
Audit security groups
Closed, Declined (Public)

Description

Currently, intra-project traffic (i.e., from tools-login to tools-redis or from tools-webproxy to tools-webgrid-01) is not subject to the firewall rules of security groups. Due to that, security groups are not up to date; for example, the redis security group doesn't explicitly allow traffic on port 6379.

The move to eqiad could change the default behaviour.

Therefore, prior to the move, we need to make sure that:

a) all hosts have proper security groups assigned, and
b) security groups really allow traffic they're supposed to allow.


Version: unspecified
Severity: normal
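The two audit checks the task asks for, (a) every host carries a security group and (b) the groups actually permit the traffic the service needs, can be scripted against an inventory dump. The script below is an added example, not code from this task or from Toolforge. It assumes OpenStack-style security group semantics, where an ingress rule is scoped either by a remote CIDR (remote_ip_prefix) or by a remote security group (remote_group, the "allow from source" rule discussed in the comments), and it works over a constructed inventory shaped like `openstack server list` / `openstack security group rule list` output; the host names, addresses, group names, the redis rule and the hypothetical port 8080 for the webgrid node are all illustrative assumptions. The intentionally incomplete inventory reproduces the situation the task describes: a redis group that is correct only because of a group-sourced rule, a webgrid host with no service group, and one host with no group at all.

```python
"""Audit security group assignments and rules for a project.

Added example (not part of the Phabricator task or Toolforge tooling).
Assumes OpenStack-style semantics: an ingress rule on a group attached to
the destination host allows a flow when protocol and port match and the
source is inside remote_ip_prefix or carries the remote_group group.
All inventory below is constructed for illustration.
"""
import ipaddress

# Constructed host inventory: address and attached security groups.
HOSTS = {
    "tools-login":      {"ip": "10.68.16.5",  "groups": ["default", "bastion"]},
    "tools-redis":      {"ip": "10.68.16.20", "groups": ["default", "redis"]},
    "tools-webproxy":   {"ip": "10.68.16.30", "groups": ["default", "webproxy"]},
    "tools-webgrid-01": {"ip": "10.68.16.41", "groups": ["default"]},   # no service group
    "tools-exec-01":    {"ip": "10.68.16.50", "groups": []},            # no group at all
}

# Constructed rules, modelled on `openstack security group rule list -f json`.
# port_min/port_max of None means "any port"; protocol None means "any".
RULES = [
    {"group": "bastion", "direction": "ingress", "protocol": "tcp",
     "port_min": 22, "port_max": 22, "remote_ip_prefix": "0.0.0.0/0", "remote_group": None},
    # redis reachable only from instances that carry the 'default' group
    # (an "allow from source" rule keyed on the source's group, not its address)
    {"group": "redis", "direction": "ingress", "protocol": "tcp",
     "port_min": 6379, "port_max": 6379, "remote_ip_prefix": None, "remote_group": "default"},
    {"group": "webproxy", "direction": "ingress", "protocol": "tcp",
     "port_min": 80, "port_max": 80, "remote_ip_prefix": "0.0.0.0/0", "remote_group": None},
    # egress rules never admit inbound traffic; included to show they are skipped
    {"group": "default", "direction": "egress", "protocol": None,
     "port_min": None, "port_max": None, "remote_ip_prefix": "0.0.0.0/0", "remote_group": None},
]

# Flows the services are supposed to carry: (source host, destination host, protocol, port).
# The webgrid port is a hypothetical value; the page does not state it.
EXPECTED_FLOWS = [
    ("tools-login", "tools-redis", "tcp", 6379),
    ("tools-webproxy", "tools-webgrid-01", "tcp", 8080),
    ("tools-exec-01", "tools-redis", "tcp", 6379),
]


def hosts_without_groups(hosts):
    """Check (a): hosts with no security group assigned at all."""
    return sorted(name for name, host in hosts.items() if not host["groups"])


def rule_matches(rule, src, proto, port):
    """Does one ingress rule admit proto/port from the given source host?"""
    if rule["direction"] != "ingress":
        return False
    if rule["protocol"] not in (None, proto):
        return False
    lo, hi = rule["port_min"], rule["port_max"]
    if lo is not None and not (lo <= port <= hi):
        return False
    if rule["remote_group"] is not None:
        # group-sourced rule: the source must carry that group
        return rule["remote_group"] in src["groups"]
    if rule["remote_ip_prefix"] is not None:
        return ipaddress.ip_address(src["ip"]) in ipaddress.ip_network(rule["remote_ip_prefix"])
    return False  # assumption: a rule with neither scope admits nothing


def flow_allowed(hosts, rules, src_name, dst_name, proto, port):
    """Check (b): is the flow admitted by any rule of any group on the destination?"""
    src, dst = hosts[src_name], hosts[dst_name]
    candidate_rules = [r for r in rules if r["group"] in dst["groups"]]
    return any(rule_matches(r, src, proto, port) for r in candidate_rules)


def audit(hosts, rules, flows):
    """Return a list of human-readable findings; empty means both checks pass."""
    findings = [f"{h}: no security group assigned" for h in hosts_without_groups(hosts)]
    for src, dst, proto, port in flows:
        if not flow_allowed(hosts, rules, src, dst, proto, port):
            findings.append(
                f"{src} -> {dst} {proto}/{port}: not allowed by groups {hosts[dst]['groups']}")
    return findings


if __name__ == "__main__":
    for finding in audit(HOSTS, RULES, EXPECTED_FLOWS):
        print(finding)
```

With the constructed data the audit reports three findings: tools-exec-01 has no group (check a), the webproxy-to-webgrid flow has no rule at all on the webgrid host, and tools-exec-01 cannot reach redis because the redis rule admits only sources that carry the 'default' group. The last finding is the important caveat for the comment about "allow from source" rules: such a rule keeps intra-project traffic flowing only for hosts that actually carry the source group, which is exactly what check (a) verifies.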

Details

Reference
bz60144

Event Timeline

bzimport raised the priority of this task to Needs Triage. Nov 22 2014, 3:00 AM
bzimport added a project: Toolforge.
bzimport set Reference to bz60144.

Anything intended "prior to the move" is not all that relevant today. :-)

Eh, yes, irrespective of the DC location, we should still make sure that:

a) all hosts have proper security groups assigned, and
b) security groups really allow traffic they're supposed to allow.

Agree, just because we didn't already do it doesn't mean it's invalid :)

With no comment on the relevance of an audit in general, the security groups include the "allow from source" rule, which lets traffic through when it comes from the right source. That applies before ingress rules set by destination. So no change to the networking stack can break intra-project traffic.