create a hardened bastion host for the cymru management network
In #40097 (closed), we set up a network for management, but currently all nodes have access to it. We should restrict this to only a subset, and create a hardened host (or a Ganeti instance?) that has access to it but is itself only reachable through IPsec.
Next steps are:

- renumber the iDRACs to point at a floating IP (say 172.30.140.100/24) as their gateway, instead of the current one, which is the iDRAC of chi-node-01 (172.30.140.10), so that routing works correctly
- configure two chi-node-X machines (or an instance spread over those two?) with that IP, in Puppet
- investigate alternatives to packet forwarding or, failing that, configure routing on that node (`net.ipv4.ip_forward=1`)
- allow access to the VLAN only from those two chi-node-X machines
- restrict usage of those boxes?
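As an added illustration of what the steps above amount to on the router side (this is example code, not anything from the ticket or the Puppet repo it refers to), the script below renders the three configuration fragments a bastion pair would need: the sysctl that enables forwarding only on those two hosts, a keepalived VRRP stanza that floats 172.30.140.100/24 between them, and an nftables ruleset that forwards into the management VLAN only packets that arrived IPsec-protected. The subnet and floating address are the ticket's; the interface names (`vlan140`, `eth0`), the VRRP router id and the `meta ipsec exists` match (which needs a kernel 4.20+ and nft 0.9.1+ or newer) are assumptions.

```shell
#!/bin/sh
# Added example: render bastion-side config for the management VLAN.
# Ticket values: management net 172.30.140.0/24, floating gateway .100.
# Everything else (interface names, VRRP id) is an assumption.
MGMT_NET="172.30.140.0/24"
FLOATING_IP="172.30.140.100"
MGMT_IF="${MGMT_IF:-vlan140}"   # assumed name of the management VLAN interface
WAN_IF="${WAN_IF:-eth0}"        # assumed name of the uplink the IPsec peers reach

# Sanity check: the floating gateway must sit inside the /24 the iDRACs use,
# otherwise renumbering them to it yields an unreachable next hop.
same_slash24() {
    [ "${1%.*}" = "${2%%/*}" ] && [ "${2%%/*}" != "$2" ]
}
same_slash24_prefix() {
    # compare first three octets of an address and of a /24 network
    addr3="${1%.*}"; net3="${2%.*}"
    [ "$addr3" = "$net3" ]
}

# sysctl fragment: forwarding is enabled on the bastions only, never fleet-wide
render_sysctl() {
    printf 'net.ipv4.ip_forward = 1\n'
    printf 'net.ipv4.conf.all.rp_filter = 1\n'
}

# keepalived fragment: the same stanza on both chi-node-X hosts; VRRP elects
# the holder of the floating address, so the iDRAC default route survives
# one node going down. priority differs per node (set via $1).
render_keepalived() {
    prio="${1:-100}"
    cat <<EOF
vrrp_instance MGMT_GW {
    state BACKUP
    interface $MGMT_IF
    virtual_router_id 40
    priority $prio
    advert_int 1
    virtual_ipaddress {
        $FLOATING_IP/24 dev $MGMT_IF
    }
}
EOF
}

# nftables ruleset: default-drop forward policy; only traffic that was
# decapsulated from an IPsec SA may be forwarded into the management VLAN,
# and only replies may leave it. This is what "accessible only through
# ipsec" looks like in packet-filter terms.
render_nft() {
    cat <<EOF
table inet bastion {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "$WAN_IF" oifname "$MGMT_IF" ip daddr $MGMT_NET meta ipsec exists accept
        counter comment "dropped non-IPsec traffic toward management VLAN"
    }
}
EOF
}

# Render everything when run directly; each render function is also usable
# on its own (e.g. from a Puppet file resource's content).
main() {
    same_slash24_prefix "$FLOATING_IP" "$MGMT_NET" || {
        echo "floating IP $FLOATING_IP is not inside $MGMT_NET" >&2
        return 1
    }
    echo "# /etc/sysctl.d/50-bastion.conf"; render_sysctl
    echo "# /etc/keepalived/keepalived.conf"; render_keepalived 150
    echo "# /etc/nftables.conf"; render_nft
}

[ "${0##*/}" = "bastion-config.sh" ] && main
```

Each render function only prints text, so it can be reviewed or diffed before anything is applied; loading the ruleset is then `nft -f /etc/nftables.conf` on the two bastions and nowhere else, which is the point of restricting VLAN access to exactly those hosts.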
Edited by anarcat