We're looking to publish fedmsg messages from the copr backend. The node that it lives on is in the cloud and so will need to follow the same route as the secondary arch compose nodes. We have an inbound fedmsg relay running on busgateway01, port 9941, and haproxy proxies connections to it from hub.fedoraproject.org, port 9941.
We have that external port firewalled to only allow connections from the secondary arch compose nodes, and the copr backend!
I only discovered today, as we went to test this for the first time, that the IP listed in manifests/services/proxy.pp is incorrect.
I'd like to make this change to set it straight:
diff --git a/manifests/services/proxy.pp b/manifests/services/proxy.pp index 01b39d3..529b242 100644 --- a/manifests/services/proxy.pp +++ b/manifests/services/proxy.pp @@ -1012,7 +1012,7 @@ if $puppetEnvironment == 'staging'{ tcpPorts => [ 80, 443, 873, 8080, 6081, 9939, 9940], custom => [ # Allow copr-be.cloud to talk to the inbound relay. - '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.142 -j ACCEPT', + '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.131 -j ACCEPT', # Also, ppc-composer.qa.fedoraproject.org (secondary arch) '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.181.33 -j ACCEPT', # Also, s390-hub01.qa.fedoraproject.org (secondary arch)
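Review bot: The `+` rule still identifies the copr backend by a literal source address, and the only thing tying 209.132.184.131 to copr-be.cloud is the comment above it, so a wrong or later-changed address goes unnoticed until someone tests the relay. Before this is pushed, confirm the address against the host's current public IP, and consider defining it once as a variable next to the host name so the rule and its comment cannot drift apart. The hunk header also shows `if $puppetEnvironment == 'staging'{` as the enclosing context; it is worth confirming which branch this `custom` list belongs to, since the message expects the rule to reach every proxy.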
This is potentially high impact in that it will be distributed to all of our proxies (which everything depends on). On the other hand, it is a really simple change that only modifies the last chunk of that IP address.
Can I get two +1's?
-Ralph
Yeah, this actually goes to every puppet managed host with the change. ;)
Anyhow, it's a simple change, so +1 here.
kevin
+1
On Nov 8, 2013 4:31 PM, "Ralph Bean" rbean@redhat.com wrote:
We're looking to publish fedmsg messages from the copr backend. The node that it lives on is in the cloud and so will need to follow the same route as the secondary arch compose nodes. We have an inbound fedmsg relay running on busgateway01, port 9941, and haproxy proxies connections to it from hub.fedoraproject.org, port 9941.
We have that external port firewalled to only allow connections from the secondary arch compose nodes, and the copr backend!
I only discovered today, as we went to test this for the first time, that the IP listed in manifests/services/proxy.pp is incorrect.
I'd like to make this change to set it straight:
diff --git a/manifests/services/proxy.pp b/manifests/services/proxy.pp index 01b39d3..529b242 100644 --- a/manifests/services/proxy.pp +++ b/manifests/services/proxy.pp @@ -1012,7 +1012,7 @@ if $puppetEnvironment == 'staging'{ tcpPorts => [ 80, 443, 873, 8080, 6081, 9939, 9940], custom => [ # Allow copr-be.cloud to talk to the inbound relay.
'-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.142 -j
ACCEPT',
'-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.131 -j
ACCEPT', # Also, ppc-composer.qa.fedoraproject.org (secondary arch) '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.181.33 -j ACCEPT', # Also, s390-hub01.qa.fedoraproject.org (secondary arch)
This is potentially high impact in that it will be distributed to all of our proxies (which everything depends on). On the other hand, it is a really simple change that only modifies the last chunk of that IP address.
Can I get two +1's?
-Ralph