fedora-infra / ansible

Clone
Source Code
GIT

#147 [osbs] update ips from phx2 to iad2
Merged 3 years ago by mobrien. Opened 3 years ago by mobrien.
Unknown source osbs-update-ips-iad2  into  master

file modified
+2 -2 
@@ -1,2 +1,2 @@
 

- server=/fedoraproject.org/10.5.126.21
 

- server=/fedoraproject.org/10.5.126.22
 

+ server=/fedoraproject.org/10.3.163.33
 

+ server=/fedoraproject.org/10.3.163.34

file modified
+27 -28 
@@ -30,48 +30,47 @@
 

  

  # Now insert access to allowed boxes
 

  # docker-registry
 

- iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.125.56 --dport 443 -j ACCEPT
 

+ #iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.125.56 --dport 443 -j ACCEPT
 

  

  #koji.fp.o
 

- iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.125.61 --dport 80 -j ACCEPT
 

- iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.125.61 --dport 443 -j ACCEPT
 

+ iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.169.104 --dport 80 -j ACCEPT
 

+ iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.169.104 --dport 443 -j ACCEPT
 

  

  # pkgs
 

- iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.125.44 --dport 80 -j ACCEPT
 

- iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.125.44 --dport 443 -j ACCEPT
 

- iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.125.44 --dport 9418 -j ACCEPT
 

+ iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.169.116 --dport 80 -j ACCEPT
 

+ iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.169.116 --dport 443 -j ACCEPT
 

+ iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.169.116 --dport 9418 -j ACCEPT
 

  

  # DNS
 

- iptables -A FILTER_FORWARD -p udp -m udp -d 10.5.126.21 --dport 53 -j ACCEPT
 

- iptables -A FILTER_FORWARD -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT
 

+ iptables -A FILTER_FORWARD -p udp -m udp -d 10.3.163.33 --dport 53 -j ACCEPT
 

+ iptables -A FILTER_FORWARD -p udp -m udp -d 10.3.163.33 --dport 53 -j ACCEPT
 

  

  # mirrors.fp.o
 

- iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.8 --dport 443 -j ACCEPT
 

- iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.9 --dport 443 -j ACCEPT
 

- iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.51 --dport 443 -j ACCEPT
 

- iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.52 --dport 443 -j ACCEPT
 

+ iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.76 --dport 443 -j ACCEPT
 

+ iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.77 --dport 443 -j ACCEPT
 

+ iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.75 --dport 443 -j ACCEPT
 

+ iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.74 --dport 443 -j ACCEPT
 

  

  # infrastructure.fp.o (infra repos)
 

- iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.23 --dport 443 -j ACCEPT
 

+ iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.35 --dport 443 -j ACCEPT
 

  

  # Kerberos
 

- iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.8 --dport 1088 -j ACCEPT
 

- iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.9 --dport 1088 -j ACCEPT
 

- iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.51 --dport 1088 -j ACCEPT
 

- iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.52 --dport 1088 -j ACCEPT
 

+ iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.76 --dport 1088 -j ACCEPT
 

+ iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.77 --dport 1088 -j ACCEPT
 

+ iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.75 --dport 1088 -j ACCEPT
 

+ iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.74 --dport 1088 -j ACCEPT
 

  

  # dl.phx2

we should update that comment to replace phx2 by iad2

 
- iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.93 --dport 80 -j ACCEPT
 

- iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.93 --dport 443 -j ACCEPT
 

- iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.94 --dport 80 -j ACCEPT
 

- iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.94 --dport 443 -j ACCEPT
 

- iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.95 --dport 80 -j ACCEPT
 

- iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.95 --dport 443 -j ACCEPT
 

- iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.96 --dport 80 -j ACCEPT
 

- iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.96 --dport 443 -j ACCEPT
 

- iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.97 --dport 80 -j ACCEPT
 

- iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.97 --dport 443 -j ACCEPT
 

- 

+ iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.49 --dport 80 -j ACCEPT
 

+ iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.49 --dport 443 -j ACCEPT
 

+ iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.50 --dport 80 -j ACCEPT
 

+ iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.50 --dport 443 -j ACCEPT
 

+ iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.51 --dport 80 -j ACCEPT
 

+ iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.51 --dport 443 -j ACCEPT
 

+ iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.85 --dport 80 -j ACCEPT
 

+ iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.85 --dport 443 -j ACCEPT
 

+ iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.84 --dport 80 -j ACCEPT
 

+ iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.84 --dport 443 -j ACCEPT
 

  

  # Docker is CRAZY and forces Google DNS upon us.....
 

  iptables -A FILTER_FORWARD -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT

file modified
+3 -3 
@@ -639,7 +639,7 @@
 

      - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
 

    tasks:
 

      - name: enable nrpe for monitoring (noc01)
 

-       iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT
 

+       iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.3.163.10 state=present jump=ACCEPT
 

        tags:
 

        - iptables
 

  
@@ -684,7 +684,7 @@
 

  

    tasks:
 

      - name: enable nrpe for monitoring (noc01)
 

-       iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT
 

+       iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.3.163.10 state=present jump=ACCEPT
 

        tags:
 

        - iptables
 

  
@@ -810,4 +810,4 @@
 

        changed_when: "'Downloaded newer image' in docker_pull_fedora.stdout"
 

  

      - name: enable nrpe for monitoring (noc01)
 

-       iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT
 

+       iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.3.163.10 state=present jump=ACCEPT

file modified
+3 -3 
@@ -28,7 +28,7 @@
 

      - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
 

    tasks:
 

      - name: enable nrpe for monitoring (noc01)
 

-       iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT
 

+       iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.3.163.10 state=present jump=ACCEPT
 

        tags:
 

        - iptables
 

  
@@ -68,7 +68,7 @@
 

  

    tasks:
 

      - name: enable nrpe for monitoring (noc01)
 

-       iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT
 

+       iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.3.163.10 state=present jump=ACCEPT
 

        tags:
 

        - iptables
 

  
@@ -192,4 +192,4 @@
 

        changed_when: "'Downloaded newer image' in docker_pull_fedora.stdout"
 

  

      - name: enable nrpe for monitoring (noc01)
 

-       iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT
 

+       iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.3.163.10 state=present jump=ACCEPT

no initial comment

Build succeeded.

For some reason inline comment won't work for me. The IP on https://pagure.io/fedora-infra/ansible/pull-request/147#_2__2 is the only one left.

I am not sure what this relates to, I thought it may be one of the oci-registries but the IP doesn't match to the phx2 version of any of them.

I'd say just remove it. I can't find it in old dns git repo either... that ip shows as 'unassigned'

1 new commit added

  • [osbs] comment out unkown ip in iptables
3 years ago

rebased onto 6ce987e
3 years ago

rebased onto 6ce987e
3 years ago

Pull-Request has been merged by mobrien
3 years ago

Build succeeded.

we should update that comment to replace phx2 by iad2

1 small comment but otherwise LGTM.
Metadata
None
No Tags
Flags
Zuul
success
Jobs result is success
3 years ago
Changes Summary 4
+2 -2
file changed
files/osbs/fedora-dnsmasq.conf.production
+27 -28
file changed
files/osbs/fix-docker-iptables.production
+3 -3
file changed
playbooks/groups/osbs-cluster.yml
+3 -3
file changed
playbooks/groups/osbs/osbs-post-install.yml
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.