Page MenuHomePhabricator
Create Task
Maniphest T230980

Review switches ACL to connect from tools-bastion to dbproxy1019
Closed, ResolvedPublic
Actions

Description

dbproxy1019 will replace dbproxy1011 as one of the proxies for the wiki replicas.
The FW rules are the same between both hosts and I can connect fine from cumin1001 or cumin2001, or any other host.

However, from the tools-bastion: tools-sgebastion-07 I cannot connect, I guess there are some ACLs based on IPs allowing connections to dbproxy1011 and not to dbproxy1019?

marostegui@tools-sgebastion-07:~$ telnet dbproxy1011.eqiad.wmnet 3306
Trying 10.64.37.15...
Connected to dbproxy1011.eqiad.wmnet.
Escape character is '^]'.
Y
5.5.5-10.1.39-MariaDB
�zYfxH?@f^�??�(Gnt|3'hX^PVmysql_native_password
Connection closed by foreign host.
marostegui@tools-sgebastion-07:~$ telnet dbproxy1019.eqiad.wmnet 3306
Trying 10.64.37.28...

Related Objects
Search...

Event Timeline

Marostegui created this task.Aug 22 2019, 9:25 AM
Restricted Application added a project: SRE. · View Herald TranscriptAug 22 2019, 9:25 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
ayounsi claimed this task.Aug 23 2019, 4:25 PM

That's the change that need to be pushed to cr1/2-eqiad:

[edit firewall family inet filter labs-instance-in4 term labsdb-tcp4 from destination-address]
         10.64.37.15/32 { ... }
+        10.64.37.28/32;

I don't have access to:

ssh tools-sgebastion-07.eqiad.wmflabs 
Connection closed by UNKNOWN port 65535

Please ping me on IRC to sync up and push/test the change.

Marostegui added a comment.Aug 26 2019, 5:26 AM

Thanks @ayounsi! Let me know when you are around today so we can get this going

Stashbot added a comment.Aug 26 2019, 5:53 PM

Mentioned in SAL (#wikimedia-operations) [2019-08-26T17:53:42Z] <XioNoX> add new IP to labsdb-tcp4 on cr1/2-eqiad - T230980

ayounsi closed this task as Resolved.Aug 26 2019, 5:55 PM

Pushed as it's a very low risk change. Please reopen if it doesn't work.

Marostegui reopened this task as Open.Aug 27 2019, 5:22 AM

Re-opening and it doesn't look like it can connect:

marostegui@tools-sgebastion-07:~$ telnet dbproxy1019.eqiad.wmnet 3306
Trying 10.64.37.28...
^C

marostegui@tools-sgebastion-07:~$ telnet dbproxy1011.eqiad.wmnet 3306
Trying 10.64.37.15...
Connected to dbproxy1011.eqiad.wmnet.
Escape character is '^]'.
Y
5.5.5-10.1.39-MariaDB
                     b�Nt|3&cCe�??�TS$Udt:dh^|umysql_native_password
Connection closed by foreign host.

And from cumin1001 it works fine:

root@cumin1001:~#  telnet dbproxy1019.eqiad.wmnet 3306
Trying 10.64.37.28...
Connected to dbproxy1019.eqiad.wmnet.
Escape character is '^]'.
Y
5.5.5-10.1.39-MariaDB�b�xW,r{52;�??�oB81--;!3|8Amysql_native_password^CConnection closed by foreign host.


root@cumin1001:~#  telnet dbproxy1011.eqiad.wmnet 3306
Trying 10.64.37.15...
Connected to dbproxy1011.eqiad.wmnet.
Escape character is '^]'.
Y
5.5.5-10.1.39-MariaDB�b�Xz{|~#.\�??�gr&dDid91(s,mysql_native_password^CConnection closed by foreign host.
root@cumin1001:~#
ayounsi added a comment.Aug 27 2019, 5:36 AM
[edit firewall family inet filter cloud-in4 term labsdb from destination-address]
         10.64.37.14/31 { ... }
+        10.64.37.28/32;
[edit firewall family inet filter cloud-in4 term clouddb_return from destination-address]
         10.64.37.20/32 { ... }
+        10.64.37.28/32;
Stashbot added a comment.Aug 27 2019, 5:36 AM

Mentioned in SAL (#wikimedia-operations) [2019-08-27T05:36:49Z] <XioNoX> update cloud acls on cr1/2-eqiad - T230980

Marostegui closed this task as Resolved.Aug 27 2019, 5:38 AM

And now it works!

marostegui@tools-sgebastion-07:~$ telnet dbproxy1019.eqiad.wmnet 3306
Trying 10.64.37.28...
Connected to dbproxy1019.eqiad.wmnet.
Escape character is '^]'.
Y
5.5.5-10.1.39-MariaD�7qV8V'^'�??�FhZi%uD0b~uQmysql_native_passwordConnection closed by foreign host.
marostegui@tools-sgebastion-07:~$

Thank you!

Marostegui mentioned this in T231418: Review switches ACL to connect from tools-bastion to dbproxy1018.Aug 28 2019, 8:16 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits