Alexandros Kosiaris has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/101216


Change subject: Temporarily punch holes for hooft and bast4001
......................................................................

Temporarily punch holes for hooft and bast4001

hooft and bast4001 are technically bastion hosts; however, they do not
have that class applied to them. Moreover, that class would not punch
holes right now because it lacks the corresponding rules. An effort for
that is at gerrit #96424.
In the meantime, punch holes directly in site.pp for this and two (2)
other unpuppetized services (rsync/udpmcast). Finally, create a virtual
resource for the ganglia aggregator that will only be realized on hosts
that include base::firewall.

Change-Id: I055e9b0bc1c7a0b5fc6a3d4f307aaa964060d08b
---
M manifests/site.pp
M modules/ganglia_new/manifests/monitor/aggregator/instance.pp
2 files changed, 32 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/16/101216/1

diff --git a/manifests/site.pp b/manifests/site.pp
index 75cd4ac..3cd2302 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -292,6 +292,14 @@
     misc::management::ipmi,
     role::installserver::tftp-server
 
+    # TODO: should have bastionhost class and it should open ssh access
+    # but it is ready yet. Fix and remove this. tftp-server includes
+    # base::firewall and policy is set to DROP
+    ferm::service { 'ssh':
+        proto   => 'tcp',
+        port    => 'ssh',
+    }
+
 }
 
 node "beryllium.wikimedia.org" {
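Review bot: The TODO above the new ferm::service { 'ssh': } block reads "but it is ready yet", which says the opposite of what is meant; it should be "but it is not ready yet". Since this rule is meant to be temporary, the comment should also name the change it is waiting on (the commit message cites gerrit #96424) so whoever lands that work knows to delete this block. The resource gives only proto and port, so nothing in this hunk limits which sources may reach ssh on a host whose policy is DROP; if that is intended for a bastion, say so in the comment.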
@@ -1140,6 +1148,25 @@
         admins::mortals,
         admins::restricted
 
+    # TODO: 2013-12-13. rsync is an unpuppetized service on hooft. Ferms is
+    # applied through role::installserver::tftp-server and policy is DROP.
+    # Temporarily opening access. Must puppetize properly
+    ferm::service { 'rsync':
+        proto => 'tcp',
+        port  => '873',
+    }
+    # TODO: Same for udpmcast
+    ferm::service { 'udpmcast':
+        proto => 'udp',
+        port  => '4827',
+    }
+    # TODO: should have bastionhost class and it should open ssh access
+    # but it is ready yet. Fix and remove this
+    ferm::service { 'ssh':
+        proto   => 'tcp',
+        port    => 'ssh',
+    }
+
     class { "ganglia_new::monitor::aggregator": sites => ["esams"] }
 }
 
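Review bot: The 'rsync' (tcp 873) and 'udpmcast' (udp 4827) services are opened with no source restriction in the resource, while the ganglia rule later in this patch limits itself to saddr $ALL_NETWORKS. On a host that also acts as a bastion, these two should be limited to the networks that actually use them, or the comment should state why an unrestricted accept is acceptable for now. The ssh block is a copy of the one added to the other node, including the "but it is ready yet" typo (should be "not ready yet"); keeping the temporary ssh rule in one small shared class would leave a single place to remove once the bastionhost class opens ssh itself.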
diff --git a/modules/ganglia_new/manifests/monitor/aggregator/instance.pp 
b/modules/ganglia_new/manifests/monitor/aggregator/instance.pp
index c0e217a..f758f98 100644
--- a/modules/ganglia_new/manifests/monitor/aggregator/instance.pp
+++ b/modules/ganglia_new/manifests/monitor/aggregator/instance.pp
@@ -25,6 +25,11 @@
                $ensure = "absent"
        }
 
+    # This will only be realized if base::firewall (well ferm..) is included
+    @ferm::rule {
+        rule => "proto udp dport ${gmond_port} { saddr \$ALL_NETWORKS ACCEPT; 
}"
+    }
+
        file { "/etc/ganglia/aggregators/${id}.conf":
                require => File["/etc/ganglia/aggregators"],
                mode => 0444,
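Review bot: The virtual resource is declared as @ferm::rule { rule => "..." } with no title, which Puppet will not parse; a resource declaration needs a title before the attributes. Because this file declares one instance per ${id}, the title should include ${id} (for example "aggregator-udp-${id}") so that two instances on the same host do not collide. The comment says the rule is only realized when base::firewall is included, but no collector for Ferm::Rule is visible in this patch, so please point to where it is realized or add it. The new lines are also indented with four spaces while the surrounding context uses a different indentation.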

-- 
To view, visit https://gerrit.wikimedia.org/r/101216

Gerrit-MessageType: newchange
Gerrit-Change-Id: I055e9b0bc1c7a0b5fc6a3d4f307aaa964060d08b
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alexandros Kosiaris <akosia...@wikimedia.org>
