2024-10-29T15:46:11 *** teepee_ is now known as teepee
2024-10-29T22:37:30 status.o.o is now served from nuremberg
2024-10-29T22:40:29 not sure yet if email delivery works from there
2024-10-29T22:40:57 the mail log should tell
2024-10-29T22:41:03 it seems the status1.i.o.o cannot reach the internet
2024-10-29T22:41:12 so connection to my smtp server times out
2024-10-29T22:45:48 status1.i.o.o uses stonehat as a gateway, it does not log any denials for this interface but does get the traffic as seen in tcpdump on this internal interface, it has forward enabled. tried to add masquerading but doesn't help
2024-10-29T22:54:32 sorry if the question sounds silly, but - you checked/enabled forward and masquerading on stonehat, right?
2024-10-29T22:55:15 also, does stonehat allow outgoing traffic - for example if you run curl on stonehat?
2024-10-29T22:58:02 (I'd check myself, but stonehat asks me for a password when trying to ssh - looks like it doesn't fetch/use ssh keys from kanidm)
2024-10-29T23:01:35 BTW: ping cboltz.de works on status1, so some basic outgoing traffic seems to work
2024-10-29T23:02:10 maybe there's a firewall (probably on stonehat) that blocks outgoing traffic?
2024-10-29T23:02:56 yes and yes, well I solved the outbound internet access for status1.i.o.o by adding masquerade to stonehat's public interface but that broke internal routing. how did you get to status1, I currently cannot reach internal ipx from asgard
2024-10-29T23:03:43 I used thor1 as jumphost
2024-10-29T23:04:15 right now?
2024-10-29T23:04:43 maybe my connection is "old enough" and I somehow benefit from the old routing - but the ssh session is still working
2024-10-29T23:04:54 that is rather interesting
2024-10-29T23:05:17 and you are really on the machine which shows 192.168.87.3/24 in its `ip a`?
2024-10-29T23:05:52 yes, on the "private" interface
2024-10-29T23:06:05 interesting then please keep this open :P
2024-10-29T23:06:58 I'll go to bed in some minutes (and plan to shutdown my laptop) - but until then...
2024-10-29T23:07:44 no worries have a serial console
2024-10-29T23:09:22 ;-)
2024-10-29T23:14:09 it seems as a result of restarting the firewalld (reload got stuck with some errors about duplicate entries) now all new packets from prg2_asgard1 get rejected. but since you have an existing session that's kept alive
2024-10-29T23:14:55 I can add your ssh key there (there is a task to refactor this machine with salt which is a todo unfortunately)
2024-10-29T23:16:41 having my ssh key on stonehat can't hurt ;-)
2024-10-29T23:17:48 nix-managed opensuse when? (instead of salt)
2024-10-29T23:18:19 (lighthearted joke to lighten the mood a bit)
2024-10-29T23:18:24 ^^
2024-10-29T23:19:58 ah I see the private interface fell out of the private zone. I think we had this in the past
2024-10-29T23:22:19 yes removing it from the zone "libvirt" and adding it to "libvirt-routed" makes it work. just that the zone "libvirt" routed does not exist as a permanent zone, it seems to be dynamically managed by libvirt. so if not started in order the interface finds itself in the wrong place. another thing our default salt setup would solve ..
2024-10-29T23:23:44 also my test mail arrived now. I guess if `mail` works mail from php/cachet should also work