Alexandros Kosiaris has submitted this change and it was merged.

Change subject: Temporarily punch holes for hooft and bast4001
Temporarily punch holes for hooft and bast4001 hooft and bast4001 are technically bastion hosts however they do not have that class applied to them. Moreover that class would not punch holes right now cause it lacks the corresponding rules. An effort for that is at gerrit #96424. In the meantime punch holes directly in site.pp for this and two (2) other unpuppetized services (rsync/udpmcast). Finally create ferm::rule resources for ganglia aggregator that will only be realized on hosts that include base::firewall Change-Id: I055e9b0bc1c7a0b5fc6a3d4f307aaa964060d08b --- M manifests/site.pp M modules/ganglia_new/manifests/monitor/aggregator/instance.pp 2 files changed, 32 insertions(+), 0 deletions(-) Approvals: Alexandros Kosiaris: Looks good to me, approved jenkins-bot: Verified diff --git a/manifests/site.pp b/manifests/site.pp index 75cd4ac..3cd2302 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -292,6 +292,14 @@ misc::management::ipmi, role::installserver::tftp-server + # TODO: should have bastionhost class and it should open ssh access + # but it is ready yet. Fix and remove this. tftp-server includes + # base::firewall and policy is set to DROP + ferm::service { 'ssh': + proto => 'tcp', + port => 'ssh', + } + } node "beryllium.wikimedia.org" { @@ -1140,6 +1148,25 @@ admins::mortals, admins::restricted + # TODO: 2013-12-13. rsync is an unpuppetized service on hooft. Ferms is + # applied through role::installserver::tftp-server and policy is DROP. + # Temporarily opening access. Must puppetize properly + ferm::service { 'rsync': + proto => 'tcp', + port => '873', + } + # TODO: Same for udpmcast + ferm::service { 'udpmcast': + proto => 'udp', + port => '4827', + } + # TODO: should have bastionhost class and it should open ssh access + # but it is ready yet. Fix and remove this + ferm::service { 'ssh': + proto => 'tcp', + port => 'ssh', + } + class { "ganglia_new::monitor::aggregator": sites => ["esams"] } } 
diff --git a/modules/ganglia_new/manifests/monitor/aggregator/instance.pp b/modules/ganglia_new/manifests/monitor/aggregator/instance.pp index c0e217a..2e91e02 100644 --- a/modules/ganglia_new/manifests/monitor/aggregator/instance.pp +++ b/modules/ganglia_new/manifests/monitor/aggregator/instance.pp @@ -25,6 +25,11 @@ $ensure = "absent" } + # This will only be realized if base::firewall (well ferm..) is included + ferm::rule { "aggregator-${id}": + rule => "proto udp dport ${gmond_port} { saddr \$ALL_NETWORKS ACCEPT; }", + } + file { "/etc/ganglia/aggregators/${id}.conf": require => File["/etc/ganglia/aggregators"], mode => 0444, -- To view, visit https://gerrit.wikimedia.org/r/101216 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I055e9b0bc1c7a0b5fc6a3d4f307aaa964060d08b Gerrit-PatchSet: 2 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Alexandros Kosiaris <akosia...@wikimedia.org> Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org> Gerrit-Reviewer: jenkins-bot
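
Review bot: In the first manifests/site.pp hunk (@@ -292), the TODO comment reads "but it is ready yet", which says the opposite of what the commit message describes; it should read "but it is not ready yet". The TODO also carries no date and no pointer to the pending bastionhost work (the commit message names gerrit #96424), unlike the dated rsync TODO in the next hunk, so there is nothing to search for when this temporary rule has to be removed. The ferm::service 'ssh' resource sets only proto and port, so on a host whose policy is DROP it opens tcp/ssh with no source restriction visible in the hunk; the comment should say that this is the intended exposure for a bastion.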
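
Review bot: In the second manifests/site.pp hunk (@@ -1140), ferm::service 'rsync' (tcp 873) and ferm::service 'udpmcast' (udp 4827) are declared with proto and port only, so nothing in the hunk limits which sources can reach these two unpuppetized services once the DROP policy is opened for them. The ganglia rule in this same change restricts its source with "saddr \$ALL_NETWORKS"; consider an equivalent restriction here, or state in the comment why any source is acceptable. The "Same for udpmcast" TODO has no date, and the ssh block repeats the one from the @@ -292 hunk including the "it is ready yet" wording, so both copies need the same fix and the same removal later.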
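
Review bot: In the modules/ganglia_new/manifests/monitor/aggregator/instance.pp hunk (@@ -25), the new ferm::rule "aggregator-${id}" is declared right after the branch that sets $ensure = "absent" but takes no ensure of its own, so the udp ${gmond_port} ACCEPT rule appears to stay in place for an aggregator instance that is being removed. Suggest tying the rule to $ensure, or declaring it only when the instance is present. The comment says the rule "will only be realized if base::firewall (well ferm..) is included", yet nothing in the visible lines marks the resource as virtual or conditional; a short pointer to where that behaviour comes from would help the next reader.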