Closed ghost closed 11 years ago
In short, the thing that is very special about my iptables cookbook is that it allows you to define many-to-many, many-to-one, and one-to-many relationships using roles and attributes. It really deserves more of an audience and I'd like to get some other developers in on it to make it better, and if nothing else, I would love to hear feedback.
OH! I remember what I was going to say now! Yeah, there are some obvious flaws with this. For example... how can I bootstrap a new node to use a DNS server if the DNS server isn't allowing queries from that node in iptables yet? The same very big problem exists with rsync, because I rsync source code to be built for services that newly created nodes will be running. Since I use knife rackspace from a server that can ssh to any of those servers, I've considered adding functionality to the knife rackspace plugin (I wish I could write plugins for plugins) that would basically ssh into those servers and allow the newly created node's IP to its services before executing bootstrap...
^ Really would love some feedback on this one...
Another possibility I've considered is a daemon that would run on those hosts that basically listens to a RabbitMQ fanout for specific tasks from an appropriate sender.
Also, if not a plugin for the rackspace plugin or a modification to the plugin, then a hack that I found in bootstrap templates:
```erb
<%
  # hax: tar up the chef repo on the workstation and scp it to the new node
  system('cd /root && tar -cvf /root/chef-repo.tar chef-repo/')
  # the scp below prompts for the password, so echo it for copy and paste
  print('copy and paste this password when prompted: ' + @config[:ssh_password] + "\n")
  system('scp /root/chef-repo.tar root@' + @config[:server_name] + ':/root/chef-repo.tar')
%>
```
bash -c ' ... use your imagination
If you need to see to believe:
```
root@appsrv-1-1-1:~# iptables -v -L
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
4840K 1816M ACCEPT     all  --  lo     any     anywhere             anywhere
  85M   11G ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
1499K   90M ACCEPT     tcp  --  eth1   any     lb-1-1-2.connectxyz.local  anywhere        tcp dpt:http
1563K   94M ACCEPT     tcp  --  eth1   any     lb-1-1-1.connectxyz.local  anywhere        tcp dpt:http
1500K   90M ACCEPT     tcp  --  eth1   any     lb-1-1-3.connectxyz.local  anywhere        tcp dpt:http
    3   180 ACCEPT     tcp  --  eth1   any     chefserver-1-1.connectxyz.local  anywhere  tcp dpt:22002
    0     0 ACCEPT     udp  --  eth1   any     chefserver-1-1.connectxyz.local  anywhere  udp dpt:22002
    0     0 ACCEPT     tcp  --  eth1   any     chefserver-1-1.connectxyz.local  anywhere  tcp dpt:mysql
    0     0 ACCEPT     udp  --  eth1   any     chefserver-1-1.connectxyz.local  anywhere  udp dpt:mysql
51786 3104K ACCEPT     tcp  --  eth1   any     chefserver-1-1.connectxyz.local  anywhere  tcp dpt:ssh
  858 51480 ACCEPT     tcp  --  eth1   any     ossec-1-1.connectxyz.local  anywhere       tcp dpt:ssh
 361K   22M ACCEPT     tcp  --  eth1   any     chefserver-1-1.connectxyz.local  anywhere  tcp dpt:nrpe
 155K   13M ACCEPT     icmp --  eth1   any     chefserver-1-1.connectxyz.local  anywhere  limit: avg 10/sec burst 5
10309  619K ACCEPT     tcp  --  eth1   any     ossec-1-1.connectxyz.local  anywhere       tcp dpt:munin
    0     0 ACCEPT     tcp  --  eth0   any     chefserver-1-1.connectxyz.local  anywhere  tcp dpt:ssh
 370K  117M LOGGING    all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 96M packets, 8411M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain LOGGING (1 references)
 pkts bytes target     prot opt in     out     source               destination
 370K  117M LOG        all  --  any    any     anywhere             anywhere             limit: avg 100/min burst 5 LOG level warning prefix "Dropped: "
 370K  117M DROP       all  --  any    any     anywhere             anywhere
root@appsrv-1-1-1:~#
```
```
[5642534.495979] Dropped: IN=eth0 OUT= MAC=bc:76:4e:04:a9:eb:70:ca:9b:8d:9a:ff:08:00 SRC=188.127.229.152 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=7777 DPT=19704 WINDOW=0 RES=0x00 ACK RST URGP=0
[5642544.662297] Dropped: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:bc:76:4e:04:b8:6d:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=19881 PROTO=UDP SPT=68 DPT=67 LEN=308
[5642548.080380] Dropped: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:bc:76:4e:04:eb:2c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=4871 PROTO=UDP SPT=68 DPT=67 LEN=308
[5642548.327266] Dropped: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:bc:76:4e:04:a2:70:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=13148 PROTO=UDP SPT=68 DPT=67 LEN=308
```
I've been getting a shit load of spammy broadcast traffic on Rackspace, I think they broke something.
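The role-to-role idea from the comment above (one allow entry fanning out to every node in the source and destination roles) and the LOGGING tail from the dump, written as an added Ruby example that is not the cookbook's code; the role-to-IP index and the allow list are constructed stand-ins for what a Chef search would return, and the last function shows the bootstrap gap described earlier (which roles hold rules naming a newly joined node as a source):

```ruby
# Added example (not the cookbook's code): expand role-to-role allow relationships
# into iptables INPUT rules for one node, plus the LOGGING tail seen in the dump.

# Constructed stand-in for a Chef search result: role => servicenet IPs of its nodes.
NODES = {
  'lb'         => ['10.0.0.11', '10.0.0.12', '10.0.0.13'],
  'appsrv'     => ['10.0.0.21', '10.0.0.22'],
  'chefserver' => ['10.0.0.5'],
  'ossec'      => ['10.0.0.6'],
}.freeze

# Allows expressed between roles, so one entry can be many-to-many, many-to-one
# or one-to-many: every node in :from may reach :port on every node in :to.
ALLOWS = [
  { from: ['lb'],                  to: ['appsrv'],       proto: 'tcp', port: 80,   iface: 'eth1' },
  { from: ['chefserver', 'ossec'], to: ['appsrv', 'lb'], proto: 'tcp', port: 22,   iface: 'eth1' },
  { from: ['chefserver'],          to: ['appsrv'],       proto: 'tcp', port: 5666, iface: 'eth1' },
].freeze

# Rule specs (iptables-restore syntax) a node in `my_role` should install.
def rules_for(my_role, nodes = NODES, allows = ALLOWS)
  out = ['-A INPUT -i lo -j ACCEPT',
         '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT']
  allows.each do |a|
    next unless a[:to].include?(my_role)
    a[:from].flat_map { |r| nodes.fetch(r, []) }.uniq.each do |src|
      out << "-A INPUT -i #{a[:iface]} -p #{a[:proto]} -s #{src} --dport #{a[:port]} -j ACCEPT"
    end
  end
  # Anything unmatched goes to LOGGING: rate-limited LOG, then DROP.
  out << '-A INPUT -j LOGGING'
  out << '-A LOGGING -m limit --limit 100/min --limit-burst 5 -j LOG --log-prefix "Dropped: "'
  out << '-A LOGGING -j DROP'
  out
end

# The bootstrap gap from the thread: when a node joins `new_role`, these roles hold
# rules naming it as a source, so they must re-converge before it can reach them.
def roles_to_reconverge(new_role, allows = ALLOWS)
  allows.select { |a| a[:from].include?(new_role) }.flat_map { |a| a[:to] }.uniq
end

if __FILE__ == $PROGRAM_NAME
  puts rules_for('appsrv')
  puts "roles to re-run chef after a new lb joins: #{roles_to_reconverge('lb').inspect}"
end
```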
Hey @paigeadele! Thank you for supporting the Opscode Cookbooks! Our process has a couple prerequisites before we can merge your contribution. We need to ensure you've completed a Contributor License Agreement (CLA) and a ticket on our ticket tracker for the release workflow. Pull requests are optional, but should always include the ticket number that they're related to for cross-referencing. Please take a moment to review the below wiki page for the appropriate steps:
Ohai!
I'm going to close this due to inactivity, but please re-open if you have more time to work on this issue :smile:.
...far... easily the most useful thing I've ever written imho. Please, please, please, read the readme file; it's gonna tell you far more than what I can tell you right off the top of my head at the moment. This really is my favorite cookbook next to my DNS cookbook; actually I have an "ssh script" cookbook that creates something to this effect:
```bash
#!/bin/bash
LOCALHOST="127.0.0.1"
ssh -l root \
  -L${LOCALHOST}:4141:127.0.0.1:4040 \
  -L${LOCALHOST}:8999:127.0.0.1:80 \
  -L${LOCALHOST}:9000:127.0.0.1:81 \
  -L${LOCALHOST}:9001:127.0.0.1:82 \
  -L${LOCALHOST}:9002:servicenetip1:80 \
  -L${LOCALHOST}:8091:servicenetip2:8091 \
  -L${LOCALHOST}:8092:servicenetip3:8091 \
  -L${LOCALHOST}:8093:servicenetip4:8091 \
  -L${LOCALHOST}:3306:servicenetip5:3306 \
  -L${LOCALHOST}:3307:servicenetip6:3306 \
  -L${LOCALHOST}:3308:servicenetip7:3306 # etc. etc. etc.
```
It's a very tedious script but it works really, really well, and nobody can access those addresses except the chef server on Rackspace's servicenet (or so, that's the intended purpose of all of this anyway...). Basically, the intended purpose is that nobody can even ssh to my chef server except me from our work IP and me from my home IP, and I HAVE to ssh to that server to get to ssh to any of the other servers... really tedious, but once you have the hang of it and understand it all well, it's really a life saver.