Hashar has uploaded a new change for review.
https://gerrit.wikimedia.org/r/148640
Change subject: zuul: allow gearman access from merger
......................................................................
zuul: allow gearman access from merger
We will get Zuul merger installed on lanthanum in addition to gallium.
Manually maintain a list of such hosts in network::constant and adjust
the ferm rule to allow them to reach gearman.
I have renamed the ferm::rule and am thus deleting the previous one.
Change-Id: Ie27fd16d3f1a0b0a6d8b625cd8d5dfea971c8212
---
M manifests/network.pp
M modules/contint/manifests/firewall.pp
2 files changed, 20 insertions(+), 3 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/40/148640/1
diff --git a/manifests/network.pp b/manifests/network.pp
index eabc857..88a09a0 100644
--- a/manifests/network.pp
+++ b/manifests/network.pp
@@ -244,6 +244,16 @@
$analytics_networks,
]
+ $contint_zuul_merger_hosts = {
+ 'production' => [
+ '208.80.154.135', # gallium.wikimedia.org
+ '10.64.0.161', # lanthanum.eqiad.wmnet
+ ],
+ 'labs' => [
+ '127.0.0.1',
+ ],
+ }
+
}
class network::checks {
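Review bot: the new `$contint_zuul_merger_hosts` hash carries no comment saying what it is for or why it is keyed by realm, unlike the surrounding network lists; add one line above it such as `# Hosts running the Zuul merger daemon, allowed to reach Gearman on the CI master (keyed by $::realm)` so the next person adding a merger knows to edit here rather than the ferm rule. Also worth noting that the 'production' list mixes a public address (gallium) and a private eqiad address (lanthanum), which is fine for a saddr match but deserves the per-host comments the hunk already has kept in sync when hosts move.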
diff --git a/modules/contint/manifests/firewall.pp
b/modules/contint/manifests/firewall.pp
index cf530cb..ab4653b 100644
--- a/modules/contint/manifests/firewall.pp
+++ b/modules/contint/manifests/firewall.pp
@@ -2,6 +2,7 @@
class contint::firewall {
include base::firewall
+ include network::constants
# Restrict some services to be only reacheable from localhost over both
# IPv4 and IPv6 (to be safe)
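Review bot: the commit message says the list lives in `network::constant`, but this hunk includes `network::constants`, which is also the class the second hunk reads the hash from (`$::network::constants::contint_zuul_merger_hosts`); fix the commit message so it matches the manifest.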
@@ -14,11 +15,17 @@
ferm::rule { 'zuul_localhost_only':
rule => 'proto tcp dport 8001 { saddr (127.0.0.1 ::1) ACCEPT; }'
}
+
+ ferm::rule { 'gearman_localhost_only':
+ ensure => absent,
+ }
+
# Gearman is used between Zuul and the Jenkin master, both on the same
# server and communicating over localhost.
- # It is also used by Zuul merger daemon. The IPs will need to be collected
- ferm::rule { 'gearman_localhost_only':
- rule => 'proto tcp dport 4730 { saddr (127.0.0.1 208.80.154.135 ::1)
ACCEPT; }'
+ # It is also used by Zuul merger daemons.
+ $zuul_merger_hosts =
flatten($::network::constants::contint_zuul_merger_hosts[$::realm])
+ ferm::rule { 'gearman_from_zuul_merger':
+ rule => "proto tcp dport 4730 { saddr (127.0.0.1 ::1
$zuul_merger_hosts) ACCEPT; }"
}
# The master runs a git-daemon process used by slave to fetch changes from
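Review bot: the `gearman_from_zuul_merger` rule interpolates an array (`$zuul_merger_hosts`) directly into the ferm `saddr (...)` string; confirm that with the parser in use this yields space-separated addresses rather than a bracketed or concatenated list, otherwise the rule is silently wrong and only localhost keeps access. Separately, `$::network::constants::contint_zuul_merger_hosts[$::realm]` has no fallback: on a realm other than 'production' or 'labs' the lookup is undef and `flatten()` will fail the catalog, so either guard it or document that both realms are the only ones supported. The `ensure => absent` on the old `gearman_localhost_only` rule is the right way to drop the renamed rule, but leave a short comment that it can be removed once applied everywhere.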
--
To view, visit https://gerrit.wikimedia.org/r/148640
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie27fd16d3f1a0b0a6d8b625cd8d5dfea971c8212
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Hashar <[email protected]>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits