Ayounsi has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/371949 )

Change subject: Define management networks and allow them to send syslog to 
logstash
......................................................................

Define management networks and allow them to send syslog to logstash

Needed to have switches in logstash

Change-Id: Ia0d4ab58835bf38a0e0976e5943d9962deebbd1e
---
M modules/base/templates/firewall/defs.erb
M modules/network/data/data.yaml
M modules/network/manifests/constants.pp
M modules/role/manifests/logstash/collector.pp
4 files changed, 14 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/49/371949/1

diff --git a/modules/base/templates/firewall/defs.erb 
b/modules/base/templates/firewall/defs.erb
index 4e68ff9..3322333 100644
--- a/modules/base/templates/firewall/defs.erb
+++ b/modules/base/templates/firewall/defs.erb
@@ -9,6 +9,8 @@
 analytics_networks = scope.lookupvar('network::constants::analytics_networks')
 mw_appserver_networks = 
scope.lookupvar('network::constants::mw_appserver_networks')
 network_infra = scope.lookupvar('network::constants::network_infra')
+mgmt_networks = scope.lookupvar('network::constants::mgmt_networks')
+
 -%>
 
 @def $INTERNAL = (10.0.0.0/8 2620:0:860:100::/56 2620:0:861:100::/56 
2620:0:862:100::/56 2620:0:863:100::/56);
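Review bot: The blank line added after the `mgmt_networks` lookup is stray, since the sibling lookups above it run straight into the closing `-%>`. The same extra blank line follows `@def $MGMT_NETWORKS` in the next hunk, where it sits outside any ERB tag and so presumably lands in the rendered ferm definitions. It also follows `$mgmt_networks` in modules/network/manifests/constants.pp, where it leaves two consecutive blank lines. Dropping all three would keep the change to the lines that carry meaning. The template's opening `<%` block starts above this hunk.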
@@ -27,6 +29,8 @@
 @def $MW_APPSERVER_NETWORKS = (<%- mw_appserver_networks.each do |net| -%><%= 
net %> <% end -%>);
 
 @def $NETWORK_INFRA = (<%- network_infra.each do |net| -%><%= net %> <% end 
-%>);
+@def $MGMT_NETWORKS = (<%- mgmt_networks.each do |net| -%><%= net %> <% end 
-%>);
+
 
 <%- special_hosts.sort.map do |realm, services | -%>
        <%- if @realm != realm then next end -%>
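Review bot: `$MGMT_NETWORKS` is defined without a comment, and every range this commit feeds it from modules/network/data/data.yaml (10.65.0.0/16, 10.128.128.0/17, 10.193.0.0/16, 10.21.0.0/24) already lies inside the `10.0.0.0/8` that `$INTERNAL` covers earlier in this file. A reader could take the new name to mean management hosts are admitted only where it is listed, whereas any rule whose source range is `$INTERNAL` already matches them. A line above the definition such as `# Management networks; note these also fall within $INTERNAL (10.0.0.0/8)` would make that explicit for whoever writes the next rule.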
diff --git a/modules/network/data/data.yaml b/modules/network/data/data.yaml
index 0a539de..f98fd27 100644
--- a/modules/network/data/data.yaml
+++ b/modules/network/data/data.yaml
@@ -16,6 +16,12 @@
   - 208.80.154.192/27 # eqiad
   - 2620:0:861:fe00::/55 # eqiad
 
+network::management:
+  - 10.65.0.0/16 # eqiad
+  - 10.128.128.0/17 # ulsfo
+  - 10.193.0.0/16 # codfw
+  - 10.21.0.0/24 # esams
+
 network::subnets:
   production:
     eqiad:
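Review bot: The new `network::management` key has no comment saying what belongs in it, and its entries look like per-site blocks of differing size (/16, /17, /24). The list is exported as `$mgmt_networks` and rendered into the ferm `$MGMT_NETWORKS` source set, so any rule naming that set admits every address in these ranges. It is worth confirming each prefix matches the actual management allocation rather than a rounded-up block. A header such as `# Management networks per site; used as a firewall source range ($MGMT_NETWORKS)` would record the purpose. Unlike the list just above, no IPv6 range is given; if management interfaces are IPv4-only, the same comment could say so.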
diff --git a/modules/network/manifests/constants.pp 
b/modules/network/manifests/constants.pp
index c6d2fd7..c95e9f7 100644
--- a/modules/network/manifests/constants.pp
+++ b/modules/network/manifests/constants.pp
@@ -7,6 +7,8 @@
     $all_network_subnets = $network_data['network::subnets']
     $external_networks = $network_data['network::external']
     $network_infra = $network_data['network::infrastructure']
+    $mgmt_networks = $network_data['network::management']
+
 
     # are you really sure you want to use this? maybe what you really
     # the trusted/production networks. See $production_networks for this.
diff --git a/modules/role/manifests/logstash/collector.pp 
b/modules/role/manifests/logstash/collector.pp
index 1cd090c..7113d5a 100644
--- a/modules/role/manifests/logstash/collector.pp
+++ b/modules/role/manifests/logstash/collector.pp
@@ -41,14 +41,14 @@
         proto   => 'udp',
         port    => '10514',
         notrack => true,
-        srange  => '($DOMAIN_NETWORKS $NETWORK_INFRA)',
+        srange  => '($DOMAIN_NETWORKS $NETWORK_INFRA $MGMT_NETWORKS)',
     }
 
     ferm::service { 'logstash_syslog_tcp':
         proto   => 'tcp',
         port    => '10514',
         notrack => true,
-        srange  => '($DOMAIN_NETWORKS $NETWORK_INFRA)',
+        srange  => '($DOMAIN_NETWORKS $NETWORK_INFRA $MGMT_NETWORKS)',
     }
 
     ferm::service { 'grafana_dashboard_definition_storage':
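Review bot: Both syslog rules on port 10514 now accept traffic from every address in `$MGMT_NETWORKS`, while the commit message states the need only as switches. The `srange` is the only sender filter visible in these rules, and on the UDP rule a source address is not verified by the protocol, so every other device on those ranges gains the ability to write entries into logstash. If only switch management addresses need access, a narrower source set would limit that. At minimum a comment on each rule, e.g. `# $MGMT_NETWORKS: switches send syslog from their management interface`, would record why the range is there. The first `ferm::service` resource begins above this hunk.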

-- 
To view, visit https://gerrit.wikimedia.org/r/371949

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ia0d4ab58835bf38a0e0976e5943d9962deebbd1e
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Ayounsi <[email protected]>
