Alexandros Kosiaris has submitted this change and it was merged.

Change subject: Temporarily punch holes for hooft and bast4001
......................................................................


Temporarily punch holes for hooft and bast4001

hooft and bast4001 are technically bastion hosts; however, they do not
have that class applied to them. Moreover, that class would not punch
holes right now because it lacks the corresponding rules. An effort for
that is at gerrit #96424.
In the meantime punch holes directly in site.pp for this and two (2)
other unpuppetized services (rsync/udpmcast). Finally create
ferm::rule resources for ganglia aggregator that will only be realized
on hosts that include base::firewall.

Change-Id: I055e9b0bc1c7a0b5fc6a3d4f307aaa964060d08b
---
M manifests/site.pp
M modules/ganglia_new/manifests/monitor/aggregator/instance.pp
2 files changed, 32 insertions(+), 0 deletions(-)

Approvals:
  Alexandros Kosiaris: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/manifests/site.pp b/manifests/site.pp
index 75cd4ac..3cd2302 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -292,6 +292,14 @@
     misc::management::ipmi,
     role::installserver::tftp-server
 
+    # TODO: should have bastionhost class and it should open ssh access
+    # but it is ready yet. Fix and remove this. tftp-server includes
+    # base::firewall and policy is set to DROP
+    ferm::service { 'ssh':
+        proto   => 'tcp',
+        port    => 'ssh',
+    }
+
 }
 
 node "beryllium.wikimedia.org" {
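Review bot: the TODO comment above the added ssh block reads "but it is ready yet", which says the opposite of what is meant; it should read "not ready yet", and it should cite gerrit #96424 so the temporary rule can be traced and removed once the bastionhost class opens ssh itself. The ferm::service { 'ssh': } declaration sets only proto and port, so under the DROP policy the comment mentions it accepts ssh from any source; if that is intended for a bastion host, say so in the comment, otherwise restrict the source.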
@@ -1140,6 +1148,25 @@
         admins::mortals,
         admins::restricted
 
+    # TODO: 2013-12-13. rsync is an unpuppetized service on hooft. Ferms is
+    # applied through role::installserver::tftp-server and policy is DROP.
+    # Temporarily opening access. Must puppetize properly
+    ferm::service { 'rsync':
+        proto => 'tcp',
+        port  => '873',
+    }
+    # TODO: Same for udpmcast
+    ferm::service { 'udpmcast':
+        proto => 'udp',
+        port  => '4827',
+    }
+    # TODO: should have bastionhost class and it should open ssh access
+    # but it is ready yet. Fix and remove this
+    ferm::service { 'ssh':
+        proto   => 'tcp',
+        port    => 'ssh',
+    }
+
     class { "ganglia_new::monitor::aggregator": sites => ["esams"] }
 }
 
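Review bot: the rsync (tcp/873) and udpmcast (udp/4827) services in this node block are declared with only proto and port, so neither is limited to the peers that actually need them; since both are described as unpuppetized and temporary, constrain the source or at least record in the comment who is expected to connect. Only the rsync TODO carries a date (2013-12-13); the udpmcast and ssh TODOs should carry the same date or a reference to the follow-up change. The ssh block and its comment are a copy of the one added to the earlier node, including the "but it is ready yet" wording that should read "not ready yet", so both copies need fixing and later removing together.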
diff --git a/modules/ganglia_new/manifests/monitor/aggregator/instance.pp 
b/modules/ganglia_new/manifests/monitor/aggregator/instance.pp
index c0e217a..2e91e02 100644
--- a/modules/ganglia_new/manifests/monitor/aggregator/instance.pp
+++ b/modules/ganglia_new/manifests/monitor/aggregator/instance.pp
@@ -25,6 +25,11 @@
                $ensure = "absent"
        }
 
+       # This will only be realized if base::firewall (well ferm..) is included
+       ferm::rule { "aggregator-${id}":
+               rule => "proto udp dport ${gmond_port} { saddr \$ALL_NETWORKS 
ACCEPT; }",
+       }
+
        file { "/etc/ganglia/aggregators/${id}.conf":
                require => File["/etc/ganglia/aggregators"],
                mode => 0444,
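Review bot: the added ferm::rule { "aggregator-${id}": } is declared without regard to $ensure, although the context just above sets $ensure = "absent" in one branch, so the udp accept rule for ${gmond_port} would remain for an aggregator instance that is being removed; tie the rule's presence to the same $ensure value. The comment says the rule "will only be realized if base::firewall ... is included", but the resource is written as a normal declaration rather than a virtual one, so the comment should state what makes it a no-op on hosts that do not include ferm.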

-- 
To view, visit https://gerrit.wikimedia.org/r/101216

Gerrit-MessageType: merged
Gerrit-Change-Id: I055e9b0bc1c7a0b5fc6a3d4f307aaa964060d08b
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alexandros Kosiaris <akosia...@wikimedia.org>
Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot
