Muehlenhoff has uploaded a new change for review. https://gerrit.wikimedia.org/r/227216
Change subject: WIP/RfC: Allow multiple/dynamic range of ports for ferm services
......................................................................

WIP/RfC: Allow multiple/dynamic range of ports for ferm services

rcstream uses a dynamic range of ports depending on how many CPUs/cores the server has. Since Puppet doesn't have builtin iteration in the current version, the expansion occurs in the ERB template. If anyone has an alternate suggestion to implement this, I'd be interested to learn about it.

This introduces a bit of code duplication in the form of a separate ferm::service_multiport; an alternative would be to also move existing call sites of ferm::service to use an array instead of a string to specify the ports. The current approach is less intrusive, though.

Bug: T104981
Change-Id: I0e31307b46ff56286dd6f17595ed620682482628
---
M modules/ferm/manifests/service.pp
A modules/ferm/templates/service-multi.erb
2 files changed, 47 insertions(+), 0 deletions(-)

git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/16/227216/1

diff --git a/modules/ferm/manifests/service.pp b/modules/ferm/manifests/service.pp
index 8b1f5ae..ae0b77a 100644
--- a/modules/ferm/manifests/service.pp
+++ b/modules/ferm/manifests/service.pp
@@ -25,3 +25,31 @@ tag => 'ferm', } } + +# == Define ferm::service_multiport +# Uses ferm def &SERVICE or &R_SERVICE to allow incoming +# connections on the specific protocol and ports. This is similar +# to ferm::service, but allows to specify a list of ports +# +# If $srange is not provided, all source addresses will be allowed. +# otherwise only traffic coming from $srange will be allowed. +define ferm::service_multiport( + $proto, + $ports, + $ensure = present, + $desc = '', + $prio = '10', + $srange = undef, + $notrack = false, +) { + @file { "/etc/ferm/conf.d/${prio}_${name}": + ensure => $ensure, + owner => 'root', + group => 'root', + mode => '0400', + content => template('ferm/service-multi.erb'), + require => File['/etc/ferm/conf.d'], + notify => Service['ferm'], + tag => 'ferm', + } +} diff --git a/modules/ferm/templates/service-multi.erb b/modules/ferm/templates/service-multi.erb new file mode 100644 index 0000000..73df7f5 --- /dev/null +++ b/modules/ferm/templates/service-multi.erb @@ -0,0 +1,19 @@ +# Autogenerated by puppet. DO NOT EDIT BY HAND! +# +# <%= @desc %> +<% if @srange -%> + <% for @port in @ports -%> + &R_SERVICE(<%= @proto %>, <%= @port %>, <%= @srange %>); + <% end %> + +<% else -%> + <% for @port in @ports -%> + &SERVICE(<%= @proto %>, <%= @port %>); + <% end -%> +<% end -%> + +<% if @notrack == true %> + <% for @port in @ports -%> + &NO_TRACK(<%= @proto %>, <%= @port %>); + <% end -%> +<% end -%> -- To view, visit https://gerrit.wikimedia.org/r/227216 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I0e31307b46ff56286dd6f17595ed620682482628 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff <mmuhlenh...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
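Review bot: In the modules/ferm/manifests/service.pp hunk, `$ports` is passed straight to the template with no validation, so a caller that follows the ferm::service convention and passes a single port as a string (the commit message itself notes that existing call sites use a string) makes `for @port in @ports` fail during template evaluation with a Ruby backtrace instead of a clear Puppet error. Add a check at the top of the define, for example `validate_array($ports)` from puppetlabs-stdlib, or normalise with `any2array($ports)` so that both string and array callers work; since the generated file ends up under /etc/ferm/conf.d/ as firewall policy, failing loudly on a malformed port list is preferable to emitting an incomplete rule set. The parameter documentation in the comment block should also state that `$ports` is an array, as that is the only thing distinguishing this define from ferm::service.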
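Review bot: In the modules/ferm/templates/service-multi.erb hunk, whitespace trimming is inconsistent: the `$srange` branch closes its loop with `<% end %>` while the else branch uses `<% end -%>`, and `<% if @notrack == true %>` also lacks the `-%>` trim, so the restricted-source case emits a stray blank line after every `&R_SERVICE(...)` entry and the notrack block starts with one. Use `-%>` on every control tag so the generated conf.d file has the same shape in all three branches. As a style point, `for @port in @ports` assigns an instance variable that survives the loop; the idiomatic ERB form is `<% @ports.each do |port| -%>` with a block-local `port`, which also avoids clobbering any `@port` the template might later gain.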