Review openvpn SOP
Signed-off-by: Michal Konečný <mkonecny@redhat.com>
parent
61955e9fbf
commit
3b483e7cd3
2 changed files with 16 additions and 14 deletions
|
@ -82,7 +82,7 @@
|
|||
** xref:odcs.adoc[On Demand Compose Service - SOP]
|
||||
** xref:openqa.adoc[OpenQA Infrastructure - SOP]
|
||||
** xref:openshift.adoc[OpenShift - SOP]
|
||||
** xref:openvpn.adoc[openvpn - SOP in review ]
|
||||
** xref:openvpn.adoc[OpenVPN - SOP]
|
||||
** xref:outage.adoc[outage - SOP in review ]
|
||||
** xref:packagedatabase.adoc[packagedatabase - SOP in review ]
|
||||
** xref:packagereview.adoc[packagereview - SOP in review ]
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
OpenVPN is our server->server VPN solution. It is deployed in a
|
||||
routeless manner and uses ansible managed keys for authentication. All
|
||||
hosts should be given static IP's and a hostname.vpn.fedoraproject.org
|
||||
hosts should be given static IP's and a _hostname.vpn.fedoraproject.org_
|
||||
DNS address.
|
||||
|
||||
== Contact Information
|
||||
|
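Review bot: On the changed line, `_hostname.vpn.fedoraproject.org_` is marked up as italic, while a later hunk in this same file marks `/etc/resolv.conf` with backticks; pick one convention for literal names so that hostnames and paths render the same way. Since the line is being touched anyway, "static IP's" should be "static IPs".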
@ -11,8 +11,6 @@ Owner::
|
|||
Fedora Infrastructure Team
|
||||
Contact::
|
||||
#fedora-admin, sysadmin-main
|
||||
Location::
|
||||
Phoenix
|
||||
Servers::
|
||||
bastion (vpn.fedoraproject.org)
|
||||
Purpose::
|
||||
|
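Review bot: The `Location::` / `Phoenix` entry in the contact block appears to be dropped outright (the hunk header goes from 8 lines to 6), while every other hunk in this commit replaces PHX/PHX2 with IAD2. If the location of bastion is still useful to an on-call reader, update the value instead of removing the field; if the field is being retired on purpose, say so in the commit message, which currently only reads "Review openvpn SOP".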
@ -34,7 +32,7 @@ cd ansible-private/vpn/openvpn
|
|||
....
|
||||
|
||||
Next prepare your environment and run the build-key script. This example
|
||||
is for host "proxy4.fedora.phx.redhat.com":
|
||||
is for host "proxy4.fedora.iad2.redhat.com":
|
||||
|
||||
....
|
||||
. ./vars
|
||||
|
@ -102,7 +100,7 @@ sudo -i ansible ns\* -a "/usr/local/bin/update-dns"
|
|||
=== Update resolv.conf on the client
|
||||
|
||||
To make sure traffic actually goes over the VPN, make sure the search
|
||||
line in /etc/resolv.conf looks like:
|
||||
line in `/etc/resolv.conf` looks like:
|
||||
|
||||
....
|
||||
search vpn.fedoraproject.org fedoraproject.org
|
||||
|
@ -111,20 +109,24 @@ search vpn.fedoraproject.org fedoraproject.org
|
|||
for external hosts and:
|
||||
|
||||
....
|
||||
search phx2.fedoraproject.org vpn.fedoraproject.org fedoraproject.org
|
||||
search iad2.fedoraproject.org vpn.fedoraproject.org fedoraproject.org
|
||||
....
|
||||
|
||||
for PHX2 hosts.
|
||||
for IAD2 hosts.
|
||||
|
||||
== Remove a host
|
||||
|
||||
::::
|
||||
# This is to ensure that the clone is not world-readable at any point.
|
||||
RESTORE_UMASK=$(umask -p) umask 0077 git clone
|
||||
/srv/git/ansible-private $RESTORE_UMASK cd private/vpn/openvpn
|
||||
....
|
||||
# This is to ensure that the clone is not world-readable at any point.
|
||||
RESTORE_UMASK=$(umask -p)
|
||||
umask 0077
|
||||
git clone /srv/git/ansible-private
|
||||
$RESTORE_UMASK
|
||||
cd ansible-private/vpn/openvpn
|
||||
....
|
||||
|
||||
Next prepare your environment and run the build-key script. This example
|
||||
is for host "proxy4.fedora.phx.redhat.com":
|
||||
is for host "proxy4.fedora.iad2.redhat.com":
|
||||
|
||||
....
|
||||
. ./vars
|
||||
|
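Review bot: Under `== Remove a host`, the lead-in sentence still reads "run the build-key script", the same wording used for the add-host steps in the earlier hunk; since this sentence is being edited for the hostname anyway, check that it names the script the removal procedure actually runs, so an operator following the SOP literally does not build a key when the intent is to remove a host. Separately, in the reflowed clone block, `$RESTORE_UMASK` depends on the output of bash's `umask -p` being re-executed as a command; running `umask 0077` and `git clone /srv/git/ansible-private` inside a subshell would restore the umask automatically and would not depend on bash.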
@ -136,6 +138,6 @@ git push
|
|||
|
||||
== TODO
|
||||
|
||||
Deploy an additional VPN server outside of PHX. OpenVPN does support
|
||||
Deploy an additional VPN server outside of IAD2. OpenVPN does support
|
||||
failover automatically so if configured properly, when the primary VPN
|
||||
server goes down all hosts should connect to the next host in the list.
|
||||
|
|