Page MenuHomePhabricator
Create Task
Maniphest T165136

Ferm rules for labstore1004/1005 NFS hosts
Closed, ResolvedPublic
Actions

Description

labstore1004/1005 don't use base::firewall

Details

SubjectRepoBranchLines +/-
labstore: finish setting up the firewall on the old primary clusteroperations/puppetproduction+1 -0
role::labs::nfs::secondary: Add Ferm rules for DRBDoperations/puppetproduction+8 -0
labstore: fix rsync rule for miscoperations/puppetproduction+5 -4
labstore: initial ferm rules shared by all labstore hostsoperations/puppetproduction+40 -0
labstore: rsync server on misc (dumps hosting)operations/puppetproduction+12 -2
Add ferm service for rpc.mountd on labstoreoperations/puppetproduction+6 -0
Add ferm service for rpc.statd on labstoreoperations/puppetproduction+12 -0
Configure fixed lock manager ports for labstore NFS serversoperations/puppetproduction+8 -0
labstore: set commented base::firewalloperations/puppetproduction+14 -0
Customize query in gerrit

Related Objects

Event Timeline

MoritzMuehlenhoff created this task.May 12 2017, 8:48 AM
Restricted Application added a project: Cloud-Services. · View Herald TranscriptMay 12 2017, 8:48 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
MoritzMuehlenhoff added a comment.May 12 2017, 8:50 AM

And labstore::misc will also need to configure a static rpcdmountd port (already done for labstore::secondary)

gerritbot subscribed.May 12 2017, 8:54 AM

Change 353508 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Add initial class for ferm rules shared by all labstore hosts

https://gerrit.wikimedia.org/r/353508

gerritbot added a project: Patch-For-Review.May 12 2017, 8:54 AM
MoritzMuehlenhoff added a comment.May 12 2017, 4:42 PM

Here's a breakdown of the current NFS port configuration for labstore and what needs to change:

rpc.mountd:
dumps: 32767
labstore1003: 38466
labstore1004: 38466
labstore1005: 38466
labstore2003: dynamic
labstore2004: dynamic
-> The port can be made static via RPCMOUNTDOPTS in /etc/default/nfs-kernel-server:

statd:
dumps: 32765
labstore1003: 55659
labstore1004: 55659
labstore1005: 55659
labstore2003: dynamic
labstore2004: dynamic
-> The port can be made static via STATDOPTS in /etc/default/nfs-common

lockd udp:
dumps: 32768
labstore1003: dynamic
labstore1004: dynamic
labstore1005: dynamic
labstore2003: dynamic
labstore2004: dynamic
-> The port can be made static via /etc/modprobe.d

lockd udp:
dumps: 32768
labstore1003: dynamic
labstore1004: dynamic
labstore1005: dynamic
labstore2003: dynamic
labstore2004: dynamic
-> The port can be made static via /etc/modprobe.d

lockd tcp:
dumps: 32769
labstore1003: dynamic
labstore1004: dynamic
labstore1005: dynamic
labstore2003: dynamic
labstore2004: dynamic
-> The port can be made static via /etc/modprobe.d

portmapper:
dumps: 111
labstore1003: 111
labstore1004: 111
labstore1005: 111
labstore2003: 111
labstore2004: 111

gerritbot added a comment.May 18 2017, 1:20 PM

Change 354226 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Add ferm service for rpc.statd on labstore

https://gerrit.wikimedia.org/r/354226

gerritbot added a comment.May 31 2017, 9:30 AM

Change 356347 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Add ferm service for rpc.mountd on labstore

https://gerrit.wikimedia.org/r/356347

gerritbot added a comment.Jun 7 2017, 8:10 AM

Change 357562 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Configure fixed lock manager ports for labstore NFS servers

https://gerrit.wikimedia.org/r/357562

chasemp triaged this task as Medium priority.Oct 6 2017, 2:48 PM
chasemp removed a project: Cloud-Services.
gerritbot added a comment.Oct 6 2017, 2:49 PM

Change 382718 had a related patch set uploaded (by Rush; owner: cpettet):
[operations/puppet@production] labstore: set base::firewall comment with notice

https://gerrit.wikimedia.org/r/382718

gerritbot added a comment.Oct 6 2017, 3:01 PM

Change 382718 merged by Rush:
[operations/puppet@production] labstore: set commented base::firewall

https://gerrit.wikimedia.org/r/382718

gerritbot added a comment.Nov 15 2017, 7:23 PM

Change 357562 merged by Rush:
[operations/puppet@production] Configure fixed lock manager ports for labstore NFS servers

https://gerrit.wikimedia.org/r/357562

gerritbot added a comment.Nov 15 2017, 8:10 PM

Change 354226 abandoned by Rush:
Add ferm service for rpc.statd on labstore

Reason:
added to 353508

https://gerrit.wikimedia.org/r/354226

gerritbot added a comment.Nov 15 2017, 8:10 PM

Change 356347 abandoned by Rush:
Add ferm service for rpc.mountd on labstore

Reason:
added to 353508

https://gerrit.wikimedia.org/r/356347

chasemp added a comment.Nov 15 2017, 8:11 PM

cc'd from the patch

Totally should be a profile but all of this storage code needs refactoring and for now I don't want to separate this bit from the rest of the logic, which means role for now. I don't think profile/wmcs/nfs is where we want this to end up, etc.

I am updating this with changes from https://gerrit.wikimedia.org/r/#/c/354226/2/modules/role/manifests/labs/nfs/ferm.pp and https://gerrit.wikimedia.org/r/#/c/356347/1/modules/role/manifests/labs/nfs/ferm.pp
Not ready to apply, I still have a few mysteries. Why is rsync daemon listening on labstore1003? Is conntracking here going to kill us? But I think I'm ready to merge and let's try this out on labstore1003 once that first question is answered.

gerritbot added a comment.Nov 16 2017, 2:26 PM

Change 391824 had a related patch set uploaded (by Rush; owner: cpettet):
[operations/puppet@production] labstore: rsync server on misc (dumps hosting)

https://gerrit.wikimedia.org/r/391824

gerritbot added a comment.Nov 17 2017, 3:36 PM

Change 391824 merged by Rush:
[operations/puppet@production] labstore: rsync server on misc (dumps hosting)

https://gerrit.wikimedia.org/r/391824

gerritbot added a comment.Nov 17 2017, 4:34 PM

Change 392063 had a related patch set uploaded (by Rush; owner: cpettet):
[operations/puppet@production] labstore: fix rsync rule for misc

https://gerrit.wikimedia.org/r/392063

gerritbot added a comment.Nov 20 2017, 3:34 PM

Change 392430 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] role::labs::nfs::secondary: Add Ferm rules for DRBD

https://gerrit.wikimedia.org/r/392430

gerritbot added a comment.Nov 27 2017, 7:14 PM

Change 353508 merged by Madhuvishy:
[operations/puppet@production] labstore: initial ferm rules shared by all labstore hosts

https://gerrit.wikimedia.org/r/353508

madhuvishy added a comment.Jan 5 2018, 7:32 PM

Noting that I merged https://gerrit.wikimedia.org/r/353508 and applied profile::wmcs::nfs::ferm to the new dumps distribution servers labstore1006&7, and the ferm rules seem to be working well.

GTirloni subscribed.Jan 3 2019, 4:02 PM
Phabricator_maintenance moved this task from Backlog to Acknowledged on the SRE board.Jan 26 2019, 9:15 PM
GTirloni unsubscribed.Mar 21 2019, 9:11 PM
GTirloni added a project: cloud-services-team (Kanban).Mar 23 2019, 9:24 PM
gerritbot added a comment.May 1 2019, 2:34 PM

Change 392063 abandoned by Rush:
labstore: fix rsync rule for misc

Reason:
this should be all obsolete with 1008/9 coming online

https://gerrit.wikimedia.org/r/392063

bd808 moved this task from Inbox to Doing on the cloud-services-team (Kanban) board.Jul 11 2019, 4:29 PM
bd808 moved this task from Doing to Watching on the cloud-services-team (Kanban) board.Sep 12 2019, 9:40 PM
gerritbot added a comment.Feb 18 2020, 7:10 AM

Change 392430 abandoned by Muehlenhoff:
role::labs::nfs::secondary: Add Ferm rules for DRBD

Reason:
Obsolete, a variant of this has been merged

https://gerrit.wikimedia.org/r/392430

MoritzMuehlenhoff renamed this task from Ferm rules for labstore NFS hosts to Ferm rules for labstore1004/1005 NFS hosts.Feb 21 2020, 9:20 AM
MoritzMuehlenhoff removed MoritzMuehlenhoff as the assignee of this task.
MoritzMuehlenhoff removed a project: Patch-For-Review.
MoritzMuehlenhoff updated the task description. (Show Details)
gerritbot added a comment.Feb 27 2020, 4:51 PM

Change 575296 had a related patch set uploaded (by Bstorm; owner: Bstorm):
[operations/puppet@production] labstore: finish setting up the firewall on the old primary cluster

https://gerrit.wikimedia.org/r/575296

gerritbot added a project: Patch-For-Review.Feb 27 2020, 4:51 PM
gerritbot added a comment.Feb 27 2020, 4:56 PM

Change 575296 merged by Bstorm:
[operations/puppet@production] labstore: finish setting up the firewall on the old primary cluster

https://gerrit.wikimedia.org/r/575296

Bstorm closed this task as Resolved.Feb 27 2020, 5:40 PM
Bstorm claimed this task.
Bstorm subscribed.

The cluster runs ferm rules now.

MoritzMuehlenhoff added a comment.Feb 28 2020, 7:09 AM

Awesome, thanks!

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits