Filippo Giunchedi has submitted this change and it was merged.

Change subject: cassandra: add ferm rules using hiera data
cassandra: add ferm rules using hiera data Adding ferm rules for the cassandra ports to allow connections only from (other) restbase servers. Gets the list of cassandra host names from hiera, then uses @resolve in ferm to perform a DNS lookup and convert them to IPs for use in the srange. Bug:T92680 Change-Id: I7d077c92641f356d51f59c5749427e53ab1ef453 --- M manifests/role/cassandra.pp 1 file changed, 14 insertions(+), 10 deletions(-) Approvals: Filippo Giunchedi: Verified; Looks good to me, approved Eevans: Looks good to me, but someone else must approve Alexandros Kosiaris: Looks good to me, but someone else must approve jenkins-bot: Verified Dzahn: Looks good to me, but someone else must approve diff --git a/manifests/role/cassandra.pp b/manifests/role/cassandra.pp index 9246595..aa4094e 100644 --- a/manifests/role/cassandra.pp +++ b/manifests/role/cassandra.pp 
@@ -22,22 +22,26 @@ check_command => 'check_tcp!9042', } - ferm::service { 'cassandra-cql-native-transport': - proto => 'tcp', - port => '9042', - srange => '$ALL_NETWORKS', - } + $cassandra_hosts = hiera('cassandra::seeds') + $cassandra_hosts_ferm = join($cassandra_hosts, ' ') - ferm::service { 'cassandra-internode-comms': + # Cassandra intra-node messaging + ferm::service { 'cassandra-intra-node': proto => 'tcp', port => '7000', - srange => '$ALL_NETWORKS', + srange => "@resolve(($cassandra_hosts_ferm))", } - - ferm::service { 'cassandra-jmx-monitoring': + # Cassandra JMX/RMI + ferm::service { 'cassandra-jmx-rmi': proto => 'tcp', port => '7199', - srange => '$ALL_NETWORKS', + srange => "@resolve(($cassandra_hosts_ferm))", + } + # Cassandra CQL query interface + ferm::service { 'cassandra-cql': + proto => 'tcp', + port => '9042', + srange => "@resolve(($cassandra_hosts_ferm))", } } -- To view, visit https://gerrit.wikimedia.org/r/197840 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I7d077c92641f356d51f59c5749427e53ab1ef453 Gerrit-PatchSet: 11 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Dzahn <dz...@wikimedia.org> Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org> Gerrit-Reviewer: Dzahn <dz...@wikimedia.org> Gerrit-Reviewer: Eevans <eev...@wikimedia.org> Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org> Gerrit-Reviewer: Filippo Giunchedi <fgiunch...@wikimedia.org> Gerrit-Reviewer: GWicke <gwi...@wikimedia.org> Gerrit-Reviewer: John F. Lewis <johnflewi...@gmail.com> Gerrit-Reviewer: Matanya <mata...@foss.co.il> Gerrit-Reviewer: Yuvipanda <yuvipa...@gmail.com> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
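Review bot: all three `srange` values in this hunk are built from `hiera('cassandra::seeds')`, and a seeds list is not necessarily every host that needs to reach ports 7000, 7199 and 9042. A cluster member that is not listed under `cassandra::seeds` would be dropped on 7000 by `srange => "@resolve(($cassandra_hosts_ferm))"`, and because 9042 and 7199 move from `$ALL_NETWORKS` to the same list, any CQL client or JMX monitoring host outside that list loses access too. Consider a dedicated hiera key for the firewall allow-list, or a comment next to `$cassandra_hosts = hiera('cassandra::seeds')` stating that the key must list every node and client. The `hiera()` call also has no default and the result is not checked for being empty, so an empty array would render `@resolve(())`; a guard or an explicit failure message would make that case easier to diagnose. Finally, since `@resolve` does its DNS lookup when ferm loads the rules, a host added to hiera or re-addressed in DNS only takes effect on the next ferm reload, which is worth documenting beside `$cassandra_hosts_ferm`.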