This patch series enables IPv6 for several infrastructure services.
* ns2, so we start serving DNS by IPv6
* proxy4, so we can start serving fedoraproject.org and other sites by IPv6
* ip6tables for these servers
Comments welcome.
Thanks, Matt
From: Matt Domsch mdomsch@puppet1.fedora.phx.redhat.com
--- configs/system/ip6tables-template.conf.erb | 40 ++++++++++++++++++++++++++++ 1 files changed, 40 insertions(+), 0 deletions(-) create mode 100644 configs/system/ip6tables-template.conf.erb
diff --git a/configs/system/ip6tables-template.conf.erb b/configs/system/ip6tables-template.conf.erb new file mode 100644 index 0000000..e0a0efc --- /dev/null +++ b/configs/system/ip6tables-template.conf.erb @@ -0,0 +1,40 @@ +# Firewall configuration written by system-config-securitylevel +# Manual customization of this file is not recommended. +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:RH-Firewall-1-INPUT - [0:0] +-A INPUT -j RH-Firewall-1-INPUT +-A FORWARD -j RH-Firewall-1-INPUT + +# loopback allowed +-A RH-Firewall-1-INPUT -i lo -j ACCEPT + +# Accept ping and traceroute (needs icmp) +-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT + +# Accept IPv6 packets at all +-A RH-Firewall-1-INPUT -p 50 -j ACCEPT +-A RH-Firewall-1-INPUT -p 51 -j ACCEPT + +# Accept SSH +-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 22 -j ACCEPT + +# Custom Services +<% custom.each do |cust| -%> +<%= cust %> +<% end -%> + +# Services TCP +<% tcpPorts.each do |port| -%> +-A RH-Firewall-1-INPUT -p tcp -m tcp --dport <%= port %> -j ACCEPT +<% end -%> + +# Services UDP +<% udpPorts.each do |port| -%> +-A RH-Firewall-1-INPUT -p udp -m udp --dport <%= port %> -j ACCEPT +<% end -%> + +-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited +COMMIT
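Review bot: there is no state-tracking accept rule (-m state --state ESTABLISHED,RELATED -j ACCEPT) in this chain, so replies to any IPv6 connection this host opens itself (a recursive lookup from ns2, proxy4 reaching a backend, an outbound scp) arrive on an ephemeral port that no --dport rule matches and hit the final "-j REJECT --reject-with icmp6-adm-prohibited"; if the IPv4 template carries that rule, mirror it here right after the loopback accept. Two smaller things in the same file: the comment "Accept IPv6 packets at all" above "-p 50" and "-p 51" is wrong, those protocol numbers are IPsec ESP and AH; and "-p icmpv6 -j ACCEPT" is far more than "ping and traceroute", it is what admits Neighbor Discovery and Router Advertisements, which the hosts still on autoconfigured addresses depend on, so keep it, but on the hosts that get static ::fed0:* addresses also set net.ipv6.conf.eth0.accept_ra=0, otherwise a rogue RA on the segment can still install a default route or an extra prefix through this accept.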
From: Matt Domsch mdomsch@puppet1.fedora.phx.redhat.com
--- modules/bind/files/master/fedoraproject.org | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/modules/bind/files/master/fedoraproject.org b/modules/bind/files/master/fedoraproject.org index cb9836f..43d6d18 100644 --- a/modules/bind/files/master/fedoraproject.org +++ b/modules/bind/files/master/fedoraproject.org @@ -148,6 +148,7 @@ mx3 IN A 66.187.233.32 noc2 IN A 80.239.156.216 ns1 IN A 64.34.184.179 ns2 IN A 152.46.7.225 +ns2 IN AAAA 2610:28:200:1:216:3eff:fe1f:6b93 ols IN CNAME fedorapeople.org. osuosl1 IN A 140.211.169.194 people1 IN A 128.197.185.45 @@ -166,6 +167,7 @@ posse8 IN A 209.132.178.18 posse9 IN A 209.132.178.20 proxy3 IN A 66.35.62.162 proxy4 IN A 152.46.7.221 +proxy4 IN AAAA 2610:28:200:1:216:3eff:fe62:9fdd proxy4-2 IN A 152.46.7.222 proxy5 IN A 80.239.156.214 publictest1 IN A 152.46.7.227 @@ -214,6 +216,7 @@ talk IN CNAME asterisk1.fedoraproject.org. telia1 IN A 80.239.144.84 torrent 60 IN A 152.46.7.220 torrent1 IN A 152.46.7.220 +torrent1 IN AAAA 2610:28:200:1:216:3eff:fe42:cd90 torrents IN CNAME torrent translate IN CNAME admin translate.stg IN CNAME admin.stg.fedoraproject.org.
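Review bot: all three new addresses have the shape of EUI-64 autoconfigured addresses (ff:fe in the middle of the interface identifier, preceded by 02:16:3e, the Xen OUI with the u/l bit flipped), so each record is tied to the guest's MAC and to whatever prefix the router advertises, not to an address we assign; publish static addresses instead, as the later patch in this series does for proxy4 with 2610:28:200:1::fed0:1. For ns2 the AAAA inside our own zone only helps a resolver that has already reached a fedoraproject.org server; IPv6-only reachability of the name server itself needs the same AAAA as glue in the parent delegation at the registrar. Nothing in this series adds ip6.arpa PTR records; if we hold the reverse delegation for the 2610:28:200:1::/64 prefix, add them in the same change so the forward and reverse views don't drift.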
From: Matt Domsch mdomsch@puppet1.fedora.phx.redhat.com
--- modules/bind/files/named.conf | 12 +++++++++--- 1 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/modules/bind/files/named.conf b/modules/bind/files/named.conf index 6063696..29f0d63 100644 --- a/modules/bind/files/named.conf +++ b/modules/bind/files/named.conf @@ -13,9 +13,11 @@ key "rndckey" { // dns1.j2solutions.net - run by Jesse Keating jkeating@redhat.com acl "slaves" { 209.124.61.35; 209.124.61.34; 209.124.62.154; }; // -acl "me" { 127.0.0.1; }; +acl "me" { 127.0.0.1; ::1; }; // -acl "everyone" { 0.0.0.0/0; }; +acl "everyone-v4" { 0.0.0.0/0; }; +acl "everyone-v6" { ::0/0; }; +acl "everyone" { 0.0.0.0/0; ::0/0; }; // acl "ns_redhat" { 66.187.233.210; 209.132.183.2; 66.187.229.10; }; // @@ -27,6 +29,7 @@ options { allow-query { everyone; }; allow-recursion { me; cloud; }; query-source address * port *; + query-source-v6 address * port *; allow-transfer { me; slaves; }; transfer-source * port 53; pid-file "var/run/named/named.pid"; @@ -34,7 +37,10 @@ options { // forwarders { 209.132.178.0/23; }; version "cowbell++"; listen-on port 53 { - everyone; + everyone-v4; + }; + listen-on-v6 port 53 { + everyone-v6; }; notify yes; };
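Review bot: transfer-source gets no IPv6 counterpart; add "transfer-source-v6 * port 53;" (and notify-source-v6 if the IPv4 side pins notify-source elsewhere) so that transfers and NOTIFYs toward a slave that later gets an IPv6 address leave from a predictable address, otherwise the kernel chooses and the slave's allow-transfer or allow-notify list won't match. The slaves ACL stays IPv4-only, which is fine for now: with allow-transfer { me; slaves; } the new listen-on-v6 socket answers queries but refuses AXFR over IPv6 until that list is extended. Good that query-source-v6 keeps "port *" like the v4 line above it, so source ports stay randomised on both families. Nit: ::0/0 is accepted, but ::/0 is the canonical spelling and what most readers expect.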
From: Matt Domsch mdomsch@puppet1.fedora.phx.redhat.com
--- modules/bind/files/master/fedoraproject.org | 1 + 1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/modules/bind/files/master/fedoraproject.org b/modules/bind/files/master/fedoraproject.org index 43d6d18..2327080 100644 --- a/modules/bind/files/master/fedoraproject.org +++ b/modules/bind/files/master/fedoraproject.org @@ -126,6 +126,7 @@ hosted 60 IN CNAME hosted1.fedoraproject.org. hosted1 IN A 66.135.52.17 hosted2 IN A 66.135.52.84 ibiblio1 IN A 152.46.7.219 +ibiblio1 IN AAAA 2610:28:200:1:21a:64ff:fec3:ac0a ibiblio1-mgmt IN A 152.46.7.223 id IN CNAME admin *.id IN CNAME admin
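Review bot: same remark as for the ns2/proxy4/torrent1 records: 2610:28:200:1:21a:64ff:fec3:ac0a is an EUI-64 autoconfigured address (ff:fe inside the interface identifier), so the record follows the NIC's MAC rather than an address we control; give ibiblio1 a static address from the ::fed0:* range used later in this series before this one gets copied into other configs, and say in the commit message which hosts are intentionally left on autoconfigured addresses for now.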
From: Matt Domsch mdomsch@puppet1.fedora.phx.redhat.com
--- configs/system/generic-network.conf.erb | 4 ++++ manifests/filetypes/interfaces.pp | 2 +- 2 files changed, 5 insertions(+), 1 deletions(-)
diff --git a/configs/system/generic-network.conf.erb b/configs/system/generic-network.conf.erb index 07ece31..f4366dd 100644 --- a/configs/system/generic-network.conf.erb +++ b/configs/system/generic-network.conf.erb @@ -19,3 +19,7 @@ BRIDGE=<%= brname %> <% else -%> TYPE=Ethernet <% end -%> + +<% if ipv6addrs.length then -%> +IPV6ADDR_SECONDARIES="<%= ipv6addrs.map{|ip| ip }.join(" ") %>" +<% end -%> diff --git a/manifests/filetypes/interfaces.pp b/manifests/filetypes/interfaces.pp index 1a7f30e..29722f6 100644 --- a/manifests/filetypes/interfaces.pp +++ b/manifests/filetypes/interfaces.pp @@ -1,6 +1,6 @@ # Define ethernet devices (usually aliased)
-define eth($ipaddr, $netmask) { +define eth($ipaddr, $netmask, $ipv6addrs=[]) { $bootproto='static' $device = $name $ethtype = "standard"
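Review bot: "<% if ipv6addrs.length then -%>" is always true, because 0 is truthy in Ruby, so every interface without IPv6 addresses still gets an IPV6ADDR_SECONDARIES="" line; use "<% unless ipv6addrs.empty? -%>" (or compare length > 0). The ".map{|ip| ip }" is a no-op; ipv6addrs.join(" ") is enough. More importantly, IPV6ADDR_SECONDARIES on its own configures nothing: the RHEL 5 ifup-ipv6 script exits early unless the ifcfg file has IPV6INIT=yes, and /etc/sysconfig/network needs NETWORKING_IPV6=yes; unless the part of generic-network.conf.erb not shown here already emits those, no address will be brought up. Convention is also to put the first address in IPV6ADDR= and only the rest in IPV6ADDR_SECONDARIES, which makes the preferred source address explicit instead of leaving the choice between the static and the autoconfigured address to the kernel.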
From: Matt Domsch mdomsch@puppet1.fedora.phx.redhat.com
--- modules/httpd/files/00-namevirtualhost.conf | 4 ++++ modules/httpd/files/httpd.conf-rhel5p | 1 + 2 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/modules/httpd/files/00-namevirtualhost.conf b/modules/httpd/files/00-namevirtualhost.conf index 3c87355..a3c8b39 100644 --- a/modules/httpd/files/00-namevirtualhost.conf +++ b/modules/httpd/files/00-namevirtualhost.conf @@ -25,6 +25,10 @@ NameVirtualHost 152.46.7.221:80 NameVirtualHost 152.46.7.221:443 NameVirtualHost 152.46.7.222:80 NameVirtualhost 152.46.7.222:443 +NameVirtualHost [2610:28:200:1::fed0:1]:80 +NameVirtualHost [2610:28:200:1::fed0:1]:443 +NameVirtualHost [2610:28:200:1::fed0:2]:80 +NameVirtualHost [2610:28:200:1::fed0:2]:443
#proxy5 NameVirtualHost 80.239.156.214:80 diff --git a/modules/httpd/files/httpd.conf-rhel5p b/modules/httpd/files/httpd.conf-rhel5p index 5c40c80..bd4480f 100644 --- a/modules/httpd/files/httpd.conf-rhel5p +++ b/modules/httpd/files/httpd.conf-rhel5p @@ -148,6 +148,7 @@ MaxRequestsPerChild 10000 # Listen 0.0.0.0:80 Listen 0.0.0.0:443 +Listen [::]:80
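Review bot: Listen [::]:80 is added without a Listen [::]:443, while 00-namevirtualhost.conf now declares NameVirtualHost [2610:28:200:1::fed0:1]:443 and [2610:28:200:1::fed0:2]:443; every ssl => true vhost in the proxy class therefore gets an IPv6 :443 address that httpd never binds, so HTTPS stays IPv4-only. Add "Listen [::]:443" next to it. The explicit 0.0.0.0 plus [::] pair is fine on RHEL 5's httpd, which sets IPV6_V6ONLY on the IPv6 wildcard socket so the two binds don't collide, but verify that both :::80 and :::443 show up in netstat after the restart. While in this file, the pre-existing "NameVirtualhost 152.46.7.222:443" (lowercase h) is harmless since directive names are case-insensitive, but it is the line the new ones were copied from, so fix it now.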
# # Dynamic Shared Object (DSO) Support
From: Matt Domsch mdomsch@puppet1.fedora.phx.redhat.com
--- manifests/servergroups/proxy.pp | 23 +++++++++++++++++++++++ 1 files changed, 23 insertions(+), 0 deletions(-)
diff --git a/manifests/servergroups/proxy.pp b/manifests/servergroups/proxy.pp index bfa0481..eeb9e19 100644 --- a/manifests/servergroups/proxy.pp +++ b/manifests/servergroups/proxy.pp @@ -22,6 +22,7 @@ class proxy { "66.35.62.162", "80.239.156.214", "152.46.7.221", + "[2610:28:200:1::fed0:1]", ], server_aliases => [ "stg.fedoraproject.org" ], ssl => true, @@ -39,6 +40,7 @@ class proxy { "66.35.62.166", "80.239.156.215", "152.46.7.222", + "[2610:28:200:1::fed0:2]", ], server_aliases => [ "admin.stg.fedoraproject.org" ], ssl => true, @@ -57,6 +59,7 @@ class proxy { "66.35.62.166", "80.239.156.215", "152.46.7.222", + "[2610:28:200:1::fed0:2]", ], server_aliases => [ "mirrors.stg.fedoraproject.org" ], ssl => true, @@ -74,6 +77,7 @@ class proxy { "66.35.62.166", "80.239.156.215", "152.46.7.222", + "[2610:28:200:1::fed0:2]", ], server_aliases => [ "download01.fedoraproject.org", @@ -103,6 +107,7 @@ class proxy { "66.35.62.166", "80.239.156.215", "152.46.7.222", + "[2610:28:200:1::fed0:2]", ], server_aliases => [ "translate.stg.fedoraproject.org" ], ssl => true, @@ -121,6 +126,7 @@ class proxy { "66.35.62.166", "80.239.156.215", "152.46.7.222", + "[2610:28:200:1::fed0:2]", ], server_aliases => [ "smolt.fedoraproject.org", "stg.smolts.org", 'www.smolts.org'], ssl => false, @@ -137,6 +143,7 @@ class proxy { "66.35.62.166", "80.239.156.215", "152.46.7.222", + "[2610:28:200:1::fed0:2]", ], server_aliases => [ "doc.fedoraproject.org", "docs.stg.fedoraproject.org" ], ssl => true, @@ -154,6 +161,7 @@ class proxy { "66.35.62.166", "80.239.156.215", "152.46.7.222", + "[2610:28:200:1::fed0:2]", ], server_aliases => [ "bodhi.stg.fedoraproject.org" ], ssl => true, @@ -171,6 +179,7 @@ class proxy { "66.35.62.166", "80.239.156.215", "152.46.7.222", + "[2610:28:200:1::fed0:2]", ], server_aliases => [ "bugz.stg.fedoraproject.org" ], ssl => true, 
@@ -188,6 +197,7 @@ class proxy { "66.35.62.166", "80.239.156.215", "152.46.7.222", + "[2610:28:200:1::fed0:2]", ], server_aliases => [ "fas.stg.fedoraproject.org", "accounts.fedoraproject.org" ], ssl => true, @@ -207,6 +217,7 @@ class proxy { "66.35.62.166", "80.239.156.215", "152.46.7.222", + "[2610:28:200:1::fed0:2]", ], server_aliases => [ "fedoralinux.com", @@ -252,6 +263,7 @@ class proxy { "66.35.62.166", "80.239.156.215", "152.46.7.222", + "[2610:28:200:1::fed0:2]", ], server_aliases => [ "get.stg.fedoraproject.org" ], ssl => true, @@ -269,6 +281,7 @@ class proxy { "66.35.62.166", "80.239.156.215", "152.46.7.222", + "[2610:28:200:1::fed0:2]", ], server_aliases => [ "help.stg.fedoraproject.org" ], ssl => true, @@ -286,6 +299,7 @@ class proxy { "66.35.62.166", "80.239.156.215", "152.46.7.222", + "[2610:28:200:1::fed0:2]", ], server_aliases => [ "join.stg.fedoraproject.org" ], ssl => true, @@ -303,6 +317,7 @@ class proxy { "66.35.62.166", "80.239.156.215", "152.46.7.222", + "[2610:28:200:1::fed0:2]", ], server_aliases => [ "l10n.stg.fedoraproject.org" ], ssl => true, @@ -320,6 +335,7 @@ class proxy { "66.35.62.166", "80.239.156.215", "152.46.7.222", + "[2610:28:200:1::fed0:2]", ], server_aliases => [ "start.stg.fedoraproject.org" ], ssl => true, @@ -337,6 +353,7 @@ class proxy { "66.35.62.166", "80.239.156.215", "152.46.7.222", + "[2610:28:200:1::fed0:2]", ], server_aliases => [ "download.fedora.redhat.com", @@ -357,6 +374,7 @@ class proxy { "66.35.62.166", "80.239.156.215", "152.46.7.222", + "[2610:28:200:1::fed0:2]", ], server_aliases => [ "*.id.fedoraproject.org", @@ -378,6 +396,7 @@ class proxy { "66.35.62.166", "80.239.156.215", "152.46.7.222", + "[2610:28:200:1::fed0:2]", ], server_aliases => [ "www.port389.org", @@ -398,6 +417,7 @@ class proxy { "66.35.62.166", "80.239.156.215", "152.46.7.222", + "[2610:28:200:1::fed0:2]", ], server_aliases => [ "www.k12linux.org" ], ssl => false, 
@@ -413,6 +433,7 @@ class proxy { "66.35.62.166", "80.239.156.215", "152.46.7.222", + "[2610:28:200:1::fed0:2]", ], server_aliases => [ "fonts.stg.fedoraproject.org" ], ssl => true, @@ -430,6 +451,7 @@ class proxy { "66.35.62.166", "80.239.156.215", "152.46.7.222", + "[2610:28:200:1::fed0:2]", ], server_aliases => [ "meetbot.stg.fedoraproject.org" ], ssl => true, @@ -447,6 +469,7 @@ class proxy { "66.35.62.166", "80.239.156.215", "152.46.7.222", + "[2610:28:200:1::fed0:2]", ], server_aliases => [ "blogs.stg.fedoraproject.org" ], ssl => true,
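Review bot: every ssl => true vhost here now carries an IPv6 :443 address, but the httpd.conf patch in this series adds only Listen [::]:80; without a Listen [::]:443 those IPv6 HTTPS vhosts exist in the config and are never bound. Also, the same address list is pasted into 23 vhosts (one with ::fed0:1 for stg alongside 152.46.7.221, 22 with ::fed0:2 alongside 152.46.7.222); declare the two lists once at the top of the class, e.g. $proxy_addrs = [ "66.35.62.166", "80.239.156.215", "152.46.7.222", "[2610:28:200:1::fed0:2]" ], and reference them from each vhost, so the next site or address is a one-line change and the .221/.222 split is visible in one place instead of needing a vhost-by-vhost audit. The bracketed "[2610:...]" form is the right one for <VirtualHost> lines and matches the NameVirtualHost entries.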
From: Matt Domsch mdomsch@puppet1.fedora.phx.redhat.com
--- modules/bind/files/master/fedoraproject.org | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/modules/bind/files/master/fedoraproject.org b/modules/bind/files/master/fedoraproject.org index 2327080..14eb8c3 100644 --- a/modules/bind/files/master/fedoraproject.org +++ b/modules/bind/files/master/fedoraproject.org @@ -168,8 +168,9 @@ posse8 IN A 209.132.178.18 posse9 IN A 209.132.178.20 proxy3 IN A 66.35.62.162 proxy4 IN A 152.46.7.221 -proxy4 IN AAAA 2610:28:200:1:216:3eff:fe62:9fdd +proxy4 IN AAAA 2610:28:200:1::fed0:1 proxy4-2 IN A 152.46.7.222 +proxy4-2 IN AAAA 2610:28:200:1::fed0:2 proxy5 IN A 80.239.156.214 publictest1 IN A 152.46.7.227 publictest2 IN A 152.46.7.228
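Review bot: ordering. This moves the public AAAA for proxy4 to 2610:28:200:1::fed0:1 and adds proxy4-2 at ::fed0:2, but those addresses only land on eth0 through the proxy4.fedoraproject.org.pp patch later in the series; if the zone change is pushed first, IPv6 clients resolve to an address nobody answers on, and since these records use the zone's $TTL 3600 rather than the 60s on the apex records, they cache it for an hour. Apply the node patch first (and confirm with "ip -6 addr show eth0" that both addresses are up) before this one goes out. A line in the commit message saying that the autoconfigured :216:3eff:fe62:9fdd address remains on the host, so clients holding the old record keep working, would save the next reader a question.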
From: Matt Domsch mdomsch@puppet1.fedora.phx.redhat.com
--- manifests/nodes/proxy4.fedoraproject.org.pp | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/manifests/nodes/proxy4.fedoraproject.org.pp b/manifests/nodes/proxy4.fedoraproject.org.pp index 8926d94..fb31481 100644 --- a/manifests/nodes/proxy4.fedoraproject.org.pp +++ b/manifests/nodes/proxy4.fedoraproject.org.pp @@ -61,8 +61,15 @@ node "proxy4.fedoraproject.org" { alias => ["value2", "value2.fedoraproject.org"], }
+ eth { "eth0": + ipaddr => "152.46.7.221", + netmask => "255.255.255.0", + ipv6addrs => ["2610:28:200:1::fed0:1/64"], + } + eth { "eth0:0": ipaddr => "152.46.7.222", netmask => "255.255.255.0", + ipv6addrs => ["2610:28:200:1::fed0:2/64"], } }
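Review bot: the ipv6addrs on the eth0:0 alias most likely never reach the kernel. ifcfg-eth0:0 is processed by ifup-aliases, which handles IPv4 secondary addresses only; IPv6 has no alias devices, and ifup-ipv6 runs for the parent ifcfg-eth0. Put both addresses on eth0, ipv6addrs => ["2610:28:200:1::fed0:1/64", "2610:28:200:1::fed0:2/64"], and leave eth0:0 IPv4-only. Also check that nothing else already declares eth { "eth0": ... } for this node: the alias existed in the manifest before and the base interface did not, which suggests eth0 was configured outside Puppet until now, and a second declaration fails catalog compilation with a duplicate definition.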
From: Matt Domsch mdomsch@puppet1.fedora.phx.redhat.com
--- manifests/filetypes/standard.pp | 12 ++++++++++++ 1 files changed, 12 insertions(+), 0 deletions(-)
diff --git a/manifests/filetypes/standard.pp b/manifests/filetypes/standard.pp index d4ce26a..097b3df 100644 --- a/manifests/filetypes/standard.pp +++ b/manifests/filetypes/standard.pp @@ -130,6 +130,18 @@ define iptables($owner = root, $group = root, $mode = 644, $content, notify => Service['iptables'], } } +define ip6tables($owner = root, $group = root, $mode = 644, $content, + $backup = main, $ensure = file) { + file { $name: + mode => $mode, + owner => $owner, + group => $group, + backup => $backup, + ensure => $ensure, + content => $content, + notify => Service['ip6tables'], + } +}
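Review bot: this is the iptables define above, copied with one word changed; fold the two into one define with a $service parameter instead of carrying copies that will drift. While here, $mode = 644 leaves the rule set world-readable, whereas the RHEL 5 init script's save writes /etc/sysconfig/ip6tables as 0600; the open ports are not secret, but there is no reason every local account should read the firewall policy, so 0600 is the better default for both defines. The notify => Service['ip6tables'] means every class that uses this define must also declare the ip6tables service (the proxy and dns classes in this series do), or catalog compilation fails.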
define nfs($device, $fstype='nfs', $ensure=mounted, $options='defaults') { include nfs-utils
From: Matt Domsch mdomsch@puppet1.fedora.phx.redhat.com
--- manifests/servergroups/proxy.pp | 9 +++++++++ 1 files changed, 9 insertions(+), 0 deletions(-)
diff --git a/manifests/servergroups/proxy.pp b/manifests/servergroups/proxy.pp index eeb9e19..745909e 100644 --- a/manifests/servergroups/proxy.pp +++ b/manifests/servergroups/proxy.pp @@ -772,11 +772,20 @@ class proxy { content => template("system/iptables-template.conf.erb"), }
+ ip6tables { "/etc/sysconfig/ip6tables": + content => template("system/ip6tables-template.conf.erb"), + } + service { "iptables": ensure => running, hasstatus => true, }
+ service { "ip6tables": + ensure => running, + hasstatus => true, + } + selboolean { [ "httpd_can_network_connect_db", "httpd_can_network_relay",
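Review bot: ensure => running without enable => true starts ip6tables on this run but leaves chkconfig alone, so after a reboot the host comes up with an empty IPv6 filter (default policy ACCEPT on every chain) until the next agent run; add enable => true, and the iptables resource right above has the same gap. On RHEL 5 the ip6tables binary and init script are in the separate iptables-ipv6 package, so add package { "iptables-ipv6": ensure => present } with a require on it from the service and from the ip6tables file resource, otherwise the first run on a host where the package was never installed fails.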
From: Matt Domsch mdomsch@puppet1.fedora.phx.redhat.com
--- manifests/servergroups/dns.pp | 9 +++++++++ 1 files changed, 9 insertions(+), 0 deletions(-)
diff --git a/manifests/servergroups/dns.pp b/manifests/servergroups/dns.pp index 0b543b2..01b5a60 100644 --- a/manifests/servergroups/dns.pp +++ b/manifests/servergroups/dns.pp @@ -12,11 +12,20 @@ class dns { content => template('system/iptables-template.conf.erb'), }
+ ip6tables { '/etc/sysconfig/ip6tables': + content => template('system/ip6tables-template.conf.erb'), + } + service { iptables: ensure => running, hasstatus => true, }
+ service { ip6tables: + ensure => running, + hasstatus => true, + } + semanage_fcontext { '/var/named/chroot/log(/.*)?': type => 'named_log_t' }
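Review bot: same two points as for the proxy class: add enable => true so the IPv6 filter survives a reboot, and make the service require the iptables-ipv6 package. Specific to the DNS servers: the named.conf change in this series opens a listen-on-v6 socket on port 53, so on the first deploy the ip6tables rules should be in place before named is restarted with the new config; a Service['ip6tables'] before Service['named'] relationship gets that ordering, and the udpPorts/tcpPorts lists this class feeds to the template must contain 53 for either family to answer at all.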
From: Matt Domsch mdomsch@puppet1.fedora.phx.redhat.com
--- modules/bind/files/master/fedoraproject.org | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/modules/bind/files/master/fedoraproject.org b/modules/bind/files/master/fedoraproject.org index 14eb8c3..6f9286d 100644 --- a/modules/bind/files/master/fedoraproject.org +++ b/modules/bind/files/master/fedoraproject.org @@ -17,12 +17,14 @@ $TTL 3600 @ 60 IN A 66.35.62.162 @ 60 IN A 152.46.7.221 ;@ 60 IN A 80.239.156.214 +@ 60 IN AAAA 2610:28:200:1::fed0:1
; Our non fp.o load balanced setup wildcard 60 IN A 209.132.176.120 wildcard 60 IN A 66.35.62.166 wildcard 60 IN A 152.46.7.222 ;wildcard 60 IN A 80.239.156.215 +wildcard 60 IN AAAA 2610:28:200:1::fed0:2
; koji koji IN A 209.132.176.65
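Review bot: the apex and the "wildcard" name each get exactly one AAAA beside three A records (four counting the commented-out proxy5 line), so an IPv6-capable client, which by default address selection prefers the AAAA and in 2009 has no fallback-on-timeout logic, has a single point of failure in proxy4 where IPv4 clients have three; the 60s TTL keeps the damage small, but the AAAA needs to come out the moment proxy4 is taken down, the way the ";@ 60 IN A 80.239.156.214" line shows proxy5 being pulled in and out, and ideally a second site gets an address before this lands.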
Matt, why are you spamming the list?
----- Original Message ----- From: "Matt Domsch" Matt_Domsch@dell.com To: fedora-infrastructure-list@redhat.com Sent: Friday, August 28, 2009 5:11 PM Subject: [PATCH] add ip6tables on DNS servers
From: Matt Domsch mdomsch@puppet1.fedora.phx.redhat.com
manifests/servergroups/dns.pp | 9 +++++++++ 1 files changed, 9 insertions(+), 0 deletions(-)
diff --git a/manifests/servergroups/dns.pp b/manifests/servergroups/dns.pp index 0b543b2..01b5a60 100644 --- a/manifests/servergroups/dns.pp +++ b/manifests/servergroups/dns.pp @@ -12,11 +12,20 @@ class dns { content => template('system/iptables-template.conf.erb'), }
ip6tables { '/etc/sysconfig/ip6tables':
content => template('system/ip6tables-template.conf.erb'),
}
service { iptables: ensure => running, hasstatus => true, }
service { ip6tables:
ensure => running,
hasstatus => true,
}
semanage_fcontext { '/var/named/chroot/log(/.*)?': type => 'named_log_t' }
-- 1.5.5.6
Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
On Fri, 28 Aug 2009, Jerald Darow wrote:
Matt, why are you spamming the list?
He's trying to make sure these changes (there's a lot of them) don't break the world. And since we can't really test these in staging he's getting as many eyes on it as he can.
-Mike
On 08/28/2009 05:11 PM, Matt Domsch wrote:
From: Matt Domsch mdomsch@puppet1.fedora.phx.redhat.com
modules/bind/files/master/fedoraproject.org | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/modules/bind/files/master/fedoraproject.org b/modules/bind/files/master/fedoraproject.org index 2327080..14eb8c3 100644 --- a/modules/bind/files/master/fedoraproject.org +++ b/modules/bind/files/master/fedoraproject.org @@ -168,8 +168,9 @@ posse8 IN A 209.132.178.18 posse9 IN A 209.132.178.20 proxy3 IN A 66.35.62.162 proxy4 IN A 152.46.7.221 -proxy4 IN AAAA 2610:28:200:1:216:3eff:fe62:9fdd +proxy4 IN AAAA 2610:28:200:1::fed0:1 proxy4-2 IN A 152.46.7.222 +proxy4-2 IN AAAA 2610:28:200:1::fed0:2 proxy5 IN A 80.239.156.214 publictest1 IN A 152.46.7.227 publictest2 IN A 152.46.7.228
Tangential issue...
How are IPv6 addresses assigned to proxy4[-2] ?
If they are statically set on the machine, all good.
If they are assigned via radvd or DHCPv6, you might want to consider some setup where the machine's IPv6 address is proactively pushed to the DNS servers. One method is nsupdate + TSIG, which is pretty easy to set up on a fine-grained basis (ie. give a DNS key DNS update perms for _only_ the proxy4 AAAA addresses).
Otherwise, the dynamically-assigned IPv6 address on the host may not match the IPv6 address in DNS.
Jeff
On Fri, Aug 28, 2009 at 05:52:34PM -0400, Jeff Garzik wrote:
How are IPv6 addresses assigned to proxy4[-2] ?
If they are statically set on the machine, all good.
These two are statically assigned. I chose ::fed0:* as the host-part, so as to not conflict with autoassigned addresses. We can also statically assign them for the other services if we so choose, and I think it would be good to do so. We're not doing any address randomization over time, so the existing addresses which were autodiscovered should continue to work until we're ready to reassign into the static range above.
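Jeff's nsupdate + TSIG suggestion and Matt's choice of a ::fed0:* host part to stay clear of autoconfigured addresses, as an added example; this is not code from the thread or from Fedora Infrastructure. It assumes a hypothetical key name "proxy4-update", a hypothetical key file path, and that the master server is ns1.fedoraproject.org (MASTER_NS, an assumption; the thread does not say which server is master). The ip -6 addr output it parses is constructed, not captured from proxy4. Shell with awk, as one would type on the host.

```shell
#!/bin/sh
# Added example, not part of the patch series: have a host publish its own
# IPv6 address as a AAAA record via nsupdate + TSIG, with named.conf granting
# that key update rights for exactly one name and one record type, and pick
# the address to publish so that EUI-64 (SLAAC-derived) addresses are skipped.
# Assumptions (not from the thread): the key name "proxy4-update", the master
# server name in MASTER_NS and the key file path are hypothetical.

MASTER_NS=${MASTER_NS:-ns1.fedoraproject.org}   # assumption: which server is master
ZONE=fedoraproject.org.
KEY_NAME=proxy4-update                           # hypothetical TSIG key name
KEY_FILE=/etc/named/Kproxy4-update.+157+00000.private   # hypothetical path

# Constructed sample of `ip -6 addr show dev eth0` (not captured from proxy4):
# one static address, one SLAAC address (EUI-64 from a Xen 00:16:3e MAC), one link-local.
SAMPLE_IP6ADDR='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2610:28:200:1::fed0:1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2610:28:200:1:216:3eff:fe62:9fdd/64 scope global dynamic
       valid_lft 2591877sec preferred_lft 604677sec
    inet6 fe80::216:3eff:fe62:9fdd/64 scope link
       valid_lft forever preferred_lft forever'

# Expand an IPv6 address to eight zero-padded groups so group positions can be tested.
expand_ip6() {
  printf '%s\n' "$1" | awk '
    function pad(g) { return substr("0000" g, length(g) + 1) }
    {
      nl = 0; nr = 0; i = index($0, "::")
      if (i > 0) {
        nl = split(substr($0, 1, i - 1), L, ":")   # split("") yields 0 groups
        nr = split(substr($0, i + 2), R, ":")
      } else {
        nl = split($0, L, ":")
      }
      out = ""
      for (k = 1; k <= nl; k++) out = out (out == "" ? "" : ":") pad(L[k])
      for (k = 0; k < 8 - nl - nr; k++) out = out (out == "" ? "" : ":") "0000"
      for (k = 1; k <= nr; k++) out = out (out == "" ? "" : ":") pad(R[k])
      print out
    }'
}

# EUI-64 interface identifiers carry ff:fe in the middle of the IID, i.e. the
# 6th group ends in "ff" and the 7th starts with "fe". Such an address follows
# the NIC's MAC, which is what we do not want in a published record.
is_eui64() {
  x=$(expand_ip6 "$1")
  g6=$(printf '%s\n' "$x" | cut -d: -f6)
  g7=$(printf '%s\n' "$x" | cut -d: -f7)
  case "$g6" in *ff) ;; *) return 1 ;; esac
  case "$g7" in fe*) return 0 ;; *) return 1 ;; esac
}

# From `ip -6 addr` output, print global-scope addresses that are neither
# kernel-managed ("dynamic", i.e. from RA/SLAAC or DHCPv6) nor EUI-64 shaped.
pick_static_global() {
  printf '%s\n' "$1" |
    awk '$1 == "inet6" && $4 == "global" && $0 !~ /dynamic/ { sub(/\/.*/, "", $2); print $2 }' |
    while read -r a; do is_eui64 "$a" || printf '%s\n' "$a"; done
}

# named.conf fragment: the key, and a zone whose update-policy lets that key
# touch only the AAAA RRset of one owner name ($1). hmac-md5 is what BIND 9.3
# on RHEL 5 offers for TSIG; use hmac-sha256 on BIND >= 9.4.
named_conf_grant() {
  cat <<EOF
key "$KEY_NAME" { algorithm hmac-md5; secret "<base64 secret from dnssec-keygen -a HMAC-MD5 -b 128 -n HOST $KEY_NAME>"; };
zone "fedoraproject.org" {
    type master;
    file "master/fedoraproject.org";
    update-policy { grant $KEY_NAME. name $1 AAAA; };
};
EOF
}

# nsupdate batch replacing the AAAA RRset of $1 with address $2 at TTL $3.
nsupdate_batch() {
  printf 'server %s\nzone %s\nupdate delete %s AAAA\nupdate add %s %s AAAA %s\nsend\n' \
    "$MASTER_NS" "$ZONE" "$1" "$1" "$3" "$2"
}

# Demo on the constructed sample. On a real host, feed `ip -6 addr show dev eth0`
# to pick_static_global and pipe the batch into: nsupdate -k "$KEY_FILE"
addr=$(pick_static_global "$SAMPLE_IP6ADDR" | head -n 1)
named_conf_grant proxy4.fedoraproject.org.
nsupdate_batch proxy4.fedoraproject.org. "$addr" 60
```

One consequence worth knowing before adopting this: a zone with an update-policy is a dynamic zone, named keeps a journal beside master/fedoraproject.org and will refuse to load a zone file that no longer matches that journal, so Puppet must stop pushing the file, or each push has to be wrapped in rndc freeze and rndc thaw.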
On 08/28/2009 05:11 PM, Matt Domsch wrote:
From: Matt Domsch mdomsch@puppet1.fedora.phx.redhat.com
manifests/servergroups/proxy.pp | 23 +++++++++++++++++++++++ 1 files changed, 23 insertions(+), 0 deletions(-)
diff --git a/manifests/servergroups/proxy.pp b/manifests/servergroups/proxy.pp index bfa0481..eeb9e19 100644 --- a/manifests/servergroups/proxy.pp +++ b/manifests/servergroups/proxy.pp @@ -22,6 +22,7 @@ class proxy { "66.35.62.162", "80.239.156.214", "152.46.7.221",
"[2610:28:200:1::fed0:1]", ], server_aliases => [ "stg.fedoraproject.org" ], ssl => true,
No objection/comment on the IPv6 portion of this patch.
I'm surprised these highly repetitive address lists are not auto-generated from a flat file (or other database), though.
Jeff
On Fri, 28 Aug 2009, Jeff Garzik wrote:
No objection/comment on the IPv6 portion of this patch.
I'm surprised these highly repetitive address lists are not auto-generated from a flat file (or other database), though.
I'm not quite sure what you mean but I am interested in a better way to do this. basically we've got 4 sites + staging. As such, fedoraproject.org could listen on 5 different addresses. We have to enter them somewhere, any ideas?
-Mike
On 08/28/2009 07:36 PM, Mike McGrath wrote:
On Fri, 28 Aug 2009, Jeff Garzik wrote:
No objection/comment on the IPv6 portion of this patch.
I'm surprised these highly repetitive address lists are not auto-generated from a flat file (or other database), though.
I'm not quite sure what you mean but I am interested in a better way to do this. basically we've got 4 sites + staging. As such, fedoraproject.org could listen on 5 different addresses. We have to enter them somewhere, any ideas?
I was thinking in the m4-macro sense; looking at Matt's patch, it appears that a large number of virtual hosts have the same address list. If so, it seems like some sort of macro substitution could be employed to match a list of virtual hosts with a set of addresses.
Not a big deal... just noting an above-average amount of copy/paste.
Jeff
On 08/28/2009 05:11 PM, Matt Domsch wrote:
From: Matt Domsch mdomsch@puppet1.fedora.phx.redhat.com
modules/httpd/files/00-namevirtualhost.conf | 4 ++++ modules/httpd/files/httpd.conf-rhel5p | 1 + 2 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/modules/httpd/files/00-namevirtualhost.conf b/modules/httpd/files/00-namevirtualhost.conf index 3c87355..a3c8b39 100644 --- a/modules/httpd/files/00-namevirtualhost.conf +++ b/modules/httpd/files/00-namevirtualhost.conf @@ -25,6 +25,10 @@ NameVirtualHost 152.46.7.221:80 NameVirtualHost 152.46.7.221:443 NameVirtualHost 152.46.7.222:80 NameVirtualhost 152.46.7.222:443 +NameVirtualHost [2610:28:200:1::fed0:1]:80 +NameVirtualHost [2610:28:200:1::fed0:1]:443 +NameVirtualHost [2610:28:200:1::fed0:2]:80 +NameVirtualHost [2610:28:200:1::fed0:2]:443
Do SSL certificates need to be aware of this new IPv6 web address?
Jeff
On Fri, 28 Aug 2009, Jeff Garzik wrote:
Do SSL certificates need to be aware of this new IPv6 web address?
AFAIK, no. ssl certs are completely unaware of IP addresses.
-Mike
On Fri, Aug 28, 2009 at 05:25:40PM -0400, Jeff Garzik wrote:
Do SSL certificates need to be aware of this new IPv6 web address?
Fortunately not, they're all DNS name-based, not address-based.
On 08/28/2009 05:11 PM, Matt Domsch wrote:
index 5c40c80..bd4480f 100644 --- a/modules/httpd/files/httpd.conf-rhel5p +++ b/modules/httpd/files/httpd.conf-rhel5p @@ -148,6 +148,7 @@ MaxRequestsPerChild 10000 # Listen 0.0.0.0:80 Listen 0.0.0.0:443 +Listen [::]:80
Two comments:
- wouldn't "*:80" accomplish the same thing as two listen directives? Perhaps "*:80" means that Apache binds, on Linux, to the slightly-more-efficient ipv6 socket, where ipv4 connections are ipv6-mapped (::ffff:10.20.30.40)?
- do you need a listen "[::]:443" also?
On Fri, Aug 28, 2009 at 11:28 PM, Jeff Garzikjgarzik@pobox.com wrote:
Two comments:
- wouldn't "*:80" accomplish the same thing as two listen directives?
Perhaps "*:80" means that Apache binds, on Linux, to the slightly-more-efficient ipv6 socket, where ipv4 connections are ipv6-mapped (::ffff:10.20.30.40)?
- do you need a listen "[::]:443" also?
Correct. Apache needs binding against ipv6
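Checking which sockets httpd actually bound after the restart, as an added example (not code from the thread): the series configures Listen 0.0.0.0:80, Listen 0.0.0.0:443 and Listen [::]:80, while the NameVirtualHost lines declare IPv6 :443 addresses, so [::]:443 is the one to look for. On the "*:80" question: httpd expands a bare or "*" Listen into one socket per address family and, on Linux, sets IPV6_V6ONLY on the IPv6 one unless built with v4-mapped support, so either form ends up with two sockets; what matters operationally is what ended up bound, which is what this checks. The netstat -tln output below is constructed, not taken from proxy4.

```shell
#!/bin/sh
# Added example, not from the patch series: after an httpd restart, check that
# the listeners you expect are actually bound, per address family and port.
# Input is `netstat -tln` output (constructed sample below; nothing here was
# captured from proxy4). In netstat's notation the IPv4 wildcard is
# "0.0.0.0:80" and the IPv6 wildcard is ":::80"; some builds print "tcp6".

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN
tcp        0      0 :::80                       :::*                        LISTEN
tcp        0      0 :::22                       :::*                        LISTEN'

# Convert an Apache Listen argument ("0.0.0.0:80", "[::]:443", "*:80", "80")
# into the netstat form(s) it should produce; "*:port" and a bare port mean
# one socket per family.
listen_to_netstat() {
  case "$1" in
    \[*\]:*) a=${1#\[}; p=${a##*\]:}; a=${a%%\]*}
             printf '%s:%s\n' "$a" "$p" ;;          # "[::]:80" -> ":::80"
    \*:*)    p=${1#\*:}; printf '0.0.0.0:%s\n:::%s\n' "$p" "$p" ;;
    *:*)     printf '%s\n' "$1" ;;
    *)       printf '0.0.0.0:%s\n:::%s\n' "$1" "$1" ;;
  esac
}

# Print every expected listener (Apache Listen syntax) that has no LISTEN
# socket in the netstat text given as $1. Empty output means all are bound.
missing_listeners() {
  out=$1; shift
  for want in "$@"; do
    listen_to_netstat "$want" | while read -r sock; do
      printf '%s\n' "$out" |
        awk -v s="$sock" '$1 ~ /^tcp/ && $4 == s && $NF == "LISTEN" { f = 1 } END { exit f ? 0 : 1 }' ||
        printf '%s\n' "$sock"
    done
  done
}

# Demo on the constructed sample: what the series configures plus the
# [::]:443 that the IPv6 :443 NameVirtualHost entries need.
missing_listeners "$SAMPLE_NETSTAT" 0.0.0.0:80 0.0.0.0:443 '[::]:80' '[::]:443'   # prints :::443
```

On the real box replace the sample with the output of netstat -tln (or ss -tln with the same address notation) and add the specific [2610:28:200:1::fed0:1]:443 style entries the vhosts use; an address-specific vhost on an unbound address fails silently, which is exactly the case this catches.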
On 08/28/2009 05:11 PM, Matt Domsch wrote:
From: Matt Domsch mdomsch@puppet1.fedora.phx.redhat.com
modules/httpd/files/00-namevirtualhost.conf | 4 ++++ modules/httpd/files/httpd.conf-rhel5p | 1 + 2 files changed, 5 insertions(+), 0 deletions(-)
another apache question...
will ipv6 addresses in log files choke any existing log analysis tools?
Jeff
On Fri, 28 Aug 2009, Jeff Garzik wrote:
another apache question...
will ipv6 addresses in log files choke any existing log analysis tools?
All we're really using on that front right now is awstats which I believe supports ipv6. I have confirmed we're serving ipv6 on the proxy server so far we've had 374 distinct ipv6's hit.
-Mike
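Mike's point about awstats and IPv6 in the access logs, as an added example (not code from the thread or from awstats): the parsing problem is the client field, which an IPv4-only pattern cannot match, plus the ::ffff:a.b.c.d form that appears when IPv4 clients arrive on a dual-stack IPv6 socket and which a naive tool would count as IPv6. The log lines are constructed with documentation prefixes; nothing here came from proxy4's logs.

```shell
#!/bin/sh
# Added example, not from the thread: count distinct client addresses in an
# Apache combined log by address family. The client address is field 1; an
# IPv6 client contains ":", and a client that came in over a dual-stack IPv6
# socket shows up as an IPv4-mapped address "::ffff:a.b.c.d", which a tool
# with an IPv4-only regex either drops or miscounts as IPv6.
# The log lines below are constructed (documentation prefixes), not proxy4's.

SAMPLE_LOG='198.51.100.5 - - [28/Aug/2009:17:11:02 -0400] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
2001:db8::1 - - [28/Aug/2009:17:11:05 -0400] "GET /wiki/ HTTP/1.1" 200 8732 "-" "Mozilla/5.0"
2001:db8::1 - - [28/Aug/2009:17:11:06 -0400] "GET /static/a.css HTTP/1.1" 200 412 "-" "Mozilla/5.0"
2001:db8:0:1:216:3eff:fe00:1 - - [28/Aug/2009:17:12:00 -0400] "GET / HTTP/1.1" 200 5123 "-" "curl/7.19"
::ffff:203.0.113.7 - - [28/Aug/2009:17:12:30 -0400] "GET / HTTP/1.1" 200 5123 "-" "Wget/1.11"
203.0.113.9 - - [28/Aug/2009:17:13:00 -0400] "GET /get-fedora HTTP/1.1" 302 - "-" "Mozilla/5.0"
2001:db8:ffff::abcd - - [28/Aug/2009:17:14:10 -0400] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"'

# Family of one client address: v4, v6, or mapped (IPv4 carried in IPv6 form).
classify_client() {
  case "$1" in
    ::ffff:*) echo mapped ;;
    *:*)      echo v6 ;;
    *)        echo v4 ;;
  esac
}

# Mapped addresses are IPv4 clients; normalise them before geo/abuse lookups.
strip_mapped() {
  case "$1" in
    ::ffff:*) printf '%s\n' "${1#::ffff:}" ;;
    *)        printf '%s\n' "$1" ;;
  esac
}

# One line of "family=count" pairs for the distinct clients in a log text.
distinct_by_family() {
  printf '%s\n' "$1" | awk '{ print $1 }' | sort -u |
    while read -r c; do classify_client "$c"; done |
    sort | uniq -c |
    awk '{ out = out (out == "" ? "" : " ") $2 "=" $1 } END { print out }'
}

# Distinct real IPv4 clients once mapped addresses are folded back into v4.
distinct_v4_after_fold() {
  printf '%s\n' "$1" | awk '{ print $1 }' |
    while read -r c; do strip_mapped "$c"; done |
    awk '!/:/' | sort -u | wc -l | tr -d ' '
}

distinct_by_family "$SAMPLE_LOG"          # mapped=1 v4=2 v6=3
distinct_v4_after_fold "$SAMPLE_LOG"      # 3
```

The practical check for awstats or any other analyser is to run it over a slice of log containing both plain IPv6 clients and the ::ffff: form and confirm the per-visitor counts match what these two functions report; if the mapped form shows up at all, httpd is serving IPv4 clients through the IPv6 socket, which is the situation the explicit 0.0.0.0 plus [::] Listen pair is meant to avoid.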