HomeDevCentral
Diffusion Nasqueron Operations 4d08af81970d

Resolve private network interface
4d08af81970d
Actions

Description

Resolve private network interface

Summary:
Currently, node.resolve_network() gives the "most public" IP address
available on a node.

For tasks like T1826 or T1829, we need to know the "most private" IP address
to allow servers like SSH or Alkane to listen there, restricting those services
for internal use.

For example, this allows to pass the following Jinja template expression
to any configuration needing a private IP address to listen to:

{{ network["private_ipv4_address"] | default("localhost") }}

By heuristics, the method will recommend through is_private_network_stable
if the private network is stable, i.e. suitable to listen to critical
services like SSH. A network is currently unstable if it needs a GRE tunnel
to connect to the private network. The goal is to avoid to be locked
outside a machine if the tunnel is broken: a SSH connection is useful
to debug it. In the future, we can declare stable the nodes with a KVM,
and documented procedure to relink quickly to the private network.

Ref T1829

Test Plan: salt '*' node.resolve_network

Reviewers: dereckson

Reviewed By: dereckson

Maniphest Tasks: T1829

Differential Revision: https://devcentral.nasqueron.org/D3004

Details

Provenance
derecksonAuthored on Apr 12 2023, 17:52
derecksonPushed on Apr 12 2023, 20:17
Reviewer
dereckson
Differential Revision
D3004: Resolve private network interface
Parents
rOPSfc68688d0e13: Update Let's Encrypt configuration for webserver-core role
Branches
Unknown
Tags
Unknown
Tasks
T1829: Don't listen to world SSH for IntraNought servers

Changes (1)

PathSize
_modules/

rOPS4d08af81970d

View Options

_modules/node.py

Loading...
Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator