#9182 Build hosts trying to connect to port 9940 to ci.centos.org and others
Closed: Fixed 4 months ago by smooge. Opened 6 months ago by smooge.

Describe what you would like us to do:

Currently the IAD2 firewall is recording connections from

to port 9940 on pagure.io, ci.centos.org and anitya.fedoraproject.org

  1. Should these be allowed for the time being?
  2. Why are these services still doing this and should they?
  3. If they are to remain should they go over the vpn?

When do you need this to be done by? (YYYY/MM/DD)

So I've checked bodhi-backend01:

fedmsg is installed:

# rpm -qa |grep fedm

It's pulled in by pungi:

# yum remove python3-fedmsg
Dependencies resolved.
 Package                          Architecture      Version                            Repository                Size
 python3-fedmsg                   noarch            1.1.1-9.fc32                       @fedora                  1.3 M
Removing dependent packages:
 fedmsg                           noarch            1.1.1-9.fc32                       @fedora                   27 k
 pungi-utils                      noarch            4.2.3-2.fc32.infra.2               @@commandline             99 k

The process running fedmsg seems to also be pungi:

# ps aux |grep fedm
apache   2132923 32.9  2.1 4311124 2169404 ?     Sl   18:14   7:38 /usr/bin/python3 /usr/bin/pungi-koji --config /tmp/bodhi-pungi-f31-updates-7bm02rt9/pungi.conf --quiet --print-output-dir --target-dir /mnt/koji/compose/updates/ --old-composes /mnt/koji/compose/updates/ --no-latest-link --label Update-20200730.1814 --notification-script=/usr/bin/pungi-fedmsg-notification --notification-script=pungi-wait-for-signed-ostree-handler

This makes me believe that bodhi-backend01 is only trying to send messages, which should require only accessing FMN, busgateway and datagrepper.

Pretty sure we can drop cico from there, especially considering that CI doesn't do anything with pungi messages.


This is definitely the pdc-updaters that are still running in fedmsg-hub.

I can stop them if we want

Metadata Update from @mobrien:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: groomed, medium-gain, medium-trouble

6 months ago

I have confirmed with the CI folks that fedora-ci is no longer sending any notifications via fedmsg, so there is no need to try to listen to anything there.

These should be allowed now

Metadata Update from @smooge:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

5 months ago

> These should be allowed now

I don't think we should; my investigation was about: do we need this? And apparently we don't, so I was planning on fixing things in Ansible so these hosts do not try to access ci.centos.org, which is not needed.

Metadata Update from @pingou:
- Issue status updated to: Open (was: Closed)

5 months ago

I have removed all references to ci.centos.org in https://pagure.io/fedora-infra/ansible/c/36616fc5210205b5705bdf09ab62ca55ea6ed6bb?branch=master

It'll be deployed in the next master playbook run or so and we can put the firewall back on :)

@smooge should we ask to close this port in the firewall?

Opening internal ticket and closing this one.

Metadata Update from @smooge:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

4 months ago
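
An added example, not code from this ticket or from the fedora-infra Ansible repository: a Python check that lists which entries in a fedmsg-style `endpoints` mapping would cause outbound connections to port 9940 and flags the hosts that are not on an allowlist. The sample mapping, the allowlist and all function names are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

FEDMSG_PORT = 9940  # port named in the ticket

# Constructed sample in the shape of a fedmsg "endpoints" mapping
# (name -> list of ZeroMQ URLs); not the real infrastructure config.
SAMPLE_ENDPOINTS = {
    "pagure": ["tcp://pagure.io:9940"],
    "anitya": ["tcp://anitya.fedoraproject.org:9940"],
    "ci": ["tcp://ci.centos.org:9940"],
    "local-relay": ["tcp://127.0.0.1:3999"],
}

# Hypothetical allowlist of hosts a consumer still needs (an assumption).
NEEDED_HOSTS = {"pagure.io", "anitya.fedoraproject.org"}


def is_loopback(host):
    """True for localhost or a loopback IP literal."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a DNS name, not an IP literal


def outbound(endpoints, port=FEDMSG_PORT):
    """Yield (name, host) for every non-loopback tcp endpoint on `port`."""
    for name, urls in sorted(endpoints.items()):
        for url in urls:
            parts = urlsplit(url)
            if parts.scheme != "tcp" or not parts.hostname:
                continue
            if parts.port == port and not is_loopback(parts.hostname):
                yield name, parts.hostname


def unneeded(endpoints, needed_hosts, port=FEDMSG_PORT):
    """Endpoints that would hit the firewall but are not on the allowlist."""
    return [(n, h) for n, h in outbound(endpoints, port) if h not in needed_hosts]


if __name__ == "__main__":
    for name, host in unneeded(SAMPLE_ENDPOINTS, NEEDED_HOSTS):
        print(f"{name}: {host}:{FEDMSG_PORT} is configured but not needed")
```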
