Akosiaris has submitted this change and it was merged.
Change subject: contint: deny Zuul gearman port (4370) besides localhost
......................................................................
contint: deny Zuul gearman port (4370) besides localhost
Zuul comes with a built-in Gearman daemon. At first its only worker will
be the Jenkins master installed on the same box; they will communicate
over the loopback 127.0.0.1.
We cannot give access to gearman from labs machines or from the rest of
the Wikimedia cluster, to prevent someone from triggering unwanted jobs.
Hence I firewall out the port.
Change-Id: I708d562a02a98a9e603bd6afbd7399d737cc4322
---
M manifests/iptables.pp
M modules/contint/manifests/firewall.pp
2 files changed, 8 insertions(+), 0 deletions(-)
Approvals:
Akosiaris: Looks good to me, approved
jenkins-bot: Verified
diff --git a/manifests/iptables.pp b/manifests/iptables.pp
index a706f8b..cf82006 100644
--- a/manifests/iptables.pp
+++ b/manifests/iptables.pp
@@ -4,6 +4,7 @@
beam2 => "5672",
beam3 => "56918",
epmd => "4369",
+ gearman => "4370",
git_daemon => "9418",
glance_api => "9292",
glance_registry => "9191",
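Review bot: 4370 is not Gearman's registered port; gearmand and Zuul's built-in gearman server listen on 4730 by default, so `+ gearman => "4370",` looks like a digit transposition. If the daemon on the contint host is actually bound to 4730, the DROP rule built on this service entry would never match and the port would stay reachable from the network. Confirm the bound port on the box (e.g. `ss -ltnp` or `netstat -ltnp`) and, if it is 4730, correct both this entry and the "(4370)" in the change subject.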
@@ -55,6 +56,7 @@
beam2 => "tcp",
beam3 => "tcp",
epmd => "tcp",
+ gearman => "tcp",
git_daemon => "tcp",
glance_api => "tcp",
glance_registry => "tcp",
diff --git a/modules/contint/manifests/firewall.pp
b/modules/contint/manifests/firewall.pp
index 8a3f595..6d8071f 100644
--- a/modules/contint/manifests/firewall.pp
+++ b/modules/contint/manifests/firewall.pp
@@ -9,6 +9,7 @@
iptables_purge_service{ 'deny_all_http-alt': service => 'http-alt' }
iptables_purge_service{ 'deny_all_zuul-daemon': service =>
'zuul_webservice' }
+ iptables_purge_service{ 'deny_all-gearman': service => 'gearman' }
iptables_purge_service{ 'deny_all_git-daemon': service => 'git_daemon' }
}
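Review bot: the resource title 'deny_all-gearman' breaks the `deny_all_<service>` naming used by the neighbouring entries ('deny_all_http-alt', 'deny_all_zuul-daemon', 'deny_all_git-daemon'); 'deny_all_gearman' would fit the pattern. Whatever title is chosen must stay identical to the iptables_add_service title in the next hunk of this file, since the purge is keyed on that name.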
@@ -18,6 +19,11 @@
iptables_add_service{ 'lo_all': interface => 'lo', service => 'all', jump
=> 'ACCEPT' }
iptables_add_service{ 'localhost_all': source => '127.0.0.1', service =>
'all', jump => 'ACCEPT' }
+
+ # We really need to drop Zuul gearman there or anyone in wikimedia network
+ # would be able to reach Zuul gearman daemon.
+ iptables_add_service{ 'deny_all-gearman': service => 'gearman', jump =>
'DROP' }
+
iptables_add_service{ 'private_all': source => '10.0.0.0/8', service =>
'all', jump => 'ACCEPT' }
iptables_add_service{ 'public_all': source => '208.80.152.0/22', service
=> 'all', jump => 'ACCEPT' }
}
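Review bot: the DROP only protects the port if it ends up ahead of the 'private_all' and 'public_all' ACCEPT rules, because iptables stops at the first matching rule and 10.0.0.0/8 covers exactly the labs and cluster hosts the commit message wants kept out. That order is only implied by source position here; unless the iptables_add_service definition enforces ordering (an explicit before/require, or a fixed chain position), a reordered resource graph could place the ACCEPT first and silently reopen the port, so either document that the define preserves declaration order or add an explicit ordering on 'deny_all-gearman'. Also worth checking that the Jenkins master really connects to 127.0.0.1 as the message says and not to the host's own public address, since only the 'lo' and '127.0.0.1' rules above let gearman traffic through once this DROP is in place.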
--
To view, visit https://gerrit.wikimedia.org/r/94136
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I708d562a02a98a9e603bd6afbd7399d737cc4322
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Hashar <[email protected]>
Gerrit-Reviewer: Akosiaris <[email protected]>
Gerrit-Reviewer: jenkins-bot
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits