infra-docs-fpo/modules/sysadmin_guide/pages/bastion-hosts-info.adoc

= Fedora Bastion Hosts

== Contact Information

Owner::
  sysadmin-main
Contact::
  admin@fedoraproject.org
Location::
  rdu3
Servers::
  bastion01, bastion02
Purpose::
  background and description of bastion hosts and their unique issues.

== Description

There are 2 primary bastion hosts in the _rdu3_ datacenter. One will be
active at any given time and the second will be a hot spare, ready to
take over. Switching between bastion hosts is currently a manual process
that requires changes in ansible.

All of the bastion hosts have an external IP that is mapped into them.
The reverse dns for these IPs is controlled by RHIT, so any changes must
be carefully coordinated.

The active bastion host performs the following functions:

* Outgoing smtp from fedora servers. This includes email aliases,
mailing list posts, build and commit notices, mailing list posts, etc.

* Incoming smtp from servers in _rdu3_ or on the fedora vpn. Incoming mail
directly from the outside is NOT accepted or forwarded.

* ssh access to all _rdu3/vpn_ connected servers.

* openvpn hub. This is the hub that all vpn clients connect to and talk
to each other via. Taking down or stopping this service will be a major
outage of services as all proxy and app servers use the vpn to talk to
each other.

When rebuilding these machines, care must be taken to match up the dns
names externally, and to preserve the ssh host keys.
Added the infra SOPs ported to asciidoc. 2021-07-26 10:39:47 +02:00			`= Fedora Bastion Hosts`

Review bastio-hosts-info SOP Signed-off-by: Michal Konečný <mkonecny@redhat.com> 2021-08-17 14:45:42 +02:00			`== Contact Information`

			`Owner::`
			`sysadmin-main`
			`Contact::`
			`admin@fedoraproject.org`
			`Location::`
DC move: iad => rdu3, 10.3. => 10.16. And remove some obsolete things. Signed-off-by: Nils Philippsen <nils@redhat.com> 2025-07-04 11:55:02 +02:00			`rdu3`
Review bastio-hosts-info SOP Signed-off-by: Michal Konečný <mkonecny@redhat.com> 2021-08-17 14:45:42 +02:00			`Servers::`
			`bastion01, bastion02`
			`Purpose::`
			`background and description of bastion hosts and their unique issues.`

Added the infra SOPs ported to asciidoc. 2021-07-26 10:39:47 +02:00			`== Description`

DC move: iad => rdu3, 10.3. => 10.16. And remove some obsolete things. Signed-off-by: Nils Philippsen <nils@redhat.com> 2025-07-04 11:55:02 +02:00			`There are 2 primary bastion hosts in the _rdu3_ datacenter. One will be`
Added the infra SOPs ported to asciidoc. 2021-07-26 10:39:47 +02:00			`active at any given time and the second will be a hot spare, ready to`
			`take over. Switching between bastion hosts is currently a manual process`
			`that requires changes in ansible.`

			`All of the bastion hosts have an external IP that is mapped into them.`
			`The reverse dns for these IPs is controlled by RHIT, so any changes must`
			`be carefully coordinated.`

			`The active bastion host performs the following functions:`

			`* Outgoing smtp from fedora servers. This includes email aliases,`
			`mailing list posts, build and commit notices, mailing list posts, etc.`
Review bastio-hosts-info SOP Signed-off-by: Michal Konečný <mkonecny@redhat.com> 2021-08-17 14:45:42 +02:00
DC move: iad => rdu3, 10.3. => 10.16. And remove some obsolete things. Signed-off-by: Nils Philippsen <nils@redhat.com> 2025-07-04 11:55:02 +02:00			`* Incoming smtp from servers in _rdu3_ or on the fedora vpn. Incoming mail`
Added the infra SOPs ported to asciidoc. 2021-07-26 10:39:47 +02:00			`directly from the outside is NOT accepted or forwarded.`
Review bastio-hosts-info SOP Signed-off-by: Michal Konečný <mkonecny@redhat.com> 2021-08-17 14:45:42 +02:00
DC move: iad => rdu3, 10.3. => 10.16. And remove some obsolete things. Signed-off-by: Nils Philippsen <nils@redhat.com> 2025-07-04 11:55:02 +02:00			`* ssh access to all _rdu3/vpn_ connected servers.`
Review bastio-hosts-info SOP Signed-off-by: Michal Konečný <mkonecny@redhat.com> 2021-08-17 14:45:42 +02:00
Added the infra SOPs ported to asciidoc. 2021-07-26 10:39:47 +02:00			`* openvpn hub. This is the hub that all vpn clients connect to and talk`
			`to each other via. Taking down or stopping this service will be a major`
			`outage of services as all proxy and app servers use the vpn to talk to`
			`each other.`

			`When rebuilding these machines, care must be taken to match up the dns`
			`names externally, and to preserve the ssh host keys.`