From 770d5a48bb5350b8eb658204934e1a6edccf6f8b Mon Sep 17 00:00:00 2001
From: Jeremy Stanley
Date: Tue, 7 Feb 2023 17:52:07 +0000
Subject: [PATCH] Better diag for Gerrit server connection limit

In order to limit impact to Gerrit's embedded sshd from runaway automated systems, we employ a concurrent connection limit. Having the ability to diagnose that limit when users may be encountering it is necessary. To that end, add a logging rule matching the connection limit rule, and install an additional administrative tool capable of interfacing with the kernel's connection tracking feature.

Change-Id: If5e61bb34cbe2f9fe0c2db9b923842428771c5f0
---
 inventory/service/group_vars/review.yaml | 1 +
 playbooks/roles/gerrit/tasks/main.yaml | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/inventory/service/group_vars/review.yaml b/inventory/service/group_vars/review.yaml
index a24c0dc8d6..fb898758cb 100644
--- a/inventory/service/group_vars/review.yaml
+++ b/inventory/service/group_vars/review.yaml
@@ -1,6 +1,7 @@
 exim_extra_aliases:
   gerrit2: root
 iptables_rules:
+  - -p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j LOG
   - -p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT
 iptables_extra_public_tcp_ports:
   - 80
diff --git a/playbooks/roles/gerrit/tasks/main.yaml b/playbooks/roles/gerrit/tasks/main.yaml
index b7f5fb4386..dfcb220822 100644
--- a/playbooks/roles/gerrit/tasks/main.yaml
+++ b/playbooks/roles/gerrit/tasks/main.yaml
@@ -333,3 +333,9 @@
 
 - name: Setup db backups
   include_tasks: backup.yaml
+
+# This is handy to have for inspecting the firewall's connection tracking.
+- name: Install conntrack
+  package:
+    name: conntrack
+    state: present
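Review bot: The new LOG rule at the top of `iptables_rules` carries neither a `--log-prefix` nor a `-m limit` clause, so every excess SYN from an over-limit client produces an anonymous kernel log entry, and the runaway automated clients this limit exists for are exactly the ones that retry fast enough to turn that into a log flood. I would tag and throttle it, e.g. `- -p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "gerrit-connlimit: "`, which also keeps the entries greppable when an operator goes looking for the offending source. The ordering is correct as written: LOG is non-terminating, so a matching packet still falls through to the REJECT rule below it. Whether the double quotes in the prefix survive the iptables role's templating depends on how that role renders `iptables_rules`, which is outside this hunk; check the rendered rules file after applying.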
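Review bot: The `package` module passes the name through to the distribution's package manager verbatim, and the userspace conntrack CLI is packaged as `conntrack` on Debian/Ubuntu but as `conntrack-tools` on RHEL-family systems, so `name: conntrack` is only portable if this role runs exclusively on Debian-derived hosts, which I cannot confirm from the hunk. If that assumption is deliberate, I would record it in the comment: `# conntrack is the Debian/Ubuntu package name; RHEL-family hosts call it conntrack-tools.` It would also help the next operator to say what the tool is for in practice, e.g. `# e.g. conntrack -L -p tcp --dport 29418 shows which sources hold the connections counted by the connlimit rule.` The task list this hunk appends to begins outside the hunk.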