From 6f4637c1ef2d5c9978b6445e5022dad5ca8a71a3 Mon Sep 17 00:00:00 2001 From: Clark Boylan Date: Thu, 14 Dec 2017 13:54:39 -0800 Subject: [PATCH] Update logstash gearman client firewall rules This converts the config for logstash gearman client firewall rules to use the new puppet-iptables iptables_allowed_hosts feature. This works around an issue with netfilter-persistent starting before DNS resolution is working on boot. Change-Id: I76c45d8edbfe9f5420884e0ef2fb62cff2cc2bc9 --- hiera/common.yaml | 66 +++++++++++++++++++++++++------------------------ manifests/site.pp | 7 +---- 2 files changed, 34 insertions(+), 39 deletions(-) diff --git a/hiera/common.yaml b/hiera/common.yaml index 8ac56af070..586dcf4e41 100644 --- a/hiera/common.yaml +++ b/hiera/common.yaml 
@@ -28,39 +28,39 @@ elasticsearch_clients:
 - logstash-worker18.openstack.org
 - logstash-worker19.openstack.org
 - logstash-worker20.openstack.org
-logstash_gearman_clients:
-- logstash-worker01.openstack.org
-- logstash-worker02.openstack.org
-- logstash-worker03.openstack.org
-- logstash-worker04.openstack.org
-- logstash-worker05.openstack.org
-- logstash-worker06.openstack.org
-- logstash-worker07.openstack.org
-- logstash-worker08.openstack.org
-- logstash-worker09.openstack.org
-- logstash-worker10.openstack.org
-- logstash-worker11.openstack.org
-- logstash-worker12.openstack.org
-- logstash-worker13.openstack.org
-- logstash-worker14.openstack.org
-- logstash-worker15.openstack.org
-- logstash-worker16.openstack.org
-- logstash-worker17.openstack.org
-- logstash-worker18.openstack.org
-- logstash-worker19.openstack.org
-- logstash-worker20.openstack.org
-- subunit-worker01.openstack.org
-- subunit-worker02.openstack.org
-- ze01.openstack.org
-- ze02.openstack.org
-- ze03.openstack.org
-- ze04.openstack.org
-- ze05.openstack.org
-- ze06.openstack.org
-- ze07.openstack.org
-- ze08.openstack.org
-- ze09.openstack.org
-- ze10.openstack.org
+logstash_iptables_rule_data:
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker01.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker02.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker03.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker04.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker05.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker06.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker07.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker08.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker09.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker10.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker11.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker12.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker13.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker14.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker15.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker16.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker17.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker18.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker19.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker20.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'subunit-worker01.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'subunit-worker02.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'ze01.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'ze02.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'ze03.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'ze04.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'ze05.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'ze06.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'ze07.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'ze08.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'ze09.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'ze10.openstack.org'}
 infra_apache_serveradmin: noc@openstack.org
 statusbot_channels:
 - ara
diff --git a/manifests/site.pp b/manifests/site.pp
index 91d4fa1f41..44e69c120c 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
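Review bot: The new `logstash_iptables_rule_data` key carries only hostnames, so whatever the resolver returns for each name when puppet-iptables builds the rules becomes the accepted peer set for tcp/4730; a stale, changed or hijacked DNS answer widens or narrows the allow-list with no change here, and nothing in the data says which address families are expected. That is the same exposure the removed `-s <hostname>` rules had, only the resolution point moves from netfilter-persistent startup to the puppet run (which is what the commit message sets out to fix), and that contract is worth recording next to the key, e.g. `# Hosts allowed to reach gearman (tcp/4730) on logstash*. Hostnames, not addresses: resolved when puppet applies the rules, so a DNS change only takes effect on the next run. Use FQDNs of infra-managed hosts only.` The 32 entries differ only in `hostname`; a mistyped `port` or `protocol` in a future entry is easy to miss in a list this uniform, so keeping the values quoted exactly as here (or deriving the list from the existing worker host lists) would make review errors less likely. The set of hosts is unchanged from the removed list, so no peer is added or dropped by this hunk; the hunk holds the whole key, nothing is cut at its edges.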
@@ -7,7 +7,6 @@ # $elasticsearch_nodes = hiera_array('elasticsearch_nodes') $elasticsearch_clients = hiera_array('elasticsearch_clients') -$logstash_gearman_clients = hiera_array('logstash_gearman_clients') # # Default: should at least behave like an openstack server @@ -463,13 +462,9 @@ node /^wiki-dev\d+\.openstack\.org$/ { # Node-OS: trusty # Node-OS: xenial node /^logstash\d*\.openstack\.org$/ { - $logstash_iptables_rule = regsubst($logstash_gearman_clients, - '^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 4730 -s \1 -j ACCEPT') - class { 'openstack_project::server': iptables_public_tcp_ports => [22, 80, 3306], - iptables_rules6 => $logstash_iptables_rule, - iptables_rules4 => $logstash_iptables_rule, + iptables_allowed_hosts => hiera_array('logstash_iptables_rule_data'), sysadmins => hiera('sysadmins', []), }
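Review bot: The replacement `iptables_allowed_hosts => hiera_array('logstash_iptables_rule_data')` drops the explicit `-m state --state NEW` match and the paired `iptables_rules4`/`iptables_rules6` application that the removed `regsubst` rule carried, and nothing in this hunk shows how puppet-iptables expands a `{protocol, port, hostname}` entry; if the feature emits rules for only one address family, or collapses a name with both A and AAAA records into one rule, the reachable set for tcp/4730 changes silently. `hiera_array` with no default also merges matching arrays from every hierarchy level, so a per-node yaml can extend this allow-list without touching common.yaml, and a missing key fails catalog compilation rather than opening the port, which is the right failure mode for a firewall list but should be stated. A comment on the `class { 'openstack_project::server':` line would settle both: `# gearman (tcp/4730) allow-list from hiera logstash_iptables_rule_data (merged across hierarchy levels); NOTE(review): confirm iptables_allowed_hosts emits both v4 and v6 rules and keeps the --state NEW match the old rules had`. The `node /^logstash\d*\.openstack\.org$/` block closes outside the hunk, and the hunk header counts one more line than is visible here (likely a blank context line lost in the paste).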