From f4d43af31244a2fe83d24715ce6b4c7f503a1f97 Mon Sep 17 00:00:00 2001
From: Ian Wienand
Date: Fri, 9 Apr 2021 14:50:20 +1000
Subject: [PATCH] review02: pin ipv6 configuration
As discussed in the thread mentioned inline, this pins the ipv6 configuration to avoid listening to RA's on the review02 server.
Change-Id: I17b0e049fcc1e975e8b4383957b020c11d9b89f0
---
 playbooks/service-review.yaml | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
diff --git a/playbooks/service-review.yaml b/playbooks/service-review.yaml
index 65cb17a484..7505c63f35 100644
--- a/playbooks/service-review.yaml
+++ b/playbooks/service-review.yaml
@@ -24,3 +24,38 @@
 state: present
 key: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVuhTMAz1H2Jr9AC3py9A0vlNna6Sdt4yrvZOayxukPqQ7GPZd+Mo7MVyypxLD479N2mA09JAdsbq1eTiPP8ksEkB+dNxZzw8mY1653R/IXSW6J9xPcoDa88HF2s/xHN24IWzgiDjNNe79AQ+sKleByEQZ++xXny3MRpy258hKUvAtjjOLOnM1PBs8JNOzBL+UPgWRgSX6GG0qywJZqjD1Qx5kvH9RTRLi+tcMhEi4laN7BYvn4csY0sYzTzPG4ZTu3ootIJoRlQGtQ0LmoFO1vSwyEJUags6/ZZGjgy3jl3kwcU/b8ZnFlF4MDw1OB1QqMb4r6bMHbXNIupp4zJbz'
 key_options: 'command="/home/gerrit2/bin/rrsync -ro /home/gerrit2",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'
+
+# NOTE(ianw) 2021-04-09 This is a workaround for RA leaks seen in
+# vexxhost which is currently unresolved. This pins the ipv6 config
+# and ensures we don't listen to RA's. See:
+# http://lists.opendev.org/pipermail/service-discuss/2021-April/000200.html
+# https://launchpad.net/bugs/1844712
+- hosts: "review02.opendev.org"
+ tasks:
+ - name: Install RA rejection
+ copy:
+ dest: '/etc/netplan/50-cloud-init.yaml'
+ owner: 'root'
+ group: 'root'
+ mode: '0644'
+ content: |
+ network:
+ version: 2
+ ethernets:
+ ens3:
+ dhcp4: true
+ dhcp6: false
+ accept-ra: false
+ addresses:
+ - '2604:e100:1:0:f816:3eff:fe52:22de/64'
+ routes:
+ - to: '::/0'
+ via: 'fe80::ce2d:e0ff:fe0f:74af'
+ metric: 100
+ - to: '::/0'
+ via: 'fe80::ce2d:e0ff:fe5a:d84e'
+ metric: 100
+ match:
+ macaddress: fa:16:3e:52:22:de
+ mtu: 1500
+ set-name: ens3
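Review bot: The `copy` task pins `/etc/netplan/50-cloud-init.yaml`, which is the file cloud-init itself generates, and nothing visible in this hunk stops cloud-init from rewriting it or makes the new settings take effect on the running host. If cloud-init regenerates the file (for example after a rebuild or an instance-id change), `accept-ra: false` and the static routes would be lost without any error and the host would go back to accepting RAs. Consider a second task that writes `network: {config: disabled}` to `/etc/cloud/cloud.cfg.d/99-disable-network-config.cfg`, plus a `notify:` to a handler that runs `netplan apply` so the change does not wait for a reboot. This may already be handled elsewhere in the repository; if so, a one-line comment next to the NOTE pointing to it would help the next reader.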