[tor-bugs] #33143 [Internal Services/Tor Sysadmin Team]: ferm: convert BASE_SSH_ALLOWED rules into puppet exported rules
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Feb 3 20:11:31 UTC 2020
#33143: ferm: convert BASE_SSH_ALLOWED rules into puppet exported rules
-------------------------------------------------+--------------------------------
Reporter: anarcat                                | Owner: tpa
Type: task                                       | Status: new
Priority: Medium                                 | Milestone:
Component: Internal Services/Tor Sysadmin Team   | Version:
Severity: Normal                                 | Keywords: tpa-roadmap-february
Actual Points:                                   | Parent ID: #31239
Points:                                          | Reviewer:
Sponsor:                                         |
-------------------------------------------------+--------------------------------

right now a new node technically doesn't get the "jumphost" functionality
("has SSH access everywhere else") out of the box. for that to work, the
network the box is on needs to be added to
`tor-puppet/modules/ferm/templates/defs.conf.erb` by hand. this is okay-ish for
instances of IP ranges that already exist, but is a pain for new (say)
ganeti nodes themselves which are usually not in those ranges (as opposed
to their instances, using the vswitch range).

so those magic IP addresses should be turned into exported resources that
follow our policy. maybe that exported resource should be part of a
"jumphost" class that gets included where we want, or just everywhere, but
in any case, it should be moved into puppet to make installs more
consistent and faster.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33143>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online