[Gluster-infra] Cage internal network lock down

Michael Scherer mscherer at redhat.com
Fri Jun 15 16:35:49 UTC 2018


On Tuesday 13 March 2018 at 17:22 +0100, Michael Scherer wrote:
> Hi,
> 
> So, I have been working on tightening the internal network of the
> gluster community cage part of the world, e.g., all the servers in
> *.int.rht.gluster.org. That's mostly internal infra servers, and newer
> non-cloud builders, but I plan to later also move gerrit/jenkins and
> various servers.
> 
> The goal is to reduce IPv4 usage (cause that's limited), and increase
> security (no direct access to attack, and more difficult to later
> exploit in case of compromission).
> 
> That's mostly not impacting people (or I would have asked for
> maintenance windows) but I just switched all servers in the internal
> network to use the firewall (masamune.rht.gluster.org) as a gateway
> rather than the IT firewall, so if anything is broken on a
> *.int.rht.gluster.org server, please tell me and I will look.
> 
> Everything is in HA, and I have done several tests and reboots during
> the day without trouble. In fact, more than half of the servers were
> using that.
> 
> Right now, the firewall is not yet blocking anything, but that's
> planned, server by server.
> 
> Next steps are to prevent direct internet access (so start to use the
> firewall), and provide both a web proxy and a DNS server, so we can
> log and control what is going on.

So I made some progress here (after a rather hectic week, my fault for
not staying on vacation):

- we now have 2 internal DNS servers (gonna test and switch internal
builders, etc. once I validate them; I will likely do them in small
batches)

- I have started to switch to nftables for the firewall (not enabled yet,
I will announce in advance and do that outside of working hours)

I also upgraded the firewalls (from the Copenhagen airport, last month)
and the proxies (today) to F28, but since no one complained, it shows
this was pretty transparent (and resilient)

Next step is squid, then work on moving munin inside the LAN, and
postgres (and make postgres HA too).

-- 
Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS
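As an added illustration (not a ruleset from this thread or from the Gluster infra project), here is an nftables policy in the spirit of the plan above: the gateway forwards nothing from the internal network to the internet by default, only the internal DNS resolvers and the web proxy may egress, hosts not yet migrated sit in a transitional set that shrinks server by server, and every other outbound attempt is logged and dropped so a misconfigured or compromised box shows up in the logs. All interface names, addresses and the `direct_egress` entry are constructed placeholders, not the cage's real values.

```nft
#!/usr/sbin/nft -f
# Constructed example egress policy for an internal-network gateway.
# Placeholders (not from the thread): LAN interface "lan", uplink "wan",
# internal network 10.70.0.0/16, DNS resolvers 10.70.0.2 and 10.70.0.3,
# squid proxy 10.70.0.10.
flush ruleset

define lan_if      = "lan"
define wan_if      = "wan"
define lan_net     = 10.70.0.0/16
define dns_servers = { 10.70.0.2, 10.70.0.3 }
define proxy       = 10.70.0.10

table inet gateway {
    # Hosts still allowed direct internet access during the migration.
    # Remove entries as each server is moved behind the proxy.
    set direct_egress {
        type ipv4_addr
        flags interval
        elements = { 10.70.1.5 }   # constructed placeholder host
    }

    chain forward {
        # Numeric priority keeps the file loadable on older nft versions.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Only the internal resolvers may talk DNS to the outside world.
        iifname $lan_if oifname $wan_if ip saddr $dns_servers udp dport 53 accept
        iifname $lan_if oifname $wan_if ip saddr $dns_servers tcp dport 53 accept

        # Only the web proxy may fetch from the internet; clients use it,
        # so every outbound web request is logged and controllable there.
        iifname $lan_if oifname $wan_if ip saddr $proxy tcp dport { 80, 443 } accept

        # Transitional exception for servers not yet switched over.
        iifname $lan_if oifname $wan_if ip saddr @direct_egress accept

        # Anything else leaving the LAN is logged (rate-limited) and dropped.
        iifname $lan_if oifname $wan_if limit rate 10/minute counter log prefix "egress-denied: " drop
        iifname $lan_if oifname $wan_if counter drop
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $wan_if ip saddr $lan_net masquerade
    }
}
```

Load it with `nft -f` and watch the kernel log for the `egress-denied:` prefix before tightening further; a steady stream from one host usually means a missed proxy or resolver setting rather than an intrusion, but either way it is the signal the lock-down is meant to surface.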
