
WMCS public range diffscan
Open, Low, Public

Description

Following up from an IRC discussion.

185.15.56.0/23 is used/reserved for WMCS dynamic public IPs, which means that ports on that range will often be opening/closing.

To reduce the mail noise sent to root@wikimedia.org, it has been suggested to only send notifications about that range to cloud-admin.

The current way diffscan is deployed makes it impossible to have two different instances of diffscan running in parallel. It should be easy to change, though (after all, it's a cronjob, a text file, and a Python script).

Even easier (at least as a short/medium-term solution) is to:

1/ Remove 185.15.56.0/23 from the current (root@) diffscan instance
2/ Add a 2nd instance of diffscan (on a separate host) to scan 185.15.56.0/23
For that, once a host has been selected (probably not worth creating a VM only for that), the diffscan profile needs to be applied to the VM (via Horizon), and then the following Hiera facts need to be applied to that VM:

profile::diffscan::ipranges:
  - 185.15.56.0/23
profile::diffscan::emailto: xxxxxx@wikimedia.org
profile::diffscan::groupname: Labs-to-public-v4    # no space or special characters, will be in the email's subject

Similar to https://github.com/wikimedia/puppet/blob/production/hieradata/labs.yaml#L131-L138
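
A pre-merge check for the split described above, written as an added example (it is not part of the task or of the diffscan/puppet code): it validates one instance's Hiera values and reports any range that both instances would still scan. The root@ instance's ranges and groupname are constructed sample values, and reading "no space or special characters" as letters, digits, `-` and `_` is an assumption.

```python
import ipaddress
import re

# Assumption: "no space or special characters" means letters, digits, '-' and '_'.
GROUPNAME_RE = re.compile(r"[A-Za-z0-9_-]+")
K_RANGES = "profile::diffscan::ipranges"
K_EMAIL = "profile::diffscan::emailto"
K_GROUP = "profile::diffscan::groupname"

def check_instance(name, hiera):
    """Return a list of problems found in one instance's diffscan Hiera values."""
    problems = []
    group = hiera.get(K_GROUP, "")
    if not GROUPNAME_RE.fullmatch(group):
        problems.append(f"{name}: groupname {group!r} has spaces or special characters")
    if "@" not in hiera.get(K_EMAIL, ""):
        problems.append(f"{name}: emailto is missing or not an address")
    for cidr in hiera.get(K_RANGES, []):
        try:
            ipaddress.ip_network(cidr)  # strict mode: rejects host bits set
        except ValueError as exc:
            problems.append(f"{name}: bad range {cidr!r}: {exc}")
    return problems

def overlapping_ranges(a, b):
    """Return (range_a, range_b) pairs that both instances would scan and mail about."""
    nets_a = [ipaddress.ip_network(c) for c in a[K_RANGES]]
    nets_b = [ipaddress.ip_network(c) for c in b[K_RANGES]]
    return [(str(x), str(y)) for x in nets_a for y in nets_b
            if x.version == y.version and x.overlaps(y)]

# Values from the task description for the second instance.
WMCS = {K_RANGES: ["185.15.56.0/23"],
        K_EMAIL: "xxxxxx@wikimedia.org",
        K_GROUP: "Labs-to-public-v4"}
# Constructed sample for the root@ instance: documentation ranges plus a
# /24 left behind inside the WMCS /23 (step 1 not fully applied).
ROOT_BEFORE = {K_RANGES: ["192.0.2.0/24", "185.15.56.0/24"],
               K_EMAIL: "root@wikimedia.org",
               K_GROUP: "example-root"}
ROOT_AFTER = dict(ROOT_BEFORE, **{K_RANGES: ["192.0.2.0/24"]})

if __name__ == "__main__":
    for label, root in (("before", ROOT_BEFORE), ("after", ROOT_AFTER)):
        print(label, check_instance("root", root) + check_instance("wmcs", WMCS),
              overlapping_ranges(root, WMCS))
```
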

Event Timeline

ayounsi triaged this task as Low priority. Oct 10 2018, 4:20 PM
ayounsi created this task.
Restricted Application added a subscriber: Aklapper. Oct 10 2018, 4:20 PM

Change 465654 had a related patch set uploaded (by Ayounsi; owner: Ayounsi):
[operations/puppet@production] Diffscan, don't scan the WMCS public range

https://gerrit.wikimedia.org/r/465654

Change 465654 merged by Ayounsi:
[operations/puppet@production] Diffscan, don't scan the WMCS public range

https://gerrit.wikimedia.org/r/465654