[Gluster-devel] Firewall migration around the end of the month.

Michael Scherer mscherer at redhat.com
Tue Aug 14 14:13:39 UTC 2018


Hi folks,

So after a few weeks of testing, the new firewall based on nft seems to
be ready. I did switch a few servers on a test firewall
(chrono.rht.gluster.org) without any trouble so far.

So I plan to switch the 2 main HA firewalls (masa and mune) to use nft
instead of firewalld sometime in the next 2 weeks, depending on how
fast I can recover from Flock and where in the world I will be by then.

Switching to the new firewall would permit us to have:
- better management of the firewall (using 1 single file, instead of
the Cthulhuan horror of using 75 calls to the firewalld ansible module)
- a more modern stack (see
https://developers.redhat.com/blog/2018/08/10/firewalld-the-future-is-nftables/ )
- a more locked down internal network (which in turn would make it
easier to detect a future attack, especially if we start to sign
packages, etc).

In practice, this should be pretty transparent for the users, but if
you see any network issue on a builder in the int.rht.gluster.org
domain, please tell us along with the date so we can investigate.

People interested can see the config file on
https://github.com/gluster/gluster.org_ansible_configuration/blob/master/roles/nftables/templates/nftables.conf

Is there a time that should be avoided for the deploy, even if it
should only impact various internal infra servers and the various
internal builders?

We later still plan to move some services inside the internal LAN, like
postgres, jenkins, etc, but that's out of scope for this change.

-- 
Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS
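The two points the mail makes for the migration, one declarative file instead of many firewalld module calls, and an internal network that is locked down enough that unexpected traffic stands out, are illustrated below in a single nftables ruleset. This is an added example written for this page, not the Gluster project's nftables.conf template linked above; the interface names (eth0 public, eth1 internal), the 192.0.2.0/24 builder network and the 198.51.100.0/24 admin network are placeholder assumptions, not the real int.rht.gluster.org addressing.

```nft
#!/usr/sbin/nft -f
# Added illustrative ruleset, not the gluster.org ansible template.
# Assumed layout: eth0 faces the internet, eth1 faces the builder LAN.
# 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges used as
# placeholders for the internal and admin networks.
flush ruleset

define wan = eth0
define lan = eth1
define lan_net = 192.0.2.0/24
define admin_net = 198.51.100.0/24

table inet filter {
    chain input {
        # default deny: anything not explicitly allowed below is dropped
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept
        # ssh to the firewall itself only from the admin network or the LAN
        iif $wan ip saddr $admin_net tcp dport 22 accept
        iif $lan ip saddr $lan_net tcp dport 22 accept
        # rate-limited logging of what we drop: a builder probing the
        # firewall shows up in the logs instead of disappearing silently
        limit rate 5/minute burst 10 packets log prefix "nft-input-drop: "
        counter drop
    }

    chain forward {
        # the firewall routes for the LAN; nothing from outside may
        # initiate a connection into it
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # builders may reach the outside world (package downloads, git)
        iif $lan oif $wan ip saddr $lan_net accept
        limit rate 5/minute burst 10 packets log prefix "nft-forward-drop: "
        counter drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oif $wan ip saddr $lan_net masquerade
    }
}
```

Because `flush ruleset` is the first statement and the file is applied atomically with `nft -f`, a reload replaces the whole policy in one step, which is what makes reviewing a diff of this file meaningful compared to reasoning about the cumulative effect of dozens of firewalld calls. The `counter` statements on the drop rules let `nft list ruleset` show at a glance whether the default-deny rules are being hit.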
