In particular, we allowed HOST_DB ssh to all our hosts. That does not
make semantic sense, since the db host does not need to ssh to all the
other hosts (the reverse is true).
However, since draghi makes for a useful fallback jumphost, we now
explicitly allow it. We need to figure something out for the other role
based ferm rules.
allnodeinfo = scope.lookupvar('deprecated::allnodeinfo')
roles = scope.lookupvar('deprecated::roles')
allnodeinfo = scope.lookupvar('deprecated::allnodeinfo')
roles = scope.lookupvar('deprecated::roles')
- %w{mailrelay nagiosmaster extranrpeclient muninmaster dbmaster dns_geo postgres_backup_server syncproxy security_master ftp_master historical_master ports_master mirrormaster dns_primary}.each do |role|
+ %w{mailrelay nagiosmaster extranrpeclient muninmaster dns_geo postgres_backup_server syncproxy security_master ftp_master historical_master ports_master mirrormaster dns_primary}.each do |role|
rolehost[role] = []
roles[role].each do |node|
next unless allnodeinfo.has_key?(node) and allnodeinfo[node].has_key?('ipHostNumber')
rolehost[role] = []
roles[role].each do |node|
next unless allnodeinfo.has_key?(node) and allnodeinfo[node].has_key?('ipHostNumber')
@def $HOST_MUNIN_V6 = (<%= scope.function_filter_ipv6([rolehost['muninmaster']]).uniq.join(' ') %>);
@def $HOST_MUNIN = ( $HOST_MUNIN_V4 $HOST_MUNIN_V6 );
@def $HOST_MUNIN_V6 = (<%= scope.function_filter_ipv6([rolehost['muninmaster']]).uniq.join(' ') %>);
@def $HOST_MUNIN = ( $HOST_MUNIN_V4 $HOST_MUNIN_V6 );
-@def $HOST_DB_V4 = (<%= scope.function_filter_ipv4([rolehost['dbmaster']]).uniq.join(' ') %>);
-@def $HOST_DB_V6 = (<%= scope.function_filter_ipv6([rolehost['dbmaster']]).uniq.join(' ') %>);
-@def $HOST_DB = ( $HOST_DB_V4 $HOST_DB_V6 );
-
@def $HOST_PGBACKUPHOST_V4 = (<%= scope.function_filter_ipv4([rolehost['postgres_backup_server']]).uniq.join(' ') %>);
@def $HOST_PGBACKUPHOST_V6 = (<%= scope.function_filter_ipv6([rolehost['postgres_backup_server']]).uniq.join(' ') %>);
@def $HOST_PGBACKUPHOST = ( $HOST_PGBACKUPHOST_V4 $HOST_PGBACKUPHOST_V6 );
@def $HOST_PGBACKUPHOST_V4 = (<%= scope.function_filter_ipv4([rolehost['postgres_backup_server']]).uniq.join(' ') %>);
@def $HOST_PGBACKUPHOST_V6 = (<%= scope.function_filter_ipv6([rolehost['postgres_backup_server']]).uniq.join(' ') %>);
@def $HOST_PGBACKUPHOST = ( $HOST_PGBACKUPHOST_V4 $HOST_PGBACKUPHOST_V6 );
- ssh4allowed << %w{$DSA_IPS $HOST_NAGIOS_V4 $HOST_MUNIN_V4 $HOST_DB_V4}
- ssh6allowed << %w{$DSA_V6_IPS $HOST_NAGIOS_V6 $HOST_MUNIN_V6 $HOST_DB_V6}
+ # draghi makes for a nice jumphost
+ ssh4allowed << %w{$DSA_IPS $HOST_NAGIOS_V4 $HOST_MUNIN_V4 82.195.75.106}
+ ssh6allowed << %w{$DSA_V6_IPS $HOST_NAGIOS_V6 $HOST_MUNIN_V6 2001:41b8:202:deb:1a1a:0:52c3:4b6a}
if %w{draghi}.include?(@hostname) then
ssh4allowed << '$HOST_DEBIAN_V4'
if %w{draghi}.include?(@hostname) then
ssh4allowed << '$HOST_DEBIAN_V4'
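Review bot: The draghi jumphost is admitted by the literal addresses 82.195.75.106 and 2001:41b8:202:deb:1a1a:0:52c3:4b6a on the two added `ssh4allowed`/`ssh6allowed` lines, while every other allowed source in this template is derived from `allnodeinfo` at generation time; if draghi is ever renumbered, the rule keeps trusting the old address (and whatever host is assigned it next) with no error at template generation. Since `allnodeinfo` is already in scope, the addresses could be derived the same way the role hosts are, e.g. `@def $HOST_JUMPHOST_V4 = (<%= scope.function_filter_ipv4([allnodeinfo['draghi']['ipHostNumber']]).uniq.join(' ') %>);` (name constructed; assumes `ipHostNumber` is the field `rolehost` collects, which the loop body cut off after the first hunk should confirm), with the allow lines then naming `$HOST_JUMPHOST_V4`/`$HOST_JUMPHOST_V6` instead of literals. If the literals stay, a comment such as `# keep in sync with draghi's ipHostNumber entry in allnodeinfo` would at least tie them to their source. Removing dbmaster from the role loop and dropping the `$HOST_DB*` definitions is consistent with each other, but any remaining reference to `$HOST_DB` or `rolehost['dbmaster']` elsewhere in the template is outside this section and should be checked for. The `if %w{draghi}.include?(@hostname)` block continues past the end of the hunk.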