Ottomata has uploaded a new change for review.
https://gerrit.wikimedia.org/r/153801
Change subject: Add ferm::service rule for zookeeper admin port
......................................................................
Add ferm::service rule for zookeeper admin port
This will only allow hosts in the analytics cluster to connect
to the zookeeper admin port.
RT 6999
Change-Id: I1421e51afa065df4dca11a9926c83f65923fadaf
---
M manifests/role/analytics/zookeeper.pp
M modules/base/templates/firewall/defs.erb
2 files changed, 10 insertions(+), 0 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/01/153801/1
diff --git a/manifests/role/analytics/zookeeper.pp
b/manifests/role/analytics/zookeeper.pp
index 4d3806e..3afa21d 100644
--- a/manifests/role/analytics/zookeeper.pp
+++ b/manifests/role/analytics/zookeeper.pp
@@ -83,6 +83,14 @@
# TODO: use variables from new ganglia module once it is finished.
$ganglia_host = '239.192.1.32'
$ganglia_port = 8649
+
+ # Only allow hosts in the Analytics Cluster to
+ # connect to the Zookeeper admin client port.
+ ferm::service { 'zookeeper-client':
+ proto => 'tcp',
+ port => '2181',
+ srange => '($ANALYTICS_NETWORKS)',
+ }
}
# Use jmxtrans for sending metrics to ganglia
class { 'zookeeper::jmxtrans':
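Review bot: The added comment and the commit subject call 2181 the "admin" port, while the resource is titled `zookeeper-client`; 2181 is ZooKeeper's default client port, which also answers the admin four-letter commands, so the comment would be clearer as `# Only allow hosts in the Analytics Cluster to connect to the Zookeeper client port (2181), which also serves admin commands.` The rule covers only 2181. If ferm's default policy on these hosts is to drop, the quorum and leader-election ports between ensemble members, and any JMX port that jmxtrans polls, would need their own rules; none of that is visible in this hunk, so it is worth confirming. The enclosing block opens above the hunk, so whether the base firewall class is actually included for this role cannot be checked from here.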
diff --git a/modules/base/templates/firewall/defs.erb
b/modules/base/templates/firewall/defs.erb
index 2f0657d..fc8256b 100644
--- a/modules/base/templates/firewall/defs.erb
+++ b/modules/base/templates/firewall/defs.erb
@@ -3,10 +3,12 @@
all_networks = scope.lookupvar('network::constants::all_networks')
all_network_subnets =
scope.lookupvar('network::constants::all_network_subnets')
special_hosts = scope.lookupvar('network::constants::special_hosts')
+analytics_networks = scope.lookupvar('network::constants::analytics_networks')
-%>
@def $EXTERNAL_NETWORKS = (<%- external_networks.each do |external_net| -%><%=
external_net %> <% end -%>);
@def $ALL_NETWORKS = (<%- all_networks.each do |net| -%><%= net %> <% end -%>);
+@def $ANALYTICS_NETWORKS = (<%- analytics_networks.each do |net| -%><%= net %>
<% end -%>);
<%- special_hosts.sort.map do |realm, services | -%>
<%- if @realm != realm then next end -%>
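Review bot: `analytics_networks.each` on the new `@def $ANALYTICS_NETWORKS` line assumes `network::constants::analytics_networks` is a defined array in every realm, and this change does not touch network::constants, so that cannot be confirmed from the diff. Because defs.erb lives in the base module, an undefined value would presumably break template rendering for every host that includes the firewall definitions, not only the ZooKeeper hosts. An empty list would render `@def $ANALYTICS_NETWORKS = ();`, so it is worth checking how ferm treats an empty `srange`, to be sure the ZooKeeper rule neither vanishes silently nor matches more than intended. A short comment above the lookup, e.g. `# networks allowed to reach analytics-only services (see role::analytics::zookeeper)`, would document what the new definition is for.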
--
To view, visit https://gerrit.wikimedia.org/r/153801
Gerrit-MessageType: newchange
Gerrit-Change-Id: I1421e51afa065df4dca11a9926c83f65923fadaf
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Ottomata <[email protected]>