As with OPSI, we need to open up a port or two for the try slaves to work with puppet. So, all of the linux and mac try slaves (try-linux-slave01 -> try-linux-slave19, try-mac-slave01 -> try-mac-slave19) need access to mount 10.2.71.136:/export/buildlogs/puppet-files read-only over NFS. Additionally, try-{linux,mac}-slave05 need access to staging-puppet.b.m.o on tcp/8140 and the rest need access to production-puppet.b.m.o on tcp/8140. I'm pretty sure that's it, but there might be one more after we get this far.

Ben, I can't find any DNS entries for try-mac-slave10 -> try-mac-slave19, so I am unable to create the necessary firewall rules for them. However, all other rules should now be in place, as you've requested.

I'm still unable to mount the NFS share from try-linux-slave05, unfortunately.

Ben, try-linux-slave05 has been grouped with all the other try-linux slaves and should be subject to the exact same ruleset. Additional debugging needs to happen, here... From try-linux-slave05, can you ping 10.2.71.136? How about ssh?

Sorry, my last comment was very unclear. I've only tried to mount the share with slave05, and was unsuccessful.

(In reply to comment #3) > From try-linux-slave05, can you ping 10.2.71.136? How about ssh? I can ping it, but I can't ssh to it.

I've confirmed that the firewall is passing the necessary traffic, so we're looking at a different issue. Can you ping/ssh in the opposite direction, 10.2.71.136 -> 10.2.76.29 ? Would it be possible to give us temporary root access on 10.2.71.136 in order to perform further debugging?

(In reply to comment #6) > I've confirmed that the firewall is passing the necessary traffic, so we're > looking at a different issue. > > Can you ping/ssh in the opposite direction, 10.2.71.136 -> 10.2.76.29 ? > > Would it be possible to give us temporary root access on 10.2.71.136 in order > to perform further debugging? AFAIK 10.2.71.136 is under your control (it's bm-sun-xf01.build.mozilla.org). I don't have access to it - that's for sure. I'm happy to give you whatever access you need to try-linux-slave05 (10.2.76.29) if it helps, though. Ping me if you want it, and I'll set you up.

(In reply to comment #7) > AFAIK 10.2.71.136 is under your control (it's bm-sun-xf01.build.mozilla.org) Ah, well... this was all very silly. I do have access to that server, now, and this entire configuration turns out to be unnecessary. bm-sun-xf01.build actually has an interface on the same sandbox network as the try servers. Configure your slaves to mount 10.2.76.136 instead of 10.2.71.136 and everything should start working.

(In reply to comment #1) > Ben, > > I can't find any DNS entries for try-mac-slave10 -> try-mac-slave19, so I am > unable to create the necessary firewall rules for them. > > However, all other rules should now be in place, as you've requested. These machines should all exist now - can you update their rules to match?

10 additional try slaves added