Page MenuHomePhabricator

Network setup for frmon2001.frack.codfw.wmnet
Closed, ResolvedPublic

Description

host frmon2001.frack.codfw.wmnet
vlan frack-administration-codfw
IP: 10.195.0.66
MAC: d0:94:66:5f:54:16

I will make the pfw/iptables policies and update this task

Event Timeline

Restricted Application removed a project: Patch-For-Review. · View Herald TranscriptApr 19 2019, 6:10 PM

@ayounsi - the new policies are at 1555726449, let me know if you need anything else thanks

Does this need a public IP and NAT?
Is it fine to push it anytime or sync up with you?

commit 606f45371334528bbbd51a4daa17805f1fddd7e4 (HEAD -> master, origin/master, origin/HEAD)
Author: Casey Dentinger <cdentinger@wikimedia.org>
Date:   Tue Apr 23 16:23:20 2019 +0000

amend frmon fw policy

arzhel pointed out that we'd be opening https to a server with no nat
entry.  since public https uses the wildcard cert it uglified the idea
of a service url.  so the url is pointing right at frmon1001.  therefore
not opening https seems like the best approach.  that required a
slightly aberrant edit to the pfw policy, mentioning the same server in
two different groups, but it seems to generate fine.

@ayounsi i put new policies at 1556036997

Mentioned in SAL (#wikimedia-operations) [2019-04-23T22:33:52Z] <XioNoX> push firewall rule to pfw3-codfw - T221475

Mentioned in SAL (#wikimedia-operations) [2019-04-23T22:35:49Z] <XioNoX> push firewall rule to pfw3-eqiad - T221475

@ayounsi after talking to @Jgreen I'm going to redo the DNS using the wildcard cert to also have the failover cname.

Is there a public IP available for the codfw host? I would need that to make the DNS change.

Change 506707 had a related patch set uploaded (by Cdentinger; owner: Cdentinger):
[operations/dns@master] Add failover URL and public IP for frmon*

https://gerrit.wikimedia.org/r/506707

Change 506707 merged by Jgreen:
[operations/dns@master] Add failover URL and public IP for frmon*

https://gerrit.wikimedia.org/r/506707

Mentioned in SAL (#wikimedia-operations) [2019-04-29T18:22:31Z] <Jeff_Green> authdns-update for T221475

@Papaul it looks like you wired this up in T196557 but I have tried the hw addresses reported by racadm and am not seeing dhcp packets, could you assist troubleshooting?

Dzahn reassigned this task from cwdent to Papaul.Apr 29 2019, 7:35 PM
Papaul reassigned this task from Papaul to cwdent.Apr 29 2019, 8:49 PM

@cwdent the switch ports were not setup. You should be good now.

papaul@fasw-c-codfw# run show interfaces ge-[0-1]/0/16 descriptions    
Interface       Admin Link Description
ge-0/0/16       up    up   frmon2001:eth0
ge-1/0/16       up    up   frmon2001:eth1
cwdent closed this task as Resolved.Apr 30 2019, 3:20 PM

@Papaul thanks! Working :)