Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/227216

Change subject: WIP/RfC: Allow multiple/dynamic range of ports for ferm services
......................................................................

WIP/RfC: Allow multiple/dynamic range of ports for ferm services

rcstream uses a dynamic range of ports depending on how many CPUs/cores
the server has. Since Puppet doesn't have builtin iteration in the
current version, the expansion occurs in the ERB template.

If anyone has an alternate suggestion to implement this, I'd be
interested to learn about it.

This introduces a bit of code duplication in the form of a separate
ferm::service_multiport, an alternative would be to also move
existing call sites of ferm::service to use an array instead of
a string to specify the ports. The current approach is less intrusive,
though.

Bug: T104981
Change-Id: I0e31307b46ff56286dd6f17595ed620682482628
---
M modules/ferm/manifests/service.pp
A modules/ferm/templates/service-multi.erb
2 files changed, 47 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/16/227216/1

diff --git a/modules/ferm/manifests/service.pp 
b/modules/ferm/manifests/service.pp
index 8b1f5ae..ae0b77a 100644
--- a/modules/ferm/manifests/service.pp
+++ b/modules/ferm/manifests/service.pp
@@ -25,3 +25,31 @@
         tag     => 'ferm',
     }
 }
+
+# == Define ferm::service_multiport
+# Uses ferm def &SERVICE or &R_SERVICE to allow incoming
+# connections on the specific protocol and ports. This is similar
+# to ferm::service, but allows to specify a list of ports
+#
+# If $srange is not provided, all source addresses will be allowed.
+# otherwise only traffic coming from $srange will be allowed.
+define ferm::service_multiport(
+    $proto,
+    $ports,
+    $ensure  = present,
+    $desc    = '',
+    $prio    = '10',
+    $srange  = undef,
+    $notrack = false,
+) {
+    @file { "/etc/ferm/conf.d/${prio}_${name}":
+        ensure  => $ensure,
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0400',
+        content => template('ferm/service-multi.erb'),
+        require => File['/etc/ferm/conf.d'],
+        notify  => Service['ferm'],
+        tag     => 'ferm',
+    }
+}
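Review bot: nothing in ferm::service_multiport validates $ports, $proto or $srange before they are interpolated into a file under /etc/ferm/conf.d, and the header comment says "a list of ports" without enforcing that $ports is an array. A caller that writes `ports => '8080'` (the habit from ferm::service) passes a string, which the template's `for` loop cannot iterate, and any value of the three parameters is written verbatim into firewall configuration. Suggest adding stdlib checks at the top of the define, e.g. `validate_array($ports)` and `validate_re($proto, '^(tcp|udp)$')`, and documenting $ports as an array and $notrack (currently undocumented) in the header. The `@file` block is a copy of the one in ferm::service; if the duplication stays, a short comment pointing at ferm::service would help keep owner/mode/require/notify in sync between the two.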
diff --git a/modules/ferm/templates/service-multi.erb 
b/modules/ferm/templates/service-multi.erb
new file mode 100644
index 0000000..73df7f5
--- /dev/null
+++ b/modules/ferm/templates/service-multi.erb
@@ -0,0 +1,19 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# <%= @desc %>
+<% if @srange -%>
+  <% for @port in @ports -%>
+      &R_SERVICE(<%= @proto %>, <%= @port %>, <%= @srange %>);
+  <% end %>
+
+<% else -%>
+  <% for @port in @ports -%>
+      &SERVICE(<%= @proto %>, <%= @port %>);
+  <% end -%>
+<% end -%>
+
+<% if @notrack == true %>
+  <% for @port in @ports -%>
+      &NO_TRACK(<%= @proto %>, <%= @port %>);
+  <% end -%>
+<% end -%>
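Review bot: the `<% end %>` closing the &R_SERVICE loop is missing the `-` that every other tag in this template uses, so in the $srange branch each iteration emits an extra newline, and the blank line that follows adds one more; the &SERVICE branch uses `<% end -%>` and produces no blank lines. Make it `<% end -%>` and drop the stray blank line so both branches generate the same shape of file. Style: `for @port in @ports` sets an instance variable on the template object on every iteration; `<% @ports.each do |port| -%>` with a block local is the idiomatic ERB form. Since $notrack only appends &NO_TRACK lines, the three loops could also collapse into a single loop over @ports that emits the &SERVICE/&R_SERVICE line and, when @notrack is set, the &NO_TRACK line for the same port.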

-- 
To view, visit https://gerrit.wikimedia.org/r/227216
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I0e31307b46ff56286dd6f17595ed620682482628
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff <mmuhlenh...@wikimedia.org>
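The port expansion that the change description moves into the ERB template, as an added example that is not part of this change or of the operations/puppet repository: a stand-alone Ruby script that renders the same kind of conf.d fragment with ERB, with every tag line using `-%>` so no blank lines leak into the output, and with the input validation a reviewer would want before $proto, $ports and $srange are written into firewall configuration. The helper names, the FermArgError class, the per-core port layout and the `$INTERNAL` source range are assumptions of this example; the &SERVICE, &R_SERVICE and &NO_TRACK defs are only emitted as text.

```ruby
require 'erb'

# Constructed example, not code from the Gerrit change: render the kind of
# ferm conf.d fragment that service-multi.erb produces for a list of ports,
# validating every value before it is interpolated. Helper names and the
# FermArgError class are assumptions of this example.

class FermArgError < ArgumentError; end

PROTO_RE = /\A(tcp|udp)\z/
# Accept a ferm variable ($NAME), a parenthesised list of addresses or
# variables, or a single IPv4/IPv6 address with optional prefix length.
# Anything else (';', newlines, ferm keywords) is rejected so a caller
# cannot smuggle extra directives into the generated file.
SRANGE_RE = %r{\A(\$[A-Z0-9_]+|\([0-9A-Za-z.:/ $_]+\)|[0-9A-Fa-f.:]+(/\d{1,3})?)\z}

# Same expansion as the proposed template, with '-%>' on every tag line
# so that only the rule lines and the header reach the output.
FERM_MULTI_TEMPLATE = <<~'ERB'
  # Autogenerated by puppet. DO NOT EDIT BY HAND!
  #
  # <%= desc %>
  <% ports.each do |port| -%>
  <% if srange -%>
      &R_SERVICE(<%= proto %>, <%= port %>, <%= srange %>);
  <% else -%>
      &SERVICE(<%= proto %>, <%= port %>);
  <% end -%>
  <% end -%>
  <% if notrack -%>
  <% ports.each do |port| -%>
      &NO_TRACK(<%= proto %>, <%= port %>);
  <% end -%>
  <% end -%>
ERB

# Puppet hands the template a String if the caller wrote port => '8080';
# a loop over that fails at catalog compile time. Require a non-empty Array
# whose elements are integers in the TCP/UDP port range; return Integers.
def validate_ports(ports)
  raise FermArgError, "ports must be an Array, got #{ports.class}" unless ports.is_a?(Array)
  raise FermArgError, 'ports must not be empty' if ports.empty?
  ports.map do |port|
    text = port.to_s
    unless text =~ /\A\d+\z/ && (1..65_535).cover?(text.to_i)
      raise FermArgError, "invalid port #{port.inspect}"
    end
    text.to_i
  end
end

# Build the config fragment. Raises FermArgError for any value that could
# add rules beyond the ports and source range the caller asked for.
def render_ferm_multiport(proto:, ports:, desc: '', srange: nil, notrack: false)
  raise FermArgError, "invalid proto #{proto.inspect}" unless proto.to_s =~ PROTO_RE
  if srange && srange.to_s !~ SRANGE_RE
    raise FermArgError, "invalid srange #{srange.inspect}"
  end
  ports = validate_ports(ports)
  proto = proto.to_s
  srange = srange && srange.to_s
  desc = desc.to_s.tr("\r\n", ' ') # keep the description on its comment line
  ERB.new(FERM_MULTI_TEMPLATE, trim_mode: '-').result(binding)
end

# A machine-dependent port list, as in the rcstream case from the change
# description: one port per core starting at a base port (assumed layout,
# not rcstream's real one).
def per_core_ports(base, ncpu)
  Array.new(ncpu) { |i| base + i }
end

if __FILE__ == $PROGRAM_NAME
  puts render_ferm_multiport(proto: 'tcp', ports: per_core_ports(8080, 4),
                             desc: 'rcstream', srange: '$INTERNAL', notrack: true)
end
```

Run it directly to see the rendered fragment for four ports. The validation matters because the template writes its parameters straight into a file that ferm parses as configuration: a port value such as `"22); &SERVICE(tcp, 3306"` would otherwise open a second port, and the same applies to $proto and $srange, which is why each is matched against a strict pattern rather than escaped.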

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
