[Gluster-infra] Cage internal network lock down

Michael Scherer mscherer at redhat.com
Tue Mar 13 16:22:26 UTC 2018


So, I have been working on tightening the internal network of the
gluster community cage part of the world, i.e., all the servers in
*.int.rht.gluster.org. That's mostly internal infra servers, and newer
non-cloud builders, but I plan to later also move gerrit/jenkins and
various servers.

The goal is to reduce IPv4 usage (because that's limited), and increase
security (no direct access to attack, and more difficult to later
exploit in case of compromise).

That's mostly non-impacting for people (or I would have asked for
maintenance windows), but I just switched all servers in the internal
network to use the firewall (masamune.rht.gluster.org) as a gateway
rather than the IT firewall, so if anything is broken on a
*.int.rht.gluster.org server, please tell me and I will look.

Everything is in HA, and I have done several tests and reboots during
the day without trouble. In fact, more than half of the servers were
already using that.

Right now, the firewall is not yet blocking anything, but that's
planned, server by server.

Next steps are to prevent direct internet access (so start to use the
firewall), and provide both a web proxy and a DNS server, so we can
log and control what is going on.

And move more servers to the internal network (postgresql for example,
gerrit/jenkins too), by locking down and opening access as needed.

Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS
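As an added illustration of the lock-down plan in the mail above (this is not the Gluster infra team's own configuration), here is an nftables ruleset for a gateway in that role: internal servers are migrated one at a time into a "no direct egress" set, and the web proxy and resolver are the only way out, so every outbound request leaves a log line. All addresses, interface names and ports are constructed, and running the proxy and resolver on the firewall itself is an assumption.

```nft
# Added example, not the Gluster infra team's own ruleset. Every address,
# interface name and port below is a constructed placeholder.
define int_net = 10.0.0.0/24   # *.int.rht.gluster.org range (constructed)
define int_if  = "eth1"        # interface facing the internal network (constructed)
define ext_if  = "eth0"        # uplink (constructed)

table ip cage {
    # Servers already migrated to "no direct internet". The mail says this
    # happens server by server, so hosts are added here one at a time.
    set locked_down {
        type ipv4_addr
        elements = { 10.0.0.10, 10.0.0.11 }   # constructed
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # Assumption: the web proxy and resolver run on the firewall itself,
        # so all outbound requests from the cage can be logged there.
        iifname $int_if ip saddr $int_net tcp dport 3128 accept   # web proxy
        iifname $int_if ip saddr $int_net udp dport 53 accept     # DNS
        iifname $int_if ip saddr $int_net tcp dport 53 accept     # DNS over TCP
        iifname $int_if ip saddr $int_net tcp dport 22 accept     # admin ssh
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Traffic between internal servers is not restricted by this ruleset.
        iifname $int_if oifname $int_if accept
        # Migrated servers get no direct egress: log the attempt, then drop.
        ip saddr @locked_down oifname $ext_if log prefix "cage-egress-drop: " drop
        # Servers not yet migrated keep direct egress until their turn.
        iifname $int_if oifname $ext_if ip saddr $int_net accept
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Internal servers share the firewall's public address, which is
        # what lets the cage give back most of its IPv4 addresses.
        oifname $ext_if ip saddr $int_net masquerade
    }
}
```

Load it with `nft -f` on the gateway and watch the kernel log for the `cage-egress-drop:` prefix to catch any server that still needs a proxy or resolver setting before it is added to the set.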
