Page MenuHomePhabricator
Create Task
Maniphest T345654

cloudservices1006 can't talk to the cloud-wide puppetmaster
Closed, ResolvedPublic
Actions

Description

Designate-sink, running on cloudservices nodes, connects to the puppetmaster to clean certs for deleted VMs.

Right now that doesn't work from cloudservices1006.

2023-09-05 15:22:53.649 4140106 WARNING wmf_sink.base [None req-6ebffc2f-0319-4c31-a048-0c303b8e653f - - - all - -] Remote command ['/usr/bin/ssh', '-o', 'StrictHostKeyChecking=no', '-lcertmanager', '185.15.56.64', 'sudo puppet cert clean fullstackd-20230905140741.admin-monitoring.eqiad.wmflabs'] failed with output b'' and err b'ssh: connect to host 185.15.56.64 port 22: Connection timed out\r\n'
2023-09-05 15:22:53.654 4140106 WARNING wmf_sink.base [None req-e6784487-32f3-404c-96ed-6e38c44f9fb5 - - - - - -] Remote command ['/usr/bin/ssh', '-o', 'StrictHostKeyChecking=no', '-lcertmanager', '185.15.56.64', 'sudo puppet cert clean fullstackd-20230905144625.admin-monitoring.eqiad.wmflabs'] failed with output b'' and err b'ssh: connect to host 185.15.56.64 port 22: Connection timed out\r\n'

Related Objects
Search...

Event Timeline

Andrew created this task.Sep 5 2023, 6:10 PM
Restricted Application edited projects, added cloud-services-team; removed Patch-For-Review, cloud-services-team (FY2023/2024-Q1-Q2). · View Herald TranscriptSep 5 2023, 6:10 PM
taavi closed this task as Resolved.Sep 5 2023, 6:20 PM
taavi claimed this task.

Fixed by adding the following firewall rule to the puppetmaster security group in the cloudinfra project:

image.png (49×1 px, 9 KB)

Andrew added a comment.Sep 5 2023, 6:28 PM

Added this security group rule:

Ingress 	IPv4 	TCP 	8101 	172.20.1.5/32 	- 	cloudservices1006 (private)
Andrew added a comment.Sep 5 2023, 6:29 PM

Taavi's is broader, I'll stick with that one

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits