I have done exactly this with a MariaDB cluster. Each client that needs
to access the database includes a class called mariadb::client which
includes this snippet:

    # Auto-add a firewall rule in the MySQL and MariaDB server just for us
    @@firewall { "100-mariadb-${::fqdn}":
      proto  => 'tcp',
      dport  => '3306',
      tag    => 'mariadb',
      source => $::ipaddress,
      action => 'accept',
    }

And then the MariaDB server realises all of those resources in its
server class:

    # MariaDB firewall rules for clients
    Firewall <<| tag == 'mariadb' |>>

It works nicely, but the only flaw is that when you build a new system,
it is not immediately able to use the database, and you have to wait
until after the database server has also checked in with Puppet.
Cheers,
Jonathan
On 23/01/15 22:15, Jason Price wrote:
Problem statement:
I have a Database server, and I have an arbitrary number of clients.
I wish to collect the client IP addresses, and build out a set of
firewall rules on the DB server to allow the client IPs to connect.
Bonus points if something can be purged out if it hasn't called home
to puppet in 48 hours (or something similar)
(technically, I need to do it both directions, since the DB is
Cassandra, and the number of nodes can grow there too, and the clients
need to be able to have firewall rules for each of those, but one
problem at a time)
Does puppet offer a canonical solution for this problem?
In searching around, using Exported Resources with puppetdb seems like
a good start, but there are numerous challenges with this approach:
mostly in leveraging those IP addresses in an ERB (to drive the
firewall rules).
Other searching led to the ConCat module, but that seems to only work
within the context of a single client and doesn't seem to be queryable
by other clients.
Thanks for any insights;
Jason
--
You received this message because you are subscribed to the Google
Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/CAChvjRC-t90oYDZJyFztkRX2J9E3riC-Ns2%3DQjJuNucfV%2BDEtg%40mail.gmail.com
For more options, visit https://groups.google.com/d/optout.
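
A hardened variant of the exported-resource pattern in this thread, as an added example that is not from either poster: clients export a wrapper type instead of a raw firewall rule, so the database server checks the reported address before opening the port and purges rules that are no longer exported. The dbaccess names and the 10.20.0.0/16 range are hypothetical, and the code assumes Puppet 4+, PuppetDB, puppetlabs-stdlib (for stdlib::ip_in_range) and the puppetlabs-firewall parameters used in the thread.

```puppet
# Added example; all dbaccess::* names and the CIDR below are hypothetical.

# Client side: export a request, not a firewall rule. The title uses the
# certificate name verified by the Puppet server rather than a fact the
# node reports about itself.
class dbaccess::export {
  @@dbaccess::client { $trusted['certname']:
    source => $facts['networking']['ip'],
    tag    => 'mariadb',
  }
}

# Server side: the allowed range is set here and is not a parameter of the
# exported type, so an exporting node cannot override it.
class dbaccess::server (
  Stdlib::IP::Address::V4::CIDR $allowed_net = '10.20.0.0/16', # constructed value
) {
  # Remove firewall rules Puppet does not manage, including rules of clients
  # whose exports are gone from PuppetDB. Every rule the host needs (SSH,
  # loopback, ...) must be declared in Puppet before enabling this.
  resources { 'firewall': purge => true }

  # Collect only the wrapper type; raw exported Firewall resources are ignored.
  Dbaccess::Client <<| tag == 'mariadb' |>>
}

# Evaluated in the database server's catalog for each collected export.
define dbaccess::client (String $source) {
  $net = $dbaccess::server::allowed_net

  # Accept a single IPv4 host inside the expected client network only.
  # A CIDR range or an address elsewhere is skipped with a warning instead
  # of failing the whole server catalog.
  if $source =~ Stdlib::IP::Address::V4::Nosubnet and stdlib::ip_in_range($source, $net) {
    firewall { "100-mariadb-${title}":
      proto  => 'tcp',
      dport  => '3306',
      source => $source,
      action => 'accept', # same parameter as the rule in the thread
    }
  } else {
    warning("dbaccess::client[${title}]: rejected source '${source}' (not a host in ${net})")
  }
}
```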