add params for ganeti

Signed-off-by: Stephen Gran <steve@lobefin.net>

diff --git a/modules/ferm/manifests/conf.pp b/modules/ferm/manifests/conf.pp
new file mode 100644 (file)
index 0000000..dd3bb0c
--- /dev/null
+++ b/modules/ferm/manifests/conf.pp
@@ -0,0 +1,23 @@
+define ferm::conf ($content, $source) {
+
+       case $ensure {
+               present,absent: {}
+               default: { fail ( "Invald ensure `${ensure}' for ${name}" ) }
+       }
+
+       if ($source and $content) {
+               fail ( "Can't define both source and content for ${name}" )
+       }
+
+       if $source {
+               file { "/etc/ferm/conf.d/${name}":
+                       ensure => $ensure,
+                       source => $source
+               }
+       } elsif $content {
+               file { "/etc/ferm/conf.d/${name}":
+                       ensure  => $ensure,
+                       content => $content,
+               }
+       }
+}

diff --git a/modules/ferm/manifests/init.pp b/modules/ferm/manifests/init.pp
index 904d83a..6d2d0c6 100644 (file)
--- a/modules/ferm/manifests/init.pp
+++ b/modules/ferm/manifests/init.pp
@@ -9,6 +9,7 @@
 class ferm {
        # realize (i.e. enable) all @ferm::rule virtual resources
        Ferm::Rule <| |>
+       Ferm::Conf <| |>
 
        File { mode => '0400' }
 

diff --git a/modules/ferm/templates/defs.conf.erb b/modules/ferm/templates/defs.conf.erb
index 15c5015..e19c00e 100644 (file)
--- a/modules/ferm/templates/defs.conf.erb
+++ b/modules/ferm/templates/defs.conf.erb
@@ -165,13 +165,6 @@
   dbs.join(' ')
 %>);
 
-# FIXME XXX we should get these from other information, and reconsider the places where we use them in destination matching rules
-@def $HOST_GANETI_V4                = (206.12.19.213/32 206.12.19.217/32 206.12.19.212/32 206.12.19.216/32);
-@def $HOST_GANETI_BACKEND_V4        = (192.168.2.213/32 192.168.2.217/32 192.168.2.212/32 192.168.2.216/32);
-@def $HOST_GANETI_MANDA_V4          = (82.195.75.103/32 82.195.75.109/32);
-@def $HOST_GANETI_MANDA_BACKEND_V4 = (192.168.75.103/32 192.168.75.109/32);
-
-
 @def $HOST_DEBIAN = ($HOST_DEBIAN_V4 $HOST_DEBIAN_V6);
 
 @def $sgran   = (91.103.132.24/29 85.158.45.51/32);

diff --git a/modules/ganeti2/manifests/firewall.pp b/modules/ganeti2/manifests/firewall.pp
new file mode 100644 (file)
index 0000000..484ac80
--- /dev/null
+++ b/modules/ganeti2/manifests/firewall.pp
@@ -0,0 +1,47 @@
+class ganeti2::firewall {
+
+       include ganeti2::params
+
+       $ganeti_hosts = $ganeti2::params::ganeti_hosts
+       $ganeti_priv  = $ganeti2::params::ganeti_priv
+
+       @ferm::conf { 'ganeti2':
+               content => template('ganeti2/defs.conf.erb')
+       }
+
+       @ferm::rule { 'dsa-ganeti-noded-v4':
+               description => 'allow ganeti-noded communication',
+               rule        => 'proto tcp mod state state (NEW) dport (1811) @subchain \'ganeti-noded\' { saddr ($HOST_GANETI_V4) daddr ($HOST_GANETI_V4) ACCEPT; }',
+               notarule    => true,
+       }
+
+       @ferm::rule { 'dsa-ganeti-confd-v4':
+               description => 'allow ganeti-confd communication',
+               rule        => 'proto udp mod state state (NEW) dport (1814) @subchain \'ganeti-confd\' { saddr ($HOST_GANETI_V4) daddr ($HOST_GANETI_V4) ACCEPT; }',
+               notarule    => true,
+       }
+
+       @ferm::rule { 'dsa-ganeti-rapi-v4':
+               description => 'allow ganeti-rapi communication',
+               rule        => 'proto tcp mod state state (NEW) dport (5080) @subchain \'ganeti-rapi\' { saddr ($HOST_GANETI_V4) daddr ($HOST_GANETI_V4) ACCEPT; }',
+               notarule    => true,
+       }
+
+       @ferm::rule { 'dsa-ganeti-drbd-v4':
+               description => 'allow ganeti drbd communication',
+               rule        => 'proto tcp mod state state (NEW) dport (11000:11999) @subchain \'ganeti-drbd\' { saddr ($HOST_GANETI_BACKEND_V4) daddr ($HOST_GANETI_BACKEND_V4) ACCEPT; }',
+               notarule    => true,
+       }
+
+       @ferm::rule { 'dsa-ganeti-kvm-migration-v4':
+               description => 'allow ganeti kvm migration ',
+               rule        => 'proto tcp dport 8102 @subchain \'ganeti-kvm-migration\' { saddr ($HOST_GANETI_BACKEND_V4) daddr ($HOST_GANETI_BACKEND_V4) ACCEPT; }',
+               notarule    => true,
+       }
+
+       @ferm::rule { 'dsa-ganeti-ssh-v4':
+               description => 'allow ganeti to ssh around',
+               rule        => 'proto tcp dport ssh @subchain \'ganeti-ssh\' { saddr ( $HOST_GANETI_V4 $HOST_GANETI_BACKEND_V4) ACCEPT; }',
+               notarule    => true,
+       }
+}

