[Gluster-devel] Firewall migration around the end of the month.

Michael Scherer mscherer at redhat.com
Tue Aug 14 14:13:39 UTC 2018

Hi folks,

So after a few weeks of testing, the new firewall based on nft seems to
be ready. I did switch a few servers on a test firewall
(chrono.rht.gluster.org) without any trouble so far.

So I plan to switch the 2 HA main firewalls (masa and mune) to use nft
instead of firewalld sometime in the next 2 weeks, depending on how
fast I can recover from Flock and where in the world I will be by then.

Switching to the new firewall would permit us to have:
- better management of the firewall (using 1 single file, instead of
the Cthulhian horror of using 75 calls to the firewalld ansible module)
- a more modern stack (see
https://developers.redhat.com/blog/2018/08/10/firewalld-the-future-is-nftables/ )
- a more locked down internal network (which in turn would make it
easier to detect a future attack, especially if we start to sign
packages, etc).

In practice, this should be pretty transparent for the users, but if
you see any network issue on a builder in the int.rht.gluster.org
domain, please tell us, along with the date, so we can investigate.

People interested can see the config file on https://github.com/gluster

Is there a time that should be avoided for the deploy, even if it
should only impact various internal infra servers and the various
internal builders?

We later still plan to move some services inside the internal lan, like
postgres, jenkins, etc, but that's out of scope for this change.

Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS
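The single-file approach the post describes, as an added example that is not the Gluster infrastructure's actual ruleset: a minimal nftables config for an internal builder network with a default-drop policy and rate-limited logging before every drop, so that unexpected traffic from or towards a builder shows up in the logs. The networks, interface name and ports are constructed assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not the project's own ruleset. All addresses, the
# interface name and the allowed ports are constructed placeholders.
flush ruleset

define MGMT_NET = 192.0.2.0/24     # constructed: admin hosts allowed to ssh in
define INT_NET  = 198.51.100.0/24  # constructed: builders in the internal lan
define INT_IF   = "eth1"           # constructed: interface facing INT_NET

table inet filter {
    # Everything that ends up dropped passes through here first, so a scan
    # or an unexpected connection attempt is visible in the journal.
    chain log_drop {
        limit rate 10/second burst 20 packets log prefix "nft-drop: " level info
        drop
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        # management of the firewall host only from the admin network
        ip saddr $MGMT_NET tcp dport 22 accept
        jump log_drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # builders may open connections to the outside only for what they need
        iif $INT_IF ip saddr $INT_NET tcp dport { 80, 443 } accept
        iif $INT_IF ip saddr $INT_NET udp dport 53 accept
        # nothing from outside may open a connection towards a builder:
        # it is not matched above, so it is logged and dropped
        jump log_drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Check the file with `nft -c -f <file>` before loading it with `nft -f <file>`, so a syntax error is caught without touching the live ruleset.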
