This ip had hit release-monitoring.org like 5,000,000 times in the
course of a few hours and swamped its web pod.
Let's block it for now and see if anyone complains.
If this is you: please add some rate limiting.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Seems like the proxies don't want to handle port 80 nicely, I get
errors in Zabbix for them using localhost:80/apache-status (which
works elsewhere, like sundries). However using https/443 seems to
work, so we'll do that instead.
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
There are no log messages about it, but we have been seeing some odd
connection reset messages and collectd shows we are near the 2500 limit
we had.
So, bump this to 3200 (based on 8 cpus * 300).
If we need to bump this more, we probably need to add cpus.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This ip is posting to /rpms/seahorse/pull-request/5/comment?js=1
about 400k times a day.
It may be a script gone wrong or something.
Remove the block if the user says they fixed it.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We need this because the cluster needs to be able to access api in order
to pull images, etc. So, in rdu3 proxies we go direct to the cluster
nodes, but in all the other proxies we go via the vpn.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We need the rdu3 proxies to directly talk to the openshift compute
nodes, as it needs this to work to pull images.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We can't easily use the existing hostname/site, as that goes to the
current iad2 cluster, so setup a -rdu3 version for now.
After we switch we can drop this and repoint the main one to the new
cluster.
Hopefully this all works and does the right thing.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
migrated notes from infra/hosts
motd changes; excluding CSI infos
removed csi_* vars from group_vars; converted csi_purpose & csi_relationship into notes
fixed merge conflicts
minor changes; var
updating YAMLs & playbooks
updated YAMLs & playbooks again
updated correctly; buildhw.yml
fixing merge conflicts
dest added in motd.yml
This has been hitting us on a few proxies (14 and now 3).
There's no particular harm to increasing this, they seem to handle
things just fine.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This is pretty harmless. It's the haproxy stats page, but
we get questions about it and people don't like that it's
there. There's also no reason to keep it open as we normally
access this via a proxy.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Our openshift 3.11 cluster(s) served us long and well.
Now we have everything finally moved to the openshift 4 clusters (fas2
was the last holdout). We can finally retire this. :)
🎉🥂
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
I think I handled all the special cases here already.
We want to switch non iad2 proxies to reach the oco4 cluster over its
vpn now that it has one. This should allow us to still keep ipv6
available for applications and not have to change dns for moving from
ocp3 cluster anymore. Will roll this out slowly to one proxy then
another, then the rest if it all looks ok.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This fixes ticket 10521.
Basically we want to just open the api. It requires auth to do anything
and other openshift instances have it available, so it shouldn't
hopefully expose us to too much risk. With ocp3 the api was part of the
normal port/web flow, but with ocp4 it's a separate port.
This also adds new workers to haproxy. I can drop that part if it's
controversial, but it should be fine I would think.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This was done using yq
(https://mikefarah.gitbook.io/yq/operators/sort-keys).
Doing things this way makes it much easier to see if a variable is set
in a file or if two hosts differ in what variables they set. Hopefully
we can keep things sorted moving forward.
Basically this means just sort a-z anything you add to any host or group
variable and it will be in the right place.
Additionally, this enforces 'normal' indent rules for all the variable
files which we should also try and obey. 2 spaces for first level, 3 for
next, etc. When in doubt you can run yq on it.
This should cause NO actual variable changes, it's all just readability
fixing for humans, ansible parses it exactly the same.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Also add a ssl connection cache.
These changes are live on proxy01/10 and seem to have made them stable
again. Will look at pushing to the rest tomorrow.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>