BBlack has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/392645 )

Change subject: cp/lvs: prevent accidental iptables kmods
......................................................................

cp/lvs: prevent accidental iptables kmods

Change-Id: I7d784cc157e71a786986470f54f14fabf61c9460
---
M hieradata/role/common/cache/canary.yaml
M modules/lvs/manifests/kernel_config.pp
M modules/profile/manifests/cache/base.pp
3 files changed, 14 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/45/392645/1

diff --git a/hieradata/role/common/cache/canary.yaml 
b/hieradata/role/common/cache/canary.yaml
index ca89252..7481201 100644
--- a/hieradata/role/common/cache/canary.yaml
+++ b/hieradata/role/common/cache/canary.yaml
@@ -88,6 +88,7 @@
     - lru_interval=31
 profile::cache::base::admission_policy: 'exp'
 profile::cache::base::varnish_version: 5
+profile::cache::base::allow_iptables: true
 # Profile::cache::ssl::unified
 profile::cache::ssl::unified::monitoring: true
 profile::cache::ssl::unified::letsencrypt: false
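Review bot: The canary role is the only place on this change that opts out of the x_tables blacklist which profile::cache::base now applies by default, and the new key carries no explanation of why canaries differ. A comment above it such as `# Opt out of the x_tables kmod blacklist applied by profile::cache::base (reason: <fill in>)` would keep a later reader from "fixing" it back to the default. The hieradata file itself has section comments (see `# Profile::cache::ssl::unified` below), so an inline comment fits the file's style.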
diff --git a/modules/lvs/manifests/kernel_config.pp 
b/modules/lvs/manifests/kernel_config.pp
index 22b177a..c0394ff 100644
--- a/modules/lvs/manifests/kernel_config.pp
+++ b/modules/lvs/manifests/kernel_config.pp
@@ -13,6 +13,11 @@
         notify  => Exec['update-initramfs'],
     }
 
+    # Prevent accidental iptables module loads
+    kmod::blacklist { 'lvs-bl':
+        modules => ['x_tables'],
+    }
+
     sysctl::parameters { 'lvs':
         values => {
             # Turn OFF RP filter
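Review bot: A modprobe `blacklist` entry only stops alias-based autoloading, so if kmod::blacklist emits just `blacklist x_tables` into modprobe.d, an explicit load by real name (`modprobe ip_tables`, or the iptables tools' own modprobe fallback) still pulls x_tables in as a dependency; the same applies to the `cp-bl` resource in modules/profile/manifests/cache/base.pp. A hard block additionally needs `install x_tables /bin/false` (or the module's equivalent) in the generated file. I cannot see the kmod::blacklist definition here, so whether it already does that needs confirming; either way the comment above the resource should say which of the two it relies on, e.g. `# Prevent accidental iptables module loads (blacklist only: blocks autoload, not an explicit modprobe)`. The enclosing class continues outside the hunk.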
diff --git a/modules/profile/manifests/cache/base.pp 
b/modules/profile/manifests/cache/base.pp
index 373cf29..6fc84a6 100644
--- a/modules/profile/manifests/cache/base.pp
+++ b/modules/profile/manifests/cache/base.pp
@@ -23,6 +23,7 @@
     $logstash_host = hiera('logstash_host', undef),
     $logstash_syslog_port = hiera('logstash_syslog_port', undef),
     $log_slow_request_threshold = 
hiera('profile::cache::base::log_slow_request_threshold', '60.0'),
+    $allow_iptables = hiera('profile::cache::base::allow_iptables', false),
 ) {
     # There is no better way to do this, so it can't be a class parameter. In 
fact,
     # I consider our requirement to make hiera calls parameters
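Review bot: `$allow_iptables` is read from hiera with no type check, and in Puppet every non-empty string is truthy, so a value written as the string `'false'` in hieradata would silently skip the blacklist declared in the later hunk. If this manifest is on Puppet 4 syntax, declare it as `Boolean $allow_iptables = hiera('profile::cache::base::allow_iptables', false),` so a mistyped value fails at catalog compile; otherwise a `validate_bool($allow_iptables)` from stdlib in the class body gives the same fail-closed behaviour. The class header and body continue outside the hunk.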
@@ -46,6 +47,13 @@
     include ::lvs::configuration
     include ::network::constants
 
+    if ! $allow_iptables {
+        # Prevent accidental iptables module loads
+        kmod::blacklist { 'cp-bl':
+            modules => ['x_tables'],
+        }
+    }
+
     class { 'conftool::scripts': }
 
     # TODO: Spin off a profile::cache::base::production?
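Review bot: Flipping `profile::cache::base::allow_iptables` from the default false to true on an existing host declares nothing, so whatever modprobe.d file the `cp-bl` blacklist wrote earlier stays in place and x_tables remains blocked until someone removes it by hand. If kmod::blacklist accepts an ensure parameter, declare the resource unconditionally with `ensure => $allow_iptables ? { true => 'absent', default => 'present' },` instead of the `if`; otherwise add an `else` branch that removes the generated file. Stylistically, `if ! $allow_iptables {` reads more naturally in Puppet as `unless $allow_iptables {`. The enclosing class ends outside the hunk.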


Gerrit-MessageType: newchange
Gerrit-Change-Id: I7d784cc157e71a786986470f54f14fabf61c9460
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <[email protected]>
