Block port 2181 on zookeeper hosts

We keep port 2181 listening in zookeeper so that we can easily use the
zkshell tool to debug and navigate the database. But now that all zuul
and nodepool nodes are using tls we don't need to expose this insecure
port publicly.

Change-Id: I2a5ab8a9aee8f2739953e859ea52e6e9fd440790
Clark Boylan 2020-09-09 15:31:47 -07:00
parent 1ea83138ef
commit 1bff2f9fca


@ -3,9 +3,6 @@ zookeeper_group: zookeeper
zookeeper_uid: 10001
zookeeper_gid: 10001
iptables_extra_allowed_groups:
# Insecure
- {'protocol': 'tcp', 'port': '2181', 'group': 'nodepool'}
- {'protocol': 'tcp', 'port': '2181', 'group': 'zuul'}
# Secure
- {'protocol': 'tcp', 'port': '2281', 'group': 'nodepool'}
- {'protocol': 'tcp', 'port': '2281', 'group': 'zuul'}
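
Review bot: in iptables_extra_allowed_groups, once the "# Insecure" comment and the two port 2181 entries are gone, the remaining "# Secure" comment has nothing to contrast with, and the file no longer records that 2181 is still listening and is deliberately absent from the allow list. Consider replacing it with a comment along the lines of "2181 (plaintext) still listens for local zkshell debugging and is intentionally not allowed here; clients use TLS on 2281", so the rule is not re-added later by mistake. Note also that the change only protects 2181 if the base firewall policy rejects ports that are not listed, which is not visible in this hunk and is worth stating in the commit message or the comment.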