Majic Projects ~ [CLOSED] MAR-194 - Allow only IPv4 and IPv6 addresses for maintenance allowed hosts in common role

Majic Projects

Majic Ansible Roles

Projects
Wiki
- Quick links
- Wiki
- Project wikis
- Conntrackt
- Django Pydenticon
- Gimmecert
- Majic Ansible Roles
- Pydenticon
- Scripts
- Global content

Majic Ansible Roles / Closed Enhancement MAR-194 Allow only IPv4 and IPv6 addresses for maintenance allowed hosts in common role

This issue has been closed with status "Closed" and resolution "RESOLVED".

- No additional actions available

Issue basics

Type of issue

Enhancement Unknown issue type
Issue label

No label set
Category

User interface Not determined
Targetted for

8.0.0 Not determined
Status

Closed

Status not determined
Progress
Priority

Normal Not determined

Affected by this issue (0)

There are no items

People involved

Posted by
branko (@branko)

Branko Majic
@branko

Last seen online at Sep 29, 2024 - 18:46

Show user details
Owned by

Not owned by anyone
Assigned to
branko (@branko)

Branko Majic
@branko

Last seen online at Sep 29, 2024 - 18:46

Show user details
Not assigned to anyone
Subscribers

0 subscriber(s)

Click here to show the list of subscribers

Times and dates

Posted at

Feb 08, 2024
Last updated

Feb 18, 2024
Estimated time

2 hours Not estimated
Time spent

8 hours No time spent

Click here to see time logged against this issue

Issue details

Resolution

RESOLVED Not determined
Reproducability

Not determined
Severity

Not determined

Attachments (0)

There is nothing attached to this issue

Child issues (0)

This issue does not have any child issues

Duplicate issues (0)

This issue does not have any duplicates

Show / hide more details »

Description

The common role has the ability to put the managed machine into a maintenance mode in which case incoming connections are allowed only from a specific list of user-provided hosts. The list of allowed hosts is controlled via the maintenance_allowed_hosts parameter.

While a very useful feature during upgrades, the implementation is tied in to resolvable names, and in case the user passes-in a list of IP addresses, the resulting firewall will not get correctly set-up for the IPv6. The use of resolvable names can also lead to ferm failing to start because it cannot resolve the names until the network is fully up and it can connect to the DNS servers.

To simplify the implementation, and make it more unambiguous, only IPv4 and IPv6 addresses should be allowed.

The following should be done:

Update the common role.
- Rename the parameter to maintenance_allowed_sources.
- Allow only IPv4/IPv6 address to be passed into the parameter.
- Non-IPv4 or IPv6 addresses should result in an error.
Update the role reference documentation.
Update usage instructions
Update release notes.

Todos (0 / 0)

Options

There are no comments

Welcome to The Bug Genie

Log in with your username and password