Page MenuHomePhabricator
Create Task
Maniphest T237016

Update router ACLs for newer bacula hosts
Closed, ResolvedPublic
Actions

Description

We have new bacula hosts, the analytics firewall requires an update

I see helium is there

akosiaris@re0.cr1-eqiad> show configuration firewall family inet | display set | match bacula    
set firewall family inet filter analytics-in4 term bacula from destination-address 10.64.0.179/32
set firewall family inet filter analytics-in4 term bacula from protocol tcp
set firewall family inet filter analytics-in4 term bacula from protocol udp
set firewall family inet filter analytics-in4 term bacula from destination-port 9103
set firewall family inet filter analytics-in4 term bacula then accept

we need IPv4/IPv6 for backup1001, backup2001

IPv4: 10.64.48.36, 10.192.48.116
IPv6: 2620:0:861:107:10:64:48:36, 2620:0:860:104:10:192:48:116

Details

SubjectRepoBranchLines +/-
Update Bacula configs for analytics-in filtersoperations/homer/publicmaster+16 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

akosiaris created this task.Oct 31 2019, 2:14 PM
Restricted Application added a project: SRE. · View Herald TranscriptOct 31 2019, 2:14 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
akosiaris triaged this task as Medium priority.Oct 31 2019, 2:14 PM
akosiaris added a parent task: T229209: Strengthen backup infrastructure and support.
jcrespo added subscribers: elukey, Ottomata, jcrespo.Nov 4 2019, 10:59 AM

This is currently affecting backups from analytics1029 and an-master1002 FYI T236406#5630631 CC Analytics @Ottomata @elukey .

jcrespo mentioned this in T236406: Switchover backup director service from helium to backup1001.Nov 4 2019, 11:05 AM
gerritbot added a comment.Nov 4 2019, 11:26 AM

Change 548228 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/homer/public@master] Update Bacula configs for analytics-in filters

https://gerrit.wikimedia.org/r/548228

gerritbot added a project: Patch-For-Review.Nov 4 2019, 11:26 AM
elukey added a comment.Nov 4 2019, 11:29 AM

Thanks a lot Jaime!

@akosiaris if the change looks good I can update cr1/cr2 manually (or I can use homer if already available!)

akosiaris added a comment.Nov 4 2019, 12:19 PM

Let a minor comment, namely let's keep helium around for a bit more.

(or I can use homer if already available!)

I don't know tbh. I filed the task explicitly because of this. Probably @ayounsi can tell us if we should use homer for this or not.

Volans subscribed.Nov 4 2019, 12:33 PM

While you wait for @ayounsi I can maybe fill some gap. Homer is already a thing and Arzhel is using and testing it, but it doesn't have yet proper documentation for a wider usage (it will soon though). In the meanwhile, if you do manual changes to network devices is good in any case to have a patch for Homer's templates (when applicable) to keep things in sync.
So thanks for the patch, it's great to have it!

Stashbot added a comment.Nov 4 2019, 1:38 PM

Mentioned in SAL (#wikimedia-operations) [2019-11-04T13:38:00Z] <elukey> update bacula terms on analytics-in{4,6} filters on cr{1,2}-eqiad - T237016

elukey added a comment.Nov 4 2019, 1:38 PM

To keep archives happy:

cr1-eqiad:

elukey@re0.cr1-eqiad# show | compare
[edit firewall family inet filter analytics-in4 term bacula from destination-address]
         10.64.0.179/32 { ... }
+        /* backup1001 */
+        10.64.48.36/32;
+        /* backup2001 */
+        10.192.48.116/32;
[edit firewall family inet6 filter analytics-in6]
       term kerberos { ... }
+      term bacula {
+          from {
+              destination-address {
+                  /* 'backup1001' */
+                  2620:0:861:107:10:64:48:36/128;
+                  /* 'backup2001' */
+                  2620:0:860:104:10:192:48:116/128;
+              }
+              next-header [ tcp udp ];
+              destination-port 9103;
+          }
+          then accept;
+      }
       term default { ... }

cr2-eqiad:

elukey@re0.cr2-eqiad# show | compare
[edit firewall family inet filter analytics-in4 term bacula from destination-address]
         10.64.0.179/32 { ... }
+        /* backup1001 */
+        10.64.48.36/32;
+        /* 'backup2001' */
+        10.192.48.116/32;
[edit firewall family inet6 filter analytics-in6]
       term kerberos { ... }
+      term bacula {
+          from {
+              destination-address {
+                  /* 'backup1001' */
+                  2620:0:861:107:10:64:48:36/128;
+                  /* 'backup2001' */
+                  2620:0:860:104:10:192:48:116/128;
+              }
+              next-header [ tcp udp ];
+              destination-port 9103;
+          }
+          then accept;
+      }
       term default { ... }
gerritbot added a comment.Nov 4 2019, 1:38 PM

Change 548228 merged by Elukey:
[operations/homer/public@master] Update Bacula configs for analytics-in filters

https://gerrit.wikimedia.org/r/548228

akosiaris closed this task as Resolved.Nov 4 2019, 1:43 PM
akosiaris claimed this task.
akosiaris@an-master1002:~$ telnet -4 backup1001.eqiad.wmnet 9103
Trying 10.64.48.36...
Connected to backup1001.eqiad.wmnet.
Escape character is '^]'.

\o/

@elukey thanks!

jcrespo added a comment.Nov 4 2019, 1:45 PM

For the record, the other host affected:

analytics1029:~$ telnet -4 backup1001.eqiad.wmnet 9103
Trying 10.64.48.36...
Connected to backup1001.eqiad.wmnet
Maintenance_bot removed a project: Patch-For-Review.Nov 4 2019, 2:10 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL