From 0ef1653e16e2302442e4eae47cd22a2f9954facb Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sun, 15 Sep 2019 15:11:28 +0200
Subject: [PATCH] One of the last changes broke dbmaster role based ferm rules

In particular, we allowed HOST_DB ssh to all our hosts. That does not make semantic sense, since the db host does not need to ssh to all the other hosts (the reverse is true). However, since draghi makes for a useful fallback jumphost, we now explictly allow it. We need to figure something out for the other role based ferm rules.
---
 modules/ferm/templates/defs.conf.erb | 6 +-----
 modules/ferm/templates/me.conf.erb | 5 +++--
 2 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/modules/ferm/templates/defs.conf.erb b/modules/ferm/templates/defs.conf.erb
index e9daf7f0b..8c19cefa7 100644
--- a/modules/ferm/templates/defs.conf.erb
+++ b/modules/ferm/templates/defs.conf.erb
@@ -24,7 +24,7 @@
 allnodeinfo = scope.lookupvar('deprecated::allnodeinfo')
 roles = scope.lookupvar('deprecated::roles')
- %w{mailrelay nagiosmaster extranrpeclient muninmaster dbmaster dns_geo postgres_backup_server syncproxy security_master ftp_master historical_master ports_master mirrormaster dns_primary}.each do |role|
+ %w{mailrelay nagiosmaster extranrpeclient muninmaster dns_geo postgres_backup_server syncproxy security_master ftp_master historical_master ports_master mirrormaster dns_primary}.each do |role|
 rolehost[role] = []
 roles[role].each do |node|
 next unless allnodeinfo.has_key?(node) and allnodeinfo[node].has_key?('ipHostNumber')
@@ -53,10 +53,6 @@
 @def $HOST_MUNIN_V6 = (<%= scope.function_filter_ipv6([rolehost['muninmaster']]).uniq.join(' ') %>);
 @def $HOST_MUNIN = ( $HOST_MUNIN_V4 $HOST_MUNIN_V6 );
-@def $HOST_DB_V4 = (<%= scope.function_filter_ipv4([rolehost['dbmaster']]).uniq.join(' ') %>);
-@def $HOST_DB_V6 = (<%= scope.function_filter_ipv6([rolehost['dbmaster']]).uniq.join(' ') %>);
-@def $HOST_DB = ( $HOST_DB_V4 $HOST_DB_V6 );
-
 @def $HOST_PGBACKUPHOST_V4 = (<%= scope.function_filter_ipv4([rolehost['postgres_backup_server']]).uniq.join(' ') %>);
 @def $HOST_PGBACKUPHOST_V6 = (<%= scope.function_filter_ipv6([rolehost['postgres_backup_server']]).uniq.join(' ') %>);
 @def $HOST_PGBACKUPHOST = ( $HOST_PGBACKUPHOST_V4 $HOST_PGBACKUPHOST_V6 );
diff --git a/modules/ferm/templates/me.conf.erb b/modules/ferm/templates/me.conf.erb
index 615f63398..072c2c08a 100644
--- a/modules/ferm/templates/me.conf.erb
+++ b/modules/ferm/templates/me.conf.erb
@@ -25,8 +25,9 @@
 should_restrict = restrict_ssh.include?(@hostname)
 if should_restrict then
- ssh4allowed << %w{$DSA_IPS $HOST_NAGIOS_V4 $HOST_MUNIN_V4 $HOST_DB_V4}
- ssh6allowed << %w{$DSA_V6_IPS $HOST_NAGIOS_V6 $HOST_MUNIN_V6 $HOST_DB_V6}
+ # draghi makes for a nice jumphost
+ ssh4allowed << %w{$DSA_IPS $HOST_NAGIOS_V4 $HOST_MUNIN_V4 82.195.75.106}
+ ssh6allowed << %w{$DSA_V6_IPS $HOST_NAGIOS_V6 $HOST_MUNIN_V6 2001:41b8:202:deb:1a1a:0:52c3:4b6a}
 if %w{draghi}.include?(@hostname) then
 ssh4allowed << '$HOST_DEBIAN_V4'
--
2.20.1
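Review bot: The added `ssh4allowed`/`ssh6allowed` lines in me.conf.erb carry draghi's addresses `82.195.75.106` and `2001:41b8:202:deb:1a1a:0:52c3:4b6a` as bare literals, whereas every other member of those lists (`$DSA_IPS`, `$HOST_NAGIOS_V4`, `$HOST_MUNIN_V4`, …) is a ferm `@def` generated from node data in defs.conf.erb. Should draghi be renumbered or decommissioned, nothing here will follow: the allow-list keeps admitting whatever next holds those addresses to ssh on every restricted host, and the file records nothing about which host they belong to. The derivation already used for the other hosts applies here too — a `$HOST_DRAGHI_V4`/`$HOST_DRAGHI_V6` `@def` built from draghi's `ipHostNumber` entry in `allnodeinfo` via `scope.function_filter_ipv4`/`scope.function_filter_ipv6` (the exact `allnodeinfo` key for draghi is not visible in this patch) would keep a single source of truth. Failing that, the new comment should at least name the host and the maintenance obligation, e.g. `# draghi (fallback jumphost): addresses hard-coded, keep in sync with its ipHostNumber entry`. The enclosing `if should_restrict then` block continues past the end of the hunk.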