#9182 Build hosts trying to connect to port 9940 to ci.centos.org and others
Opened 6 days ago by smooge. Modified 18 hours ago

Describe what you would like us to do:


Currently the IAD2 firewall is recording connections from
bodhi-backend01
pdc-backend0{1,2,3}
mbs-backend{1,2,3}

to port 9940 on pagure.io, ci.centos.org and anitya.fedoraproject.org

  1. Should these be allowed for the time being?
  2. Why are these services still doing this, and should they?
  3. If they are to remain, should they go over the vpn?

When do you need this to be done by? (YYYY/MM/DD)



So I've checked bodhi-backend01:

fedmsg is installed:

# rpm -qa |grep fedm
fedmsg-base-1.1.1-9.fc32.noarch
python3-fedmsg-1.1.1-9.fc32.noarch
fedmsg-1.1.1-9.fc32.noarch

It's pulled in by pungi:

# yum remove python3-fedmsg
Dependencies resolved.
======================================================================================================================
 Package                          Architecture      Version                            Repository                Size
======================================================================================================================
Removing:
 python3-fedmsg                   noarch            1.1.1-9.fc32                       @fedora                  1.3 M
Removing dependent packages:
 fedmsg                           noarch            1.1.1-9.fc32                       @fedora                   27 k
 pungi-utils                      noarch            4.2.3-2.fc32.infra.2               @@commandline             99 k

The process running fedmsg seems to also be pungi:

# ps aux |grep fedm
apache   2132923 32.9  2.1 4311124 2169404 ?     Sl   18:14   7:38 /usr/bin/python3 /usr/bin/pungi-koji --config /tmp/bodhi-pungi-f31-updates-7bm02rt9/pungi.conf --quiet --print-output-dir --target-dir /mnt/koji/compose/updates/ --old-composes /mnt/koji/compose/updates/ --no-latest-link --label Update-20200730.1814 --notification-script=/usr/bin/pungi-fedmsg-notification --notification-script=pungi-wait-for-signed-ostree-handler

This makes me believe that bodhi-backend01 is only trying to send messages, which should require only accessing FMN, busgateway and datagrepper.

Pretty sure we can drop cico from there, especially considering that CI doesn't do anything with pungi messages.

pdc-backend0{1,2,3}

This is definitely the pdc-updaters that are still running in fedmsg-hub.

I can stop them if we want

Metadata Update from @mobrien:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: groomed, medium-gain, medium-trouble

5 days ago
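Added example, not code from this ticket or from the fedora-infra ansible repository: a small audit of fedmsg.d-style config fragments that lists every tcp:// endpoint a fedmsg-hub consumer would dial (conventionally port 9940) and flags the ones outside an allowlist of destinations the host is expected to reach. The fragments and the allowlisted hostnames are constructed stand-ins, not real infrastructure names.

```python
"""Audit fedmsg endpoint configuration for unexpected egress.

fedmsg-hub connects out to every tcp:// URL under config['endpoints'],
so a consumer host's egress set is exactly the hosts named there. This
merges fedmsg.d-style fragments the way fedmsg does (later files update
the `endpoints` dict) and reports targets outside an allowlist.
"""
from urllib.parse import urlsplit

# Constructed stand-ins for /etc/fedmsg.d/*.py `config` dicts.
FRAGMENTS = {
    "base.py": {"endpoints": {
        "busgateway": ["tcp://busgateway01.example.internal:9940"]}},
    "anitya.py": {"endpoints": {
        "anitya-public": ["tcp://anitya.fedoraproject.org:9940"]}},
    "ci.py": {"endpoints": {
        "ci-centos": ["tcp://ci.centos.org:9940", "tcp://pagure.io:9940"]}},
}

# Destinations this host legitimately needs (assumed hostnames).
ALLOWED_HOSTS = {"busgateway01.example.internal",
                 "datagrepper.example.internal"}


def merge_fragments(fragments):
    """Merge `endpoints` from each fragment, in filename order."""
    merged = {"endpoints": {}}
    for _name, cfg in sorted(fragments.items()):
        merged["endpoints"].update(cfg.get("endpoints", {}))
    return merged


def endpoint_targets(config):
    """Sorted unique (host, port) pairs a consumer would connect to."""
    targets = set()
    for urls in config.get("endpoints", {}).values():
        for url in urls:
            parts = urlsplit(url)
            if parts.scheme != "tcp" or parts.hostname is None:
                continue  # only tcp:// endpoints cause outbound connections
            targets.add((parts.hostname, parts.port))
    return sorted(targets)


def unexpected_targets(config, allowed_hosts):
    """(host, port) pairs not on the allowlist: egress to review or remove."""
    return [(h, p) for h, p in endpoint_targets(config) if h not in allowed_hosts]


if __name__ == "__main__":
    for host, port in unexpected_targets(merge_fragments(FRAGMENTS), ALLOWED_HOSTS):
        print(f"unexpected fedmsg endpoint: {host}:{port}")
```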

I have confirmed with the CI folks that fedora-ci is no longer sending any notifications via fedmsg, so there is no need to try to listen to anything there.

These should be allowed now

Metadata Update from @smooge:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 days ago

> These should be allowed now

I don't think we should. My investigation was about: do we need this? And apparently we don't, so I was planning on fixing things in ansible so these hosts do not try to access ci.centos.org, which is not needed.

Metadata Update from @pingou:
- Issue status updated to: Open (was: Closed)

2 days ago

I have removed all references to ci.centos.org in https://pagure.io/fedora-infra/ansible/c/36616fc5210205b5705bdf09ab62ca55ea6ed6bb?branch=master

It'll be deployed in the next master playbook run or so and we can put the firewall back on :)

@smooge should we ask to close this port in the firewall?
