Better diag for Gerrit server connection limit

In order to limit impact to Gerrit's embedded sshd from runaway automated systems, we employ a concurrent connection limit. Having the ability to diagnose that limit when users may be encountering it is necessary. To that end, add a logging rule matching the connection limit rule, and install an additional administrative tool capable of interfacing with the kernel's connection tracking feature. Change-Id: If5e61bb34cbe2f9fe0c2db9b923842428771c5f0
2023-02-07 17:52:07 +00:00 · 2023-02-07 17:52:07 +00:00 · 770d5a48bb
commit 770d5a48bb
parent 4a67a684bc
2 changed files with 7 additions and 0 deletions
--- a/inventory/service/group_vars/review.yaml
+++ b/inventory/service/group_vars/review.yaml
@ -1,6 +1,7 @@
 exim_extra_aliases:
  gerrit2: root
 iptables_rules:
+  - -p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j LOG
  - -p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT
 iptables_extra_public_tcp_ports:
  - 80
--- a/playbooks/roles/gerrit/tasks/main.yaml
+++ b/playbooks/roles/gerrit/tasks/main.yaml
@ -333,3 +333,9 @@

 - name: Setup db backups
  include_tasks: backup.yaml
+
+# This is handy to have for inspecting the firewall's connection tracking.
+- name: Install conntrack
+  package:
+    name: conntrack
+    state: present