Filippo Giunchedi has submitted this change and it was merged.

Change subject: cassandra: add ferm rules using hiera data 
......................................................................


cassandra: add ferm rules using hiera data 

Adding ferm rules for the cassandra ports to allow connections
only from (other) restbase servers.

Gets the list of cassandra host names from hiera, then uses @resolve in ferm
to perform a DNS lookup and convert them to IPs for use in the srange.

Bug:T92680
Change-Id: I7d077c92641f356d51f59c5749427e53ab1ef453
---
M manifests/role/cassandra.pp
1 file changed, 14 insertions(+), 10 deletions(-)

Approvals:
  Filippo Giunchedi: Verified; Looks good to me, approved
  Eevans: Looks good to me, but someone else must approve
  Alexandros Kosiaris: Looks good to me, but someone else must approve
  jenkins-bot: Verified
  Dzahn: Looks good to me, but someone else must approve



diff --git a/manifests/role/cassandra.pp b/manifests/role/cassandra.pp
index 9246595..aa4094e 100644
--- a/manifests/role/cassandra.pp
+++ b/manifests/role/cassandra.pp
@@ -22,22 +22,26 @@
         check_command => 'check_tcp!9042',
     }
 
-    ferm::service { 'cassandra-cql-native-transport':
-        proto  => 'tcp',
-        port   => '9042',
-        srange => '$ALL_NETWORKS',
-    }
+    $cassandra_hosts = hiera('cassandra::seeds')
+    $cassandra_hosts_ferm = join($cassandra_hosts, ' ')
 
-    ferm::service { 'cassandra-internode-comms':
+    # Cassandra intra-node messaging
+    ferm::service { 'cassandra-intra-node':
         proto  => 'tcp',
         port   => '7000',
-        srange => '$ALL_NETWORKS',
+        srange => "@resolve(($cassandra_hosts_ferm))",
     }
-
-    ferm::service { 'cassandra-jmx-monitoring':
+    # Cassandra JMX/RMI
+    ferm::service { 'cassandra-jmx-rmi':
         proto  => 'tcp',
         port   => '7199',
-        srange => '$ALL_NETWORKS',
+        srange => "@resolve(($cassandra_hosts_ferm))",
+    }
+    # Cassandra CQL query interface
+    ferm::service { 'cassandra-cql':
+        proto  => 'tcp',
+        port   => '9042',
+        srange => "@resolve(($cassandra_hosts_ferm))",
     }
 
 }
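Review bot: The hiera key is `cassandra::seeds`, but the commit message describes it as "the list of cassandra host names"; if the seeds list is only a subset of the cluster, every non-seed node is locked out of 7000 (intra-node), 7199 (JMX) and 9042 (CQL) by these rules, so either confirm that `cassandra::seeds` enumerates the full cluster membership or source `$cassandra_hosts` from a key that does. Two smaller points on the same `srange => "@resolve(($cassandra_hosts_ferm))"` lines: ferm performs the lookup when the ruleset is loaded, so a host added to hiera, or a changed address, is not picked up until ferm is reloaded and a resolution failure will stop the ruleset from loading, which is worth a comment next to `$cassandra_hosts_ferm`; and `@resolve` returns A records only by default, so if these hosts also talk over IPv6 a second `@resolve((...), AAAA)` entry is needed. A blank line between the `cassandra-intra-node` and `cassandra-jmx-rmi` resources (and before `cassandra-cql`) would match the spacing of the code these replace.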

-- 
To view, visit https://gerrit.wikimedia.org/r/197840
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I7d077c92641f356d51f59c5749427e53ab1ef453
Gerrit-PatchSet: 11
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Dzahn <dz...@wikimedia.org>
Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org>
Gerrit-Reviewer: Dzahn <dz...@wikimedia.org>
Gerrit-Reviewer: Eevans <eev...@wikimedia.org>
Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org>
Gerrit-Reviewer: Filippo Giunchedi <fgiunch...@wikimedia.org>
Gerrit-Reviewer: GWicke <gwi...@wikimedia.org>
Gerrit-Reviewer: John F. Lewis <johnflewi...@gmail.com>
Gerrit-Reviewer: Matanya <mata...@foss.co.il>
Gerrit-Reviewer: Yuvipanda <yuvipa...@gmail.com>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
