Simplify elasticsearch firewall rules
Because we are no longer running elasticsearch daemons on logstash-workers to perform indexing (and instead use HTTP to the elasticsearch cluster data nodes), and because kibana also speaks the HTTP API and doesn't join the cluster from logstash.openstack.org, we don't need to allow the full mesh of connectivity over ports 9200 to 9400. Remove these unneeded firewall rules, as the next step is converting to the new DNS-resolving firewall rule builder parameter in puppet-iptables. Change-Id: If79bab6dc0b510c5589b83c943458e8580eb8092
parent
994365d1bf
commit
5f876310ce
|
@ -463,11 +463,8 @@ node /^wiki-dev\d+\.openstack\.org$/ {
|
|||
# Node-OS: trusty
|
||||
# Node-OS: xenial
|
||||
node /^logstash\d*\.openstack\.org$/ {
|
||||
$iptables_es_rule = regsubst($elasticsearch_nodes,
|
||||
'^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 9200:9400 -s \1 -j ACCEPT')
|
||||
$iptables_gm_rule = regsubst($logstash_gearman_clients,
|
||||
$logstash_iptables_rule = regsubst($logstash_gearman_clients,
|
||||
'^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 4730 -s \1 -j ACCEPT')
|
||||
$logstash_iptables_rule = flatten([$iptables_es_rule, $iptables_gm_rule])
|
||||
|
||||
class { 'openstack_project::server':
|
||||
iptables_public_tcp_ports => [22, 80, 3306],
|
||||
|
@ -493,14 +490,10 @@ node /^logstash\d*\.openstack\.org$/ {
|
|||
# Node-OS: trusty
|
||||
# Node-OS: xenial
|
||||
node /^logstash-worker\d+\.openstack\.org$/ {
|
||||
$logstash_worker_iptables_rule = regsubst(flatten([$elasticsearch_nodes, $elasticsearch_clients]),
|
||||
'^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 9200:9400 -s \1 -j ACCEPT')
|
||||
$group = 'logstash-worker'
|
||||
|
||||
class { 'openstack_project::server':
|
||||
iptables_public_tcp_ports => [22],
|
||||
iptables_rules6 => $logstash_worker_iptables_rule,
|
||||
iptables_rules4 => $logstash_worker_iptables_rule,
|
||||
sysadmins => hiera('sysadmins', []),
|
||||
}
|
||||
|
||||
|
|
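Review bot: The rule kept for logstash.openstack.org in the first hunk, `$logstash_iptables_rule`, has no comment recording that the 4730 source allowlist is now the only host-specific rule and that inbound 9200:9400 was dropped on purpose; I would add `# Gearman (4730) from known clients only; ES is reached outbound over HTTP, so no inbound 9200:9400 rule.` above it so the range is not re-added later. Each `$logstash_gearman_clients` entry is substituted unvalidated into `-s \1`, so a hostname entry would presumably be resolved only once when the rules load, which the planned move to the DNS-resolving rule builder should cover. Separately, `iptables_public_tcp_ports => [22, 80, 3306]` still opens 3306 to any source on this node; if that is not intended, it belongs in the same cleanup. The `openstack_project::server` declaration continues outside the hunk, so its other parameters are not visible here.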