From edfbabb549db40fc7134545be423844227a517f9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?=
Date: Thu, 26 Jun 2025 12:25:49 +0200
Subject: [PATCH] Open firewall ports in RDU3 for RDU3 hosts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Aurélien Bompard
---
 inventory/group_vars/rabbitmq_stg | 12 ++++++++----
 .../host_vars/db-fas01.rdu3.fedoraproject.org | 16 ++++++++--------
 inventory/host_vars/noc01.rdu3.fedoraproject.org | 4 ++--
 3 files changed, 18 insertions(+), 14 deletions(-)

diff --git a/inventory/group_vars/rabbitmq_stg b/inventory/group_vars/rabbitmq_stg
index 8b6a116d77..60c29a6f5f 100644
--- a/inventory/group_vars/rabbitmq_stg
+++ b/inventory/group_vars/rabbitmq_stg
@@ -3,7 +3,10 @@ custom_rules: [
 # Neeed for rsync from log01 for logs.
 '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
 # Inter-node traffic
- '-A INPUT -p tcp -m tcp -s 10.3.166.78 --dport 25672 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.166.79 --dport 25672 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.166.80 --dport 25672 -j ACCEPT']
+ '-A INPUT -p tcp -m tcp -s 10.3.166.78 --dport 25672 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.166.79 --dport 25672 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.166.80 --dport 25672 -j ACCEPT',
+ # Same but in RDU3
+ '-A INPUT -p tcp -m tcp -s 10.16.166.78 --dport 25672 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.16.166.79 --dport 25672 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.16.166.80 --dport 25672 -j ACCEPT',
+]
 nft_custom_rules:
 # Neeed for rsync from log01 for logs.
 - 'add rule ip filter INPUT ip saddr 10.3.163.39 tcp dport 873 counter accept'
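Review bot: The log01 rsync allow on port 873 in this custom_rules list (the context line `'-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT'`) still names only the IAD2 address, while the noc01.rdu3 host_vars in this same commit move log01's source to 10.16.163.39; if the rabbitmq_stg hosts are the ones being relocated to RDU3 (hunk 2 drops `datacenter: iad2` and the iad2 kickstart URL, which suggests so), rsync from log01 will be rejected until an RDU3 entry such as `'-A INPUT -p tcp -m tcp -s 10.16.163.39 --dport 873 -j ACCEPT',` sits beside it. The same gap is visible in the nft_custom_rules list at the end of this hunk, whose 873 rule for 10.3.163.39 is also unchanged. Separately, the `# Same but in RDU3` entries make the 25672 allowlist accept node addresses from both datacenters, which is fine during migration but should not be left that way; a comment like `# TODO: remove the 10.3.166.x IAD2 entries once the RDU3 cutover is complete` would keep the ACL from carrying stale sources indefinitely. The enclosing custom_rules list starts before the hunk.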
@@ -12,15 +15,16 @@ nft_custom_rules:
 - 'add rule ip filter INPUT ip saddr 10.3.166.78 tcp dport 25672 counter accept'
 - 'add rule ip filter INPUT ip saddr 10.3.166.79 tcp dport 25672 counter accept'
 - 'add rule ip filter INPUT ip saddr 10.3.166.80 tcp dport 25672 counter accept'
-datacenter: iad2
+ # In RDU3
+ - 'add rule ip filter INPUT ip saddr 10.16.166.78 tcp dport 25672 counter accept'
+ - 'add rule ip filter INPUT ip saddr 10.16.166.79 tcp dport 25672 counter accept'
+ - 'add rule ip filter INPUT ip saddr 10.16.166.80 tcp dport 25672 counter accept'
 ipa_host_group: rabbitmq
 ipa_host_group_desc: RabbitMQ service
 ipa_shell_groups:
 - sysadmin-messaging
 ipa_client_sudo_groups:
 - sysadmin-messaging
-ks_repo: https://infrastructure.fedoraproject.org/repo/rhel/RHEL8-x86_64/
-ks_url: https://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-8-iad2
 # Define resources for this group of hosts here.
 lvm_size: 20000
 mem_size: 8192
diff --git a/inventory/host_vars/db-fas01.rdu3.fedoraproject.org b/inventory/host_vars/db-fas01.rdu3.fedoraproject.org
index f240ae1aad..ff86aa7eac 100644
--- a/inventory/host_vars/db-fas01.rdu3.fedoraproject.org
+++ b/inventory/host_vars/db-fas01.rdu3.fedoraproject.org
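Review bot: `datacenter: iad2` is removed here with no replacement value, and the `ks_repo`/`ks_url` removals are not covered by the commit title, which only speaks of opening firewall ports; if any play or template selects firewall, repo or kickstart settings by `datacenter`, the staging rabbitmq hosts now depend on a value defined somewhere this diff does not show (host_vars or a role default). A one-line comment at the removal point, e.g. `# datacenter and kickstart settings now come from per-host vars (rdu3 migration)`, or a sentence in the commit message, would make that intent auditable later. The `# In RDU3` label on the new nft entries would also read more clearly as `# Inter-node traffic, RDU3 node addresses`, matching the wording used for the iptables list in the previous hunk.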
@@ -4,16 +4,16 @@
 #
 nft_custom_rules:
 # Openshift nodes (egress policy will block connection from non-authorized projects)
- - 'add rule ip filter INPUT ip saddr 10.3.163.69 tcp dport 5432 counter accept'
- - 'add rule ip filter INPUT ip saddr 10.3.163.70 tcp dport 5432 counter accept'
- - 'add rule ip filter INPUT ip saddr 10.3.163.71 tcp dport 5432 counter accept'
- - 'add rule ip filter INPUT ip saddr 10.3.163.72 tcp dport 5432 counter accept'
- - 'add rule ip filter INPUT ip saddr 10.3.163.73 tcp dport 5432 counter accept'
+ - 'add rule ip filter INPUT ip saddr 10.16.163.69 tcp dport 5432 counter accept'
+ - 'add rule ip filter INPUT ip saddr 10.16.163.70 tcp dport 5432 counter accept'
+ - 'add rule ip filter INPUT ip saddr 10.16.163.71 tcp dport 5432 counter accept'
+ - 'add rule ip filter INPUT ip saddr 10.16.163.72 tcp dport 5432 counter accept'
+ - 'add rule ip filter INPUT ip saddr 10.16.163.73 tcp dport 5432 counter accept'
 # noc01 needs to connect to check the db
- - 'add rule ip filter INPUT ip saddr 10.3.163.10 tcp dport 5432 counter accept'
+ - 'add rule ip filter INPUT ip saddr 10.16.163.10 tcp dport 5432 counter accept'
 # Ipsilon VMs
- - 'add rule ip filter INPUT ip saddr 10.3.163.105 tcp dport 5432 counter accept'
- - 'add rule ip filter INPUT ip saddr 10.3.163.106 tcp dport 5432 counter accept'
+ - 'add rule ip filter INPUT ip saddr 10.16.163.105 tcp dport 5432 counter accept'
+ - 'add rule ip filter INPUT ip saddr 10.16.163.106 tcp dport 5432 counter accept'
 # This is a generic list, monitored by collectd
 databases:
 - fas2
diff --git a/inventory/host_vars/noc01.rdu3.fedoraproject.org b/inventory/host_vars/noc01.rdu3.fedoraproject.org
index f509d3c181..91762bfb91 100644
--- a/inventory/host_vars/noc01.rdu3.fedoraproject.org
+++ b/inventory/host_vars/noc01.rdu3.fedoraproject.org
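Review bot: The five OpenShift node allows on 5432 are a mechanical 10.3.163.x → 10.16.163.x rewrite, and the comment they sit under, `# Openshift nodes (egress policy will block connection from non-authorized projects)`, describes a control on the IAD2 cluster; nothing in this diff shows that the RDU3 cluster has the same egress policy, and without it every workload on those nodes presumably reaches the FAS database through this source-address allowlist. Before these rules are applied it is worth confirming that the RDU3 nodes really hold .69–.73 (and noc01 .10, the Ipsilon VMs .105/.106), since an allow for an address that is later reassigned to another host silently opens 5432 to it. I would extend the comment to `# Openshift nodes (RDU3; relies on the cluster egress policy to restrict which projects may reach 5432)` so the dependency is recorded next to the rules.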
@@ -2,13 +2,13 @@ custom_rules: [
 '-A INPUT -p tcp -m tcp -s 192.168.1.20 --dport 5666 -j ACCEPT',
 # needed to allow rsync from log01
- '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT',
+ '-A INPUT -p tcp -m tcp -s 10.16.163.39 --dport 873 -j ACCEPT',
 '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT'
 ]
 nft_custom_rules:
 - 'add rule ip filter INPUT ip saddr 192.168.1.20 tcp dport 5666 counter accept'
 # needed to allow rsync from log01
- - 'add rule ip filter INPUT ip saddr 10.3.163.39 tcp dport 873 counter accept'
+ - 'add rule ip filter INPUT ip saddr 10.16.163.39 tcp dport 873 counter accept'
 - 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept'
 datacenter: rdu3
 eth0_ipv4_gw: 10.16.163.254