Page MenuHomePhabricator
Create Task
Maniphest T160994

Create the failoid service as fallback for the DNS discovery
Closed, ResolvedPublic
Actions

Description

  • Create one Ganeti instance in eqiad and one in codfw
  • Ensure that they hosts are not listening on ports 80 and 443

Details

SubjectRepoBranchLines +/-
Failoid: reject all TCP trafficoperations/puppetproduction+5 -14
Failoid: add service to reject connectionsoperations/puppetproduction+37 -0
Add entries for failoid VMsoperations/puppetproduction+11 -2
Add entries for ganeti instances for failoidoperations/dnsmaster+4 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Volans created this task.Mar 21 2017, 1:52 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 21 2017, 1:52 PM
Volans renamed this task from Create the nulloid service as fallback for the DNS discovery to Create the failoid service as fallback for the DNS discovery.Mar 21 2017, 2:33 PM
gerritbot subscribed.Mar 21 2017, 2:36 PM

Change 343877 had a related patch set uploaded (by Volans):
[operations/dns] Add entries for ganeti instances for failoid

https://gerrit.wikimedia.org/r/343877

gerritbot added a project: Patch-For-Review.Mar 21 2017, 2:36 PM
gerritbot added a comment.Mar 21 2017, 3:17 PM

Change 343877 merged by Volans:
[operations/dns] Add entries for ganeti instances for failoid

https://gerrit.wikimedia.org/r/343877

gerritbot added a comment.Mar 21 2017, 3:37 PM

Change 343890 had a related patch set uploaded (by Volans):
[operations/puppet] Add entries for failoid VMs

https://gerrit.wikimedia.org/r/343890

gerritbot added a comment.Mar 21 2017, 4:46 PM

Change 343917 had a related patch set uploaded (by Volans):
[operations/puppet] Failoid: add service to reject connections

https://gerrit.wikimedia.org/r/343917

gerritbot added a comment.Mar 21 2017, 5:01 PM

Change 343890 merged by Volans:
[operations/puppet] Add entries for failoid VMs

https://gerrit.wikimedia.org/r/343890

Volans updated the task description. (Show Details)Mar 21 2017, 6:37 PM
gerritbot added a comment.Mar 23 2017, 1:56 PM

Change 343917 merged by Volans:
[operations/puppet@production] Failoid: add service to reject connections

https://gerrit.wikimedia.org/r/343917

Volans closed this task as Resolved.Mar 23 2017, 2:04 PM
Volans updated the task description. (Show Details)

Service up and running on roentgenium and tureis with puppet role failoid, refusing connections to ports 80 and 443.

gerritbot added a comment.Mar 23 2017, 3:40 PM

Change 344406 had a related patch set uploaded (by Volans):
[operations/puppet@production] Failoid: reject all TCP traffic

https://gerrit.wikimedia.org/r/344406

gerritbot added a comment.Mar 23 2017, 3:46 PM

Change 344406 merged by Volans:
[operations/puppet@production] Failoid: reject all TCP traffic

https://gerrit.wikimedia.org/r/344406

Volans added a comment.Mar 23 2017, 3:53 PM

Given that there are a lot of services on non-standard ports and the lvs_services configuration had multiple instances for each discovery entry with different ports (http/https) and the mapping will just be a hieradata structure convention, we agreed to instead reject all TCP traffic on failoid as a last rule for iptables.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits