Muehlenhoff has uploaded a new change for review. https://gerrit.wikimedia.org/r/235982
Change subject: Restrict Hadoop access to the analytics network ...................................................................... Restrict Hadoop access to the analytics network Due to a bug, Hadoop uses unpredictable dynamic ports although configured not to do so, see T111433. Until that is fixed we only restrict access to the analytics network. Change-Id: Iddc3c02a0cd3026508fe49bc76588820e5a3d9d5 --- M manifests/role/analytics/hadoop.pp 1 file changed, 3 insertions(+), 77 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/82/235982/1 diff --git a/manifests/role/analytics/hadoop.pp b/manifests/role/analytics/hadoop.pp index 92d5e19..5c5ab72 100644 --- a/manifests/role/analytics/hadoop.pp +++ b/manifests/role/analytics/hadoop.pp 
@@ -619,84 +619,10 @@ } } - # Open up port for debugging - ferm::service{ 'jmxtrans-jmx': + # T111433 + ferm::service{ 'hadoop-access': proto => 'tcp', - port => '2101', - srange => '$INTERNAL', - } - - ferm::service{ 'hadoop-hdfs-journalnode-jmx': - proto => 'tcp', - port => '9981', - srange => '$ANALYTICS_NETWORKS', - } - - ferm::service{ 'hadoop-yarn-nodemanager-jmx': - proto => 'tcp', - port => '9984', - srange => '$ANALYTICS_NETWORKS', - } - - ferm::service{ 'hadoop-yarn-nodemanager': - proto => 'tcp', - port => '8041', - srange => '$ANALYTICS_NETWORKS', - } - - ferm::service{ 'hadoop-yarn-nodemanager-localizer': - proto => 'tcp', - port => '8040', - srange => '$ANALYTICS_NETWORKS', - } - - ferm::service{ 'hadoop-yarn-nodemanager-http-ui': - proto => 'tcp', - port => '8042', - srange => '$ANALYTICS_NETWORKS', - } - - ferm::service{ 'hadoop-yarn-mapreduce-application-master': - proto => 'tcp', - # $yarn_app_mapreduce_am_job_client_port_range could look like '55000-55199,55500-55599'. - # Translate '-' -> ':' and ',' => ' ' for ferm, e.g. 
(55000:55199 55500:55599) - port => inline_template('(<%= @yarn_app_mapreduce_am_job_client_port_range.tr("-,", ": ") %>)'), - srange => '$ANALYTICS_NETWORKS', - } - - ferm::service{ 'hadoop-hdfs-ha-journalnode-http': - proto => 'tcp', - port => '8480', - srange => '$ANALYTICS_NETWORKS', - } - - ferm::service{ 'hadoop-hdfs-ha-journalnode': - proto => 'tcp', - port => '8485', - srange => '$ANALYTICS_NETWORKS', - } - - ferm::service{ 'hadoop-mapreduce-shuffle': - proto => 'tcp', - port => '13562', - srange => '$ANALYTICS_NETWORKS', - } - - ferm::service{ 'hadoop-hdfs-datanode-http-ui': - proto => 'tcp', - port => '50075', - srange => '$ANALYTICS_NETWORKS', - } - - ferm::service{ 'hadoop-hdfs-datanode-ipc': - proto => 'tcp', - port => '50020', - srange => '$ANALYTICS_NETWORKS', - } - - ferm::service{ 'hadoop-hdfs-datanode-dfs-transfer': - proto => 'tcp', - port => '50010', + port => '1024:65535', srange => '$ANALYTICS_NETWORKS', } -- To view, visit https://gerrit.wikimedia.org/r/235982 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Iddc3c02a0cd3026508fe49bc76588820e5a3d9d5 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff <mmuhlenh...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
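Review bot: The new `hadoop-access` rule accepts TCP `1024:65535` from `$ANALYTICS_NETWORKS`, so every unprivileged listener on these hosts becomes reachable from the whole analytics network, including the JMX ports 9981 and 9984 that previously had dedicated rules and any non-Hadoop daemon that binds above 1023. The commit message describes this as a stopgap, but the only trace left in the manifest is `# T111433`; I would spell it out, e.g. `# Temporary: Hadoop picks dynamic ports despite its configuration (T111433); restore per-service rules once fixed.` The removed `jmxtrans-jmx` rule allowed port 2101 from `$INTERNAL`, so a collector outside the analytics networks would presumably lose access with this change, which is worth confirming before merge. The enclosing class begins outside the hunk.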