Alexandros Kosiaris has submitted this change and it was merged. Change subject: zuul: allow gearman access from mergers ......................................................................
zuul: allow gearman access from mergers We will get Zuul merger installed on lanthanum in addition to gallium. Manually maintain a list of such hosts in network::constant and adjust the ferm rule to allow them to reach gearman. Note: the ferm::rule is being renamed.
Change-Id: Ie27fd16d3f1a0b0a6d8b625cd8d5dfea971c8212
---
M manifests/network.pp
M modules/contint/manifests/firewall.pp
2 files changed, 16 insertions(+), 3 deletions(-)
Approvals: Alexandros Kosiaris: Verified; Looks good to me, approved
diff --git a/manifests/network.pp b/manifests/network.pp
index eabc857..88a09a0 100644
--- a/manifests/network.pp
+++ b/manifests/network.pp
@@ -244,6 +244,16 @@
 $analytics_networks,
 ]
+ $contint_zuul_merger_hosts = {
+ 'production' => [
+ '208.80.154.135', # gallium.wikimedia.org
+ '10.64.0.161', # lanthanum.eqiad.wmnet
+ ],
+ 'labs' => [
+ '127.0.0.1',
+ ],
+ }
+
 }
 class network::checks {
diff --git a/modules/contint/manifests/firewall.pp b/modules/contint/manifests/firewall.pp
index cf530cb..91d92ce 100644
--- a/modules/contint/manifests/firewall.pp
+++ b/modules/contint/manifests/firewall.pp
@@ -2,6 +2,7 @@
 class contint::firewall {
 include base::firewall
+ include network::constants
 # Restrict some services to be only reacheable from localhost over both
 # IPv4 and IPv6 (to be safe)
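Review bot: The new `$contint_zuul_merger_hosts` hash carries no comment saying what membership means, yet contint::firewall turns every address in it into a `saddr` allowed through to gearman on tcp/4730 on the CI master, so whoever next edits this list has no hint that it widens the firewall. A header above the hash such as `# Hosts running a Zuul merger; contint::firewall grants them access to the gearman port (tcp 4730), so list only addresses that must reach gearman.` would make that explicit. Only IPv4 addresses are listed while the consuming rule also accepts `::1`; if a merger ever connects over IPv6 its address has to be added here as well. The enclosing class (presumably network::constants, given the include added in firewall.pp) starts before the hunk.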
@@ -14,11 +15,13 @@
 ferm::rule { 'zuul_localhost_only':
 rule => 'proto tcp dport 8001 { saddr (127.0.0.1 ::1) ACCEPT; }'
 }
+
 # Gearman is used between Zuul and the Jenkin master, both on the same
 # server and communicating over localhost.
- # It is also used by Zuul merger daemon. The IPs will need to be collected
- ferm::rule { 'gearman_localhost_only':
- rule => 'proto tcp dport 4730 { saddr (127.0.0.1 208.80.154.135 ::1) ACCEPT; }'
+ # It is also used by Zuul merger daemons.
+ $zuul_merger_hosts = join($::network::constants::contint_zuul_merger_hosts[$::realm], ' ')
+ ferm::rule { 'gearman_from_zuul_mergers':
+ rule => "proto tcp dport 4730 { saddr (127.0.0.1 ::1 ${zuul_merger_hosts}) ACCEPT; }"
 }
 # The master runs a git-daemon process used by slave to fetch changes from
-- 
To view, visit https://gerrit.wikimedia.org/r/148640
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: Ie27fd16d3f1a0b0a6d8b625cd8d5dfea971c8212
Gerrit-PatchSet: 5
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Hashar <has...@free.fr>
Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org>
Gerrit-Reviewer: Giuseppe Lavagetto <glavage...@wikimedia.org>
Gerrit-Reviewer: Hashar <has...@free.fr>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
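Review bot: Nothing in the hunk retires the old `gearman_localhost_only` rule that the new `gearman_from_zuul_mergers` replaces, so a host that already has the old ferm fragment keeps both unless the ferm module purges undeclared rules (not visible here); since the commit message calls this a rename, an explicit removal of the old resource, if `ferm::rule` supports an absent state, would make the rename complete rather than additive. Separately, `$::network::constants::contint_zuul_merger_hosts[$::realm]` is handed to `join` with no check that the realm has an entry, so a realm missing from the hash silently yields a localhost-only rule and hides the misconfiguration rather than reporting it. A guard right after the `join`, along the lines of `if $zuul_merger_hosts == '' { fail("no Zuul merger hosts defined for realm ${::realm}") }`, would surface that at catalog compile time (exact emptiness test to be confirmed against how `join` treats a missing key). The enclosing class contint::firewall begins and ends outside the hunk.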