03 > - $enable_openvpn = false > + $enable_openvpn = true > include phx > $syncFasAliases = true > include gateway > diff --git a/manifests/nodes/bastion03.phx2.fedoraproject.org.pp > b/manifests/nodes/bastion03.phx2.fe index 8c5fca9..b7b0f32 100644 > --- a/manifests/nodes/bastion03.phx2.fedoraproject.org.pp > +++ b/manifests/nodes/bastion03.phx2.fedoraproject.org.pp > @@ -3,7 +3,7 @@ node bastion03{ > # comment out the line below when bastion02 is down or going to be > down. # Under normal situations, only one bastion host should be > running openvpn # or we'll end up with a split-brain problem in the > network > - #$enable_openvpn = false > + $enable_openvpn = false > include phx > $syncFasAliases = true > include gateway > diff --git a/modules/openvpn/files/client.conf > b/modules/openvpn/files/client.conf index b1b2d95..d274e72 100644 > --- a/modules/openvpn/files/client.conf > +++ b/modules/openvpn/files/client.conf > @@ -6,7 +6,7 @@ proto udp > > # Specify multiple vpn servers here > remote gateway > -remote bastion01 > +remote bastion02 > > resolv-retry infinite +1
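Review bot: In the manifests/nodes/bastion03.phx2.fedoraproject.org.pp hunk, the retained comment warns that only one bastion host should be running openvpn or the network ends up split-brain, but the patch flips `$enable_openvpn` on both nodes in a single commit and nothing orders the two hosts. Each host picks up the change on its own puppet run, so if bastion02 applies first, both servers are up until bastion03 catches up. Suggest stating the rollout order in the commit message or in that comment (run puppet on bastion03 first so openvpn stops there, then on bastion02), and rewording the comment, which still describes bastion02 as the host that might be down, to say that bastion02 is now the normal openvpn host.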
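Review bot: In the modules/openvpn/files/client.conf hunk, `remote gateway` is still listed ahead of the new `remote bastion02`, and per the message 'gateway' stays pointed at bastion03, which this same patch sets to `$enable_openvpn = false`. With `proto udp` and remotes tried in the order listed, every client would first have to wait out a failed attempt against a host that no longer runs the server before it reaches bastion02. Suggest listing `remote bastion02` first, or dropping `remote gateway` for as long as bastion03 is not serving openvpn. The removed entry is `remote bastion01` rather than bastion03, so it is also worth a line in the commit message saying that bastion01 is intentionally gone from the client list.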
_______________________________________________ infrastructure mailing list infrastructure@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/infrastructure