Alexandros Kosiaris has uploaded a new change for review. https://gerrit.wikimedia.org/r/101216
Change subject: Temporarily punch holes for hooft and bast4001 ...................................................................... Temporarily punch holes for hooft and bast4001 hooft and bast4001 are technically bastion hosts however they do not have that class applied to them. Moreover that class would not punch holes right now cause it lacks the corresponding rules. An effort for that is at gerrit #96424. In the meantime punch holes directly in site.pp for this and two (2) other unpuppetized services (rsync/udpmcast). Finally create a virtual resource for ganglia aggregator that will only be realized on hosts that include base::firewall Change-Id: I055e9b0bc1c7a0b5fc6a3d4f307aaa964060d08b --- M manifests/site.pp M modules/ganglia_new/manifests/monitor/aggregator/instance.pp 2 files changed, 32 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/16/101216/1 diff --git a/manifests/site.pp b/manifests/site.pp index 75cd4ac..3cd2302 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -292,6 +292,14 @@ misc::management::ipmi, role::installserver::tftp-server + # TODO: should have bastionhost class and it should open ssh access + # but it is ready yet. Fix and remove this. tftp-server includes + # base::firewall and policy is set to DROP + ferm::service { 'ssh': + proto => 'tcp', + port => 'ssh', + } + } node "beryllium.wikimedia.org" { 
@@ -1140,6 +1148,25 @@ admins::mortals, admins::restricted + # TODO: 2013-12-13. rsync is an unpuppetized service on hooft. Ferms is + # applied through role::installserver::tftp-server and policy is DROP. + # Temporarily opening access. Must puppetize properly + ferm::service { 'rsync': + proto => 'tcp', + port => '873', + } + # TODO: Same for udpmcast + ferm::service { 'udpmcast': + proto => 'udp', + port => '4827', + } + # TODO: should have bastionhost class and it should open ssh access + # but it is ready yet. Fix and remove this + ferm::service { 'ssh': + proto => 'tcp', + port => 'ssh', + } + class { "ganglia_new::monitor::aggregator": sites => ["esams"] } } diff --git a/modules/ganglia_new/manifests/monitor/aggregator/instance.pp b/modules/ganglia_new/manifests/monitor/aggregator/instance.pp index c0e217a..f758f98 100644 --- a/modules/ganglia_new/manifests/monitor/aggregator/instance.pp +++ b/modules/ganglia_new/manifests/monitor/aggregator/instance.pp @@ -25,6 +25,11 @@ $ensure = "absent" } + # This will only be realized if base::firewall (well ferm..) is included + @ferm::rule { + rule => "proto udp dport ${gmond_port} { saddr \$ALL_NETWORKS ACCEPT; }" + } + file { "/etc/ganglia/aggregators/${id}.conf": require => File["/etc/ganglia/aggregators"], mode => 0444, -- Gerrit-MessageType: newchange Gerrit-Change-Id: I055e9b0bc1c7a0b5fc6a3d4f307aaa964060d08b Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Alexandros Kosiaris <akosia...@wikimedia.org>
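
Review bot: in the first manifests/site.pp hunk (@@ -292,6 +292,14 @@), the TODO comment above ferm::service { 'ssh': } reads "but it is ready yet" and is missing a "not", so it no longer explains why the rule exists. Since the commit message calls this rule temporary and cites gerrit #96424 as the replacement, put that reference in the comment as well so the block gets deleted when the bastion class gains its own ssh rule. The same block and the same comment wording are repeated in the second site.pp hunk, so both copies need the fix.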
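
Review bot: in the second manifests/site.pp hunk (@@ -1140,6 +1148,25 @@), the ferm::service declarations for 'rsync' (tcp 873) and 'udpmcast' (udp 4827) set only proto and port, so nothing visible in the hunk limits which source addresses can reach them on a host whose policy is DROP. Wide ssh access is expected on a bastion, but if rsync and udpmcast are only used by a known set of peers, restrict the rules to those sources, or state in the TODO that access from anywhere is intended. Only the rsync TODO carries a date; dating the udpmcast and ssh TODOs the same way would make stale temporary rules easier to spot.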
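
Review bot: in the modules/ganglia_new/manifests/monitor/aggregator/instance.pp hunk, the added @ferm::rule { rule => ... } has no title before its attributes, and a Puppet resource declaration needs one, so this will not parse as written. Give it a title that includes ${id}, which the file resource just below already uses, so that more than one aggregator instance on a host does not produce a duplicate declaration. The comment says the rule is realized only where base::firewall is included, but nothing in this change collects it; point the comment at where the realization happens.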