[MediaWiki-commits] [Gerrit] Template ferm's defs.production - change (operations/puppet)
Akosiaris has submitted this change and it was merged. Change subject: Template ferm's defs.production .. Template ferm's defs.production defs.${::realm} was too static and it caused issues with people trying to duplicate information in it which was already present in network.pp. This patch pulls information from network.pp and populates ferm.production to facilitate easier firewall construction While at it, convert network::constants to a more readable format and add bastion hosts and monitoring hosts to it, using them to populate ferm. Labs bastion/monitoring hosts are also taken into account and ferm arrays are populated according to the $::realm they belong into Change-Id: Icd266ac5f1c0edd40d07de041be90422f8003daf --- M manifests/network.pp D modules/base/files/firewall/defs.production M modules/base/manifests/init.pp A modules/base/templates/firewall/defs.erb A modules/base/templates/firewall/defs.labs.erb 5 files changed, 105 insertions(+), 16 deletions(-) Approvals: Akosiaris: Looks good to me, approved jenkins-bot: Verified
diff --git a/manifests/network.pp b/manifests/network.pp
index 01c8389..f434b6d 100644
--- a/manifests/network.pp
+++ b/manifests/network.pp
@@ -1,8 +1,63 @@
 # network.pp
 class network::constants {
- $external_networks = [ 91.198.174.0/24, 208.80.152.0/22, 2620:0:860::/46, 185.15.56.0/22, 198.35.26.0/23, 2a02:ec80::/32 ]
- $all_networks = [ 91.198.174.0/24, 208.80.152.0/22, 2620:0:860::/46, 10.0.0.0/8, 185.15.56.0/22, 198.35.26.0/23, 2a02:ec80::/32 ]
+ $external_networks = [
+ '91.198.174.0/24',
+ '208.80.152.0/22',
+ '2620:0:860::/46',
+ '198.35.26.0/23',
+ '185.15.56.0/22',
+ '2a02:ec80::/32',
+ ]
+ # NOTE: Should we just use stdlib's concat function and just add 10.0.0.0/8
+ # to external_networks to populate this one?
+ $all_networks = [
+ '91.198.174.0/24',
+ '208.80.152.0/22',
+ '2620:0:860::/46',
+ '198.35.26.0/23',
+ '185.15.56.0/22',
+ '2a02:ec80::/32',
+ '10.0.0.0/8',
+ ]
+
+ $special_hosts = {
+ 'production' = {
+ 'bastion_hosts' = [
+ '208.80.152.165',
+ '208.80.154.149',
+ '91.198.174.113',
+ '198.35.26.5',
+ '2620:0:860:2:21e:c9ff:feea:ab95',
+ '2620:0:861:2:7a2b:cbff:fe09:11ba',
+ '2620:0:862:1:a6ba:dbff:fe30:d770',
+ '2620:0:863:1:92b1:1cff:fe4d:4249',
+ ],
+ 'monitoring_hosts' = [
+ '208.80.154.14',
+ '2620:0:861:1:7a2b:cbff:fe08:a42f',
+ ]
+ },
+ 'labs' = {
+ 'bastion_hosts' = [
+ '208.80.153.202',
+ '208.80.153.203',
+ '208.80.153.207',
+ '208.80.153.232',
+ '10.4.1.55',
+ '10.4.1.58',
+ '10.4.1.84',
+ '10.4.1.85',
+ ],
+ 'monitoring_hosts' = [
+ '208.80.153.210',
+ '208.80.153.249',
+ '10.4.1.120',
+ '10.4.1.137',
+ ],
+ }
+ }
+
 $all_network_subnets = {
 'production' = {
 'eqiad' = {
diff --git a/modules/base/files/firewall/defs.production b/modules/base/files/firewall/defs.production
deleted file mode 100644
index d4b2b5b..000
--- a/modules/base/files/firewall/defs.production
+++ /dev/null
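Review bot: The production `bastion_hosts` list includes `2620:0:863:1:92b1:1cff:fe4d:4249`, which the deleted defs.production (three `$BASTION_V6` entries) did not contain, so this hunk widens the bastion allow-list rather than only moving existing data into network.pp; that addition deserves a mention in the commit message or its own change. Since these hashes are consumed as trusted-source sets by the ferm templates, I would put a comment above `$special_hosts` such as `# Consumed by base::firewall's ferm defs template: every address here is granted bastion or monitoring access on all firewalled hosts, so review additions accordingly`. The body of `class network::constants` continues past the end of the hunk.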
@@ -1,11 +0,0 @@
-@def $BASTION_V4 = (208.80.152.165 208.80.154.149 91.198.174.113 198.35.26.5);
-@def $BASTION_V6 = (2620:0:860:2:21e:c9ff:feea:ab95 2620:0:861:2:7a2b:cbff:fe09:11ba 2620:0:862:1:a6ba:dbff:fe30:d770);
-@def $BASTION = ($BASTION_V4 $BASTION_V6);
-
-@def $INTERNAL_V4 = (10.0.0.0/8);
-@def $INTERNAL_V6 = (2620:0:100::/56);
-@def $INTERNAL = ($INTERNAL_V4 $INTERNAL_V6);
-
-@def $ICINGA_V4 =
[MediaWiki-commits] [Gerrit] Template ferm's defs.production - change (operations/puppet)
Akosiaris has uploaded a new change for review. https://gerrit.wikimedia.org/r/99705 Change subject: Template ferm's defs.production .. Template ferm's defs.production defs.${::realm} was too static and it caused issues with people trying to duplicate information in it which was already present in network.pp. This patch pulls information from network.pp and populates ferm.production to facilitate easier firewall construction Change-Id: Icd266ac5f1c0edd40d07de041be90422f8003daf --- D modules/base/files/firewall/defs.production M modules/base/manifests/init.pp A modules/base/templates/firewall/defs.production.erb 3 files changed, 43 insertions(+), 12 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/05/99705/1
diff --git a/modules/base/files/firewall/defs.production b/modules/base/files/firewall/defs.production
deleted file mode 100644
index d4b2b5b..000
--- a/modules/base/files/firewall/defs.production
+++ /dev/null
@@ -1,11 +0,0 @@
-@def $BASTION_V4 = (208.80.152.165 208.80.154.149 91.198.174.113 198.35.26.5);
-@def $BASTION_V6 = (2620:0:860:2:21e:c9ff:feea:ab95 2620:0:861:2:7a2b:cbff:fe09:11ba 2620:0:862:1:a6ba:dbff:fe30:d770);
-@def $BASTION = ($BASTION_V4 $BASTION_V6);
-
-@def $INTERNAL_V4 = (10.0.0.0/8);
-@def $INTERNAL_V6 = (2620:0:100::/56);
-@def $INTERNAL = ($INTERNAL_V4 $INTERNAL_V6);
-
-@def $ICINGA_V4 = (208.80.154.14);
-@def $ICINGA_V6 = (2620:0:861:1:7a2b:cbff:fe08:a42f);
-@def $ICINGA = ($ICINGA_V4 $ICINGA_V6);
diff --git a/modules/base/manifests/init.pp b/modules/base/manifests/init.pp
index 1c5c94d..661001b 100644
--- a/modules/base/manifests/init.pp
+++ b/modules/base/manifests/init.pp
@@ -363,6 +363,7 @@
 # Don't include this sub class on all hosts yet
 # NOTE: Policy is DROP by default
 class base::firewall {
+include network::constants
 include ferm
 ferm::conf { 'main':
@@ -374,7 +375,8 @@
 ferm::conf { 'defs':
 ensure = present,
 prio= '00',
-source = puppet:///modules/base/firewall/defs.${::realm},
+content = template(base/firewall/defs.${::realm}.erb),
+source = 'puppet:///modules/base/firewall/main-input-default-drop.conf',
 }
 ferm::rule { 'bastion-ssh':
diff --git a/modules/base/templates/firewall/defs.production.erb b/modules/base/templates/firewall/defs.production.erb
new file mode 100644
index 000..c01b738
--- /dev/null
+++ b/modules/base/templates/firewall/defs.production.erb
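Review bot: The 'defs' ferm::conf ends up with both `content` and a `source`, and the added `+source = 'puppet:///modules/base/firewall/main-input-default-drop.conf'` names the 'main' conf's file rather than anything to do with defs, which looks like a copy-paste slip. If ferm::conf hands both parameters to a `file` resource, Puppet rejects the combination and the catalog fails on every host that includes base::firewall; if it prefers `source`, the prio-00 defs file would carry the default-drop input policy instead of the `@def` variables, and later rules that reference `$BASTION` or `$ICINGA` would make ferm refuse the ruleset. Drop the added `source` line and keep only `content => template("base/firewall/defs.${::realm}.erb")` (the arrows and quotes appear stripped by the mail rendering). The rest of `class base::firewall` and the ferm::conf definition are outside this hunk.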
@@ -0,0 +1,40 @@
+%-
+external_networks = scope.lookupvar('network::constants::external_networks')
+all_networks = scope.lookupvar('network::constants::all_networks')
+all_network_subnets = scope.lookupvar('network::constants::all_network_subnets')
+-%
+
+@def $EXTERNAL_NETWORKS = (%- external_networks.each do |external_net| -%%= external_net % % end -%);
+@def $ALL_NETWORKS = (%- all_networks.each do |net| -%%= net % % end -%);
+%- all_network_subnets.each_pair do |realm, sites| -%
+ %- sites.each_pair do |site, spheres| -%
+ %- spheres.each_pair do |sphere, networks | -%
+ %- networks.each_pair do |network, families| -%
+
+# Realm: %= realm %, # Site: %= site %, # Sphere: %= sphere %, # Network: %= network %
+ %-
+ descr = #{site.upcase()}_#{sphere.upcase()}_#{network.upcase()}
+ familydescrs = Array.new()
+ families.each_pair do |family, address|
+ familydescr = #{descr}_#{family.upcase()}
+ familydescrs familydescr -%
+@def $%= familydescr % = (%= address %);
+ %- end -%
+@def $%= descr % = (%- familydescrs.each do |fd|%$%= fd % % end -%);
+ %- end -%
+ %- end -%
+ %- end -%
+%- end -%
+
+@def $INTERNAL_V4 = (10.0.0.0/8);
+@def $INTERNAL_V6 = (2620:0:100::/56);
+@def $INTERNAL = ($INTERNAL_V4 $INTERNAL_V6);
+
+# Specific hosts
+@def $BASTION_V4 = (208.80.152.165 208.80.154.149 91.198.174.113 198.35.26.5);
+@def $BASTION_V6 = (2620:0:860:2:21e:c9ff:feea:ab95 2620:0:861:2:7a2b:cbff:fe09:11ba 2620:0:862:1:a6ba:dbff:fe30:d770);
+@def $BASTION = ($BASTION_V4 $BASTION_V6);
+
+@def $ICINGA_V4 = (208.80.154.14);
+@def $ICINGA_V6 = (2620:0:861:1:7a2b:cbff:fe08:a42f);
+@def $ICINGA = ($ICINGA_V4 $ICINGA_V6);
-- To view, visit https://gerrit.wikimedia.org/r/99705 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Icd266ac5f1c0edd40d07de041be90422f8003daf Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Akosiaris akosia...@wikimedia.org ___ MediaWiki-commits mailing list
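Review bot: `@def $INTERNAL_V6 = (2620:0:100::/56);` near the bottom of the template is still a literal copied from the deleted defs.production, and that prefix appears nowhere in `network::constants` (whose v6 ranges are 2620:0:860::/46 and 2a02:ec80::/32), so the `$INTERNAL` set that rules match on does not line up with the networks the manifest knows about. Either add the prefix to network.pp and look it up like `$ALL_NETWORKS`, or put a comment above it saying where it comes from and why it is not part of `$all_networks`. I would also start the generated file with `# This file is managed by Puppet (modules/base/templates/firewall/defs.production.erb); local edits will be overwritten` so operators do not hand-edit it. The generated names are `SITE_SPHERE_NETWORK_FAMILY` via `upcase()`; if any key in `$all_network_subnets` (not shown here) contains a `-`, confirm ferm accepts that character in a `@def` variable name before relying on the generated sets.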