
allow bast2002 to connect to mgmt network
Closed, Resolved · Public

Description

The parent task T196665 is for replacing bast2001 with bast2002.

This has happened in puppet. The new host has the same role and has been added to network::constants.

It can be used as a jump host to get to other servers just fine.

But.. it can not connect to the mgmt network.

This has been reported by @Papaul and I could also confirm it with the test host cobalt.mgmt.eqiad.wmnet.

If I proxy via bast2001 I can get there; if I proxy via bast2002 I can NOT connect.

This does not seem to be anything I can influence in puppet, as opposed to the ferm rules that already changed.

Please check the router ACLs and allow bast2002 the same as the existing rules for 2001.

You can add it in parallel or also just replace 2001 with 2002, since we want to decom the old host anyways.

Event Timeline

Dzahn triaged this task as Medium priority. Mar 27 2019, 1:50 PM
Dzahn created this task.
Dzahn updated the task description.

FYI: Please note that even when the ACL is setup, bastions allow SSH proxy but not HTTPS proxy. Alternatively, you can setup proxy via cumin servers to get both.

This should be fixed (making bast2002 like bast2001), just providing info for a work around until it is. =]

@RobH I can't confirm this. I can proxy via bast2002 just like I can via bast2001, using "ssh -D 8081 bast2002.wikimedia.org" and setting my browser's proxy settings to SOCKS5 and "localhost:8081". My IP is then shown as 208.80.153.54 (bast2002).

Mentioned in SAL (#wikimedia-operations) [2019-04-15T18:58:22Z] <XioNoX> update mr1-* security policies - T219384

I think @RobH's comment was about the fact that bast hosts are not allowed to reach mgmt's http/https, but only ssh.
On the other hand, cumin hosts are allowed to.

Anyway, firewall updated. I replaced bast2001 with bast2002.