Hashar has uploaded a new change for review.
https://gerrit.wikimedia.org/r/94136
Change subject: contint: deny Zuul gearman port (4370) beside localhost
......................................................................
contint: deny Zuul gearman port (4370) beside localhost
Zuul comes with a built-in Gearman daemon. At first its only worker will
be the Jenkins master installed on the same box; they will communicate
over the loopback 127.0.0.1.
We cannot give access to gearman from labs machines or from the rest of
the Wikimedia cluster, to prevent someone from triggering unwanted jobs.
Hence I firewall out the port.
Change-Id: I708d562a02a98a9e603bd6afbd7399d737cc4322
---
M manifests/iptables.pp
M modules/contint/manifests/firewall.pp
2 files changed, 8 insertions(+), 0 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/36/94136/1
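The commit message says the port is firewalled; what actually makes that true is rule order, since iptables takes the first matching rule and the contint firewall accepts everything from 10.0.0.0/8 and 208.80.152.0/22 a few rules further down. The shell check below is an added example written for this review, not code from the change or from operations/puppet. The two rulesets it inspects are constructed to look like `iptables -S INPUT` output on the contint host, the function names are my own, and the 4730 case assumes gearmand's stock port rather than anything the change states.

```sh
#!/bin/sh
# Added example; not part of change 94136 or of the operations/puppet repo.
# It checks the one property the DROP rule depends on: that, for a given
# TCP port, the first INPUT rule able to match traffic from a non-loopback
# source is a DROP (or REJECT), i.e. the DROP sits above the broad
# 10.0.0.0/8 and 208.80.152.0/22 ACCEPTs. Input is text in the format of
# `iptables -S INPUT`. Both rulesets below are constructed samples of what
# the contint host might print; the port number is taken from the change.

# Constructed sample: DROP placed after the loopback ACCEPTs and before the
# network-wide ACCEPTs, which is what the patch intends.
SAMPLE_GOOD='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4370 -j DROP
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -s 208.80.152.0/22 -j ACCEPT'

# Constructed sample: same rules, but the DROP was appended last, so the
# 10.0.0.0/8 ACCEPT already matched and the DROP is dead.
SAMPLE_BAD='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -s 208.80.152.0/22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4370 -j DROP'

# port_blocked RULES PORT
# Exit 0 when a remote TCP connection to PORT is dropped, 1 when some
# earlier rule (or the chain policy) would accept it. The model is
# deliberately simple: loopback-only rules are skipped, a rule "matches"
# the port if it names it with --dport or names no port at all, and rules
# restricted to another protocol (-p udp) are ignored.
port_blocked() {
    printf '%s\n' "$1" | awk -v port="$2" '
        BEGIN { verdict = 1; decided = 0; policy = "ACCEPT" }
        /^-P INPUT / { policy = $3; next }            # chain policy, applied last
        /-i lo / || /-s 127\.0\.0\.1/ { next }        # cannot match remote traffic
        /-p udp/ { next }                             # not TCP
        {
            specific = ($0 ~ ("--dport " port "( |$)"))
            generic  = ($0 !~ /--dport/)
            if (specific || generic) {
                verdict = ($NF == "DROP" || $NF == "REJECT") ? 0 : 1
                decided = 1
                exit                                  # first match wins
            }
        }
        END {
            if (!decided) verdict = (policy == "DROP") ? 0 : 1
            exit verdict
        }
    '
}

# report RULES PORT LABEL: human-readable wrapper around port_blocked.
report() {
    if port_blocked "$1" "$2"; then
        echo "$3: tcp/$2 is dropped before any network-wide ACCEPT"
    else
        echo "$3: tcp/$2 is reachable from non-loopback sources"
    fi
}

report "$SAMPLE_GOOD" 4370 "drop-before-accept"
report "$SAMPLE_BAD"  4370 "drop-after-accept"
# A DROP keyed to one port says nothing about another: gearmand's stock
# port is 4730, so if the daemon were listening there this ruleset would
# not protect it (assumption: the Zuul host was not reconfigured to 4370).
report "$SAMPLE_GOOD" 4730 "different-port"
```

On a real host, feed it `iptables -S INPUT` and compare the port against what `ss -tlnp` (or `netstat -tlnp`) shows the Zuul server actually bound; the check is only as good as the port you ask it about.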
diff --git a/manifests/iptables.pp b/manifests/iptables.pp
index a706f8b..cf82006 100644
--- a/manifests/iptables.pp
+++ b/manifests/iptables.pp
@@ -4,6 +4,7 @@
beam2 => "5672",
beam3 => "56918",
epmd => "4369",
+ gearman => "4370",
git_daemon => "9418",
glance_api => "9292",
glance_registry => "9191",
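Review bot: the port number on the `gearman => "4370"` line looks transposed: gearmand and Zuul's built-in gearman server default to 4730, and nothing in the change shows the daemon being configured for 4370. Please confirm with `ss -tlnp` (or `netstat -tlnp`) on the contint host which port the Zuul server actually listens on before merging, since a DROP keyed to the wrong port leaves the real one reachable through the 10.0.0.0/8 and 208.80.152.0/22 ACCEPT rules. If the daemon really is on 4370, say so in the commit message.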
@@ -55,6 +56,7 @@
beam2 => "tcp",
beam3 => "tcp",
epmd => "tcp",
+ gearman => "tcp",
git_daemon => "tcp",
glance_api => "tcp",
glance_registry => "tcp",
diff --git a/modules/contint/manifests/firewall.pp
b/modules/contint/manifests/firewall.pp
index 8a3f595..6d8071f 100644
--- a/modules/contint/manifests/firewall.pp
+++ b/modules/contint/manifests/firewall.pp
@@ -9,6 +9,7 @@
iptables_purge_service{ 'deny_all_http-alt': service => 'http-alt' }
iptables_purge_service{ 'deny_all_zuul-daemon': service =>
'zuul_webservice' }
+ iptables_purge_service{ 'deny_all-gearman': service => 'gearman' }
iptables_purge_service{ 'deny_all_git-daemon': service => 'git_daemon' }
}
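Review bot: the resource title `deny_all-gearman` breaks the `deny_all_<service>` naming used by the sibling purges in this hunk (`deny_all_http-alt`, `deny_all_zuul-daemon`, `deny_all_git-daemon`); suggest `deny_all_gearman`, and rename the matching iptables_add_service title the same way so the purge keeps removing the rule the add creates.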
@@ -18,6 +19,11 @@
iptables_add_service{ 'lo_all': interface => 'lo', service => 'all', jump
=> 'ACCEPT' }
iptables_add_service{ 'localhost_all': source => '127.0.0.1', service =>
'all', jump => 'ACCEPT' }
+
+ # We really need to drop Zuul gearman there or anyone in wikimedia network
+ # would be able to reach Zuul gearman daemon.
+ iptables_add_service{ 'deny_all-gearman': service => 'gearman', jump =>
'DROP' }
+
iptables_add_service{ 'private_all': source => '10.0.0.0/8', service =>
'all', jump => 'ACCEPT' }
iptables_add_service{ 'public_all': source => '208.80.152.0/22', service
=> 'all', jump => 'ACCEPT' }
}
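Review bot: the DROP is only effective because it is declared between the loopback ACCEPTs and the `private_all`/`public_all` ACCEPTs, so the patch relies on iptables_add_service emitting rules in manifest order; if the define does not enforce that (Puppet does not order resources by their position in the manifest unless they are chained or the `ordering` setting says so), add explicit `require`/`before` relationships so the DROP cannot end up after `private_all`, where it would never match. The comment could also state why loopback is exempt (Jenkins on the same box reaches Gearman over 127.0.0.1, per the commit message) so that the rule is revisited if a Jenkins slave on another host ever needs Gearman.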
--
To view, visit https://gerrit.wikimedia.org/r/94136
Gerrit-MessageType: newchange
Gerrit-Change-Id: I708d562a02a98a9e603bd6afbd7399d737cc4322
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Hashar <[email protected]>
MediaWiki-commits mailing list