After a chat with @ayounsi we decided to review some `analytics-in4` terms on cr1/cr2 eqiad because they contain stale IPs.
**logstash**
```
term logstash {
from {
destination-address {
10.64.32.137/32;
10.64.0.122/32;
10.64.48.113/32;
}
protocol udp;
destination-port 12201;
}
then accept;
}
```
This one seems related to T84332 (we don't use logstash for Hadoop anymore) and contains 3 stale IPs (logstash100[1-3], now decommed). I propose to drop it.
**eventlogging_zeromq**
```
term eventlogging_zeromq {
from {
destination-address {
10.64.32.167/32;
}
destination-port [ 8521-8523 8600 8421-8422 ];
}
}
```
Related to an old service running on eventlog1001 (now decommed). I propose to drop it.
**zookeeper**
```
term zookeeper {
from {
destination-address {
/* conf100{1,2,3} */
10.64.0.18/32;
10.64.32.180/32;
10.64.48.111/32;
/* conf100{4,5,6} */
10.64.0.23/32;
10.64.16.29/32;
10.64.48.167/32;
}
protocol tcp;
destination-port [ 2181 2182 2183 ];
}
then accept;
}
```
conf100[1-3] should be removed since zookeeper is not running on them anymore.
**wdqs**
```
term wdqs {
from {
destination-address {
/* wdqs1001 */
10.64.48.112/32;
/* wdqs1002 */
10.64.32.183/32;
/* wdqs1003 */
10.64.0.14/32;
/* wdqs2001 */
10.192.32.148/32;
/* wdqs2002 */
10.192.48.65/32;
/* wdqs2003 */
10.192.0.29/32;
}
protocol tcp;
destination-port 8888;
}
then accept;
}
```
I had a chat with @Addshore and they seem to be using only wdqs1003 at the moment via [[ https://gerrit.wikimedia.org/r/#/c/analytics/wmde/scripts/+/380974/1/src/wikidata/sparql/instanceof.php | this code ]]. There are some stale IPs that need to be updated, and T176875 was also filed as a follow-up. Also adding @gehel for the final word on which hosts are best to use.
**ipsec**
```
term ipsec {
from {
protocol esp;
}
then accept;
}
term ipsec-ike {
from {
protocol udp;
destination-port 500;
}
then accept;
}
```
This one was probably needed to allow IPsec connections from kafka1012->23 to cp*. The kafka hosts no longer need this connection since their webrequest traffic is now handled by Kafka Jumbo (not in the analytics vlan).
**es**
```
/* Revert this when we get a good queue to undo T120281 */
term es {
from {
destination-address {
/* elastic1017 */
10.64.48.39/32;
/* elastic1018 */
10.64.48.40/32;
/* elastic1019 */
10.64.48.41/32;
[..looong list of IPs..]
```
For this one we agreed with @gehel and @dcausse that only a few hosts are needed. They are all listed in [[ https://gerrit.wikimedia.org/r/#/c/wikimedia/discovery/analytics/+/443105/1/oozie/transfer_to_es/bundle.xml | this patch ]]:
* elastic1017
* elastic1051
* elastic1052
* elastic2010
* elastic2035
* elastic2036
**kafka**
IPs are ok but we'd need to add port 9093 to the destination addresses (TLS).
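The review above is a manual pass over each `term`: list its destination addresses, check which hosts still exist, and either prune the stale entries or drop the whole term. The script below does the same check mechanically. It is an added example, not the task author's script and not Wikimedia's own tooling: it parses the quoted Junos `term { from { destination-address { ... } } }` blocks, compares each /32 against a constructed inventory of live addresses (a hypothetical stand-in for DNS or a host inventory), reports stale addresses, marks all-stale terms for removal, and emits a pruned filter. Comments are dropped during parsing because labels such as `conf100{1,2,3}` contain braces.

```python
"""Audit Junos firewall-filter terms for stale destination addresses (added example)."""
import ipaddress
import re
from typing import Dict, List, Set

# Constructed sample: two terms copied from the task plus one protocol-only term.
FILTER_SNIPPET = """
term logstash {
    from {
        destination-address {
            10.64.32.137/32;
            10.64.0.122/32;
            10.64.48.113/32;
        }
        protocol udp;
        destination-port 12201;
    }
    then accept;
}
term zookeeper {
    from {
        destination-address {
            /* conf100{1,2,3} */
            10.64.0.18/32;
            10.64.32.180/32;
            10.64.48.111/32;
            /* conf100{4,5,6} */
            10.64.0.23/32;
            10.64.16.29/32;
            10.64.48.167/32;
        }
        protocol tcp;
        destination-port [ 2181 2182 2183 ];
    }
    then accept;
}
term ipsec {
    from {
        protocol esp;
    }
    then accept;
}
"""

# Constructed inventory (hypothetical): only conf1004-6 count as live here.
# A real run would populate this from DNS or the host inventory.
LIVE_ADDRESSES: Set[str] = {"10.64.0.23", "10.64.16.29", "10.64.48.167"}

_TERM_RE = re.compile(r"\bterm\s+(\S+)\s*\{")
_DST_RE = re.compile(r"destination-address\s*\{(.*?)\}", re.S)
_ADDR_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+(?:/\d+)?)\s*;")


def strip_comments(text: str) -> str:
    """Drop /* ... */ comments so braces inside them cannot confuse the parser."""
    return re.sub(r"/\*.*?\*/", "", text, flags=re.S)


def split_terms(config: str) -> Dict[str, str]:
    """Map term name -> body text (without outer braces), found by brace matching."""
    config = strip_comments(config)
    terms: Dict[str, str] = {}
    for m in _TERM_RE.finditer(config):
        depth, i = 1, m.end()
        while depth and i < len(config):
            depth += {"{": 1, "}": -1}.get(config[i], 0)
            i += 1
        terms[m.group(1)] = config[m.end():i - 1]
    return terms


def destination_addresses(body: str) -> List[str]:
    """CIDR strings under destination-address; empty for protocol-only terms."""
    m = _DST_RE.search(body)
    return _ADDR_RE.findall(m.group(1)) if m else []


def audit(config: str, live: Set[str]) -> Dict[str, dict]:
    """Classify each term's addresses: live if an inventory host falls inside it.

    A term whose addresses are all stale gets drop=True; terms without an
    address list are left alone (drop=False, nothing to prune).
    """
    live_ips = [ipaddress.ip_address(a) for a in live]
    report: Dict[str, dict] = {}
    for name, body in split_terms(config).items():
        stale, current = [], []
        for cidr in destination_addresses(body):
            net = ipaddress.ip_network(cidr, strict=False)
            (current if any(ip in net for ip in live_ips) else stale).append(cidr)
        report[name] = {"live": current, "stale": stale,
                        "drop": bool(stale) and not current}
    return report


def prune(config: str, live: Set[str]) -> str:
    """Return the filter with stale address lines removed and all-stale terms dropped."""
    report = audit(config, live)
    kept = []
    for name, body in split_terms(config).items():
        if report[name]["drop"]:
            continue
        stale = set(report[name]["stale"])
        lines = [ln for ln in body.splitlines()
                 if ln.strip() and ln.strip().rstrip(";") not in stale]
        kept.append(f"term {name} {{\n" + "\n".join(lines) + "\n}")
    return "\n".join(kept)


if __name__ == "__main__":
    for term, info in audit(FILTER_SNIPPET, LIVE_ADDRESSES).items():
        print(f"{term}: stale={info['stale']} drop={info['drop']}")
    print(prune(FILTER_SNIPPET, LIVE_ADDRESSES))
```

Run against the sample, `logstash` is reported with every address stale and is dropped, `zookeeper` keeps only the conf1004-6 lines, and `ipsec` passes through untouched because it has no address list. The pruned output loses the `/* conf100{4,5,6} */` labels, so they need to be re-added by hand before the change is committed.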