Hashar has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/94136


Change subject: contint: deny Zuul gearman port (4370) beside localhost
......................................................................

contint: deny Zuul gearman port (4370) beside localhost

Zuul comes with a built-in Gearman daemon. At first its only worker will
be the Jenkins master installed on the same box; they will communicate
over the loopback 127.0.0.1.

We cannot give access to gearman from labs machines or from the rest of
the Wikimedia cluster, to prevent someone from triggering unwanted jobs.
That is why I firewall out the port.

Change-Id: I708d562a02a98a9e603bd6afbd7399d737cc4322
---
M manifests/iptables.pp
M modules/contint/manifests/firewall.pp
2 files changed, 8 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/36/94136/1

diff --git a/manifests/iptables.pp b/manifests/iptables.pp
index a706f8b..cf82006 100644
--- a/manifests/iptables.pp
+++ b/manifests/iptables.pp
@@ -4,6 +4,7 @@
        beam2 => "5672",
        beam3 => "56918",
        epmd => "4369",
+       gearman => "4370",
        git_daemon => "9418",
        glance_api => "9292",
        glance_registry => "9191",
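Review bot: please double-check the value in `gearman => "4370"`. Gearman's registered default port is 4730, and Zuul's built-in gear server listens there unless configured otherwise; 4370 reads like a digit transposition, sitting right next to the `epmd => "4369"` entry above it. If the Zuul configuration on the box really binds 4370 then this is fine, but otherwise the DROP rule built from this table would leave the actual Gearman listener reachable while appearing to block it. Worth confirming against the running daemon (e.g. the port shown by `ss -ltn` on the host) before merging.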
@@ -55,6 +56,7 @@
        beam2 => "tcp",
        beam3 => "tcp",
        epmd => "tcp",
+       gearman => "tcp",
        git_daemon => "tcp",
        glance_api => "tcp",
        glance_registry => "tcp",
diff --git a/modules/contint/manifests/firewall.pp 
b/modules/contint/manifests/firewall.pp
index 8a3f595..6d8071f 100644
--- a/modules/contint/manifests/firewall.pp
+++ b/modules/contint/manifests/firewall.pp
@@ -9,6 +9,7 @@
 
     iptables_purge_service{  'deny_all_http-alt': service => 'http-alt' }
     iptables_purge_service{  'deny_all_zuul-daemon': service => 
'zuul_webservice' }
+    iptables_purge_service{  'deny_all-gearman': service => 'gearman' }
     iptables_purge_service{  'deny_all_git-daemon': service  => 'git_daemon' }
   }
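Review bot: the resource title `'deny_all-gearman'` breaks the naming convention used by the three neighbouring purge entries (`deny_all_http-alt`, `deny_all_zuul-daemon`, `deny_all_git-daemon`), which all separate `deny_all` from the service name with an underscore. Suggest `iptables_purge_service{ 'deny_all_gearman': service => 'gearman' }`, and the same rename for the matching `iptables_add_service` title later in this change, since the purge title has to match the add title for the purge to target the right rule.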
 
@@ -18,6 +19,11 @@
 
     iptables_add_service{ 'lo_all': interface => 'lo', service => 'all', jump 
=> 'ACCEPT' }
     iptables_add_service{ 'localhost_all': source => '127.0.0.1', service => 
'all', jump => 'ACCEPT' }
+
+    # We really need to drop Zuul gearman there or anyone in wikimedia network
+    # would be able to reach Zuul gearman daemon.
+    iptables_add_service{ 'deny_all-gearman': service => 'gearman', jump => 
'DROP' }
+
     iptables_add_service{ 'private_all': source => '10.0.0.0/8', service => 
'all', jump => 'ACCEPT' }
     iptables_add_service{ 'public_all': source => '208.80.152.0/22', service 
=> 'all', jump => 'ACCEPT' }
   }
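Review bot: the DROP is declared between the `localhost_all` ACCEPT and the `private_all` ACCEPT, and it only does its job if the generated iptables rule actually lands in that position in the chain. If `iptables_add_service` does not preserve declaration order when it emits rules, the `10.0.0.0/8` and `208.80.152.0/22` ACCEPT rules could be inserted ahead of it, in which case every labs host and the whole production network would still reach gearman and the DROP would never match. Please verify the rendered rule order on the host (`iptables -L INPUT -n --line-numbers`) or add explicit ordering between the `deny_all-gearman` resource and the two broad ACCEPTs. Two smaller points: the comment above the rule could name the intended trust boundary ("only the Jenkins master on 127.0.0.1 may talk to gearman"), which is what the commit message says; and this table only drives iptables, so if the gearman daemon also binds an IPv6 address the same port would need an ip6tables rule or a loopback-only bind in the Zuul configuration.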

-- 
To view, visit https://gerrit.wikimedia.org/r/94136
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I708d562a02a98a9e603bd6afbd7399d737cc4322
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Hashar <has...@free.fr>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
