Jcrespo has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/399164 )

Change subject: mariadb: Preparing reimage of dbproxy1001 and setup proxy firewall
......................................................................

mariadb: Preparing reimage of dbproxy1001 and setup proxy firewall

Setup all dbproxy hosts to be reimaged as stretch.

Setup the option firewall, that can be 'disabled', 'internal' (for
production services only) and 'cloud' (for cloud services).

Enable the firewall on all hosts that are currently passive; others
will be failed over and re-enabled step by step (except labsdb
proxies, which will likely be kept disabled or with 3306 fully open
to everywhere).

Prepare dbproxy1001 with the new parameters, and with the stretch
(haproxy >= 1.7) address syntax.

mariadb::ferm_wmcs is still a role, that has to be fixed
separately.

Bug: T148507
Change-Id: I97067576fcd3e7b0fe5c94676fc225fe46757fd4
---
M hieradata/hosts/dbproxy1001.yaml
M hieradata/hosts/dbproxy1002.yaml
M hieradata/hosts/dbproxy1003.yaml
M hieradata/hosts/dbproxy1005.yaml
M hieradata/hosts/dbproxy1006.yaml
M hieradata/hosts/dbproxy1009.yaml
M hieradata/hosts/dbproxy1010.yaml
M hieradata/hosts/dbproxy1011.yaml
M modules/install_server/files/dhcpd/linux-host-entries.ttyS1-115200
M modules/profile/manifests/mariadb/proxy.pp
10 files changed, 48 insertions(+), 8 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/64/399164/1

diff --git a/hieradata/hosts/dbproxy1001.yaml b/hieradata/hosts/dbproxy1001.yaml
index 076253e..adef909 100644
--- a/hieradata/hosts/dbproxy1001.yaml
+++ b/hieradata/hosts/dbproxy1001.yaml
@@ -1,6 +1,4 @@
-profile::mariadb::proxy::pid: '/var/run/haproxy.pid'
-profile::mariadb::proxy::socket: '/tmp/haproxy.socket'
 profile::mariadb::proxy::master::primary_name: 'db1016'
-profile::mariadb::proxy::master::primary_addr: '10.64.0.20'
+profile::mariadb::proxy::master::primary_addr: '10.64.0.20:3306'
 profile::mariadb::proxy::master::secondary_name: 'db1001'
-profile::mariadb::proxy::master::secondary_addr: '10.64.0.5'
+profile::mariadb::proxy::master::secondary_addr: '10.64.0.5:3306'
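Review bot: this is the only touched host that does not set `profile::mariadb::proxy::firewall`, so dbproxy1001 will silently pick up whatever default proxy.pp declares ('internal' in this change) on its first puppet run after the reimage. Since every other host file in the change states its mode explicitly, add `profile::mariadb::proxy::firewall: 'internal'` (or 'disabled' until the host is back in service) here too, so the intended mode is visible in hiera rather than implied by the class default. Dropping the pid/socket overrides also moves the stats socket from `/tmp/haproxy.socket` to the `/run/haproxy/haproxy.sock` default, which is the better location; worth a line in the commit message.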
diff --git a/hieradata/hosts/dbproxy1002.yaml b/hieradata/hosts/dbproxy1002.yaml
index c31bd1d..6c9e3ab 100644
--- a/hieradata/hosts/dbproxy1002.yaml
+++ b/hieradata/hosts/dbproxy1002.yaml
@@ -4,3 +4,4 @@
 profile::mariadb::proxy::master::primary_addr: '10.64.16.9'
 profile::mariadb::proxy::master::secondary_name: 'db2011'
 profile::mariadb::proxy::master::secondary_addr: '10.192.0.14'
+profile::mariadb::proxy::firewall: 'disabled'
diff --git a/hieradata/hosts/dbproxy1003.yaml b/hieradata/hosts/dbproxy1003.yaml
index c7e6c74..92fa06e 100644
--- a/hieradata/hosts/dbproxy1003.yaml
+++ b/hieradata/hosts/dbproxy1003.yaml
@@ -4,3 +4,4 @@
 profile::mariadb::proxy::master::primary_addr: '10.64.16.32'
 profile::mariadb::proxy::master::secondary_name: 'db1059'
 profile::mariadb::proxy::master::secondary_addr: '10.64.32.29'
+profile::mariadb::proxy::firewall: 'disabled'
diff --git a/hieradata/hosts/dbproxy1005.yaml b/hieradata/hosts/dbproxy1005.yaml
index 5727806..75795b2 100644
--- a/hieradata/hosts/dbproxy1005.yaml
+++ b/hieradata/hosts/dbproxy1005.yaml
@@ -4,3 +4,4 @@
 profile::mariadb::proxy::master::primary_addr: '10.64.0.13'
 profile::mariadb::proxy::master::secondary_name: 'db2030'
 profile::mariadb::proxy::master::secondary_addr: '10.192.16.18'
+profile::mariadb::proxy::firewall: 'cloud'
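Review bot: 'cloud' is the only value in this change that routes through `::role::mariadb::ferm_wmcs` (flagged FIXME in proxy.pp), and the commit message says the firewall is only to be enabled on hosts that are currently passive; confirm dbproxy1005 is passive today, and note that its secondary (`10.192.16.18`) is in a different network range than the primary, so the ferm_wmcs rule set needs to permit both backends.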
diff --git a/hieradata/hosts/dbproxy1006.yaml b/hieradata/hosts/dbproxy1006.yaml
index 076253e..39b3b74 100644
--- a/hieradata/hosts/dbproxy1006.yaml
+++ b/hieradata/hosts/dbproxy1006.yaml
@@ -4,3 +4,4 @@
 profile::mariadb::proxy::master::primary_addr: '10.64.0.20'
 profile::mariadb::proxy::master::secondary_name: 'db1001'
 profile::mariadb::proxy::master::secondary_addr: '10.64.0.5'
+profile::mariadb::proxy::firewall: 'disabled'
diff --git a/hieradata/hosts/dbproxy1009.yaml b/hieradata/hosts/dbproxy1009.yaml
index 2176b4d..f118d97 100644
--- a/hieradata/hosts/dbproxy1009.yaml
+++ b/hieradata/hosts/dbproxy1009.yaml
@@ -4,3 +4,4 @@
 profile::mariadb::proxy::master::primary_addr: '10.64.0.214:3306'
 profile::mariadb::proxy::master::secondary_name: 'db1108'
 profile::mariadb::proxy::master::secondary_addr: '10.64.32.71:3306'
+profile::mariadb::proxy::firewall: 'disabled'
diff --git a/hieradata/hosts/dbproxy1010.yaml b/hieradata/hosts/dbproxy1010.yaml
index 1f806ce..454e93e 100644
--- a/hieradata/hosts/dbproxy1010.yaml
+++ b/hieradata/hosts/dbproxy1010.yaml
@@ -4,3 +4,4 @@
 profile::mariadb::proxy::master::primary_addr: '10.64.37.23'
 profile::mariadb::proxy::master::secondary_name: 'labsdb1009'
 profile::mariadb::proxy::master::secondary_addr: '10.64.4.14'
+profile::mariadb::proxy::firewall: 'disabled'
diff --git a/hieradata/hosts/dbproxy1011.yaml b/hieradata/hosts/dbproxy1011.yaml
index 5429610..9c94c45 100644
--- a/hieradata/hosts/dbproxy1011.yaml
+++ b/hieradata/hosts/dbproxy1011.yaml
@@ -1,6 +1,7 @@
-profile::mariadb::proxy::pid: /var/run/haproxy.pid
-profile::mariadb::proxy::socket: /tmp/haproxy.socket
+profile::mariadb::proxy::pid: '/var/run/haproxy.pid'
+profile::mariadb::proxy::socket: '/tmp/haproxy.socket'
 profile::mariadb::proxy::master::primary_name: 'labsdb1011'
 profile::mariadb::proxy::master::primary_addr: '10.64.37.24'
 profile::mariadb::proxy::master::secondary_name: 'labsdb1010'
 profile::mariadb::proxy::master::secondary_addr: '10.64.37.23'
+profile::mariadb::proxy::firewall: 'disabled'
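Review bot: the explicit `socket: '/tmp/haproxy.socket'` override is kept here (only quoting changes), whereas dbproxy1001 drops it in the same change and falls back to `/run/haproxy/haproxy.sock`. A control socket in world-writable `/tmp` is reachable by any local user and is subject to symlink/pre-creation games, so plan to remove this override (and the `pid` one) from dbproxy1011 as well when it is reimaged, rather than carrying the `/tmp` path forward on stretch.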
diff --git a/modules/install_server/files/dhcpd/linux-host-entries.ttyS1-115200 
b/modules/install_server/files/dhcpd/linux-host-entries.ttyS1-115200
index 3317fd9..1cc2940 100644
--- a/modules/install_server/files/dhcpd/linux-host-entries.ttyS1-115200
+++ b/modules/install_server/files/dhcpd/linux-host-entries.ttyS1-115200
@@ -1679,16 +1679,22 @@
 host dbproxy1001 {
     hardware ethernet 84:2b:2b:fd:bd:56;
     fixed-address dbproxy1001.eqiad.wmnet;
+    option pxelinux.pathprefix "stretch-installer/";
+    filename "stretch-installer/debian-installer/amd64/pxelinux.0";
 }
 
 host dbproxy1002 {
     hardware ethernet 84:2b:2b:fd:be:a3;
     fixed-address dbproxy1002.eqiad.wmnet;
+    option pxelinux.pathprefix "stretch-installer/";
+    filename "stretch-installer/debian-installer/amd64/pxelinux.0";
 }
 
 host dbproxy1003 {
     hardware ethernet 84:2b:2b:fc:af:c2;
     fixed-address dbproxy1003.eqiad.wmnet;
+    option pxelinux.pathprefix "stretch-installer/";
+    filename "stretch-installer/debian-installer/amd64/pxelinux.0";
 }
 
 host dbproxy1004 {
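Review bot: dbproxy1002 and dbproxy1003 are switched to the stretch installer here, but their hieradata in this same change still carries bare `primary_addr`/`secondary_addr` values without `:3306`, which the commit message says is required for the haproxy >= 1.7 address syntax. Either add the port suffix to those two files now (it is accepted by the current haproxy as well) or document that the hiera update must land before each reimage, so a freshly installed proxy does not start with an unusable backend definition. dbproxy1004 is left on the old installer; if that is deliberate, a note in the commit message would help.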
@@ -1701,21 +1707,29 @@
 host dbproxy1005 {
     hardware ethernet 84:2b:2b:fd:be:d9;
     fixed-address dbproxy1005.eqiad.wmnet;
+    option pxelinux.pathprefix "stretch-installer/";
+    filename "stretch-installer/debian-installer/amd64/pxelinux.0";
 }
 
 host dbproxy1006 {
     hardware ethernet 84:2b:2b:fc:ad:79;
     fixed-address dbproxy1006.eqiad.wmnet;
+    option pxelinux.pathprefix "stretch-installer/";
+    filename "stretch-installer/debian-installer/amd64/pxelinux.0";
 }
 
 host dbproxy1007 {
     hardware ethernet 84:2b:2b:fd:c0:a4;
     fixed-address dbproxy1007.eqiad.wmnet;
+    option pxelinux.pathprefix "stretch-installer/";
+    filename "stretch-installer/debian-installer/amd64/pxelinux.0";
 }
 
 host dbproxy1008 {
     hardware ethernet 84:2b:2b:fd:be:eb;
     fixed-address dbproxy1008.eqiad.wmnet;
+    option pxelinux.pathprefix "stretch-installer/";
+    filename "stretch-installer/debian-installer/amd64/pxelinux.0";
 }
 
 host dbproxy1009 {
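Review bot: dbproxy1007 and dbproxy1008 receive the stretch installer lines, but no `hieradata/hosts/dbproxy1007.yaml` or `dbproxy1008.yaml` appears in this change, so they would get the `profile::mariadb::proxy::firewall` class default rather than an explicit mode, and their backend addresses are not visible here for the `:3306` check. Confirm those hosts are covered elsewhere or add their host files to this change.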
@@ -1728,11 +1742,15 @@
 host dbproxy1010 {
     hardware ethernet 84:2b:2b:fd:bf:72;
     fixed-address dbproxy1010.eqiad.wmnet;
+    option pxelinux.pathprefix "stretch-installer/";
+    filename "stretch-installer/debian-installer/amd64/pxelinux.0";
 }
 
 host dbproxy1011 {
     hardware ethernet 84:2b:2b:fd:bf:69;
     fixed-address dbproxy1011.eqiad.wmnet;
+    option pxelinux.pathprefix "stretch-installer/";
+    filename "stretch-installer/debian-installer/amd64/pxelinux.0";
 }
 
 host dbstore1001 {
diff --git a/modules/profile/manifests/mariadb/proxy.pp 
b/modules/profile/manifests/mariadb/proxy.pp
index 5e49589..92cde89 100644
--- a/modules/profile/manifests/mariadb/proxy.pp
+++ b/modules/profile/manifests/mariadb/proxy.pp
@@ -1,9 +1,16 @@
 # base profile to have a manually-managed haproxy installation, pointing to
 # to nowere by default. Check ::profile::mariadb::proxy::{master,replica} for
 # it to do something useful (failover or load balancing)
+# * pid: full path of the pid passed to haproxy to control running process
+# * socket: full path of the socket passed to haproxy to connect without tcp
+# * firewall: controls the firewall, the options are:
+#   - 'disabled': no firewall is setup
+#   - 'cloud': firewall with holes to cloud network for cloud production 
services
+#   - 'internal': firewall only to the internal network
 class profile::mariadb::proxy (
-    $pid    = hiera('profile::mariadb::proxy::pid', 
'/run/haproxy/haproxy.pid'),
-    $socket = hiera('profile::mariadb::proxy::socket', 
'/run/haproxy/haproxy.sock'),
+    $pid      = hiera('profile::mariadb::proxy::pid', 
'/run/haproxy/haproxy.pid'),
+    $socket   = hiera('profile::mariadb::proxy::socket', 
'/run/haproxy/haproxy.sock'),
+    $firewall = hiera('profile::mariadb::proxy::firewall', 'internal')
     ){
 
     class { 'haproxy':
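Review bot: the default of 'internal' for `$firewall` makes the firewall opt-out: any proxy without an explicit hiera key (dbproxy1001 in this change) gets `::profile::base::firewall` and `::profile::mariadb::ferm` on its next agent run, which is the opposite of the step-by-step, passive-hosts-first rollout the commit message describes. Consider `hiera('profile::mariadb::proxy::firewall', 'disabled')` for the duration of the rollout and flipping the default once all hosts are migrated, and state the default in the new doc comment. While editing this comment block, "pointing to / # to nowere" has a duplicated "to" and "nowere" should be "nowhere".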
@@ -12,4 +19,14 @@
         socket   => $socket,
     }
 
+    if $firewall == 'internal' {
+        include ::profile::base::firewall
+        include ::profile::mariadb::ferm
+    } else if $firewall == 'cloud' {
+        include ::profile::base::firewall
+        # FIXME: this should be a profile
+        include ::role::mariadb::ferm_wmcs
+    } elseif $firewall != 'disabled' {
+        fail('profile::mariadb::proxy::firewall can only be internal, cloud or 
disabled.') 
+    }
 }
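Review bot: `} else if $firewall == 'cloud' {` and `} elseif $firewall != 'disabled' {` will not compile: Puppet's keyword is `elsif`, and it does not accept `else if` (where `else` must be followed by a block) or `elseif`. The three branches plus the error case read more naturally as a `case` statement, which also guarantees that unknown values hit the `fail()`:

case $firewall {
    'internal': { include ::profile::base::firewall; include ::profile::mariadb::ferm }
    'cloud':    { include ::profile::base::firewall; include ::role::mariadb::ferm_wmcs }
    'disabled': { }
    default:    { fail('profile::mariadb::proxy::firewall can only be internal, cloud or disabled.') }
}

Alternatively declare the parameter as `Enum['disabled', 'internal', 'cloud'] $firewall` and let the type check reject bad hiera values at catalog compile time. Also note the trailing whitespace after `disabled.')` on the `fail(` line.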

-- 
To view, visit https://gerrit.wikimedia.org/r/399164
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I97067576fcd3e7b0fe5c94676fc225fe46757fd4
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Jcrespo <[email protected]>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
