Ayounsi has uploaded a new change for review. (
https://gerrit.wikimedia.org/r/369697 )
Change subject: Define network infra ranges and allow them to send syslog to
logstash
......................................................................
Define network infra ranges and allow them to send syslog to logstash
Bug: T166126
Change-Id: Ie5b3ad1b8b18574d56cb580c796ad5db548ab7a1
---
M modules/base/templates/firewall/defs.erb
M modules/network/data/data.yaml
M modules/network/manifests/constants.pp
M modules/role/manifests/logstash/collector.pp
4 files changed, 16 insertions(+), 2 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/97/369697/1
diff --git a/modules/base/templates/firewall/defs.erb
b/modules/base/templates/firewall/defs.erb
index 7e902e4..81fd596 100644
--- a/modules/base/templates/firewall/defs.erb
+++ b/modules/base/templates/firewall/defs.erb
@@ -8,6 +8,7 @@
frack_networks = scope.lookupvar('network::constants::frack_networks')
analytics_networks = scope.lookupvar('network::constants::analytics_networks')
mw_appserver_networks =
scope.lookupvar('network::constants::mw_appserver_networks')
+network_infra = scope.lookupvar('network::infrastructure')
-%>
@def $INTERNAL = (10.0.0.0/8 2620:0:860:100::/56 2620:0:861:100::/56
2620:0:862:100::/56 2620:0:863:100::/56);
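Review bot: The new lookup on the added line resolves `network::infrastructure`, which is the YAML key, whereas the variable this same change defines in constants.pp is `$network_infra` inside class `network::constants`; every other lookup in this preamble uses the `network::constants::` prefix, so this one most likely yields undef and the `network_infra.each` in the `@def $NETWORK_INFRA` line of the next hunk then fails at catalog compile time (or, depending on Puppet version and strict-variables settings, silently produces an empty set). Change it to `network_infra = scope.lookupvar('network::constants::network_infra')`. Because the resulting ferm set gates firewall access, a compile failure is preferable to an empty set, so it is worth verifying with a catalog compile rather than only a puppet-lint run. A short comment on the line, such as `<%# per-site network infrastructure ranges; feeds $NETWORK_INFRA below -%>`, would also help, since the set name, the Puppet variable and the YAML key are all spelled differently.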
@@ -25,6 +26,8 @@
@def $ANALYTICS_NETWORKS = (<%- analytics_networks.each do |net| -%><%= net %>
<% end -%>);
@def $MW_APPSERVER_NETWORKS = (<%- mw_appserver_networks.each do |net| -%><%=
net %> <% end -%>);
+@def $NETWORK_INFRA = (<%- network_infra.each do |net| -%><%= net %> <% end
-%>);
+
<%- special_hosts.sort.map do |realm, services | -%>
<%- if @realm != realm then next end -%>
<%- services.sort.map do |service, addresses| -%>
diff --git a/modules/network/data/data.yaml b/modules/network/data/data.yaml
index bc1ea28..0a539de 100644
--- a/modules/network/data/data.yaml
+++ b/modules/network/data/data.yaml
@@ -6,6 +6,16 @@
- 185.15.56.0/22
- 2a02:ec80::/32
+network::infrastructure:
+ - 91.198.174.224/27 # esams
+ - 2620:0:862:fe00::/55 # esams
+ - 198.35.26.192/27 # ulsfo
+ - 2620:0:863:fe00::/55 # ulsfo
+ - 208.80.153.192/27 # codfw
+ - 2620:0:860:fe00::/55 # codfw
+ - 208.80.154.192/27 # eqiad
+ - 2620:0:861:fe00::/55 # eqiad
+
network::subnets:
production:
eqiad:
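Review bot: The new `network::infrastructure` key carries no comment saying what these ranges represent or that they end up in a ferm `@def` used in `srange` rules, so a later editor may not realise that adding a prefix here widens firewall access. Add above the key something like `# Per-site network infrastructure ranges (presumably the routers/switches themselves). Read by network::constants and exposed to ferm as $NETWORK_INFRA; any prefix listed here is granted whatever those rules allow.`, adjusting the device description to what the ranges actually contain. Note also that all eight prefixes are globally routable (none are RFC1918 or ULA), so rules keyed on them depend on upstream anti-spoofing for any UDP service they are allowed to reach.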
diff --git a/modules/network/manifests/constants.pp
b/modules/network/manifests/constants.pp
index bcf710e..c6d2fd7 100644
--- a/modules/network/manifests/constants.pp
+++ b/modules/network/manifests/constants.pp
@@ -6,6 +6,7 @@
$network_data = loadyaml("${module_path}/data/data.yaml")
$all_network_subnets = $network_data['network::subnets']
$external_networks = $network_data['network::external']
+ $network_infra = $network_data['network::infrastructure']
# are you really sure you want to use this? maybe what you really
# the trusted/production networks. See $production_networks for this.
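Review bot: `$network_infra` is added without a comment, while the constants around it (see the note continuing on the context lines below) explain their intended use, and this value is now referenced under three different spellings (`network::infrastructure` in data.yaml, `$network_infra` here, `$NETWORK_INFRA` in ferm). Add above the assignment: `# Per-site network infrastructure ranges from data.yaml, exported to ferm as $NETWORK_INFRA by base/templates/firewall/defs.erb; only add hosts that should be trusted by every rule using that set.` The enclosing class header is outside the hunk, and the defs.erb lookup in this change must reference this variable as `network::constants::network_infra` for the value to reach the template.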
diff --git a/modules/role/manifests/logstash/collector.pp
b/modules/role/manifests/logstash/collector.pp
index 38d561f..1cd090c 100644
--- a/modules/role/manifests/logstash/collector.pp
+++ b/modules/role/manifests/logstash/collector.pp
@@ -41,14 +41,14 @@
proto => 'udp',
port => '10514',
notrack => true,
- srange => '$DOMAIN_NETWORKS',
+ srange => '($DOMAIN_NETWORKS $NETWORK_INFRA)',
}
ferm::service { 'logstash_syslog_tcp':
proto => 'tcp',
port => '10514',
notrack => true,
- srange => '$DOMAIN_NETWORKS',
+ srange => '($DOMAIN_NETWORKS $NETWORK_INFRA)',
}
ferm::service { 'grafana_dashboard_definition_storage':
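Review bot: Both rules now accept syslog on port 10514 from `$NETWORK_INFRA`, and the UDP rule, with `notrack => true`, authenticates the sender purely by source address; the prefixes added to data.yaml in this change are globally routable, so a spoofed datagram claiming one of those sources would be accepted unless ingress anti-spoofing is enforced at the network edge. Worth confirming that such filtering exists, or steering devices that support it to the TCP listener, before log entries from this path are relied on for alerting or forensics. A comment on each changed `srange` would also record the intent, e.g. `# network devices ship syslog directly to logstash (T166126)`. Both `ferm::service` resource headers start outside the hunk.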
--
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie5b3ad1b8b18574d56cb580c796ad5db548ab7a1
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Ayounsi <[email protected]>