Re: Freeze break: update iptables

On Wed, 25 Feb 2015 06:59:16 -0700
Kevin Fenzi <kevin@xxxxxxxxx> wrote:

> So, currently our iptables config is generated by a template in
> ansible. In that template we add in all the ip's of staging hosts on
> the production hosts (to make sure we block them all from talking to
> production and possibly causing problems) (except for a small list of
> production hosts that allow staging for various reasons). 
> 
> So, the consequence of this is that when we add a new staging host
> (like we did yesterday with ipsilon01.stg) all the production hosts
> need to add that ip to their list to block. 
> 
> So, I'd like to run: 
> 
> ansible-playbook master -t iptables -l \*.phx2.\*
> 
> This will update the iptables config on phx2 hosts and restart
> iptables. It will add:  
> 
> +# ipsilon01.stg.phx2.fedoraproject.org
> +-A INPUT -s 10.5.126.35 -j REJECT --reject-with icmp-host-prohibited
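Review bot: `-A` appends to the INPUT chain, so this REJECT for 10.5.126.35 only takes effect if no earlier INPUT rule already ACCEPTs traffic from that address or from a subnet containing it; since the rules come from a template, it is worth confirming that the per-staging-host blocks are emitted ahead of any broad source-based allow rules rather than at the tail of the chain, where they would be shadowed.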
> 
> This will have 2 effects: 
> 
> 1) Will make sure that ipsilon01.stg cannot talk to production and
> cause any issue (not that it normally would). 
> 
> 2) My ansible check/diff report will be a ton smaller and I can see if
> there's any real changes pending to hosts instead of being lost in the
> list of pending iptables changes. ;) 

Sounds like a good idea to me

+1
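A check worth running against the generated config before pushing it with the playbook is whether each staging block can actually match: because `-A` appends, a REJECT that lands after a source-based ACCEPT covering the same address is dead. The script below is an added example, not code from this thread or from the Fedora Infrastructure ansible templates. It parses iptables-save style `-A INPUT` lines, and for every staging address that should be blocked confirms that a source-specific REJECT exists and that no earlier ACCEPT with a source match covering that address precedes it. Apart from the ipsilon01.stg line quoted above, every host, address and rule in the sample chains is constructed for the example.

```python
"""Sanity-check generated iptables INPUT rules for staging-host blocks.

Added example, not code from the thread or from Fedora Infrastructure's
ansible templates. Because -A appends, the order in which the template
emits rules is the order netfilter evaluates them, so a per-host REJECT
is only effective if nothing earlier in the chain accepts that source.
"""
import ipaddress
import shlex

# Constructed sample chains. The ipsilon01.stg line is the one quoted in the
# thread; every other host, address and rule here is made up for the example.
GOOD_CHAIN = """\
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# ipsilon01.stg.phx2.fedoraproject.org
-A INPUT -s 10.5.126.35 -j REJECT --reject-with icmp-host-prohibited
# example02.stg (constructed)
-A INPUT -s 10.5.126.36 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.126.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# Same idea, but the /24 allow was emitted before the per-host block, so SSH
# from 10.5.126.35 is accepted despite the REJECT further down the chain.
SHADOWED_CHAIN = """\
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.5.126.0/24 -p tcp --dport 22 -j ACCEPT
# ipsilon01.stg.phx2.fedoraproject.org
-A INPUT -s 10.5.126.35 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""


def parse_input_rules(text):
    """Return a list of (source network or None, jump target, raw line)
    for each '-A INPUT' rule, in chain order. Comments and other chains
    are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("-A INPUT"):
            continue
        argv = shlex.split(line)
        src = target = None
        for i, tok in enumerate(argv):
            if tok in ("-s", "--source"):
                # strict=False so a bare host address parses as a /32
                src = ipaddress.ip_network(argv[i + 1], strict=False)
            elif tok in ("-j", "--jump"):
                target = argv[i + 1]
        rules.append((src, target, line))
    return rules


def check_staging_blocks(chain_text, staging_ips):
    """Return {ip: [problem, ...]}; an empty list means the block is effective.

    Only address-based ACCEPTs are treated as shadowing: a loopback or
    conntrack-state ACCEPT is not a source allowance, whereas a source-matched
    ACCEPT placed earlier overrides the per-host block entirely for whatever
    traffic it matches."""
    rules = parse_input_rules(chain_text)
    report = {}
    for ip_str in staging_ips:
        ip = ipaddress.ip_address(ip_str)
        problems = []
        reject_idx = next(
            (i for i, (src, tgt, _) in enumerate(rules)
             if tgt == "REJECT" and src is not None and ip in src),
            None,
        )
        if reject_idx is None:
            problems.append("no source-specific REJECT rule for this address")
        else:
            for src, tgt, line in rules[:reject_idx]:
                if tgt == "ACCEPT" and src is not None and ip in src:
                    problems.append("shadowed by earlier rule: " + line)
        report[ip_str] = problems
    return report


if __name__ == "__main__":
    staging = ["10.5.126.35", "10.5.126.36"]
    for name, chain in (("good", GOOD_CHAIN), ("shadowed", SHADOWED_CHAIN)):
        for ip, problems in check_staging_blocks(chain, staging).items():
            print(f"{name}: {ip}: {'OK' if not problems else problems}")
```

Run it against the output of `iptables-save` (or the rendered template) on a production host and feed it the list of staging addresses the template is supposed to block; anything other than an empty problem list means the block either is missing or sits behind a broader allow. The check deliberately ignores port and state qualifiers on the shadowing ACCEPT, so a reported shadow means "some traffic from this host gets through", which is exactly the condition the per-host REJECT is meant to rule out.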


_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
