= Fedora Bastion Hosts

== Description

There are 2 primary bastion hosts in the phx2 datacenter. One will be
active at any given time and the second will be a hot spare, ready to
take over. Switching between bastion hosts is currently a manual process
that requires changes in ansible.

There is also a bastion-comm01 bastion host for the qa.fedoraproject.org
network. This is used in cases where users only need to access resources
in the qa.fedoraproject.org network.

All of the bastion hosts have an external IP that is mapped into them.
The reverse dns for these IPs is controlled by RHIT, so any changes must
be carefully coordinated.

The active bastion host performs the following functions:

* Outgoing smtp from fedora servers. This includes email aliases,
mailing list posts, build and commit notices, etc.
* Incoming smtp from servers in phx2 or on the fedora vpn. Incoming mail
directly from the outside is NOT accepted or forwarded.
* ssh access to all phx2/vpn connected servers.
* openvpn hub. This is the hub that all vpn clients connect to and talk
to each other via. Taking down or stopping this service will be a major
outage of services as all proxy and app servers use the vpn to talk to
each other.

When rebuilding these machines, care must be taken to match up the dns
names externally, and to preserve the ssh host keys.
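The host-key requirement above is easy to verify after a rebuild: take a `known_hosts`-style snapshot of each bastion's keys before the rebuild, run `ssh-keyscan` against the rebuilt hosts afterwards, and compare. The script below is an added example, not part of the Fedora infrastructure documentation or its ansible code. The host names (`bastion01.phx2.example`, `bastion02.phx2.example`, `bastion-comm01.qa.example`) and the key material are constructed placeholders; the fingerprint format matches what `ssh-keygen -lf` prints (`SHA256:` plus unpadded base64), so a changed key can be spotted at a glance on the console.

```python
"""Compare preserved SSH host keys against a post-rebuild keyscan.

Added example for the bastion rebuild note: a bastion that comes back with
new host keys will trip every client's known_hosts check and looks exactly
like a man-in-the-middle, so the keys must be carried over and then verified.
"""
import base64
import hashlib


def parse_known_hosts(text):
    """Parse plain (unhashed) known_hosts lines into {(host, keytype): blob}.

    Lines have the form "host1,host2 keytype base64blob [comment]".  A leading
    "@marker" (e.g. @cert-authority) is skipped; hashed "|1|" hosts are not
    expanded, since the comparison needs the literal host name.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].startswith("@"):
            parts = parts[1:]
        if len(parts) < 3:
            continue
        hosts, keytype, blob = parts[0], parts[1], parts[2]
        for host in hosts.split(","):
            entries[(host, keytype)] = blob
    return entries


def fingerprint(blob_b64):
    """SHA256 fingerprint of a public key blob, as shown by `ssh-keygen -lf`."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def compare_host_keys(baseline_text, current_text):
    """Return which (host, keytype) pairs are unchanged, changed, missing or new.

    "changed" entries carry the old and new fingerprints so the operator can
    confirm against the console before trusting the rebuilt host.
    """
    baseline = parse_known_hosts(baseline_text)
    current = parse_known_hosts(current_text)
    report = {"unchanged": [], "changed": [], "missing": [], "new": []}
    for key, blob in sorted(baseline.items()):
        if key not in current:
            report["missing"].append(key)
        elif current[key] == blob:
            report["unchanged"].append(key)
        else:
            report["changed"].append((key, fingerprint(blob), fingerprint(current[key])))
    for key in sorted(set(current) - set(baseline)):
        report["new"].append(key)
    return report


def _constructed_ed25519_blob(fill):
    """Build a structurally valid ssh-ed25519 wire blob from filler bytes.

    Constructed test data only: the 32 key bytes are a repeated filler value,
    not a real key.  Wire format is string("ssh-ed25519") + string(32 bytes).
    """
    key = bytes([fill]) * 32
    wire = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + key
    return base64.b64encode(wire).decode()


# Constructed sample data.  Host names are placeholders, not the real bastions.
BASELINE_KNOWN_HOSTS = f"""# constructed: snapshot taken before the rebuild
bastion01.phx2.example ssh-ed25519 {_constructed_ed25519_blob(0x01)} root@bastion01
bastion02.phx2.example ssh-ed25519 {_constructed_ed25519_blob(0x02)}
bastion-comm01.qa.example ssh-ed25519 {_constructed_ed25519_blob(0x03)}
"""

CURRENT_KNOWN_HOSTS = f"""# constructed: ssh-keyscan output after the rebuild
bastion01.phx2.example ssh-ed25519 {_constructed_ed25519_blob(0x01)}
bastion02.phx2.example ssh-ed25519 {_constructed_ed25519_blob(0xEE)}
"""


if __name__ == "__main__":
    result = compare_host_keys(BASELINE_KNOWN_HOSTS, CURRENT_KNOWN_HOSTS)
    for host, keytype in result["unchanged"]:
        print(f"OK       {host} ({keytype}) key preserved")
    for (host, keytype), old, new in result["changed"]:
        print(f"CHANGED  {host} ({keytype}) {old} -> {new}")
    for host, keytype in result["missing"]:
        print(f"MISSING  {host} ({keytype}) not reachable or no key returned")
    for host, keytype in result["new"]:
        print(f"NEW      {host} ({keytype}) not in baseline")
```

In practice the baseline would be `/etc/ssh/ssh_host_*_key.pub` copied off the old host (or the `ssh_known_hosts` that ansible distributes), and the current side would be the output of `ssh-keyscan` run against the external DNS names. A `CHANGED` line after a rebuild means the keys were not preserved and every client that connects will see a host-key mismatch; a `MISSING` line usually means the external DNS name does not resolve to the rebuilt host yet, which is the other half of the rebuild check.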