Review bastion-hosts-info SOP

Signed-off-by: Michal Konečný <mkonecny@redhat.com>
Michal Konečný 2021-08-17 14:45:42 +02:00
parent 24014cfe2a
commit 3969182e61
2 changed files with 20 additions and 8 deletions

@ -8,7 +8,7 @@
** xref:archive-old-fedora.adoc[How to Archive Old Fedora Releases - SOP]
** xref:arm.adoc[Fedora ARM Infrastructure - SOP]
** xref:aws-access.adoc[Amazon Web Services Access - SOP]
** xref:bastion-hosts-info.adoc[bastion-hosts-info - SOP in review ]
** xref:bastion-hosts-info.adoc[Fedora Bastion Hosts - SOP]
** xref:blockerbugs.adoc[blockerbugs - SOP in review ]
** xref:bodhi.adoc[bodhi - SOP in review ]
** xref:bugzilla2fedmsg.adoc[bugzilla2fedmsg - SOP in review ]

@ -1,16 +1,25 @@
= Fedora Bastion Hosts
== Contact Information
Owner::
sysadmin-main
Contact::
admin@fedoraproject.org
Location::
iad2
Servers::
bastion01, bastion02
Purpose::
background and description of bastion hosts and their unique issues.
== Description
There are 2 primary bastion hosts in the phx2 datacenter. One will be
There are 2 primary bastion hosts in the _iad2_ datacenter. One will be
active at any given time and the second will be a hot spare, ready to
take over. Switching between bastion hosts is currently a manual process
that requires changes in ansible.
There is also a bastion-comm01 bastion host for the qa.fedoraproject.org
network. This is used in cases where users only need to access resources
in that qa.fedoraproject.org.
All of the bastion hosts have an external IP that is mapped into them.
The reverse dns for these IPs is controlled by RHIT, so any changes must
be carefully coordinated.
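Review bot: The new "Servers::" entry lists only "bastion01, bastion02", while the Description a few lines further down also names bastion-comm01 as a bastion host for the qa.fedoraproject.org network. Either add bastion-comm01 to the Servers entry or state that the Contact Information block covers only the primary pair, so a reader taking the header as the host inventory does not miss a host with an external IP. In the same paragraph, "resources in that qa.fedoraproject.org" is missing a noun; "in the qa.fedoraproject.org network" would read correctly. The "Purpose::" text also starts in lower case, unlike the other entries.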
@ -19,9 +28,12 @@ The active bastion host performs the following functions:
* Outgoing smtp from fedora servers. This includes email aliases,
mailing list posts, build and commit notices, mailing list posts, etc.
* Incoming smtp from servers in phx2 or on the fedora vpn. Incoming mail
* Incoming smtp from servers in _iad2_ or on the fedora vpn. Incoming mail
directly from the outside is NOT accepted or forwarded.
* ssh access to all phx2/vpn connected servers.
* ssh access to all _iad2/vpn_ connected servers.
* openvpn hub. This is the hub that all vpn clients connect to and talk
to each other via. Taking down or stopping this service will be a major
outage of services as all proxy and app servers use the vpn to talk to
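Review bot: In the ssh access bullet the emphasis in "_iad2/vpn_" now covers "vpn" as well as the datacenter name, while the incoming smtp bullet just above emphasises only "_iad2_" and leaves "fedora vpn" plain. Suggest "_iad2_/vpn connected servers" so the datacenter name is marked up the same way throughout. Since this list is being touched anyway, the outgoing smtp bullet repeats "mailing list posts" twice in "mailing list posts, build and commit notices, mailing list posts, etc."; one of the two can be dropped.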