Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/235982

Change subject: Restrict Hadoop access to the analytics network
......................................................................

Restrict Hadoop access to the analytics network

Due to a bug in Hadoop it uses unpredictable dynamic ports although
configured not to do so, see T111433. Until that is fixed we only
restrict access to the analytics network.

Change-Id: Iddc3c02a0cd3026508fe49bc76588820e5a3d9d5
---
M manifests/role/analytics/hadoop.pp
1 file changed, 3 insertions(+), 77 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/82/235982/1

diff --git a/manifests/role/analytics/hadoop.pp 
b/manifests/role/analytics/hadoop.pp
index 92d5e19..5c5ab72 100644
--- a/manifests/role/analytics/hadoop.pp
+++ b/manifests/role/analytics/hadoop.pp
@@ -619,84 +619,10 @@
         }
     }
 
-    # Open up port for debugging
-    ferm::service{ 'jmxtrans-jmx':
+    # T111433
+    ferm::service{ 'hadoop-access':
         proto  => 'tcp',
-        port   => '2101',
-        srange => '$INTERNAL',
-    }
-
-    ferm::service{ 'hadoop-hdfs-journalnode-jmx':
-        proto  => 'tcp',
-        port   => '9981',
-        srange => '$ANALYTICS_NETWORKS',
-    }
-
-    ferm::service{ 'hadoop-yarn-nodemanager-jmx':
-        proto  => 'tcp',
-        port   => '9984',
-        srange => '$ANALYTICS_NETWORKS',
-    }
-
-    ferm::service{ 'hadoop-yarn-nodemanager':
-        proto  => 'tcp',
-        port   => '8041',
-        srange => '$ANALYTICS_NETWORKS',
-    }
-
-    ferm::service{ 'hadoop-yarn-nodemanager-localizer':
-        proto  => 'tcp',
-        port   => '8040',
-        srange => '$ANALYTICS_NETWORKS',
-    }
-
-    ferm::service{ 'hadoop-yarn-nodemanager-http-ui':
-        proto  => 'tcp',
-        port   => '8042',
-        srange => '$ANALYTICS_NETWORKS',
-    }
-
-    ferm::service{ 'hadoop-yarn-mapreduce-application-master':
-        proto  => 'tcp',
-        # $yarn_app_mapreduce_am_job_client_port_range could look like 
'55000-55199,55500-55599'.
-        # Translate '-' -> ':' and ',' => ' ' for ferm, e.g. (55000:55199 
55500:55599)
-        port   => inline_template('(<%= 
@yarn_app_mapreduce_am_job_client_port_range.tr("-,", ": ") %>)'),
-        srange => '$ANALYTICS_NETWORKS',
-    }
-
-    ferm::service{ 'hadoop-hdfs-ha-journalnode-http':
-        proto  => 'tcp',
-        port   => '8480',
-        srange => '$ANALYTICS_NETWORKS',
-    }
-
-    ferm::service{ 'hadoop-hdfs-ha-journalnode':
-        proto  => 'tcp',
-        port   => '8485',
-        srange => '$ANALYTICS_NETWORKS',
-    }
-
-    ferm::service{ 'hadoop-mapreduce-shuffle':
-        proto  => 'tcp',
-        port   => '13562',
-        srange => '$ANALYTICS_NETWORKS',
-    }
-
-    ferm::service{ 'hadoop-hdfs-datanode-http-ui':
-        proto  => 'tcp',
-        port   => '50075',
-        srange => '$ANALYTICS_NETWORKS',
-    }
-
-    ferm::service{ 'hadoop-hdfs-datanode-ipc':
-        proto  => 'tcp',
-        port   => '50020',
-        srange => '$ANALYTICS_NETWORKS',
-    }
-
-    ferm::service{ 'hadoop-hdfs-datanode-dfs-transfer':
-        proto  => 'tcp',
-        port   => '50010',
+        port   => '1024:65535',
         srange => '$ANALYTICS_NETWORKS',
     }
 
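Review bot: The new 'hadoop-access' rule with port => '1024:65535' makes every unprivileged TCP listener on these hosts reachable from $ANALYTICS_NETWORKS, not only the Hadoop daemons, and the only explanation left in the manifest is the bare "# T111433" comment. Please expand that comment to say this is a temporary workaround for the dynamic-port bug and that the per-service rules are to be restored once T111433 is fixed; the deleted blocks were the only in-file record of which ports (8040-8042, 8480, 8485, 13562, 50010, 50020, 50075, the JMX ports and the application master range) each service is expected to use. Also note that the removed 'jmxtrans-jmx' rule allowed port 2101 from $INTERNAL, while after this change it is only reachable from $ANALYTICS_NETWORKS; that is tighter, but worth confirming that nothing outside the analytics network polls JMX on 2101. If the workaround is expected to stay for a while, consider keeping the fixed-port rules that are unaffected by the bug and adding the wide range only for the dynamic ports, so the intended exposure stays documented.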

-- 
To view, visit https://gerrit.wikimedia.org/r/235982

Gerrit-MessageType: newchange
Gerrit-Change-Id: Iddc3c02a0cd3026508fe49bc76588820e5a3d9d5
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff <mmuhlenh...@wikimedia.org>