diff --git a/modules/ganeti2/manifests/init.pp b/modules/ganeti2/manifests/init.pp
index 3b5c835..bacb78c 100644 (file)
--- a/modules/ganeti2/manifests/init.pp
+++ b/modules/ganeti2/manifests/init.pp
@@ -1,5 +1,10 @@
 class ganeti2 {
 
+       include ganeti2::params
+       include ganeti2::firewall
+
+       $drbd = $ganeti2::params::drbd
+
        package { 'ganeti2':
                ensure => installed
        }
@@ -12,88 +17,9 @@ class ganeti2 {
                ensure => installed
        }
 
-       case $::cluster {
-               'ganeti2.debian.org': {
-                       package { 'drbd8-utils':
-                               ensure => installed
-                       }
-
-                       @ferm::rule { 'dsa-ganeti-noded-v4':
-                               description => 'allow ganeti-noded communication',
-                               rule        => 'proto tcp mod state state (NEW) dport (1811) @subchain \'ganeti-noded\' { saddr ($HOST_GANETI_V4) daddr ($HOST_GANETI_V4) ACCEPT; }',
-                               notarule    => true,
-                       }
-
-                       @ferm::rule { 'dsa-ganeti-confd-v4':
-                               description => 'allow ganeti-confd communication',
-                               rule        => 'proto udp mod state state (NEW) dport (1814) @subchain \'ganeti-confd\' { saddr ($HOST_GANETI_V4) daddr ($HOST_GANETI_V4) ACCEPT; }',
-                               notarule    => true,
-                       }
-
-                       @ferm::rule { 'dsa-ganeti-rapi-v4':
-                               description => 'allow ganeti-rapi communication',
-                               rule        => 'proto tcp mod state state (NEW) dport (5080) @subchain \'ganeti-rapi\' { saddr ($HOST_GANETI_V4) daddr ($HOST_GANETI_V4) ACCEPT; }',
-                               notarule    => true,
-                       }
-
-                       @ferm::rule { 'dsa-ganeti-drbd-v4':
-                               description => 'allow ganeti drbd communication',
-                               rule        => 'proto tcp mod state state (NEW) dport (11000:11999) @subchain \'ganeti-drbd\' { saddr ($HOST_GANETI_BACKEND_V4) daddr ($HOST_GANETI_BACKEND_V4) ACCEPT; }',
-                               notarule    => true,
-                       }
-
-                       @ferm::rule { 'dsa-ganeti-kvm-migration-v4':
-                               description => 'allow ganeti kvm migration ',
-                               rule        => 'proto tcp dport 8102 @subchain \'ganeti-kvm-migration\' { saddr ($HOST_GANETI_BACKEND_V4) daddr ($HOST_GANETI_BACKEND_V4) ACCEPT; }',
-                               notarule    => true,
-                       }
-
-                       @ferm::rule { 'dsa-ganeti-ssh-v4':
-                               description => 'allow ganeti to ssh around',
-                               rule        => 'proto tcp dport ssh @subchain \'ganeti-ssh\' { saddr ( $HOST_GANETI_V4 $HOST_GANETI_BACKEND_V4) ACCEPT; }',
-                               notarule    => true,
-                       }
-               }
-               'ganeti3.debian.org': {
-                       package { 'drbd8-utils':
-                               ensure => installed
-                       }
-
-                       @ferm::rule { 'dsa-ganeti-noded-v4':
-                               description => 'allow ganeti-noded communication',
-                               rule        => 'proto tcp mod state state (NEW) dport (1811) @subchain \'ganeti-noded\' { saddr ($HOST_GANETI_MANDA_V4) daddr ($HOST_GANETI_MANDA_V4) ACCEPT; }',
-                               notarule    => true,
-                       }
