Freeze Break Request: iptables rule for fedmsg+copr

We're looking to publish fedmsg messages from the copr backend.  The
node that it lives on is in the cloud and so will need to follow the same
route as the secondary arch compose nodes.  We have an inbound fedmsg
relay running on busgateway01, port 9941, and haproxy proxies
connections to it from hub.fedoraproject.org, port 9941.

We have that external port firewalled to only allow connections from
the secondary arch compose nodes, and the copr backend!

I only discovered today, as we went to test this for the first time,
that the IP listed in manifests/services/proxy.pp is incorrect.

I'd like to make this change to set it straight:

diff --git a/manifests/services/proxy.pp b/manifests/services/proxy.pp
index 01b39d3..529b242 100644
--- a/manifests/services/proxy.pp
+++ b/manifests/services/proxy.pp
@@ -1012,7 +1012,7 @@ if $puppetEnvironment == 'staging'{
         tcpPorts => [ 80, 443, 873, 8080, 6081, 9939, 9940],
         custom => [
             # Allow copr-be.cloud to talk to the inbound relay.
-            '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.142 -j ACCEPT',
+            '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.131 -j ACCEPT',
             # Also, ppc-composer.qa.fedoraproject.org (secondary arch)
             '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.181.33 -j ACCEPT',
             # Also, s390-hub01.qa.fedoraproject.org (secondary arch)
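
Review bot: The corrected `-s 209.132.184.131` line is still a bare address literal whose only tie to the host is the short name `copr-be.cloud` in the comment above it, which is how the previous wrong value went unnoticed until the first test. Please give the comment the full hostname, as the `ppc-composer.qa.fedoraproject.org` and `s390-hub01.qa.fedoraproject.org` entries do, and confirm before the push that 209.132.184.131 is the source address the proxies actually see for connections from the copr backend to port 9941. Since the message says this node is in the cloud, it is also worth recording in the comment whether that address is fixed to the instance: if it can be reassigned, this rule would admit whichever host holds it next to the inbound relay.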


This is potentially high impact in that it will be distributed to all of
our proxies (which everything depends on).  On the other hand, it is a
really simple change that only modifies the last chunk of that IP address.

Can I get two +1's?

-Ralph


_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
