Ticket: i24-06-04_017 #64

Open
opened 2024-06-04 11:25:39 +00:00 by silver · 10 comments
silver commented 2024-06-04 11:25:39 +00:00 (Migrated from gitlab.skynet.ie)

Ticket ID

i24-06-04_017

Hi there,

Looking to get a few more ports added to the whitelist for the skynet
servers.
Please find attached the updated CSV of our network ports.

IP: 193.1.99.76
Ports: 4190
Reason: Email sieve to allow members to add email filters to their
skynet mail.

IP: 193.1.99.82
Ports: 80/443
Reason: Public services such as a binary cache, open governance and
keyserver.

IP: 193.1.99.90
Ports: 8080
Reason: There is a websocket on this port that is used for the config panel

Additionally we are currently setting up metrics collection and as ye
know one of our servers (193.1.96.165) is in a separate subnet with
limited access from the rest of the cluster.
Would it be possible to allow 193.1.99.74 access to ports 9000-9020 on
193.1.96.165 (the same way 193.1.99.78 has access to 22 on 193.1.96.165
to allow updating)

Thank you,
Brendan.
Skynet Sysadmin.
silver commented 2024-06-04 11:25:39 +00:00 (Migrated from gitlab.skynet.ie)

assigned to @silver

silver commented 2024-06-04 11:26:20 +00:00 (Migrated from gitlab.skynet.ie)

marked this issue as related to #30

silver commented 2024-06-04 11:26:31 +00:00 (Migrated from gitlab.skynet.ie)

removed the relation with #30

silver commented 2024-06-04 11:27:12 +00:00 (Migrated from gitlab.skynet.ie)

marked this issue as related to #30

silver commented 2024-06-04 11:27:47 +00:00 (Migrated from gitlab.skynet.ie)

marked this issue as related to #63

silver commented 2024-06-04 11:29:05 +00:00 (Migrated from gitlab.skynet.ie)

marked this issue as related to #57

silver commented 2024-06-04 11:29:16 +00:00 (Migrated from gitlab.skynet.ie)

marked this issue as related to #58

silver commented 2024-06-04 11:31:05 +00:00 (Migrated from gitlab.skynet.ie)

marked this issue as related to #65

silver commented 2024-06-16 10:46:47 +00:00 (Migrated from gitlab.skynet.ie)

Not everything got completed; some stuff is still pending

Closes #30
Closes #57

#63 and #65 are going to be reviewed on Monday

silver commented 2024-06-16 10:59:57 +00:00 (Migrated from gitlab.skynet.ie)
14/06/2024 12:01 PM Martin Moran:
Hi Brendan,

I made the changes there from external for the below two servers.
We left the 193.1.99.90 of the other change control for now. This port is down for the config panel. For management ports these shouldn't be made externally accessible.
Can this be accessed via the MFA ssl vpn or just on campus? Just need some additional information before logging a change control.

IP: 193.1.99.76
Ports: 4190
Reason: Email sieve to allow members to add email filters to their
skynet mail.

IP: 193.1.99.82
Ports: 80/443
Reason: Public services such as a binary cache, open governance and
keyserver.

Thanks
Martin

14/06/2024 12:06 PM Martin Moran:
Also will log a separate change control for this part also.
Do you have an application name that will be doing the metrics collection and some information that is being collected.
need 2 or 3 lines for the change control.

Additionally we are currently setting up metrics collection and as ye
know one of our servers (193.1.96.165) is in a separate subnet with
limited access from the rest of the cluster.
Would it be possible to allow 193.1.99.74 access to ports 9000-9020 on
193.1.96.165 (the same way 193.1.99.78 has access to 22 on 193.1.96.165
to allow updating)

Thanks
Martin

Hi Martin,

For the logging:
* Allow 193.1.99.83 access to ports 9000-9010 on 193.1.96.165
   * Was .74 -> .165 in original request
* Open ports 80/443 on 193.1.99.83
   * Was using .74 as a test setup to see what works so properly set it up in its own space.

We are using Prometheus to capture metrics and logging to export to our grafana instance.
The types of logs captured are initially done by node_exporter (https://github.com/prometheus/node_exporter), which captures everything from CPU usage to disk space.
Without this data we are in the dark about any potential issues that may develop (such as sudden changes in disk space indicating something in need of investigation).
There are more exporters we will be able to use as well, such as nginx for network traffic and ssh logins (and failures); each of these requires its own port, which is why we are requesting a range.

For 193.1.99.90
* Open port 8080 on 193.1.99.90
   * I forgot to expand out the original comment to say that it is the config/management for game servers.

This is a config panel for minecraft/game servers, the websocket is to allow authenticated users to see (game) server stats in the webGUI.
As for why it would not be great to have it on-campus only: we host game servers for other societies and they manage their own servers.
The webGUI allows starting, stopping and restarting game servers but no access to the underlying system.

And since a new ticket is going to be opened may as well throw in a small bit of cleanup.
* Close port 25565 on 193.1.99.112.
   * This used to be the games server and we just finished migrating minecraft servers across to our new setup.

Brendan.
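As an added example (not code from this ticket or from the Skynet project), here is a small Python script that models an allow-list request like the one in this thread and applies the check Martin raised: a management port should not be reachable from any source, and a port range should come with a named source rather than being opened to everyone. The CSV layout (ip, ports, source, role, reason) is assumed, since the ticket mentions an attached CSV but does not show its format; the sample rows are constructed from the requests above, and the nftables rendering is one possible way to express the resulting rules.

```python
"""Review a firewall allow-list request of the kind discussed in this ticket.

Added example, not the ticket's or the Skynet project's own code. The CSV
columns (ip, ports, source, role, reason) are an assumed layout.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass

# Constructed sample rows modelled on the requests in the ticket.
SAMPLE_CSV = """\
ip,ports,source,role,reason
193.1.99.76,4190,any,public,Email sieve for member mail filters
193.1.99.82,80/443,any,public,Binary cache / governance / keyserver
193.1.99.90,8080,any,management,Websocket for game-server config panel
193.1.96.165,9000-9010,193.1.99.83,management,Prometheus exporters scraped from .83
193.1.96.165,22,193.1.99.78,management,SSH for updates
"""


@dataclass(frozen=True)
class Rule:
    dst: str        # destination host
    ports: tuple    # sorted tuple of (low, high) port pairs
    src: str        # "any" or an IP/CIDR allowed to reach dst
    role: str       # "public" or "management"
    reason: str


def parse_ports(spec):
    """'80/443' -> ((80, 80), (443, 443)); '9000-9010' -> ((9000, 9010),)."""
    out = []
    for part in spec.split("/"):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not (0 < lo <= hi <= 65535):
            raise ValueError(f"bad port spec {spec!r}")
        out.append((lo, hi))
    return tuple(sorted(out))


def parse_rules(text):
    """Parse the CSV into Rule objects, rejecting malformed addresses and roles."""
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        ipaddress.ip_address(row["ip"])            # raises on a malformed address
        src = row["source"].strip()
        if src != "any":
            ipaddress.ip_network(src, strict=False)  # single host or CIDR
        if row["role"] not in ("public", "management"):
            raise ValueError(f"unknown role {row['role']!r}")
        rules.append(Rule(row["ip"], parse_ports(row["ports"]), src,
                          row["role"], row["reason"]))
    return rules


def fmt_ports(ports):
    return "/".join(f"{lo}" if lo == hi else f"{lo}-{hi}" for lo, hi in ports)


def review(rules):
    """Return human-readable findings for rules that need a second look:
    management-role ports open to any source, and port ranges with no
    named source (a range opened to everyone is hard to justify)."""
    findings = []
    for r in rules:
        if r.role == "management" and r.src == "any":
            findings.append(f"{r.dst} {fmt_ports(r.ports)}: "
                            "management port exposed to any source")
        for lo, hi in r.ports:
            if lo != hi and r.src == "any":
                findings.append(f"{r.dst} {lo}-{hi}: "
                                "port range open to any source, name the peer")
    return findings


def to_nft(rules):
    """Render each rule as an nftables accept line (tcp, inet family)."""
    lines = []
    for r in rules:
        for lo, hi in r.ports:
            port = str(lo) if lo == hi else f"{lo}-{hi}"
            src = "" if r.src == "any" else f"ip saddr {r.src} "
            lines.append(f"{src}ip daddr {r.dst} tcp dport {port} accept "
                         f"comment \"{r.reason}\"")
    return lines


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_CSV)
    for finding in review(parsed):
        print("REVIEW:", finding)
    print("\n".join(to_nft(parsed)))
```

Run against the constructed sample, the only finding is the 8080 config panel on 193.1.99.90 with source "any", which is the rule Martin held back pending clarification; the 9000-9010 range passes because it names 193.1.99.83 as the only allowed source, mirroring the existing .78 to .165 port 22 rule.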
Reference: Skynet/nixos#64