[Gluster-infra] Cage internal network lock down

Michael Scherer mscherer at redhat.com
Tue Jul 10 08:28:45 UTC 2018


On Friday 15 June 2018 at 18:35 +0200, Michael Scherer wrote:
> On Tuesday 13 March 2018 at 17:22 +0100, Michael Scherer wrote:
> > Hi,
> > 
> > So, I have been working on tightening the internal network of the
> > gluster community cage part of the world, e.g., all the servers in
> > *.int.rht.gluster.org. That's mostly internal infra servers, and newer
> > non-cloud builders, but I plan to later also move gerrit/jenkins and
> > various servers.
> > 
> > The goal is to reduce IPv4 usage (cause that's limited), and increase
> > security (no direct access to attack, and more difficult to later
> > exploit in case of compromise).
> > 
> > 
> > That mostly doesn't impact people (or I would have asked for
> > maintenance windows) but I just switched all servers in the internal
> > network to use the firewall (masamune.rht.gluster.org) as a gateway
> > rather than the IT firewall, so if anything is broken on a
> > *.int.rht.gluster.org server, please tell me and I will look.
> > 
> > Everything is in HA, and I have done several tests and reboots during
> > the day without trouble. In fact, more than half of the servers were
> > using that.
> > 
> > Right now, the firewall is not yet blocking anything, but that's
> > planned, server by server.
> > 
> > Next steps are to prevent direct internet access (so start to use the
> > firewall), and provide both a web proxy and a DNS server, so we can
> > log and control what is going on.
> 
> So I made some progress here (after a rather hectic week, my fault for
> not staying on vacation):
> 
> - we have now 2 internal DNS servers (gonna test and switch internal
> builders, etc. once I validate them, I will likely do them in small
> batches)

So the 2 DNS servers are working. I didn't yet switch to them by
default, because I want to do some setup of the disk for squid
(colocated on the same VM) and may need to reinstall, but that part is
done.

> - I start to switch to nftables for the firewall (not enabled yet, I
> will announce in advance and do that outside of working hours)

Same, the testing of nftables seems to be positive. I installed another
server to serve as a temporary firewall, and started to refine the
rules. Still no plan to switch yet, will wait until Nigel is back.

I also slowly started to use a squid proxy for controlling outgoing
HTTP connections, and so far so good.




-- 
Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS

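An nftables ruleset of the shape the thread describes (internal servers forced through the gateway, no direct internet access, DNS and web traffic funnelled through one resolver/proxy VM), given here as an added example; it is not the ruleset running on masamune or the temporary firewall, none of which is quoted on this page. The internal network 10.70.0.0/16, the interfaces eth0 (external) and eth1 (internal), the service VM address 10.70.0.10 and the squid port 3128 are all assumptions made for the illustration.

```nft
#!/usr/sbin/nft -f
# Added example, not the Gluster infra ruleset. Assumed layout:
#   10.70.0.0/16   the *.int.rht.gluster.org network behind the gateway
#   10.70.0.10     the VM hosting the internal DNS resolvers and squid
#   eth0 / eth1    external / internal interface of the gateway

define int_net  = 10.70.0.0/16
define svc_host = 10.70.0.10
define wan      = "eth0"
define lan      = "eth1"

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        # Administration of the gateway itself only from the inside
        iifname $lan ip saddr $int_net tcp dport 22 accept
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Only the resolver/proxy VM may talk to the internet, and only for
        # DNS and web traffic. Every other internal server reaches it on the
        # LAN for DNS (53) and HTTP(S) via squid (3128), so all outgoing
        # traffic is logged and controlled in one place.
        iifname $lan oifname $wan ip saddr $svc_host udp dport 53 accept
        iifname $lan oifname $wan ip saddr $svc_host tcp dport { 53, 80, 443 } accept

        # Anything else leaving the inside is logged (rate limited) and then
        # dropped by the chain policy: this is where a compromised builder
        # trying to reach out directly shows up.
        iifname $lan oifname $wan limit rate 10/minute log prefix "fwd-drop: "
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # The cage hosts use private addresses, so the gateway masquerades
        # the little traffic that is still allowed out
        oifname $wan ip saddr $int_net masquerade
    }
}
```

Check the file with `nft -c -f ruleset.nft` before loading it with `nft -f`, and load it outside working hours as the thread plans: `flush ruleset` drops all existing rules, and although `ct state established,related accept` keeps connections that are already tracked, nothing that relied on the old permit-all behaviour will get a new connection out afterwards. The example only covers IPv4 forwarding; forwarded IPv6 hits the drop policy unless equivalent `ip6` rules are added.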
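A squid.conf fragment for the outgoing-HTTP control the thread mentions, as an added example rather than the configuration of the Gluster proxy VM (nothing of it is quoted on this page). The internal network 10.70.0.0/16, the listening port 3128 and the path of the allow-list file are assumptions.

```squid
# Added example, not the Gluster infra squid.conf. Assumed: squid listens
# on 3128 on the resolver/proxy VM and serves 10.70.0.0/16.
http_port 3128

acl internal src 10.70.0.0/16
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# Destinations the internal servers are allowed to reach, one domain per
# line; a leading '.' also matches subdomains (assumed file path).
acl allowed_sites dstdomain "/etc/squid/allowed_sites.txt"

# Refuse anything that is not plain web traffic (no CONNECT tunnels to
# arbitrary ports, which would turn the proxy into a generic TCP relay)
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Internal hosts reach only the listed sites; everything else is refused
http_access allow internal allowed_sites
http_access deny all

# The proxy exists for control and logging, not for speed
cache deny all

# Log every request with the client address so a connection can be traced
# back to the server that made it
logformat gluster %ts.%03tu %>a %Ss/%03>Hs %rm %ru
access_log /var/log/squid/access.log gluster
```

Note that a proxy only controls what is routed through it: clients have to be told to use it (for example via `http_proxy`/`https_proxy` in the environment of the build jobs), and the firewall has to block direct egress from the internal network, otherwise a process that ignores the proxy settings just goes out directly and never appears in access.log.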