
Review switches ACL to connect from tools-bastion to dbproxy1019
Closed, Resolved · Public

Description

dbproxy1019 will replace dbproxy1011 as one of the proxies for the wiki replicas.
The FW rules are the same between both hosts and I can connect fine from cumin1001 or cumin2001, or any other host.

However, from the tools-bastion (tools-sgebastion-07) I cannot connect. I guess there are some ACLs based on IPs allowing connections to dbproxy1011 and not to dbproxy1019?

marostegui@tools-sgebastion-07:~$ telnet dbproxy1011.eqiad.wmnet 3306
Trying 10.64.37.15...
Connected to dbproxy1011.eqiad.wmnet.
Escape character is '^]'.
Y
5.5.5-10.1.39-MariaDB
�zYfxH?@f^�??�(Gnt|3'hX^PVmysql_native_password
Connection closed by foreign host.
marostegui@tools-sgebastion-07:~$ telnet dbproxy1019.eqiad.wmnet 3306
Trying 10.64.37.28...

Event Timeline

Restricted Application added a project: Operations. · Aug 22 2019, 9:25 AM
Restricted Application added a subscriber: Aklapper.
ayounsi claimed this task. · Fri, Aug 23, 4:25 PM

That's the change that needs to be pushed to cr1/2-eqiad:

[edit firewall family inet filter labs-instance-in4 term labsdb-tcp4 from destination-address]
         10.64.37.15/32 { ... }
+        10.64.37.28/32;
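
Review bot: in term labsdb-tcp4, 10.64.37.15/32 (dbproxy1011) stays in place next to the new 10.64.37.28/32. Since the task says dbproxy1019 replaces dbproxy1011, record a follow-up to remove the old /32 once that host is retired, so the filter does not keep permitting an address that no longer belongs to a proxy.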

I don't have access to:

ssh tools-sgebastion-07.eqiad.wmflabs 
Connection closed by UNKNOWN port 65535

Please ping me on IRC to sync up and push/test the change.

Thanks @ayounsi! Let me know when you are around today so we can get this going

Mentioned in SAL (#wikimedia-operations) [2019-08-26T17:53:42Z] <XioNoX> add new IP to labsdb-tcp4 on cr1/2-eqiad - T230980

ayounsi closed this task as Resolved. · Mon, Aug 26, 5:55 PM

Pushed as it's a very low risk change. Please reopen if it doesn't work.

Marostegui reopened this task as Open. · Tue, Aug 27, 5:22 AM

Re-opening and it doesn't look like it can connect:

marostegui@tools-sgebastion-07:~$ telnet dbproxy1019.eqiad.wmnet 3306
Trying 10.64.37.28...
^C

marostegui@tools-sgebastion-07:~$ telnet dbproxy1011.eqiad.wmnet 3306
Trying 10.64.37.15...
Connected to dbproxy1011.eqiad.wmnet.
Escape character is '^]'.
Y
5.5.5-10.1.39-MariaDB
                     b�Nt|3&cCe�??�TS$Udt:dh^|umysql_native_password
Connection closed by foreign host.

And from cumin1001 it works fine:

root@cumin1001:~#  telnet dbproxy1019.eqiad.wmnet 3306
Trying 10.64.37.28...
Connected to dbproxy1019.eqiad.wmnet.
Escape character is '^]'.
Y
5.5.5-10.1.39-MariaDB�b�xW,r{52;�??�oB81--;!3|8Amysql_native_password^CConnection closed by foreign host.


root@cumin1001:~#  telnet dbproxy1011.eqiad.wmnet 3306
Trying 10.64.37.15...
Connected to dbproxy1011.eqiad.wmnet.
Escape character is '^]'.
Y
5.5.5-10.1.39-MariaDB�b�Xz{|~#.\�??�gr&dDid91(s,mysql_native_password^CConnection closed by foreign host.
root@cumin1001:~#

[edit firewall family inet filter cloud-in4 term labsdb from destination-address]
         10.64.37.14/31 { ... }
+        10.64.37.28/32;
[edit firewall family inet filter cloud-in4 term clouddb_return from destination-address]
         10.64.37.20/32 { ... }
+        10.64.37.28/32;
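
Review bot: both cloud-in4 terms (labsdb and clouddb_return) take the same literal 10.64.37.28/32 that was already added to labs-instance-in4 term labsdb-tcp4, so one proxy swap needed three hand edits across two filters and the first push missed two of them. Consider keeping the proxy addresses in a single prefix-list and matching it with destination-prefix-list in each term, so a term cannot be missed on the next swap.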

Mentioned in SAL (#wikimedia-operations) [2019-08-27T05:36:49Z] <XioNoX> update cloud acls on cr1/2-eqiad - T230980

Marostegui closed this task as Resolved. · Tue, Aug 27, 5:38 AM

And now it works!

marostegui@tools-sgebastion-07:~$ telnet dbproxy1019.eqiad.wmnet 3306
Trying 10.64.37.28...
Connected to dbproxy1019.eqiad.wmnet.
Escape character is '^]'.
Y
5.5.5-10.1.39-MariaD�7qV8V'^'�??�FhZi%uD0b~uQmysql_native_passwordConnection closed by foreign host.
marostegui@tools-sgebastion-07:~$

Thank you!
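
The telnet checks used throughout this task can be scripted so that a dropped connection, a refused connection and a real MariaDB greeting are told apart automatically. The following is an added example, not code from the task or from Wikimedia: the function names and the sample packet are constructed for illustration, with the packet modelled on the greeting visible in the transcripts above.

```python
import socket

# Constructed sample greeting, shaped like the one in the transcripts: 3-byte
# little-endian payload length + sequence id, then the payload. Length 0x59
# prints as "Y" in telnet and protocol version 0x0a prints as a newline.
body = b"\x0a" + b"5.5.5-10.1.39-MariaDB\x00"
SAMPLE_GREETING = b"\x59\x00\x00\x00" + body + bytes(0x59 - len(body))


def parse_greeting(packet: bytes) -> dict:
    """Decode header, protocol version and server version of a greeting."""
    length = int.from_bytes(packet[:3], "little")
    payload = packet[4:4 + length]
    if len(packet) < 5 or length == 0 or len(payload) < length:
        raise ValueError("short or truncated handshake packet")
    if payload[0] == 0xFF:  # ERR packet: the server itself refused this client
        return {"length": length, "protocol": None, "server_version": None}
    end = payload.index(b"\x00", 1)  # version string is NUL-terminated
    return {"length": length, "protocol": payload[0],
            "server_version": payload[1:end].decode("ascii", "replace")}


def probe(host: str, port: int = 3306, timeout: float = 3.0):
    """Return (status, greeting): 'open', 'refused', 'timeout', 'error' or 'no-greeting'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "timeout", None   # no SYN-ACK: dropped by a filter, or host down
    except ConnectionRefusedError:
        return "refused", None   # path is open, nothing listening on the port
    except OSError as exc:
        return "error", str(exc)
    with sock:
        try:
            data = b""
            while len(data) < 4 or len(data) < 4 + int.from_bytes(data[:3], "little"):
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
            return "open", parse_greeting(data)
        except (OSError, ValueError):
            return "no-greeting", None   # TCP connected but no valid handshake


if __name__ == "__main__":
    print(parse_greeting(SAMPLE_GREETING))  # runs offline on the sample
```

Run from the bastion against both proxies, a "timeout" for one host and "open" for the other points at a network filter in the path rather than at the database service.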