[arch-devops] Host-based Firewalls (Task #61)
Hi all,

I've spent a couple of hours looking into task #61 ("Set up firewall"). It should be pretty straightforward. I've reviewed each of the Hetzner hosts for the ports they are listening on vs what should be publicly accessible.

I have a diff against the current ansible roles if someone would like to review and give me their thoughts?

Cheers, ~p
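As an added example (not code from this thread or from the Arch infra repo), a small check for the kind of port review described above: it parses constructed `ss -Hltn` output (listening TCP sockets, numeric, no header) and reports ports bound on a non-loopback address that are not in the intended public allowlist. The sample output and the allowlist are constructed for illustration.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `ss -Hltn` output (not taken from any real host):
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:9100 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 [::1]:6379 [::]:*
"""

# Addresses that are never reachable from outside the host.
LOOPBACK_PREFIXES = ("127.", "[::1]")


def parse_ss_listeners(output: str) -> List[Tuple[str, int]]:
    """Return (local_address, port) for every LISTEN line in ss output."""
    listeners: List[Tuple[str, int]] = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # rpartition keeps bracketed IPv6 addresses intact ("[::]:22" -> "[::]", "22").
        addr, _, port = fields[3].rpartition(":")
        if not re.fullmatch(r"\d+", port):
            continue
        listeners.append((addr, int(port)))
    return listeners


def is_loopback(addr: str) -> bool:
    return addr.startswith(LOOPBACK_PREFIXES)


def unexpected_exposures(output: str, allowed_public: Set[int]) -> Dict[int, List[str]]:
    """Ports listening on a non-loopback address that the firewall policy does not intend
    to expose: these are the ones the host firewall must block (or the service must be
    rebound to loopback)."""
    exposed: Dict[int, List[str]] = {}
    for addr, port in parse_ss_listeners(output):
        if is_loopback(addr) or port in allowed_public:
            continue
        exposed.setdefault(port, []).append(addr)
    return exposed


if __name__ == "__main__":
    # Constructed allowlist: what the role intends to open publicly.
    print(unexpected_exposures(SAMPLE_SS_OUTPUT, {22, 80, 443}))  # {9100: ['0.0.0.0']}
```

Feeding it live `ss -Hltn` output per host gives the list of ports the firewall rules must cover beyond the intended public services.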
On 2018-03-05 07:24, Phillip Smith via arch-devops wrote:
> Hi all,
> I've spent a couple of hours looking into task #61 ("Set up firewall"). It should be pretty straightforward. I've reviewed each of the Hetzner hosts for the ports they are listening on vs what should be publicly accessible.
> I have a diff against the current ansible roles if someone would like to review and give me their thoughts?
> Cheers, ~p

Please push it into some branch on infra repo, I will look at it later today.

Bartłomiej
On 5 March 2018 at 17:57, Bartłomiej Piotrowski via arch-devops <arch-devops@lists.archlinux.org> wrote:
> Please push it into some branch on infra repo, I will look at it later today.

Thanks, I have pushed it to the add-firewalld branch.
On 2018-03-05 22:42, Phillip Smith via arch-devops wrote:
> On 5 March 2018 at 17:57, Bartłomiej Piotrowski via arch-devops <arch-devops@lists.archlinux.org> wrote:
>> Please push it into some branch on infra repo, I will look at it later today.
>
> Thanks, I have pushed it to the add-firewalld branch.

Looks good! I suppose you have access everywhere by now so feel free to push it and apply changes on servers.

Would it make sense to tag firewalld tasks with "firewall" tag?

Bartłomiej
On 8 March 2018 at 04:46, Bartłomiej Piotrowski via arch-devops <arch-devops@lists.archlinux.org> wrote:
> Looks good! I suppose you have access everywhere by now so feel free to push it and apply changes on servers.

Thanks! I'll deploy 1 host at a time and monitor/test each for a while as I go.

> Would it make sense to tag firewalld tasks with "firewall" tag?

Yes, that probably would make more sense. Fixed.
On 8 March 2018 at 09:51, Phillip Smith <fukawi2@gmail.com> wrote:
> On 8 March 2018 at 04:46, Bartłomiej Piotrowski via arch-devops <arch-devops@lists.archlinux.org> wrote:
>> Looks good! I suppose you have access everywhere by now so feel free to push it and apply changes on servers.
>
> Thanks! I'll deploy 1 host at a time and monitor/test each for a while as I go.

OK, well it seems ansible and firewalld have a versioning conflict going on. The firewalld package provides the python 3.6 version of the 'firewall' module, but Ansible requires the version 2 packaging it seems:

    fatal: [vostok.archlinux.org]: FAILED! => {"changed": false, "msg": "firewalld and its python 2 module are required for this module, version 2.0.11 or newer required (3.0.9 or newer for offline operations)"}

Seems to be a known issue: https://github.com/ansible/ansible/issues/24855

"This turns out to be as simple as the unfortunate reality that the firewalld module doesn't yet support python3 and the python2 version of firewalld is no longer available in Ubuntu. I'll try to get a python3 compat patch in over the next few days."

That compat patch doesn't seem to have come to fruition yet. What are others' thoughts? Is someone more fluent in python than I willing to take a look?