One of the last changes broke dbmaster role based ferm rules
author Peter Palfrader <peter@palfrader.org>
Sun, 15 Sep 2019 13:11:28 +0000 (15:11 +0200)
committer Peter Palfrader <peter@palfrader.org>
Sun, 15 Sep 2019 13:11:32 +0000 (15:11 +0200)
In particular, we allowed HOST_DB ssh to all our hosts.  That does not
make semantic sense, since the db host does not need to ssh to all the
other hosts (the reverse is true).

However, since draghi makes for a useful fallback jumphost, we now
explicitly allow it.  We need to figure something out for the other role
based ferm rules.

modules/ferm/templates/defs.conf.erb
modules/ferm/templates/me.conf.erb

index e9daf7f..8c19cef 100644
@@ -24,7 +24,7 @@
   allnodeinfo = scope.lookupvar('deprecated::allnodeinfo')
   roles = scope.lookupvar('deprecated::roles')
 
-  %w{mailrelay nagiosmaster extranrpeclient muninmaster dbmaster dns_geo postgres_backup_server syncproxy security_master ftp_master historical_master ports_master mirrormaster dns_primary}.each do |role|
+  %w{mailrelay nagiosmaster extranrpeclient muninmaster dns_geo postgres_backup_server syncproxy security_master ftp_master historical_master ports_master mirrormaster dns_primary}.each do |role|
     rolehost[role] = []
     roles[role].each do |node|
         next unless allnodeinfo.has_key?(node) and allnodeinfo[node].has_key?('ipHostNumber')
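Review bot: dropping dbmaster from the %w{} role list means rolehost['dbmaster'] is never populated, so any remaining rolehost['dbmaster'] or $HOST_DB reference in another template would either raise during catalog compilation or hand ferm an undefined variable; a grep for HOST_DB and rolehost['dbmaster'] across the module before merging would confirm this commit removes the last users. As a style point, the one-line %w{...} role list makes it hard to spot which single role changed; one role per line would turn this into a one-line diff.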
 @def $HOST_MUNIN_V6 = (<%= scope.function_filter_ipv6([rolehost['muninmaster']]).uniq.join(' ') %>);
 @def $HOST_MUNIN = ( $HOST_MUNIN_V4 $HOST_MUNIN_V6 );
 
-@def $HOST_DB_V4 = (<%= scope.function_filter_ipv4([rolehost['dbmaster']]).uniq.join(' ') %>);
-@def $HOST_DB_V6 = (<%= scope.function_filter_ipv6([rolehost['dbmaster']]).uniq.join(' ') %>);
-@def $HOST_DB = ( $HOST_DB_V4 $HOST_DB_V6 );
-
 @def $HOST_PGBACKUPHOST_V4 = (<%= scope.function_filter_ipv4([rolehost['postgres_backup_server']]).uniq.join(' ') %>);
 @def $HOST_PGBACKUPHOST_V6 = (<%= scope.function_filter_ipv6([rolehost['postgres_backup_server']]).uniq.join(' ') %>);
 @def $HOST_PGBACKUPHOST = ( $HOST_PGBACKUPHOST_V4 $HOST_PGBACKUPHOST_V6 );
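Review bot: removing the $HOST_DB_V4, $HOST_DB_V6 and $HOST_DB @def lines is only safe if no other ferm fragment on the affected hosts still references them, since ferm refuses to load a ruleset that uses an undefined variable and the host would then keep its previous rules (or, after a reboot, none) until someone notices; checking every other template and static ferm file shipped by this module for HOST_DB would settle it. The removal itself matches the commit message, which says the db host never needed outbound ssh to the other hosts.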
index 615f633..072c2c0 100644
@@ -25,8 +25,9 @@ should_restrict = restrict_ssh.include?(@hostname)
 
 
 if should_restrict then
-       ssh4allowed << %w{$DSA_IPS    $HOST_NAGIOS_V4 $HOST_MUNIN_V4 $HOST_DB_V4}
-       ssh6allowed << %w{$DSA_V6_IPS $HOST_NAGIOS_V6 $HOST_MUNIN_V6 $HOST_DB_V6}
+       # draghi makes for a nice jumphost
+       ssh4allowed << %w{$DSA_IPS    $HOST_NAGIOS_V4 $HOST_MUNIN_V4  82.195.75.106}
+       ssh6allowed << %w{$DSA_V6_IPS $HOST_NAGIOS_V6 $HOST_MUNIN_V6  2001:41b8:202:deb:1a1a:0:52c3:4b6a}
 
        if %w{draghi}.include?(@hostname) then
                ssh4allowed << '$HOST_DEBIAN_V4'
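Review bot: the jumphost exception now uses literal addresses (82.195.75.106 and 2001:41b8:202:deb:1a1a:0:52c3:4b6a) rather than a value derived from allnodeinfo, so if draghi is ever renumbered this rule silently keeps pointing at the old addresses while the rest of me.conf.erb follows the directory; consider defining a pair such as $HOST_JUMPHOST_V4/$HOST_JUMPHOST_V6 in defs.conf.erb from allnodeinfo['draghi'] (the name is a suggestion) and referencing that here, which also avoids hardcoding addresses in a template that is otherwise address-free. The comment `# draghi makes for a nice jumphost` could also say it is a fallback jumphost, as the commit message does, so the next reader knows why one host is special-cased inside the restricted-ssh branch.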