Rush has submitted this change and it was merged.

Change subject: Specify SSHD listen address for lvs hosts
......................................................................
Specify SSHD listen address for lvs hosts In order to safely offer a service on port 22 on a service ip we should restrict what IP SSH can listen on for host access. I used: for host in `cat lvshosts`; \ do ssh $host "hostname -f && \ /usr/bin/facter | grep 'ipaddress_eth0 ' \ && host \`/bin/hostname -f\`"; done where lvshosts are defined as: puppet cert -l -all | \ grep lvs | awk '{print $2}' \ | cut -d \" -f 2 ...to verify that existing LVS hosts are using their eth0 address for ssh access now. ref T100519 Change-Id: Ie6ec636e8d6f0979ba81d2806a6b9cc15e4c2d11 --- M hieradata/role/common/lvs/balancer.yaml 1 file changed, 2 insertions(+), 0 deletions(-) Approvals: Rush: Verified; Looks good to me, approved Alexandros Kosiaris: Looks good to me, but someone else must approve BBlack: Looks good to me, but someone else must approve diff --git a/hieradata/role/common/lvs/balancer.yaml b/hieradata/role/common/lvs/balancer.yaml index e3bf6cc..59d817a 100644 --- a/hieradata/role/common/lvs/balancer.yaml +++ b/hieradata/role/common/lvs/balancer.yaml @@ -1 +1,3 @@ cluster: lvs +# fqdn should resolve to the IP on eth0 +ssh::server::listen_address: %{::ipaddress_eth0} -- To view, visit https://gerrit.wikimedia.org/r/243982 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Ie6ec636e8d6f0979ba81d2806a6b9cc15e4c2d11 Gerrit-PatchSet: 5 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Rush <r...@wikimedia.org> Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org> Gerrit-Reviewer: BBlack <bbl...@wikimedia.org> Gerrit-Reviewer: Rush <r...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
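Review bot: In the balancer.yaml hunk, the value on the added `ssh::server::listen_address` line is an unquoted scalar that begins with `%`, which YAML reserves as an indicator character and does not allow at the start of a plain scalar, so the interpolation token should be quoted: `ssh::server::listen_address: "%{::ipaddress_eth0}"`. The added comment states that the fqdn should resolve to the IP on eth0, but the commit message shows this was only checked by hand over the current LVS hosts; it would help to note what happens on a balancer where the `ipaddress_eth0` fact is missing or does not match the fqdn, since the interpolated listen address then no longer names the host-access IP the change is meant to pin sshd to.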