From f65a48aa615721691df2c8102004e66f436c8b01 Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Fri, 12 Jun 2020 11:01:08 -0400 Subject: [PATCH] allow log01 to get logs from proxies and other hosts. fix both iptables and rsyncd --- inventory/group_vars/badges_web | 2 +- inventory/group_vars/batcave | 2 +- inventory/group_vars/certgetter | 2 +- inventory/group_vars/datagrepper | 2 +- inventory/group_vars/fedocal | 2 +- inventory/group_vars/github2fedmsg | 2 +- inventory/group_vars/kerneltest | 2 +- inventory/group_vars/kojipkgs | 2 +- inventory/group_vars/mbs_frontend | 2 +- inventory/group_vars/odcs_backend | 2 +- inventory/group_vars/odcs_frontend | 2 +- inventory/group_vars/packages | 2 +- inventory/group_vars/proxies | 2 +- inventory/group_vars/value | 6 +-- inventory/group_vars/zanata2fedmsg | 2 +- roles/base/templates/iptables/iptables | 8 +-- .../iptables/iptables.kojibuilder_iad2 | 2 - roles/base/templates/iptables/iptables.releng | 10 ++-- roles/rsyncd/files/rsyncd.conf.default | 2 +- .../rsyncd.conf.people01.fedoraproject.org | 2 +- roles/rsyncd/files/rsyncd.conf.sundries | 54 +++++++++---------- .../rsyncd/templates/rsyncd.conf.download.j2 | 2 +- 22 files changed, 55 insertions(+), 59 deletions(-) diff --git a/inventory/group_vars/badges_web b/inventory/group_vars/badges_web index 7489a003b5..1acaddae18 100644 --- a/inventory/group_vars/badges_web +++ b/inventory/group_vars/badges_web @@ -15,7 +15,7 @@ wsgi_threads: 2 tcp_ports: [ 80 ] # Neeed for rsync from log01 for logs. -custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] +custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] fas_client_groups: sysadmin-noc,sysadmin-badges,sysadmin-veteran diff --git a/inventory/group_vars/batcave b/inventory/group_vars/batcave index 2efa28b8fd..05306866bb 100644 
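Review bot: The log01 source address is written as a literal `10.3.163.39` in this `custom_rules` line, and the same literal recurs in the batcave, certgetter, datagrepper, fedocal, github2fedmsg, kerneltest, kojipkgs, mbs_frontend, odcs_backend, odcs_frontend, packages, proxies, value and zanata2fedmsg hunks and in the rsyncd `hosts allow` lines later in the patch. An allow-list copied into this many files drifts: the old side of rsyncd.conf.default already listed `10.3.163.39` while these iptables rules still named `10.5.126.13`. I would define the address once in a shared group variable and reference it, e.g. `'-A INPUT -p tcp -m tcp -s {{ log01_ip }} --dport 873 -j ACCEPT'` (`log01_ip` is an illustrative name, not an existing variable). The second rule for `192.168.1.59` is left unchanged; confirm that address still belongs to log01, since a stale ACCEPT on port 873 outlives the host it was written for.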
--- a/inventory/group_vars/batcave +++ b/inventory/group_vars/batcave @@ -6,7 +6,7 @@ num_cpus: 10 tcp_ports: [ 80, 443, 8442, 8443 ] # Neeed for rsync from log01 for logs. -custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] +custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] fas_client_groups: sysadmin-ask,sysadmin-atomic,sysadmin-cvs,sysadmin-main,sysadmin-web,sysadmin-noc,sysadmin-hosted,sysadmin-releng,sysadmin-qa,sysadmin-tools,sysadmin-cloud,sysadmin-bot,sysadmin-centos,sysadmin-koschei,sysadmin-datanommer,sysadmin-fedimg,fi-apprentice,sysadmin-badges,sysadmin-mbs,sysadmin-veteran,sysadmin-coreos,sysadmin-upstreamfirst,sysadmin-releasemonitoring,sysadmin-fpdc,sysadmin-messaging,sysadmin-libravatar,sysadmin-gnome,sysadmin-copr,sysadmin-osbs,sysadmin-odcs diff --git a/inventory/group_vars/certgetter b/inventory/group_vars/certgetter index 5c1601a5bf..5969ffe27d 100644 --- a/inventory/group_vars/certgetter +++ b/inventory/group_vars/certgetter @@ -10,6 +10,6 @@ num_cpus: 2 tcp_ports: [ 80, 443 ] # Neeed for rsync from log01 for logs. -custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] +custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] fas_client_groups: sysadmin-main diff --git a/inventory/group_vars/datagrepper b/inventory/group_vars/datagrepper index 3bc3d163c2..f2908864c1 100644 --- a/inventory/group_vars/datagrepper +++ b/inventory/group_vars/datagrepper 
@@ -10,7 +10,7 @@ num_cpus: 2 tcp_ports: [ 80, 443, 6996 ] # Neeed for rsync from log01 for logs. custom_rules: [ - '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', + '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT', ] diff --git a/inventory/group_vars/fedocal b/inventory/group_vars/fedocal index 588c7ee1d6..1425afdb9a 100644 --- a/inventory/group_vars/fedocal +++ b/inventory/group_vars/fedocal @@ -13,7 +13,7 @@ tcp_ports: [ 80, 443, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015] # Neeed for rsync from log01 for logs. -custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] +custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] fas_client_groups: sysadmin-noc,sysadmin-web,sysadmin-veteran diff --git a/inventory/group_vars/github2fedmsg b/inventory/group_vars/github2fedmsg index a231ae0052..67bceeac80 100644 --- a/inventory/group_vars/github2fedmsg +++ b/inventory/group_vars/github2fedmsg @@ -15,7 +15,7 @@ wsgi_threads: 2 tcp_ports: [ 80 ] # Neeed for rsync from log01 for logs. -custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] +custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] fas_client_groups: sysadmin-noc,sysadmin-veteran diff --git a/inventory/group_vars/kerneltest b/inventory/group_vars/kerneltest index ee766df326..3865e3dd81 100644 --- a/inventory/group_vars/kerneltest +++ b/inventory/group_vars/kerneltest 
@@ -15,7 +15,7 @@ wsgi_threads: 1 tcp_ports: [ 80 ] # Neeed for rsync from log01 for logs. -custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] +custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] fas_client_groups: sysadmin-noc,sysadmin-veteran diff --git a/inventory/group_vars/kojipkgs b/inventory/group_vars/kojipkgs index 18c49449e2..00959c3c13 100644 --- a/inventory/group_vars/kojipkgs +++ b/inventory/group_vars/kojipkgs @@ -7,7 +7,7 @@ num_cpus: 16 custom_rules: [ # Need for rsync from log01 for logs. - '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', + '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT', ] diff --git a/inventory/group_vars/mbs_frontend b/inventory/group_vars/mbs_frontend index a4592299d8..0122085bc4 100644 --- a/inventory/group_vars/mbs_frontend +++ b/inventory/group_vars/mbs_frontend @@ -14,7 +14,7 @@ wsgi_threads: 2 tcp_ports: [ 80 ] # Neeed for rsync from log01 for logs. -custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] +custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] fas_client_groups: sysadmin-noc,sysadmin-releng,sysadmin-mbs,sysadmin-veteran diff --git a/inventory/group_vars/odcs_backend b/inventory/group_vars/odcs_backend index 5705d46f56..9f3645c76b 100644 --- a/inventory/group_vars/odcs_backend +++ b/inventory/group_vars/odcs_backend 
@@ -28,7 +28,7 @@ virt_install_command: "{{ virt_install_command_two_nic }}" nfs_mount_opts: "ro,hard,bg,intr,noatime,nodev,nosuid,nfsvers=3" # Neeed for rsync from log01 for logs. -custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] +custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] fas_client_groups: sysadmin-noc,sysadmin-releng,sysadmin-odcs,sysadmin-veteran diff --git a/inventory/group_vars/odcs_frontend b/inventory/group_vars/odcs_frontend index 7dabe36cc1..8f096731ff 100644 --- a/inventory/group_vars/odcs_frontend +++ b/inventory/group_vars/odcs_frontend @@ -23,7 +23,7 @@ tcp_ports: [ udp_ports: [ 111 ] # Neeed for rsync from log01 for logs. -custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] +custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] fas_client_groups: sysadmin-noc,sysadmin-releng,sysadmin-odcs,sysadmin-veteran diff --git a/inventory/group_vars/packages b/inventory/group_vars/packages index 2058d81482..7f91385873 100644 --- a/inventory/group_vars/packages +++ b/inventory/group_vars/packages @@ -13,7 +13,7 @@ tcp_ports: [ 80, 443, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015] # Neeed for rsync from log01 for logs. -custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] +custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] fas_client_groups: sysadmin-noc,sysadmin-web,sysadmin-veteran,sysadmin-packages diff --git a/inventory/group_vars/proxies b/inventory/group_vars/proxies index b1d27ce87b..d43ec39dd8 100644 
--- a/inventory/group_vars/proxies +++ b/inventory/group_vars/proxies @@ -41,7 +41,7 @@ tcp_ports: [ ] custom_rules: [ # Need for rsync from log01 for logs. - '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', + '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 209.132.181.102 --dport 873 -j ACCEPT', diff --git a/inventory/group_vars/value b/inventory/group_vars/value index f13d8064c7..32988eeb4b 100644 --- a/inventory/group_vars/value +++ b/inventory/group_vars/value @@ -16,11 +16,11 @@ tcp_ports: [ 80, 443, custom_rules: [ # Needed for rsync from log01 for logs. - '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', + '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT', # Needed to let nagios on noc01 and noc02 pipe alerts to zodbot here - '-A INPUT -p tcp -m tcp -s 10.5.126.41 --dport 5050 -j ACCEPT', - '-A INPUT -p tcp -m tcp -s 10.5.126.241 --dport 5050 -j ACCEPT', + '-A INPUT -p tcp -m tcp -s 10.3.163.10 --dport 5050 -j ACCEPT', + '-A INPUT -p tcp -m tcp -s 10.3.166.10 --dport 5050 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.20 --dport 5050 -j ACCEPT', # batcave01 also needs access to announce commits. '-A INPUT -p tcp -m tcp -s 192.168.20.41 --dport 5050 -j ACCEPT', diff --git a/inventory/group_vars/zanata2fedmsg b/inventory/group_vars/zanata2fedmsg index b799fe31fd..d67b21cdaa 100644 --- a/inventory/group_vars/zanata2fedmsg +++ b/inventory/group_vars/zanata2fedmsg @@ -18,7 +18,7 @@ tcp_ports: [ 80 ] # Neeed for rsync from log01 for logs. custom_rules: [ - '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', + '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT', ] 
diff --git a/roles/base/templates/iptables/iptables b/roles/base/templates/iptables/iptables index 8050469154..53a9c7f517 100644 --- a/roles/base/templates/iptables/iptables +++ b/roles/base/templates/iptables/iptables @@ -30,8 +30,8 @@ # FIXME - this is the global nat-ip and we need the noc01-specific ip -A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.102 -j ACCEPT -A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT --A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT --A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.241 -j ACCEPT +-A INPUT -p tcp -m tcp --dport 5666 -s 10.3.163.10 -j ACCEPT +-A INPUT -p tcp -m tcp --dport 5666 -s 10.3.166.10 -j ACCEPT {% if env != 'staging' and datacenter == 'phx2' and inventory_hostname not in groups['staging_friendly'] %} # @@ -41,7 +41,7 @@ # production we have marked 'staging-friendly' that we do allow staging to talk to for # mostly read-only data they need. # --A INPUT -s 10.5.128.0/24 -j REJECT --reject-with icmp-host-prohibited + {% endif %} {% if ansible_domain == 'qa.fedoraproject.org' and inventory_hostname not in groups['qa_isolated'] %} @@ -90,7 +90,7 @@ {% endif %} {% endfor %} # nagios --A INPUT -p tcp -m tcp --dport {{ port }} --src 10.5.126.41 -j ACCEPT +-A INPUT -p tcp -m tcp --dport {{ port }} --src 10.3.163.10 -j ACCEPT {% endfor %} {% endif %} diff --git a/roles/base/templates/iptables/iptables.kojibuilder_iad2 b/roles/base/templates/iptables/iptables.kojibuilder_iad2 index 086ac04cc0..06f3970ab2 100644 --- a/roles/base/templates/iptables/iptables.kojibuilder_iad2 +++ b/roles/base/templates/iptables/iptables.kojibuilder_iad2 @@ -74,8 +74,6 @@ -A OUTPUT -p tcp -m tcp -d 10.3.169.104 --dport 22 -j ACCEPT {% endif %} -# http to pull sources from pkgs lookaside -#-A OUTPUT -m tcp -p tcp --dport 80 -d 10.5.125.44 -j ACCEPT # https git on pagure.io -A OUTPUT -p tcp -m tcp -d 8.43.85.75 --dport 443 -j ACCEPT 
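Review bot: The `@@ -41,7 +41,7 @@` hunk deletes `-A INPUT -s 10.5.128.0/24 -j REJECT --reject-with icmp-host-prohibited` and puts nothing in its place, so the `{% if env != 'staging' and datacenter == 'phx2' ... %}` block now emits only comments and production hosts no longer reject staging traffic at this point in the chain. The commit subject is about log01 and rsync, so this looks like a side effect of the address sweep rather than a stated decision to drop the isolation. If staging has a network in the new datacenter, re-add the rule with that subnet and update the `phx2` condition, e.g. `-A INPUT -s <staging-subnet> -j REJECT --reject-with icmp-host-prohibited` (placeholder; the new range is not shown in this patch). If the isolation is being retired, remove the conditional and its comment too, so the template does not describe a protection it no longer applies; the comment block starts outside the hunk.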
diff --git a/roles/base/templates/iptables/iptables.releng b/roles/base/templates/iptables/iptables.releng index 78a15b9c00..18b369927d 100644 --- a/roles/base/templates/iptables/iptables.releng +++ b/roles/base/templates/iptables/iptables.releng @@ -24,8 +24,8 @@ # FIXME - this is the global nat-ip and we need the noc01-specific ip -A INPUT -p tcp -m tcp -s 209.132.181.102 --dport 5666 -j ACCEPT -A INPUT -p tcp -m tcp -s 209.132.181.35 --dport 5666 -j ACCEPT --A INPUT -p tcp -m tcp -s 10.5.126.41 --dport 5666 -j ACCEPT --A INPUT -p tcp -m tcp -s 10.5.126.241 --dport 5666 -j ACCEPT +-A INPUT -p tcp -m tcp -s 10.3.163.10 --dport 5666 -j ACCEPT +-A INPUT -p tcp -m tcp -s 10.3.166.10 --dport 5666 -j ACCEPT # if the blocked_ips is defined - drop them {% if blocked_ips is defined %} @@ -43,10 +43,8 @@ -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT # Allow all netapp traffic --A INPUT -p udp -m udp -s 10.5.88.36 -j ACCEPT --A INPUT -p tcp -m tcp -s 10.5.88.36 -j ACCEPT --A INPUT -p udp -m udp -s 10.5.88.41 -j ACCEPT --A INPUT -p tcp -m tcp -s 10.5.88.41 -j ACCEPT +-A INPUT -p udp -m udp -s 10.3.162.0/24 -j ACCEPT + # Custom Services diff --git a/roles/rsyncd/files/rsyncd.conf.default b/roles/rsyncd/files/rsyncd.conf.default index c1c397817b..a006758a6a 100644 --- a/roles/rsyncd/files/rsyncd.conf.default +++ b/roles/rsyncd/files/rsyncd.conf.default @@ -13,4 +13,4 @@ path = /var/log uid = root gid = root read only = yes -hosts allow = 10.5.126.13 192.168.1.59 10.3.163.39 +hosts allow = 192.168.1.59 10.3.163.39 diff --git a/roles/rsyncd/files/rsyncd.conf.people01.fedoraproject.org b/roles/rsyncd/files/rsyncd.conf.people01.fedoraproject.org index 5110ff60c1..eace3c315a 100644 --- a/roles/rsyncd/files/rsyncd.conf.people01.fedoraproject.org +++ b/roles/rsyncd/files/rsyncd.conf.people01.fedoraproject.org 
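Review bot: The netapp block in the `@@ -43,10 +43,8 @@` hunk now accepts every UDP packet from `10.3.162.0/24`, where the old rules named two hosts, and the TCP rules are removed with no replacement. That widens the trusted source from two addresses to a whole /24 on all UDP ports, and if the storage mounts use TCP (not visible here) that traffic now falls through to whatever follows in the chain. I would keep the rules per host and per protocol, e.g. `-A INPUT -p tcp -m tcp -s <netapp-ip> -j ACCEPT` next to the UDP one (placeholder address), or at least add the TCP counterpart and a comment saying why the full /24 is needed.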
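Review bot: `hosts allow = 192.168.1.59 10.3.163.39` is the only access control visible on this module, which by the context lines serves `/var/log` with `uid = root`. An rsync daemon module without `auth users` is unauthenticated and the transfer is not encrypted, so anything able to source traffic from those two addresses can read every log file on the host. Consider adding `auth users` with a `secrets file` to the module, or a comment stating that the port 873 iptables rule is the intended second layer. The module header is outside the hunk, so check whether such settings already exist above; the same applies to the log modules in the people01, sundries and download.j2 hunks.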
@@ -13,7 +13,7 @@ path = /var/log uid = root gid = root read only = yes -hosts allow = 10.5.126.13 192.168.1.59 +hosts allow = 10.3.163.39 192.168.1.59 [people-repos] comment = repos.fedorapeople.org content diff --git a/roles/rsyncd/files/rsyncd.conf.sundries b/roles/rsyncd/files/rsyncd.conf.sundries index f978e4de9f..cafa6995c6 100644 --- a/roles/rsyncd/files/rsyncd.conf.sundries +++ b/roles/rsyncd/files/rsyncd.conf.sundries @@ -12,7 +12,7 @@ path = /var/log uid = root gid = root read only = yes -hosts allow = 10.5.126.13 192.168.1.59 10.3.163.39 +hosts allow = 10.3.163.39 192.168.1.59 [docs-old] comment = Old Docs Site @@ -20,7 +20,7 @@ path = /srv/web/docs-old uid = root gid = root read only = yes -hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 +hosts allow = 10.3.160.0/255.255.224.0 [docs] comment = Docs Site @@ -28,7 +28,7 @@ path = /srv/docs uid = root gid = root read only = yes -hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 +hosts allow = 10.3.160.0/255.255.224.0 [membership-map] comment = Ambassadors Membership Map @@ -36,7 +36,7 @@ path = /srv/web/membership-map uid = root gid = root read only = yes -hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 +hosts allow = 10.3.160.0/255.255.224.0 [review-stats] comment = Package Review Stats @@ -44,7 +44,7 @@ path = /srv/web/review-stats uid = root gid = root read only = yes -hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 +hosts allow = 10.3.160.0/255.255.224.0 [gather-easyfix] comment = Gather easyfix available in Fedora 
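Review bot: From the `@@ -20,7 +20,7 @@` hunk onward, every content module in rsyncd.conf.sundries now allows only `10.3.160.0/255.255.224.0` and drops `192.168.0.0/255.255.0.0`, while the `[log]` module in the same file and the group_vars firewall rules still list `192.168.1.59`, so the 192.168 range appears to be in use still. Any client that pulled these modules over that range will now be refused; if that is intended, say so in the commit message. The remaining mask covers 10.3.160.0 to 10.3.191.255, which is wider than the two /24s it replaces and may take in networks that previously had to be listed individually, so it is worth narrowing to the subnets that actually sync. The identical line is repeated in every remaining sundries hunk; generating the file from a template with one allow-list variable would keep the modules from drifting apart.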
@@ -52,7 +52,7 @@ path = /srv/web/easyfix uid = root gid = root read only = yes -hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 +hosts allow = 10.3.160.0/255.255.224.0 [fedoraproject.org] comment = fedoraproject.org @@ -60,7 +60,7 @@ path = /srv/web/fedoraproject.org uid = root gid = root read only = yes -hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 +hosts allow = 10.3.160.0/255.255.224.0 [spins.fedoraproject.org] comment = spins.fedoraproject.org @@ -68,7 +68,7 @@ path = /srv/web/spins.fedoraproject.org uid = root gid = root read only = yes -hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 +hosts allow = 10.3.160.0/255.255.224.0 [talk.fedoraproject.org] comment = talk.fedoraproject.org @@ -76,7 +76,7 @@ path = /srv/web/talk.fedoraproject.org uid = root gid = root read only = yes -hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 +hosts allow = 10.3.160.0/255.255.224.0 [start.fedoraproject.org] comment = start.fedoraproject.org @@ -84,7 +84,7 @@ path = /srv/web/start.fedoraproject.org uid = root gid = root read only = yes -hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 +hosts allow = 10.3.160.0/255.255.224.0 [mirrors.fedoraproject.org] comment = mirrors.fedoraproject.org @@ -92,7 +92,7 @@ path = /srv/web/mirrors.fedoraproject.org uid = root gid = root read only = yes -hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 +hosts allow = 10.3.160.0/255.255.224.0 [fedoracommunity.org] comment = fedoracommunity.org 
@@ -100,7 +100,7 @@ path = /srv/web/fedoracommunity.org uid = root gid = root read only = yes -hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 +hosts allow = 10.3.160.0/255.255.224.0 [fudcon.fedoraproject.org] comment = fudcon.fedoraproject.org @@ -108,7 +108,7 @@ path = /srv/web/fudcon.fedoraproject.org uid = root gid = root read only = yes -hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 +hosts allow = 10.3.160.0/255.255.224.0 [flocktofedora.org] comment = flocktofedora.org @@ -116,7 +116,7 @@ path = /srv/web/flocktofedora.org uid = root gid = root read only = yes -hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 +hosts allow = 10.3.160.0/255.255.224.0 [getfedora.org] comment = getfedora.org @@ -124,7 +124,7 @@ path = /srv/websites/getfedora.org uid = root gid = root read only = yes -hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 +hosts allow = 10.3.160.0/255.255.224.0 [labs.fedoraproject.org] comment = labs.fedoraproject.org @@ -132,7 +132,7 @@ path = /srv/web/labs.fedoraproject.org uid = root gid = root read only = yes -hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 +hosts allow = 10.3.160.0/255.255.224.0 [budget.fedoraproject.org] comment = budget.fedoraproject.org @@ -140,7 +140,7 @@ path = /srv/web/budget.fedoraproject.org uid = root gid = root read only = yes -hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 +hosts allow = 10.3.160.0/255.255.224.0 [arm.fedoraproject.org] comment = arm.fedoraproject.org 
@@ -148,7 +148,7 @@ path = /srv/web/arm.fedoraproject.org uid = root gid = root read only = yes -hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 +hosts allow = 10.3.160.0/255.255.224.0 [iot.fedoraproject.org] comment = iot.fedoraproject.org @@ -156,7 +156,7 @@ path = /srv/web/iot.fedoraproject.org uid = root gid = root read only = yes -hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 +hosts allow = 10.3.160.0/255.255.224.0 [developer.fedoraproject.org] comment = developer.fedoraproject.org @@ -164,7 +164,7 @@ path = /srv/web/developer.fedoraproject.org uid = root gid = root read only = yes -hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 +hosts allow = 10.3.160.0/255.255.224.0 [codecs.fedoraproject.org] comment = codecs.fedoraproject.org @@ -172,7 +172,7 @@ path = /srv/web/codecs.fedoraproject.org uid = root gid = root read only = yes -hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 +hosts allow = 10.3.160.0/255.255.224.0 [alt.fedoraproject.org] comment = alt.fedoraproject.org @@ -180,7 +180,7 @@ path = /srv/web/alt.fedoraproject.org uid = root gid = root read only = yes -hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 +hosts allow = 10.3.160.0/255.255.224.0 [fmw] comment = fmw @@ -188,7 +188,7 @@ path = /srv/web/fmw uid = root gid = root read only = yes -hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 +hosts allow = 10.3.160.0/255.255.224.0 [registry-signatures] comment = registry-signatures 
@@ -196,7 +196,7 @@ path = /srv/web/registry-signatures uid = root gid = root read only = yes -hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 +hosts allow = 10.3.160.0/255.255.224.0 [registry-index] comment = registry-index @@ -204,7 +204,7 @@ path = /var/lib/reg-server/static/ uid = root gid = root read only = yes -hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 +hosts allow = 10.3.160.0/255.255.224.0 [regindexer] comment = regindexer @@ -212,7 +212,7 @@ path = /var/lib/regindexer/ uid = root gid = root read only = yes -hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 +hosts allow = 10.3.160.0/255.255.224.0 [docs-redirects] comment = Docs Site Redirects @@ -220,4 +220,4 @@ path = /srv/web/docs-redirects uid = root gid = root read only = yes -hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 +hosts allow = 10.3.160.0/255.255.224.0 diff --git a/roles/rsyncd/templates/rsyncd.conf.download.j2 b/roles/rsyncd/templates/rsyncd.conf.download.j2 index 026525928a..6610dcaa81 100644 --- a/roles/rsyncd/templates/rsyncd.conf.download.j2 +++ b/roles/rsyncd/templates/rsyncd.conf.download.j2 @@ -172,5 +172,5 @@ refuse options = checksum uid = root gid = root read only = yes - hosts allow = 10.5.126.13 + hosts allow = 10.3.163.39 list = no