[MediaWiki-commits] [Gerrit] Specify SSHD listen address for lvs hosts - change (operations/puppet)

2015-10-07 Thread Rush (Code Review)
Rush has submitted this change and it was merged.

Change subject: Specify SSHD listen address for lvs hosts
..


Specify SSHD listen address for lvs hosts

In order to safely offer a service on port 22 on a
service ip we should restrict what IP SSH can listen
on for host access.

I used:

for host in `cat lvshosts`; \
do ssh $host "hostname -f && \
/usr/bin/facter | grep  'ipaddress_eth0 ' \
&& host \`/bin/hostname  -f\`"; done

where lvshosts are defined as:

puppet cert -l -all | \
grep lvs | awk '{print $2}' \
| cut -d \"  -f 2

...to verify that existing LVS hosts are using their eth0
address for ssh access now.

ref T100519

Change-Id: Ie6ec636e8d6f0979ba81d2806a6b9cc15e4c2d11
---
M hieradata/role/common/lvs/balancer.yaml
1 file changed, 2 insertions(+), 0 deletions(-)

Approvals:
  Rush: Verified; Looks good to me, approved
  Alexandros Kosiaris: Looks good to me, but someone else must approve
  BBlack: Looks good to me, but someone else must approve



diff --git a/hieradata/role/common/lvs/balancer.yaml 
b/hieradata/role/common/lvs/balancer.yaml
index e3bf6cc..59d817a 100644
--- a/hieradata/role/common/lvs/balancer.yaml
+++ b/hieradata/role/common/lvs/balancer.yaml
@@ -1 +1,3 @@
 cluster: lvs
+# fqdn should resolve to the IP on eth0
+ssh::server::listen_address: %{::ipaddress_eth0}
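Review bot: the value on the `ssh::server::listen_address` line should be quoted as `"%{::ipaddress_eth0}"`; a YAML plain scalar may not begin with `%`, so libyaml-based parsers (Ruby's Psych, which hiera uses) reject the unquoted form with "found character that cannot start any token" and the interpolation never runs. The comment above it records an assumption (fqdn resolves to the eth0 address) that nothing in the data enforces; if the fact is missing on a host, e.g. after an interface rename, the interpolation yields an empty string rather than a catalog failure, so the resolution check from the commit message is worth keeping as a recurring check rather than a one-off.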

-- 
To view, visit https://gerrit.wikimedia.org/r/243982
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ie6ec636e8d6f0979ba81d2806a6b9cc15e4c2d11
Gerrit-PatchSet: 5
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Rush 
Gerrit-Reviewer: Alexandros Kosiaris 
Gerrit-Reviewer: BBlack 
Gerrit-Reviewer: Rush 
Gerrit-Reviewer: jenkins-bot <>

___
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
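A fail-closed version of the verification loop described in the commit message, added here as an example that is not part of the change: it parses the text that `facter` and `host $(hostname -f)` print (constructed samples below, not output from a real LVS host) and only passes when the FQDN resolves to exactly the eth0 address, so an empty fact or a stale DNS record is caught before sshd is restricted to that address.

```shell
#!/bin/sh
# Added example: pre-flight check before restricting sshd to $::ipaddress_eth0.
# The sample inputs are constructed, not captured from a production host.

# Extract the eth0 address from facter's "key => value" output.
eth0_from_facter() {
    awk '$1 == "ipaddress_eth0" { print $3 }'
}

# Extract every A record from `host` output ("name has address x.x.x.x").
addrs_from_host() {
    awk '/ has address / { print $4 }'
}

# Return 0 only when the FQDN resolves to exactly one address and that address
# is the eth0 address; any other outcome means the restricted ListenAddress
# would not be the one operators reach via the hostname.
check_listen_address() {
    eth0="$1"
    addrs="$2"
    if [ -z "$eth0" ]; then
        echo "no ipaddress_eth0 fact; ListenAddress would be empty" >&2
        return 1
    fi
    count=$(printf '%s\n' "$addrs" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "fqdn resolves to $count addresses, expected exactly 1" >&2
        return 1
    fi
    if [ "$addrs" != "$eth0" ]; then
        echo "fqdn resolves to $addrs but eth0 is $eth0" >&2
        return 1
    fi
    return 0
}

# Constructed samples standing in for the real command output.
FACTER_OK='ipaddress_eth0 => 10.64.0.12
ipaddress_lo => 127.0.0.1'
HOST_OK='lvs1001.example.wmnet has address 10.64.0.12'
HOST_STALE='lvs1001.example.wmnet has address 10.64.0.99'

# Run as a script: the good case passes, the stale DNS record is refused.
run_demo() {
    eth0=$(printf '%s\n' "$FACTER_OK" | eth0_from_facter)
    check_listen_address "$eth0" "$(printf '%s\n' "$HOST_OK" | addrs_from_host)" && echo "ok: $eth0"
    check_listen_address "$eth0" "$(printf '%s\n' "$HOST_STALE" | addrs_from_host)" || echo "refused stale record"
}
```

On a real host the two awk filters would be fed by `facter` and `host "$(hostname -f)"` instead of the constructed strings.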


[MediaWiki-commits] [Gerrit] Specify SSHD listen address for lvs hosts - change (operations/puppet)

2015-10-06 Thread Rush (Code Review)
Rush has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/243982

Change subject: Specify SSHD listen address for lvs hosts
..

Specify SSHD listen address for lvs hosts

In order to safely offer a service on port 22 on a
service ip we should restrict what IP SSH can listen
on for host access.

I used:

for host in `cat lvshosts`; \
do ssh $host "hostname -f && \
/usr/bin/facter | grep  'ipaddress_eth0 ' \
&& host \`/bin/hostname  -f\`"; done

where lvshosts are defined as:

puppet cert -l -all | \
grep lvs | awk '{print $2}' \
| cut -d \"  -f 2

...to verify that existing LVS hosts are using their eth0
address for ssh access now.

ref T100519

Change-Id: Ie6ec636e8d6f0979ba81d2806a6b9cc15e4c2d11
---
M modules/role/manifests/lvs/balancer.pp
1 file changed, 6 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/82/243982/1

diff --git a/modules/role/manifests/lvs/balancer.pp 
b/modules/role/manifests/lvs/balancer.pp
index 5478edf..4003055 100644
--- a/modules/role/manifests/lvs/balancer.pp
+++ b/modules/role/manifests/lvs/balancer.pp
@@ -1,4 +1,5 @@
 class role::lvs::balancer {
+
 system::role { "role::lvs::balancer": description => "LVS balancer" }
 
 $rp_args = inline_template('<%= @interfaces.split(",").map{|x| 
"net.ipv4.conf.#{x.gsub("_","/")}.rp_filter=0" if !x.start_with?("lo") 
}.compact.join(",") %>')
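Review bot: this hunk only inserts a blank line after the class opening; a whitespace-only change is better left out of a functional change so the diff shows just the sshd listen-address work.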
@@ -7,6 +8,11 @@
 nrpe_command => "/usr/lib/nagios/plugins/check_sysctl ${rp_args}",
 }
 
+# fqdn should resolve to the IP on eth0
+class {'ssh::server':
+listen_address => $::ipaddress_eth0,
+}
+
 include lvs::configuration
 $sip = $lvs::configuration::service_ips
 
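Review bot: the resource-like `class {'ssh::server': ... }` declaration will collide with any earlier `include ssh::server` (from a base class or another role applied to the same node), which Puppet reports as a duplicate class declaration; supplying `ssh::server::listen_address` through hiera data binding, as the merged patchset 5 does in hieradata/role/common/lvs/balancer.yaml, keeps the `include` form working everywhere. The comment also states an assumption (fqdn resolves to the eth0 address) that nothing here checks, and `$::ipaddress_eth0` is passed through without a guard; consider a `fail()` when the fact is undef so the catalog stops rather than sshd being configured with a missing or wrong listen address.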

-- 
To view, visit https://gerrit.wikimedia.org/r/243982
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie6ec636e8d6f0979ba81d2806a6b9cc15e4c2d11
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Rush 
