On Tuesday, 13 March 2018 at 17:22 +0100, Michael Scherer wrote:
> Hi,
>
> So, I have been working on tightening the internal network of the
> gluster community cage part of the world, e.g., all the servers in
> *.int.rht.gluster.org. That's mostly internal infra servers, and newer
> non cloud builders, but I plan to later also move gerrit/jenkins and
> various servers.
>
> The goal is to reduce IPv4 usage (cause that's limited), and increase
> security (no direct access to attack, and more difficult to later
> exploit in case of compromise).
>
> That's mostly not impacting people (or I would have asked for
> maintenance windows) but I just switched all servers in the internal
> network to use the firewall (masamune.rht.gluster.org) as a gateway
> rather than the IT firewall, so if anything is broken on a
> *.int.rht.gluster.org server, please tell me and I will look.
>
> Everything is in HA, and I have done several tests and reboots during
> the day without trouble. In fact, more than half of the servers were
> already using that.
>
> Right now, the firewall is not yet blocking anything, but that's
> planned, server by server.
>
> Next steps are to prevent direct internet access (so start to use the
> firewall), and provide both a web proxy and a DNS server, so we can
> log and control what is going on.

So I made some progress here (after a rather hectic week, my fault for not staying on vacation):

- we now have 2 internal DNS servers (gonna test and switch internal builders, etc. once I validate them, I will likely do them in small batches)
- I started to switch to nftables for the firewall (not enabled yet, I will announce in advance and do that outside of working hours)

I also upgraded the firewalls (from the Copenhagen airport last month) and the proxies (today) to F28, but since no one complained, it shows this was pretty transparent (and resilient).

Next step is squid, then work on moving munin inside the LAN, and postgres (and make postgres HA too).

-- 
Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS
Attachment:
signature.asc
Description: This is a digitally signed message part
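The design the thread describes (internal servers routed through masamune as the only gateway, direct Internet access cut server by server, and egress funnelled through a web proxy and internal DNS so it can be logged and controlled) maps naturally onto an nftables ruleset. The ruleset below is an added example and is not the Gluster infrastructure's actual configuration. Everything concrete in it is an assumption: eth1 as the interface facing *.int.rht.gluster.org, eth0 facing the Internet, 10.70.0.0/16 as the internal subnet, 10.70.0.10 and 10.70.0.11 as the two internal DNS servers, and squid running on the gateway itself on port 3128. Numeric chain priorities and separate tcp/udp rules are used deliberately so it also loads on the nftables 0.8 series shipped around Fedora 28.

```nft
#!/usr/sbin/nft -f
# Added example, not the Gluster community cage's real ruleset.
# Assumptions (not from the mail): eth1 = LAN side, eth0 = Internet side,
# 10.70.0.0/16 = internal subnet, 10.70.0.10/.11 = the two internal DNS
# servers, squid listening on the gateway on 3128.

flush ruleset

define lan_if  = "eth1"
define wan_if  = "eth0"
define lan_net = 10.70.0.0/16
define dns_srv = { 10.70.0.10, 10.70.0.11 }

table inet gateway {
    # Hosts still permitted direct HTTP/HTTPS egress while they are migrated
    # to the proxy, so the cut-over can be done server by server:
    #   nft add element inet gateway direct_egress { 10.70.3.4 }
    #   nft delete element inet gateway direct_egress { 10.70.3.4 }
    set direct_egress {
        type ipv4_addr
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Only the LAN may use services on the gateway: ssh for admin, squid.
        iifname $lan_if ip saddr $lan_net tcp dport { 22, 3128 } accept
        iifname $lan_if ip saddr $lan_net icmp type echo-request accept
        # Anything else aimed at the gateway is logged (rate limited), then
        # falls through to the chain's drop policy.
        limit rate 5/second log prefix "gw-input-denied: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Only the internal resolvers may talk to outside DNS.
        iifname $lan_if oifname $wan_if ip saddr $dns_srv udp dport 53 accept
        iifname $lan_if oifname $wan_if ip saddr $dns_srv tcp dport 53 accept
        # Not-yet-migrated hosts keep direct web access.
        iifname $lan_if oifname $wan_if ip saddr @direct_egress tcp dport { 80, 443 } accept
        # Every other attempt to leave the LAN directly is logged, then dropped
        # by the chain policy; this is where "no direct access" is enforced.
        iifname $lan_if oifname $wan_if limit rate 10/second log prefix "egress-denied: "
    }
}

# Masquerade the traffic that is still allowed out, so internal hosts need
# no public IPv4 address of their own.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $wan_if ip saddr $lan_net masquerade
    }
}
```

Check the file with `nft -c -f gateway.nft` before loading it with `nft -f gateway.nft`; since the file starts with `flush ruleset`, load it from a console or from a LAN-side ssh session, not from the Internet side, or the flush will cut the session. The `egress-denied:` and `gw-input-denied:` log lines land in the kernel log (`journalctl -k`), which gives exactly the "log and control what is going on" view the mail asks for and a list of hosts that still need moving to the proxy.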
_______________________________________________ Gluster-devel mailing list Gluster-devel@xxxxxxxxxxx http://lists.gluster.org/mailman/listinfo/gluster-devel