*** ysandeep|out is now known as ysandeep | 04:43 | |
*** jpena|off is now known as jpena | 07:29 | |
*** ykarel is now known as ykarel|lunch | 07:56 | |
*** ysandeep is now known as ysandeep|lunch | 08:37 | |
*** ykarel|lunch is now known as ykarel | 09:00 | |
*** ysandeep|lunch is now known as ysandeep | 09:30 | |
*** bhagyashris is now known as bhagyashris|rover | 09:32 | |
*** ykarel is now known as ykarel|afk | 09:53 | |
*** jcapitao is now known as jcapitao_lunch | 10:24 | |
*** bhagyashris is now known as bhagyashris|rover | 10:38 | |
*** ykarel|afk is now known as ykarel | 10:53 | |
*** rlandy is now known as rlandy|ruck | 11:00 | |
*** jpena is now known as jpena|lunch | 11:32 | |
*** jpodivin is now known as jpodivin|ruck | 11:40 | |
*** jcapitao_lunch is now known as jcapitao | 11:59 | |
*** jpena|lunch is now known as jpena | 12:25 | |
*** redrobot is now known as Guest1129 | 15:09 | |
opendevreview | Dr. Jens Harbott proposed openstack/project-config master: Fix neutron-dynamic-routing grafana dashboard https://review.opendev.org/c/openstack/project-config/+/811182 | 15:13 |
opendevreview | Merged openstack/project-config master: Fix neutron-dynamic-routing grafana dashboard https://review.opendev.org/c/openstack/project-config/+/811182 | 15:40 |
*** ysandeep is now known as ysandeep|out | 16:12 | |
*** jpena is now known as jpena|off | 16:38 | |
clarkb | yoctozepto: I've discovered https://docs.openstack.org/kolla-ansible/latest/reference/deployment-and-bootstrapping/bootstrap-servers.html#disabling-firewalls and am wondering if that means kolla is actively undermining the rules we've put in place on the test nodes. Ideally we'd keep those in place as they help prevent a number of problems | 17:21 |
fungi | chief among those, the problem of our donor providers locking out our accounts because of abuse | 17:23 |
yoctozepto | clarkb, fungi: yeah, it does disable firewalls atm; what rules are we losing then? it's been like this for years :-( | 17:28 |
clarkb | yoctozepto: potentially things like rogue dhcpd prevention, dns resolver reflection, etc | 17:29 |
clarkb | the way we set up iptables in the jobs allows the nodes to talk to each other but keeps external stuff out | 17:29 |
clarkb | and you really shouldn't subvert that | 17:29 |
fungi | adding rules to allow more communication between nodes for the same job is generally fine though | 17:30 |
clarkb | some of our clouds also do periodic port scanning and they complain if random services are publicly available | 17:33 |
clarkb | things like dns servers, memcached iirc etc | 17:33 |
fungi | in the same vein as rogue dhcp servers, our default rules should also effectively prevent rogue router announcements from leaking into the provider's lan | 17:34 |
fungi | which could be part of the picture for https://launchpad.net/bugs/1844712 | 17:35 |
yoctozepto | clarkb, fungi: thankfully, you don't rely on ufw nor firewalld so we leave your rules in place | 17:55 |
fungi | ahh, good | 17:58 |
opendevreview | Merged openstack/project-config master: Remove github3.py from our zuul config https://review.opendev.org/c/openstack/project-config/+/810530 | 18:08 |
-opendevstatus- NOTICE: Gerrit and Zuul services are being restarted briefly for configuration and code updates but should return to service momentarily | 20:09 |