Alexandros Kosiaris has submitted this change and it was merged. Change subject: puppetmaster: Make ferm rules better ......................................................................
puppetmaster: Make ferm rules better Only allow frontends to reach backends as it should have always been Change-Id: I5ba8c7e3af38b2724dcc7f0213959d44f76bd11f --- M modules/role/manifests/puppetmaster/backend.pp M modules/role/manifests/puppetmaster/frontend.pp 2 files changed, 11 insertions(+), 10 deletions(-) Approvals: Giuseppe Lavagetto: Looks good to me, but someone else must approve Alexandros Kosiaris: Verified; Looks good to me, approved
diff --git a/modules/role/manifests/puppetmaster/backend.pp b/modules/role/manifests/puppetmaster/backend.pp
index 6846db0..c035457 100644
--- a/modules/role/manifests/puppetmaster/backend.pp
+++ b/modules/role/manifests/puppetmaster/backend.pp
@@ -21,15 +21,16 @@
 config => $::role::puppetmaster::common::config
 }

- ferm::service { 'puppetmaster-backend':
- proto => 'tcp',
- port => 8141,
- }
-
 $puppetmaster_frontend_ferm = join(keys(hiera('puppetmaster::servers')), ' ')
 ferm::service { 'ssh_puppet_merge':
 proto => 'tcp',
 port => '22',
 srange => "@resolve((${puppetmaster_frontend_ferm}))"
 }
+ ferm::service { 'puppetmaster-backend':
+ proto => 'tcp',
+ port => 8141,
+ srange => "@resolve((${puppetmaster_frontend_ferm}))"
+ }
+
 }
diff --git a/modules/role/manifests/puppetmaster/frontend.pp b/modules/role/manifests/puppetmaster/frontend.pp
index 3c80175..2a796a1 100644
--- a/modules/role/manifests/puppetmaster/frontend.pp
+++ b/modules/role/manifests/puppetmaster/frontend.pp
@@ -67,11 +67,6 @@
 cron_ensure => $cron,
 }

- ferm::service { 'puppetmaster-backend':
- proto => 'tcp',
- port => 8141,
- }
-
 ferm::service { 'puppetmaster-frontend':
 proto => 'tcp',
 port => 8140,
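Review bot: The `srange` added to `puppetmaster-backend` (port 8141) in backend.pp calls `@resolve((${puppetmaster_frontend_ferm}))` with no record type, which in ferm looks up A records only and is evaluated when the rules are loaded, so a frontend that reaches the backend over IPv6, or whose address changes after the last ferm reload, would be dropped. If these hosts are dual-stacked, consider `srange => "(@resolve((${puppetmaster_frontend_ferm})) @resolve((${puppetmaster_frontend_ferm}), AAAA))"`. A comment above the resource would also help, e.g. `# 8141 is the backend worker port; only hosts listed in hiera puppetmaster::servers may connect`, because the allow-list is whatever `keys(hiera('puppetmaster::servers'))` returns while the variable name suggests frontends only. The same applies to the identical block added in frontend.pp; the enclosing class starts outside this hunk.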
@@ -89,4 +84,9 @@
 port => '873',
 srange => "@resolve((${puppetmaster_frontend_ferm}))"
 }
+ ferm::service { 'puppetmaster-backend':
+ proto => 'tcp',
+ port => 8141,
+ srange => "@resolve((${puppetmaster_frontend_ferm}))"
+ }
 }
-- To view, visit https://gerrit.wikimedia.org/r/312054 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I5ba8c7e3af38b2724dcc7f0213959d44f76bd11f Gerrit-PatchSet: 4 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Alexandros Kosiaris <akosia...@wikimedia.org> Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org> Gerrit-Reviewer: Giuseppe Lavagetto <glavage...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
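Review bot: `ferm::service { 'puppetmaster-backend': ... }` now exists as two identical copies, at the end of frontend.pp and in backend.pp, so a later change to `srange` in one file can leave port 8141 with a different allow-list on the other set of hosts, and a node that ever included both classes would hit a duplicate-declaration error. Declaring the rule once in a class both roles already include would avoid that (backend.pp references `$::role::puppetmaster::common`; whether frontend.pp does is not visible here). `$puppetmaster_frontend_ferm` is assigned outside this hunk, so it is worth confirming that it is built from the same hiera key as in backend.pp. A short comment such as `# frontends also serve 8141 locally; restrict it to the frontend pool` would record why a backend rule lives in the frontend role, presumably because frontends run a backend worker too.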