Description
- Create one Ganeti instance in eqiad and one in codfw
- Ensure that the hosts are not listening on ports 80 and 443
Details
Status | Assigned | Task
---|---|---
Resolved | Qgil | T153007 Technical Collaboration annual plan FY2017-18
Resolved | Qgil | T159313 Draft WMF annual plan program about technical events
Resolved | Qgil | T149300 Future of the Wikimedia Developer Summit
Resolved | Rfarrand | T153996 Wikimedia Developer Summit 2017: Feedback Survey
Resolved | Rfarrand | T141926 Wikimedia Developer Summit 2017
Resolved | Qgil | T141938 Prepare a program for Wikimedia Developer Summit 2017 to effectively address current high level movement needs
Resolved | greg | T147937 Facilitate Wikidev'17 main topic "How to manage our technical debt"
Resolved | Joe | T154658 Prepare and improve the datacenter switchover procedure
Resolved | Joe | T149617 Integrating MediaWiki (and other services) with dynamic configuration
Resolved | None | T156100 DNS: dynamically generate entries for service discovery
Resolved | Volans | T160994 Create the failoid service as fallback for the DNS discovery
Event Timeline
Change 343877 had a related patch set uploaded (by Volans):
[operations/dns] Add entries for ganeti instances for failoid
Change 343877 merged by Volans:
[operations/dns] Add entries for ganeti instances for failoid
Change 343890 had a related patch set uploaded (by Volans):
[operations/puppet] Add entries for failoid VMs
Change 343917 had a related patch set uploaded (by Volans):
[operations/puppet] Failoid: add service to reject connections
Change 343917 merged by Volans:
[operations/puppet@production] Failoid: add service to reject connections
Service up and running on roentgenium and tureis with puppet role failoid, refusing connections to ports 80 and 443.
Change 344406 had a related patch set uploaded (by Volans):
[operations/puppet@production] Failoid: reject all TCP traffic
Change 344406 merged by Volans:
[operations/puppet@production] Failoid: reject all TCP traffic
Given that there are a lot of services on non-standard ports and the lvs_services configuration had multiple instances for each discovery entry with different ports (http/https) and the mapping will just be a hieradata structure convention, we agreed to instead reject all TCP traffic on failoid as a last rule for iptables.
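As an added example (not code from this task or from the operations/puppet changes listed above), here is a small Python probe a defender can run to verify that a failoid host behaves the way the task describes: every TCP port, including the 80 and 443 named in the description, must be actively refused rather than silently dropped. An iptables REJECT rule answers with a TCP reset or an ICMP port-unreachable, which a client sees as ECONNREFUSED and can fail over from immediately; a DROP rule (or a missing rule) would leave the client hanging until its own timeout, which is exactly what a DNS-discovery fallback must avoid. The hostnames roentgenium and tureis are not contacted; the `demo()` function constructs one listening and one closed loopback port so the probe can be exercised offline.

```python
import socket
from contextlib import closing

# Added example: classify a TCP connect attempt the way a failover client
# would experience it. A failoid host that REJECTs all TCP as its last
# iptables rule must yield "refused" on every port; "timeout" means packets
# are being dropped instead, and "open" means a service is still listening.


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'refused', 'timeout' or 'error:<errno>' for host:port."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            # RST or ICMP port-unreachable: the active rejection we want.
            return "refused"
        except socket.timeout:
            # No answer at all: a DROP rule or a black hole, not failoid behaviour.
            return "timeout"
        except OSError as exc:
            # e.g. ENETUNREACH / EHOSTUNREACH; report rather than hide it.
            return f"error:{exc.errno}"
        return "open"


def check_failoid(host: str, ports, timeout: float = 2.0) -> dict:
    """Probe each port on host and return {port: verdict}."""
    return {p: probe_tcp(host, p, timeout) for p in ports}


def failoid_ok(results: dict) -> bool:
    """True only if every probed port was actively refused."""
    return bool(results) and all(v == "refused" for v in results.values())


def demo() -> dict:
    """Constructed loopback self-test: one listening port and one closed port.

    A listening socket accepts the TCP handshake in the kernel even without
    accept(), so connect() succeeds; the second port is bound, released and
    then probed, so the kernel answers with a reset ("refused").
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()

    try:
        return {
            "open": probe_tcp("127.0.0.1", open_port),
            "closed": probe_tcp("127.0.0.1", closed_port),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    # Real use would be: check_failoid("<failoid-host>", [80, 443, 8080, ...])
    print(demo())
```

Against a real failoid host, `failoid_ok(check_failoid(host, [80, 443] + other_service_ports))` should be true for every port, and a `"timeout"` verdict on any port is the signal that the final iptables rule is dropping rather than rejecting.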