Hi folks,

So after a few weeks of testing, the new firewall based on nft seems to be ready. I did switch a few servers on a test firewall (chrono.rht.gluster.org) without any trouble so far. So I plan to switch the 2 main HA firewalls (masa and mune) to use nft instead of firewalld sometime in the next 2 weeks, depending on how fast I can recover from Flock and where in the world I will be by then.

Switching to the new firewall would allow us to have:

- better management of the firewall (using 1 single file, instead of the Cthulhuan horror of using 75 calls to the firewalld ansible module)
- a more modern stack (see https://developers.redhat.com/blog/2018/08/10/firewalld-the-future-is-nftables/ )
- a more locked down internal network (which in turn would make it easier to detect a future attack, especially if we start to sign packages, etc.)

In practice, this should be pretty transparent for the users, but if you see any network issue on a builder in the int.rht.gluster.org domain, please tell us along with the date so we can investigate.

People interested can see the config file on https://github.com/gluster/gluster.org_ansible_configuration/blob/master/roles/nftables/templates/nftables.conf

Is there a time that should be avoided for the deploy, even if it should only impact various internal infra servers and the various internal builders?

We later still plan to move some services inside the internal LAN, like postgres, jenkins, etc., but that's out of scope for this change.

-- 
Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS
_______________________________________________ Gluster-devel mailing list Gluster-devel@xxxxxxxxxxx https://lists.gluster.org/mailman/listinfo/gluster-devel