-
-                       @ferm::rule { 'dsa-ganeti-confd-v4':
-                               description => 'allow ganeti-confd communication',
-                               rule        => 'proto udp mod state state (NEW) dport (1814) @subchain \'ganeti-confd\' { saddr ($HOST_GANETI_MANDA_V4) daddr ($HOST_GANETI_MANDA_V4) ACCEPT; }',
-                               notarule    => true,
-                       }
-
-                       @ferm::rule { 'dsa-ganeti-rapi-v4':
-                               description => 'allow ganeti-rapi communication',
-                               rule        => 'proto tcp mod state state (NEW) dport (5080) @subchain \'ganeti-rapi\' { saddr ($HOST_GANETI_MANDA_V4) daddr ($HOST_GANETI_MANDA_V4) ACCEPT; }',
-                               notarule    => true,
-                       }
-
-                       @ferm::rule { 'dsa-ganeti-drbd-v4':
-                               description => 'allow ganeti drbd communication',
-                               rule        => 'proto tcp mod state state (NEW) dport (11000:11999) @subchain \'ganeti-drbd\' { saddr ($HOST_GANETI_MANDA_BACKEND_V4) daddr ($HOST_GANETI_MANDA_BACKEND_V4) ACCEPT; }',
-                               notarule    => true,
-                       }
-
-                       @ferm::rule { 'dsa-ganeti-kvm-migration-v4':
-                               description => 'allow ganeti kvm migration ',
-                               rule        => 'proto tcp dport 8102 @subchain \'ganeti-kvm-migration\' { saddr ($HOST_GANETI_MANDA_BACKEND_V4) daddr ($HOST_GANETI_MANDA_BACKEND_V4) ACCEPT; }',
-                               notarule    => true,
-                       }
-
-                       @ferm::rule { 'dsa-ganeti-ssh-v4':
-                               description => 'allow ganeti to ssh around',
-                               rule        => 'proto tcp dport ssh @subchain \'ganeti-ssh\' { saddr ( $HOST_GANETI_MANDA_V4 $HOST_GANETI_MANDA_BACKEND_V4) ACCEPT; }',
-                               notarule    => true,
-                       }
+       if $drbd {
+               package { 'drbd8-utils':
+                       ensure => installed
                }
        }
 

diff --git a/modules/ganeti2/manifests/params.pp b/modules/ganeti2/manifests/params.pp
new file mode 100644 (file)
index 0000000..8c64e56
--- /dev/null
+++ b/modules/ganeti2/manifests/params.pp
@@ -0,0 +1,20 @@
+class ganeti2::params {
+
+       case $::cluster {
+               'ganeti2.debian.org': {
+                       $ganeti_hosts = ['206.12.19.213/32', '206.12.19.217/32', '206.12.19.212/32', '206.12.19.216/32']
+                       $ganeti_priv  = ['192.168.2.213/32', '192.168.2.217/32', '192.168.2.212/32', '192.168.2.216/32']
+                       $drbd         = true
+               }
+               'ganeti3.debian.org': {
+                       $ganeti_hosts = ['82.195.75.103/32', '82.195.75.109/32']
+                       $ganeti_priv  = ['192.168.75.103/32', '192.168.75.109/32']
+                       $drbd         = true
+               }
+               default: {
+                       $ganeti_hosts = []
+                       $ganeti_priv  = []
+                       $drbd         = false
+               }
+       }
+}

diff --git a/modules/ganeti2/templates/defs.conf.erb b/modules/ganeti2/templates/defs.conf.erb
new file mode 100644 (file)
index 0000000..fe24222
--- /dev/null
+++ b/modules/ganeti2/templates/defs.conf.erb
@@ -0,0 +1,2 @@
+@def $HOST_GANETI_MANDA_V4         = (<%= scope.lookupvar('ganeti_hosts').to_a.flatten.join(' ') -%>)
+@def $HOST_GANETI_MANDA_BACKEND_V4 = (<%= scope.lookupvar('ganeti_priv').to_a.flatten.join(' ')-%>)