Muehlenhoff has uploaded a new change for review.
https://gerrit.wikimedia.org/r/235425
Change subject: Remove the ferm rules from modules/rsync/manifests/server.pp
......................................................................
Remove the ferm rules from modules/rsync/manifests/server.pp

They represent the least common denominator of all ferm rules
for rsyncd instances. Instead, rsync rules should rather be present
in the respective roles where the accessing IPs can be configured
more fine-grained depending on the needs of the role.

The ferm rule generated from the rsync module is
/etc/ferm/conf.d/10_rsync-server. I've made a salt run to search
for that file and double-checked it against existing rsync rules:

These roles have a custom rsync ferm rule already:
role package::builder (copper)
role::osm::master (labsdb1006)
role::archiva (titanium)
role::abacist (stat1001)
role statistic::cruncher (stat1003)
role::swift::storage (ms-be* hosts)

role deployment::server isn't currently ferm-enabled, although ferm has been
enabled anyway on the currently unused mira host in codfw.

role::logging:mediawiki (on fluorine) uses misc::udp2log::rsync (also used
on terbium) to configure ferm rules for rsyncd. To move these into the
relevant role classes is an independent followup patch (since the current
patch allows us to limit the access to rsyncd).

Bug: T108987
Change-Id: I845b7f71c00118b5ecc199edd7373b2ab0c65ac8
---
M modules/rsync/manifests/server.pp
1 file changed, 0 insertions(+), 5 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/25/235425/1
diff --git a/modules/rsync/manifests/server.pp
b/modules/rsync/manifests/server.pp
index 65d5d15..06169d1 100644
--- a/modules/rsync/manifests/server.pp
+++ b/modules/rsync/manifests/server.pp
@@ -63,11 +63,6 @@
content => template('rsync/header.erb'),
}
- ferm::service{ 'rsync-server':
- proto => 'tcp',
- port => 873,
- }
-
# perhaps this should be a script
# this allows you to only have a header and no fragments, which happens
# by default if you have an rsync::server but not an rsync::repo on a host
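Review bot: Missing documentation where the ferm::service 'rsync-server' block is dropped: after this hunk nothing in rsync::server tells a caller that the class no longer opens tcp/873, so a role that includes it on a ferm-enabled host without its own rule gets an rsyncd that has no matching firewall rule. Suggest a short comment at this spot, or in the class header, stating that firewalling is the role's responsibility and that each role should declare its own ferm::service for port 873 with srange limited to the hosts that need access. The removed resource set only proto and port, with no source restriction, so the per-role rules are where the tightening actually has to happen. The salt check in the commit message covers hosts that have 10_rsync-server today; it would help to confirm that every role listed there really carries a replacement rule before this merges, since the two udp2log hosts are explicitly left for a followup.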
--
To view, visit https://gerrit.wikimedia.org/r/235425
Gerrit-MessageType: newchange
Gerrit-Change-Id: I845b7f71c00118b5ecc199edd7373b2ab0c65ac8
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff <[email protected]>