Better diag for Gerrit server connection limit

In order to limit impact to Gerrit's embedded sshd from runaway
automated systems, we employ a concurrent connection limit. Having
the ability to diagnose that limit when users may be encountering it
is necessary. To that end, add a logging rule matching the
connection limit rule, and install an additional administrative tool
capable of interfacing with the kernel's connection tracking
feature.

Change-Id: If5e61bb34cbe2f9fe0c2db9b923842428771c5f0
Jeremy Stanley 2023-02-07 17:52:07 +00:00
parent 4a67a684bc
commit 770d5a48bb
2 changed files with 7 additions and 0 deletions
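As an added example (not code from this commit or from the repository it belongs to), the helpers below show how an operator on the Gerrit host could read the two sources of evidence this change provides: the kernel log lines the new LOG rule emits for SYNs to port 29418 above the connlimit threshold, and the `conntrack -L` listing of tracked connections to that port, which is what the newly installed `conntrack` package makes available. The kernel log line layout and the `conntrack -L` column layout used in the constructed samples are assumptions based on the usual iptables LOG target and conntrack-tools output; the addresses are RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example, not part of the commit above. All sample data is constructed.

# Constructed kernel log lines in the layout the iptables LOG target produces
# (no --log-prefix, matching the rule as committed). A SYN to port 22 and an
# unrelated kernel message are included to show they are ignored.
SAMPLE_KERNEL_LOG='Feb  7 17:52:07 review kernel: [1234.5] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=51234 DPT=29418 WINDOW=64240 RES=0x00 SYN URGP=0
Feb  7 17:52:07 review kernel: [1234.6] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=51235 DPT=29418 WINDOW=64240 RES=0x00 SYN URGP=0
Feb  7 17:52:08 review kernel: [1235.1] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.9 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=40001 DPT=29418 WINDOW=64240 RES=0x00 SYN URGP=0
Feb  7 17:52:08 review kernel: [1235.4] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.9 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=40002 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Feb  7 17:52:09 review kernel: [1236.0] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=51236 DPT=29418 WINDOW=64240 RES=0x00 SYN URGP=0
Feb  7 17:52:10 review kernel: [1237.0] eth0: link is up'

# Constructed `conntrack -L` lines (assumed layout: proto, proto number,
# timeout, TCP state, then the original-direction tuple). One TIME_WAIT entry
# and one connection to port 22 are included to show the filters.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=203.0.113.5 dst=198.51.100.10 sport=51200 dport=29418 src=198.51.100.10 dst=203.0.113.5 sport=29418 dport=51200 [ASSURED] mark=0 use=1
tcp      6 431998 ESTABLISHED src=203.0.113.5 dst=198.51.100.10 sport=51201 dport=29418 src=198.51.100.10 dst=203.0.113.5 sport=29418 dport=51201 [ASSURED] mark=0 use=1
tcp      6 119 TIME_WAIT src=203.0.113.5 dst=198.51.100.10 sport=51199 dport=29418 src=198.51.100.10 dst=203.0.113.5 sport=29418 dport=51199 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.9 dst=198.51.100.10 sport=40100 dport=29418 src=198.51.100.10 dst=192.0.2.9 sport=29418 dport=40100 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.9 dst=198.51.100.10 sport=40101 dport=22 src=198.51.100.10 dst=192.0.2.9 sport=22 dport=40101 [ASSURED] mark=0 use=1'

# connlimit_top [logfile...]: count SYNs to port 29418 that the LOG rule
# recorded, per source address, busiest source first. Reads stdin when no
# file is given, so `journalctl -k | connlimit_top` works on a live host.
connlimit_top() {
    awk '
        /PROTO=TCP/ && /DPT=29418/ && / SYN / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { src = substr($i, 5); count[src]++ }
        }
        END { for (s in count) print count[s], s }
    ' "$@" | sort -rn
}

# conntrack_top [STATE]: count tracked TCP connections to port 29418 per
# source address from `conntrack -L` output on stdin, optionally restricted
# to one TCP state (e.g. ESTABLISHED). Comparing these counts with the
# rule's --connlimit-above value shows who is close to, or at, the limit.
conntrack_top() {
    want="${1:-}"
    awk -v want="$want" '
        $1 == "tcp" && $8 == "dport=29418" && (want == "" || $4 == want) {
            src = substr($5, 5); count[src]++
        }
        END { for (s in count) print count[s], s }
    ' | sort -rn
}

# Stand-alone demonstration on the constructed data.
echo "over-limit SYNs per source (kernel log):"
printf '%s\n' "$SAMPLE_KERNEL_LOG" | connlimit_top
echo "established connections to 29418 per source (conntrack -L):"
printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_top ESTABLISHED
```

On the real host the same functions would be fed by `journalctl -k` (or the kernel log file in use) and by `conntrack -L -p tcp --dport 29418`; the first tells you which clients have been hitting the limit, the second whether they are still holding connections open right now.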


@ -1,6 +1,7 @@
exim_extra_aliases: exim_extra_aliases:
gerrit2: root gerrit2: root
iptables_rules: iptables_rules:
- -p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j LOG
- -p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT - -p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT
iptables_extra_public_tcp_ports: iptables_extra_public_tcp_ports:
- 80 - 80
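Review bot: the new `-j LOG` rule has no `--log-prefix`, so its kernel log lines are indistinguishable from any other LOG target's output and harder to grep or alert on; consider `-j LOG --log-prefix "gerrit-connlimit: "`. The same line is also unrated: it fires on every SYN over the limit, so a runaway client that keeps reconnecting can fill the kernel log, and adding `-m limit --limit 5/min --limit-burst 10` before `-j LOG` keeps the diagnostic useful without the flood. The ordering is right as-is, since LOG is non-terminating and the REJECT on the following line still applies.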


@ -333,3 +333,9 @@
- name: Setup db backups - name: Setup db backups
include_tasks: backup.yaml include_tasks: backup.yaml
# This is handy to have for inspecting the firewall's connection tracking.
- name: Install conntrack
package:
name: conntrack
state: present
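Review bot: the `name: conntrack` package name is the Debian/Ubuntu one; because the task uses the distribution-agnostic `package` module, it would fail on a RHEL-family host, where the tool ships as `conntrack-tools`. If this file only ever targets Ubuntu that is fine, but the comment above the task could say so, and it could also state which command the tool is meant for (for example `conntrack -L -p tcp --dport 29418` to list the connections the connlimit rule in the other file is counting), so the link to the diagnosis described in the commit message survives for the next reader.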