Question:
My typical playbook usually includes firewall and ssh configuration:
- hosts: api
roles:
- sshd
- apf
For sshd, simply copy the template with the desired port to /etc/ssh/sshd_config , where:
# What ports, IPs and protocols we listen for
Port {{ ssh_port }}
After that the installation of apf takes place, setting up /etc/apf-firewall/allow_hosts.rules and the main /etc/apf-firewall/conf.apf . As you understand in conf.apf :
IG_TCP_CPORTS="{{ ssh_port }}"
Prerequisite: Let's say we already have sshd and apf installed and the port for ssh is set to 22 .
When reconfiguring (for example, we want to change the port to 222 ), it may happen that something goes wrong between the sshd setup and the apf setup.
As a result, ssh will be on port 222 , but the old port 22 will be open in apf. As a result, you can no longer connect via ssh, you will have to reboot the machine in recovery mod and fix everything manually.
I gave this example because I myself encountered a similar one. But in many other tasks, if a problem occurs in the middle of the role execution, the system will end up in an inconsistent state.
How can such things be prevented or the damage minimized?
Answer:
But what if you move gradually?
-
apf – open port 222.
If it breaks after this step, you will just have an extra open port 222.
-
sshd – switch to port 222
If it breaks here, then there will also be an extra open 22, but you can already log in to 222 via ssh.
-
apf – close port 222