Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/316341

Change subject: Add ferm service for mariadb_dbproxy
......................................................................

Add ferm service for mariadb_dbproxy

Add a custom rule restricting the haproxy/33306 access to DOMAIN_NETWORKS
(i.e. systems with that role in production are restricted to production
networks and systems in labs are restricted to labs networks).

The dbproxy systems don't use base::firewall yet.

We can't reuse role::mariadb::ferm, since it also allows admin access
to 3307, which isn't in use for the dbproxy setup.

Change-Id: I150221d90b2d24d59f26e6a5bf292e6184e074be
---
M manifests/role/mariadb.pp
1 file changed, 7 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/41/316341/1

diff --git a/manifests/role/mariadb.pp b/manifests/role/mariadb.pp
index ad181c2..3e00ac8 100644
--- a/manifests/role/mariadb.pp
+++ b/manifests/role/mariadb.pp
@@ -923,6 +923,13 @@
         content => template('mariadb/haproxy-master.cfg.erb'),
     }
 
+    ferm::service{ 'mariadb_dbproxy':
+        proto   => 'tcp',
+        port    => '3306',
+        notrack => true,
+        srange  => '$DOMAIN_NETWORKS',
+    }
+
     nrpe::monitor_service { 'haproxy_failover':
         description  => 'haproxy failover',
         nrpe_command => '/usr/lib/nagios/plugins/check_haproxy 
--check=failover',
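
Review bot: the port in the new ferm::service does not match the commit message: the message says access to "haproxy/33306" is being restricted, while the rule sets port => '3306'. Please confirm which port the haproxy frontend actually listens on and correct whichever side is the typo, since a rule on the wrong port leaves the real listener unfiltered. The message also says the dbproxy systems don't use base::firewall yet; a short comment above the resource saying when this rule starts being enforced would help the next reader. Two smaller points: the single-quoted '$DOMAIN_NETWORKS' looks intended to reach ferm unexpanded rather than be interpolated by Puppet, which deserves a one-line comment so nobody "fixes" the quoting, and `ferm::service{` is missing the space before `{` that `nrpe::monitor_service {` just below uses.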

-- 
To view, visit https://gerrit.wikimedia.org/r/316341

Gerrit-MessageType: newchange
Gerrit-Change-Id: I150221d90b2d24d59f26e6a5bf292e6184e074be
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff <mmuhlenh...@wikimedia.org>