So, currently our iptables config is generated by a template in ansible. In that template we add in all the IPs of staging hosts on the production hosts (to make sure we block them all from talking to production and possibly causing problems) (except for a small list of production hosts that allow staging for various reasons).

So, the consequence of this is that when we add a new staging host (like we did yesterday with ipsilon01.stg) all the production hosts need to add that IP to their list to block.

So, I'd like to run:

    ansible-playbook master -t iptables -l \*.phx2.\*

This will update the iptables config on phx2 hosts and restart iptables. It will add:

+# ipsilon01.stg.phx2.fedoraproject.org
+-A INPUT -s 10.5.126.35 -j REJECT --reject-with icmp-host-prohibited

This will have 2 effects:

1) Will make sure that ipsilon01.stg cannot talk to production and cause any issue (not that it normally would).

2) My ansible check/diff report will be a ton smaller and I can see if there's any real changes pending to hosts instead of being lost in the list of pending iptables changes. ;)

kevin
_______________________________________________ infrastructure mailing list infrastructure@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/infrastructure
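Added example, not the Fedora infrastructure ansible template itself: a small Python stand-in for the template logic described above (one REJECT rule per staging host, skipped on the allow-listed production hosts), plus a helper that shows which lines a check/diff run would report as pending. The inventory dictionaries and the production host names below are constructed for illustration; only ipsilon01.stg and its address come from the mail.

```python
import ipaddress

REJECT = "-j REJECT --reject-with icmp-host-prohibited"

# Constructed sample inventory: staging FQDN -> IPv4 address.
# Only the ipsilon01.stg entry (added in STAGING_AFTER) is taken from the mail.
STAGING_BEFORE = {
    "db01.stg.phx2.fedoraproject.org": "10.5.126.10",
    "proxy01.stg.phx2.fedoraproject.org": "10.5.126.20",
}
STAGING_AFTER = dict(STAGING_BEFORE)
STAGING_AFTER["ipsilon01.stg.phx2.fedoraproject.org"] = "10.5.126.35"


def staging_block_rules(staging_hosts, target_host, staging_allowed=()):
    """Return the INPUT rules a production host carries to block staging.

    staging_hosts: mapping of staging FQDN -> IP (from inventory).
    target_host: the production host the config is rendered for.
    staging_allowed: production hosts permitted to talk to staging;
    for those no REJECT rules are emitted at all.
    """
    if target_host in staging_allowed:
        return []
    rules = []
    # Sort by name so every render is deterministic and diffs stay minimal.
    for fqdn, ip in sorted(staging_hosts.items()):
        ipaddress.ip_address(ip)  # fail fast on a bad inventory entry
        rules.append(f"# {fqdn}")
        rules.append(f"-A INPUT -s {ip} {REJECT}")
    return rules


def pending_changes(old_rules, new_rules):
    """Lines a check/diff run would report: '+' added, '-' removed."""
    old, new = set(old_rules), set(new_rules)
    added = [f"+{r}" for r in new_rules if r not in old]
    removed = [f"-{r}" for r in old_rules if r not in new]
    return added + removed


if __name__ == "__main__":
    host = "proxy01.phx2.fedoraproject.org"  # constructed production host
    before = staging_block_rules(STAGING_BEFORE, host)
    after = staging_block_rules(STAGING_AFTER, host)
    print("\n".join(pending_changes(before, after)))
```

Every production host not on the allow list renders the same two new lines, which is why a single new staging host shows up as a pending change across the whole phx2 group until the iptables tag is pushed.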