#3193 fix logging on hosts that aren't logging to log02
Closed: Fixed None Opened 12 years ago by kevin.

We have some hosts that are not currently logging to log02.
We should fix them.

See:
https://fedorahosted.org/fedora-infrastructure/ticket/2885
for details.

The list is:

{{{
backup03
darkserver01
fakefas01
hosted04
insight02
lockbox01 (is present as infrastructure.fedoraproject.org)
publictest01
publictest04
sign-bridge02
}}}

Some of these aren't logging because they are not in phx2 and don't have a vpn.
We could add vpn for them on the 192.168.100.x network and make sure that network
is blocked off for everything except syslog at bastion. These hosts are:

{{{
darkserver01
fakefas01
insight02
publictest01
publictest04
}}}

We have some hosts that are 'high security', but we should see if their logs contain anything we care about and just add them. These are:

{{{
backup03
sign-bridge02
}}}

We have some that are just broken. These are:

{{{
hosted04
lockbox01 (is present as infrastructure.fedoraproject.org)
}}}

I think lockbox01 is showing up as infrastructure just due to a /etc/hosts file on log02.
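A quick check for the situation described in this ticket (hosts expected on the central log server that have gone quiet), added here as an example and not part of the original ticket or the infrastructure repos. It assumes the log server keeps per-host logs under `<logroot>/<hostname>/` (a common rsyslog layout; the path and the sample hostnames/files are constructed for the example):

```shell
#!/bin/sh
# Added example: list expected hosts that have not delivered syslog recently.
# Assumes per-host log directories under <logroot>/<hostname>/ (assumption).

# Usage: missing_loggers <logroot> <expected-hosts-file> [max-age-minutes]
# Prints one hostname per line for every expected host that has no log file
# newer than max-age-minutes (default 60) under its directory.
# Returns 1 if at least one host is missing, 0 otherwise.
missing_loggers() {
    logroot="$1"; expected="$2"; maxage="${3:-60}"
    rc=0
    while read -r host; do
        # skip blank lines and comments in the expected-hosts file
        case "$host" in ''|'#'*) continue ;; esac
        # a missing directory, an empty one, or only stale files all count as "not logging"
        if [ -z "$(find "$logroot/$host" -type f -mmin "-$maxage" 2>/dev/null | head -n 1)" ]; then
            echo "$host"
            rc=1
        fi
    done < "$expected"
    return $rc
}

# Constructed sample log tree: one healthy host, one stale host, one empty
# directory and one host with no directory at all.
make_sample_logroot() {
    d="$(mktemp -d)"
    mkdir -p "$d/hosted03" "$d/sign-bridge02" "$d/lockbox01"
    printf 'Jan  1 00:00:00 hosted03 sshd[1]: constructed sample line\n' > "$d/hosted03/messages"
    printf 'constructed sample line\n' > "$d/lockbox01/messages"
    touch -t 202001010000 "$d/lockbox01/messages"   # stale: host stopped logging long ago
    printf 'hosted03\nhosted04\nlockbox01\nsign-bridge02\n' > "$d/expected.txt"
    echo "$d"
}

# Stand-alone run: report the missing hosts for the constructed sample.
sample="$(make_sample_logroot)"
missing_loggers "$sample" "$sample/expected.txt" 60 || echo "some hosts are not logging"
```

Checking file age rather than directory existence matters: lockbox01 still has a directory on the log server, but nothing recent, which is exactly how a host that silently stopped logging looks.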
hosted04 is fixed - it had a broken /etc/resolv.conf.

lockbox01 is fixed - it was indeed a /etc/hosts issue on log02.

Is backup03 used at all? In puppet everything is commented out for this node.
And what about hosted04 and lockbox01, are these hosts fixed? Because I can't find that out from puppet manifests.

backup03 is still used, but it's moved over to ansible now.

hosted04 is a backup instance for hosted03, so it should exist and be up and running.

lockbox01 isn't used anymore, it's an old version of lockbox02.

Here is the first patch. The job is far from done. I'm guessing I still need to configure IP addresses, ports, perhaps iptables rules... Kevin, could you have a look and give me some information on how to successfully complete the job? I have a feeling that I will have to do some work in the /modules/openvpn/files/ccd/ directory.

One more thing. I think darkserver01 should log to log02. At least everything in puppet repo suggests that logging is properly configured on darkserver01. What about host insight02? Does it exist at all?

Read the openvpn SOP today. To complete the job I need to configure IPs in /ccd and DNS. How do I know which IP to assign to a certain host? And why are certain IPs in files inside the /ccd directory duplicated, for example:

backup1 192.168.1.22 192.168.0.22

hosted-lists01 192.168.1.22 192.168.0.22

Replying to [comment:6 janeznemanic]:

One more thing. I think darkserver01 should log to log02. At least everything in puppet repo suggests that logging is properly configured on darkserver01. What about host insight02? Does it exist at all?

darkserver01 should be working. You don't see it?

insight02 does not exist anymore.

Replying to [comment:7 janeznemanic]:

Read the openvpn SOP today. To complete the job I need to configure IPs in /ccd and DNS. How do I know which IP do I assign to certain host? And why are certain IPs in files inside /ccd directory duplicated, for example:

backup1 192.168.1.22 192.168.0.22

hosted-lists01 192.168.1.22 192.168.0.22

That's an error... backup1 doesn't exist anymore, so likely that IP got reused for hosted-lists01. We should remove backup1.

You can look in the dns repo:

git clone /git/dns

on lockbox01, and look at master/168.192.in-addr.arpa (the master reverse zone for the vpn.fedoraproject.org).
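The duplicated address discussed above (backup1 and hosted-lists01 both on 192.168.1.22) is the kind of thing a small audit script catches before a stale ccd entry is reused. The following is an added example, not code from the ticket or the infrastructure repos. It assumes each file in the ccd directory is named after the client and contains one `ifconfig-push <client-ip> <peer-ip>` line, and that 192.168.1.x (main vpn) and 192.168.100.x (less-trusted vpn) are the only valid client ranges, as the thread describes; the sample ccd files are constructed:

```shell
#!/bin/sh
# Added example: audit an OpenVPN ccd directory for duplicate and out-of-range
# ifconfig-push client addresses. File name == client CN is an assumption.

# Print "client-ip client-name" for every ccd file in the directory.
ccd_assignments() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v cn="$(basename "$f")" '$1 == "ifconfig-push" { print $2, cn }' "$f"
    done
}

# Print "ip: name name ..." for each client IP claimed by more than one file.
# Returns 1 if any duplicate exists, 0 otherwise.
ccd_duplicates() {
    ccd_assignments "$1" | sort | awk '
        { names[$1] = names[$1] " " $2; n[$1]++ }
        END {
            rc = 0
            for (ip in n) if (n[ip] > 1) { print ip ":" names[ip]; rc = 1 }
            exit rc
        }'
}

# Print "name ip" for clients outside the two expected vpn ranges.
# Returns 1 if any such client exists, 0 otherwise.
ccd_out_of_range() {
    ccd_assignments "$1" | awk '
        $1 !~ /^192\.168\.(1|100)\.[0-9]+$/ { print $2 " " $1; bad = 1 }
        END { exit bad }'
}

# Constructed sample ccd directory reproducing the duplicate from the ticket,
# plus a less-trusted host and a stray address outside both ranges.
make_sample_ccd() {
    d="$(mktemp -d)"
    printf 'ifconfig-push 192.168.1.22 192.168.0.22\n'  > "$d/backup1"
    printf 'ifconfig-push 192.168.1.22 192.168.0.22\n'  > "$d/hosted-lists01"
    printf 'ifconfig-push 192.168.100.5 192.168.0.5\n'  > "$d/fakefas01"
    printf 'ifconfig-push 10.0.0.9 10.0.0.10\n'         > "$d/stray"
    echo "$d"
}

# Stand-alone run over the constructed directory.
sample="$(make_sample_ccd)"
ccd_duplicates "$sample"   || echo "duplicate client IPs found"
ccd_out_of_range "$sample" || echo "clients outside the expected vpn ranges found"
```

Run it against the real ccd directory (and, for the less-trusted net, check that the hosts you expect on 192.168.100.x actually have addresses there) before applying a patch that adds new clients.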

Here's the new patch. Do I have to make any changes in dns/master/vpn.fedoraproject.org?

ok, publictest* are also gone now. ;)

Sign-bridge02 is in phx2, so it shouldn't need a vpn to log.

That leaves fakefas. :) One slight change for it... we have 192.168.1.x as the main vpn, but we also have defined 192.168.100.x in the vpn as 'less trusted' hosts. Other things firewall off the 192.168.100.x net so it can't talk to most things.

Could you adjust fakefas to use a 192.168.100.x ip instead of a 192.168.1.x ip. Then, I think I just apply that, make sure sign-bridge02 is logging and we are done. ;)

Thanks a bunch for working on this.

Will do that, but there is still backup03. I haven't started working on that one. The plan was to first do all the work in puppet and then configure backup03 in ansible. So after the puppet patch is applied, I'll move on to backup03.

Checked out backup03 in ansible and I think that host is OK and should log as expected. I adjusted fakefas and hopefully it is OK now.

And one more thing. Could you, Kevin, have a look at ticket #3639? Not sure, but I think the patch there is probably ready to be applied.

Cool. Applied. :)

yeah, I will likely apply 3639 soon...
