Update logstash gearman client firewall rules

This converts the config for logstash gearman client firewall rules to
use the new puppet-iptables iptables_allowed_hosts feature. This works
around an issue with netfilter-persistent starting before dns
resolution is working on boot.

Change-Id: I76c45d8edbfe9f5420884e0ef2fb62cff2cc2bc9
Clark Boylan 2017-12-14 13:54:39 -08:00
parent 5f876310ce
commit 6f4637c1ef
2 changed files with 34 additions and 39 deletions


@ -28,39 +28,39 @@ elasticsearch_clients:
- logstash-worker18.openstack.org
- logstash-worker19.openstack.org
- logstash-worker20.openstack.org
logstash_gearman_clients:
- logstash-worker01.openstack.org
- logstash-worker02.openstack.org
- logstash-worker03.openstack.org
- logstash-worker04.openstack.org
- logstash-worker05.openstack.org
- logstash-worker06.openstack.org
- logstash-worker07.openstack.org
- logstash-worker08.openstack.org
- logstash-worker09.openstack.org
- logstash-worker10.openstack.org
- logstash-worker11.openstack.org
- logstash-worker12.openstack.org
- logstash-worker13.openstack.org
- logstash-worker14.openstack.org
- logstash-worker15.openstack.org
- logstash-worker16.openstack.org
- logstash-worker17.openstack.org
- logstash-worker18.openstack.org
- logstash-worker19.openstack.org
- logstash-worker20.openstack.org
- subunit-worker01.openstack.org
- subunit-worker02.openstack.org
- ze01.openstack.org
- ze02.openstack.org
- ze03.openstack.org
- ze04.openstack.org
- ze05.openstack.org
- ze06.openstack.org
- ze07.openstack.org
- ze08.openstack.org
- ze09.openstack.org
- ze10.openstack.org
logstash_iptables_rule_data:
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker01.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker02.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker03.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker04.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker05.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker06.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker07.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker08.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker09.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker10.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker11.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker12.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker13.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker14.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker15.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker16.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker17.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker18.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker19.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker20.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'subunit-worker01.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'subunit-worker02.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'ze01.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'ze02.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'ze03.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'ze04.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'ze05.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'ze06.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'ze07.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'ze08.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'ze09.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'ze10.openstack.org'}
infra_apache_serveradmin: noc@openstack.org
statusbot_channels:
- ara
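Review bot: The new logstash_iptables_rule_data entries carry only protocol, port and hostname, whereas the rules they replace were installed on both the IPv4 and IPv6 chains (iptables_rules4 and iptables_rules6 in the logstash node definition); confirm that iptables_allowed_hosts emits an ip6tables rule from the AAAA record as well as the iptables rule from the A record, otherwise gearman clients reaching logstash over IPv6 are silently blocked after this change. Given the stated motivation (netfilter-persistent starting before DNS works), the hostnames are presumably resolved when puppet applies rather than at firewall load, so a worker whose address changes stays blocked, and its old address stays allowed, until the next puppet run — that lifecycle is worth a note in the hiera file. I would add above the key: `# Gearman (tcp/4730) clients permitted through the logstash server firewall; consumed via iptables_allowed_hosts, which resolves each hostname at puppet run time`.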


@ -7,7 +7,6 @@
#
$elasticsearch_nodes = hiera_array('elasticsearch_nodes')
$elasticsearch_clients = hiera_array('elasticsearch_clients')
$logstash_gearman_clients = hiera_array('logstash_gearman_clients')
#
# Default: should at least behave like an openstack server
@ -463,13 +462,9 @@ node /^wiki-dev\d+\.openstack\.org$/ {
# Node-OS: trusty
# Node-OS: xenial
node /^logstash\d*\.openstack\.org$/ {
$logstash_iptables_rule = regsubst($logstash_gearman_clients,
'^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 4730 -s \1 -j ACCEPT')
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 3306],
iptables_rules6 => $logstash_iptables_rule,
iptables_rules4 => $logstash_iptables_rule,
iptables_allowed_hosts => hiera_array('logstash_iptables_rule_data'),
sysadmins => hiera('sysadmins', []),
}