From e81d2dd357118ed7157fa2fa5107b57f28c3cdf0 Mon Sep 17 00:00:00 2001
From: Stephen Gran
Date: Tue, 11 Sep 2012 19:37:28 +0100
Subject: [PATCH] add params for ganeti

Signed-off-by: Stephen Gran
---
 modules/ferm/manifests/conf.pp | 23 +++++++
 modules/ferm/manifests/init.pp | 1 +
 modules/ferm/templates/defs.conf.erb | 7 --
 modules/ganeti2/manifests/firewall.pp | 47 +++++++++++++
 modules/ganeti2/manifests/init.pp | 90 +++---------------------
 modules/ganeti2/manifests/params.pp | 20 ++++++
 modules/ganeti2/templates/defs.conf.erb | 2 +
 7 files changed, 101 insertions(+), 89 deletions(-)
 create mode 100644 modules/ferm/manifests/conf.pp
 create mode 100644 modules/ganeti2/manifests/firewall.pp
 create mode 100644 modules/ganeti2/manifests/params.pp
 create mode 100644 modules/ganeti2/templates/defs.conf.erb

diff --git a/modules/ferm/manifests/conf.pp b/modules/ferm/manifests/conf.pp
new file mode 100644
index 000000000..dd3bb0c8f
--- /dev/null
+++ b/modules/ferm/manifests/conf.pp
@@ -0,0 +1,23 @@
+define ferm::conf ($content, $source) {
+
+ case $ensure {
+ present,absent: {}
+ default: { fail ( "Invald ensure `${ensure}' for ${name}" ) }
+ }
+
+ if ($source and $content) {
+ fail ( "Can't define both source and content for ${name}" )
+ }
+
+ if $source {
+ file { "/etc/ferm/conf.d/${name}":
+ ensure => $ensure,
+ source => $source
+ }
+ } elsif $content {
+ file { "/etc/ferm/conf.d/${name}":
+ ensure => $ensure,
+ content => $content,
+ }
+ }
+}
diff --git a/modules/ferm/manifests/init.pp b/modules/ferm/manifests/init.pp
index 904d83a9a..6d2d0c62d 100644
--- a/modules/ferm/manifests/init.pp
+++ b/modules/ferm/manifests/init.pp
@@ -9,6 +9,7 @@ class ferm {
 # realize (i.e. enable) all @ferm::rule virtual resources Ferm::Rule <| |>
+ Ferm::Conf <| |>
 File { mode => '0400' }
diff --git a/modules/ferm/templates/defs.conf.erb b/modules/ferm/templates/defs.conf.erb
index 15c50157a..e19c00e60 100644
--- a/modules/ferm/templates/defs.conf.erb
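Review bot: `define ferm::conf ($content, $source)` reads `$ensure` in its `case` but never declares it, and `$content`/`$source` carry no defaults even though the body treats them as mutually exclusive — the `@ferm::conf { 'ganeti2': content => ... }` declaration in firewall.pp passes no `source`, which Puppet rejects as a missing parameter at catalog compile. Declare all three with defaults, `define ferm::conf ($content = undef, $source = undef, $ensure = 'present') {`, so the `case` has a value to check and either input alone is accepted. The `fail` message also misspells `Invald`. Neither `file` resource sets `mode` or `owner`; it is doubtful that the `File { mode => '0400' }` default in class ferm reaches a resource realized from another class's scope, so an explicit `mode => '0400'` on both `file` resources would make the permissions of the generated firewall fragments deterministic rather than inherited.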
+++ b/modules/ferm/templates/defs.conf.erb
@@ -165,13 +165,6 @@ dbs.join(' ') %>);
-# FIXME XXX we should get these from other information, and reconsider the places where we use them in destination matching rules
-@def $HOST_GANETI_V4 = (206.12.19.213/32 206.12.19.217/32 206.12.19.212/32 206.12.19.216/32);
-@def $HOST_GANETI_BACKEND_V4 = (192.168.2.213/32 192.168.2.217/32 192.168.2.212/32 192.168.2.216/32);
-@def $HOST_GANETI_MANDA_V4 = (82.195.75.103/32 82.195.75.109/32);
-@def $HOST_GANETI_MANDA_BACKEND_V4 = (192.168.75.103/32 192.168.75.109/32);
-
-
 @def $HOST_DEBIAN = ($HOST_DEBIAN_V4 $HOST_DEBIAN_V6);
 @def $sgran = (91.103.132.24/29 85.158.45.51/32);
diff --git a/modules/ganeti2/manifests/firewall.pp b/modules/ganeti2/manifests/firewall.pp
new file mode 100644
index 000000000..484ac80ec
--- /dev/null
+++ b/modules/ganeti2/manifests/firewall.pp
@@ -0,0 +1,47 @@
+class ganeti2::firewall {
+
+ include ganeti2::params
+
+ $ganeti_hosts = $ganeti2::params::ganeti_hosts
+ $ganeti_priv = $ganeti2::params::ganeti_priv
+
+ @ferm::conf { 'ganeti2':
+ content => template('ganeti2/defs.conf.erb')
+ }
+
+ @ferm::rule { 'dsa-ganeti-noded-v4':
+ description => 'allow ganeti-noded communication',
+ rule => 'proto tcp mod state state (NEW) dport (1811) @subchain \'ganeti-noded\' { saddr ($HOST_GANETI_V4) daddr ($HOST_GANETI_V4) ACCEPT; }',
+ notarule => true,
+ }
+
+ @ferm::rule { 'dsa-ganeti-confd-v4':
+ description => 'allow ganeti-confd communication',
+ rule => 'proto udp mod state state (NEW) dport (1814) @subchain \'ganeti-confd\' { saddr ($HOST_GANETI_V4) daddr ($HOST_GANETI_V4) ACCEPT; }',
+ notarule => true,
+ }
+
+ @ferm::rule { 'dsa-ganeti-rapi-v4':
+ description => 'allow ganeti-rapi communication',
+ rule => 'proto tcp mod state state (NEW) dport (5080) @subchain \'ganeti-rapi\' { saddr ($HOST_GANETI_V4) daddr ($HOST_GANETI_V4) ACCEPT; }',
+ notarule => true,
+ }
+
+ @ferm::rule { 'dsa-ganeti-drbd-v4':
+ description => 'allow ganeti drbd communication',
+ rule => 'proto tcp mod state state (NEW) dport (11000:11999) @subchain \'ganeti-drbd\' { saddr ($HOST_GANETI_BACKEND_V4) daddr ($HOST_GANETI_BACKEND_V4) ACCEPT; }',
+ notarule => true,
+ }
+
+ @ferm::rule { 'dsa-ganeti-kvm-migration-v4':
+ description => 'allow ganeti kvm migration ',
+ rule => 'proto tcp dport 8102 @subchain \'ganeti-kvm-migration\' { saddr ($HOST_GANETI_BACKEND_V4) daddr ($HOST_GANETI_BACKEND_V4) ACCEPT; }',
+ notarule => true,
+ }
+
+ @ferm::rule { 'dsa-ganeti-ssh-v4':
+ description => 'allow ganeti to ssh around',
+ rule => 'proto tcp dport ssh @subchain \'ganeti-ssh\' { saddr ( $HOST_GANETI_V4 $HOST_GANETI_BACKEND_V4) ACCEPT; }',
+ notarule => true,
+ }
+}
diff --git a/modules/ganeti2/manifests/init.pp b/modules/ganeti2/manifests/init.pp
index 3b5c83574..bacb78cf9 100644
--- a/modules/ganeti2/manifests/init.pp
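Review bot: Every rule in this class matches on `$HOST_GANETI_V4` and `$HOST_GANETI_BACKEND_V4`, but the same patch deletes those `@def`s from ferm's defs.conf.erb and the new ganeti2/defs.conf.erb template (last hunk) defines `$HOST_GANETI_MANDA_V4`/`$HOST_GANETI_MANDA_BACKEND_V4` instead, so on both clusters the rules reference names that no longer exist anywhere and ferm should reject the generated configuration, leaving these rules unloaded. The fix belongs in the template: `@def $HOST_GANETI_V4 = (<%= scope.lookupvar('ganeti_hosts').to_a.flatten.join(' ') %>);` and `@def $HOST_GANETI_BACKEND_V4 = (<%= scope.lookupvar('ganeti_priv').to_a.flatten.join(' ') %>);`, which also restores the terminating `;` that the removed definitions carried and the two new template lines lack. If rules outside this module still use the old names (the removed FIXME hints at destination-matching rules elsewhere), they are covered by the same rename.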
+++ b/modules/ganeti2/manifests/init.pp
@@ -1,5 +1,10 @@ class ganeti2 {
+ include ganeti2::params
+ include ganeti2::firewall
+
+ $drbd = $ganeti2::params::drbd
+
 package { 'ganeti2': ensure => installed }
@@ -12,88 +17,9 @@ class ganeti2 {
 ensure => installed
 }
- case $::cluster {
- 'ganeti2.debian.org': {
- package { 'drbd8-utils':
- ensure => installed
- }
-
- @ferm::rule { 'dsa-ganeti-noded-v4':
- description => 'allow ganeti-noded communication',
- rule => 'proto tcp mod state state (NEW) dport (1811) @subchain \'ganeti-noded\' { saddr ($HOST_GANETI_V4) daddr ($HOST_GANETI_V4) ACCEPT; }',
- notarule => true,
- }
-
- @ferm::rule { 'dsa-ganeti-confd-v4':
- description => 'allow ganeti-confd communication',
- rule => 'proto udp mod state state (NEW) dport (1814) @subchain \'ganeti-confd\' { saddr ($HOST_GANETI_V4) daddr ($HOST_GANETI_V4) ACCEPT; }',
- notarule => true,
- }
-
- @ferm::rule { 'dsa-ganeti-rapi-v4':
- description => 'allow ganeti-rapi communication',
- rule => 'proto tcp mod state state (NEW) dport (5080) @subchain \'ganeti-rapi\' { saddr ($HOST_GANETI_V4) daddr ($HOST_GANETI_V4) ACCEPT; }',
- notarule => true,
- }
-
- @ferm::rule { 'dsa-ganeti-drbd-v4':
- description => 'allow ganeti drbd communication',
- rule => 'proto tcp mod state state (NEW) dport (11000:11999) @subchain \'ganeti-drbd\' { saddr ($HOST_GANETI_BACKEND_V4) daddr ($HOST_GANETI_BACKEND_V4) ACCEPT; }',
- notarule => true,
- }
-
- @ferm::rule { 'dsa-ganeti-kvm-migration-v4':
- description => 'allow ganeti kvm migration ',
- rule => 'proto tcp dport 8102 @subchain \'ganeti-kvm-migration\' { saddr ($HOST_GANETI_BACKEND_V4) daddr ($HOST_GANETI_BACKEND_V4) ACCEPT; }',
- notarule => true,
- }
-
- @ferm::rule { 'dsa-ganeti-ssh-v4':
- description => 'allow ganeti to ssh around',
- rule => 'proto tcp dport ssh @subchain \'ganeti-ssh\' { saddr ( $HOST_GANETI_V4 $HOST_GANETI_BACKEND_V4) ACCEPT; }',
- notarule => true,
- }
- }
- 'ganeti3.debian.org': {
- package { 'drbd8-utils':
- ensure => installed
- }
-
- @ferm::rule { 'dsa-ganeti-noded-v4':
- description => 'allow ganeti-noded communication',
- rule => 'proto tcp mod state state (NEW) dport (1811) @subchain \'ganeti-noded\' { saddr ($HOST_GANETI_MANDA_V4) daddr ($HOST_GANETI_MANDA_V4) ACCEPT; }',
- notarule => true,
- }
-
- @ferm::rule { 'dsa-ganeti-confd-v4':
- description => 'allow ganeti-confd communication',
- rule => 'proto udp mod state state (NEW) dport (1814) @subchain \'ganeti-confd\' { saddr ($HOST_GANETI_MANDA_V4) daddr ($HOST_GANETI_MANDA_V4) ACCEPT; }',
- notarule => true,
- }
-
- @ferm::rule { 'dsa-ganeti-rapi-v4':
- description => 'allow ganeti-rapi communication',
- rule => 'proto tcp mod state state (NEW) dport (5080) @subchain \'ganeti-rapi\' { saddr ($HOST_GANETI_MANDA_V4) daddr ($HOST_GANETI_MANDA_V4) ACCEPT; }',
- notarule => true,
- }
-
- @ferm::rule { 'dsa-ganeti-drbd-v4':
- description => 'allow ganeti drbd communication',
- rule => 'proto tcp mod state state (NEW) dport (11000:11999) @subchain \'ganeti-drbd\' { saddr ($HOST_GANETI_MANDA_BACKEND_V4) daddr ($HOST_GANETI_MANDA_BACKEND_V4) ACCEPT; }',
- notarule => true,
- }
-
- @ferm::rule { 'dsa-ganeti-kvm-migration-v4':
- description => 'allow ganeti kvm migration ',
- rule => 'proto tcp dport 8102 @subchain \'ganeti-kvm-migration\' { saddr ($HOST_GANETI_MANDA_BACKEND_V4) daddr ($HOST_GANETI_MANDA_BACKEND_V4) ACCEPT; }',
- notarule => true,
- }
-
- @ferm::rule { 'dsa-ganeti-ssh-v4':
- description => 'allow ganeti to ssh around',
- rule => 'proto tcp dport ssh @subchain \'ganeti-ssh\' { saddr ( $HOST_GANETI_MANDA_V4 $HOST_GANETI_MANDA_BACKEND_V4) ACCEPT; }',
- notarule => true,
- }
+ if $drbd {
+ package { 'drbd8-utils':
+ ensure => installed
 }
 }
diff --git a/modules/ganeti2/manifests/params.pp b/modules/ganeti2/manifests/params.pp
new file mode 100644
index 000000000..8c64e5698
--- /dev/null
+++ b/modules/ganeti2/manifests/params.pp
@@ -0,0 +1,20 @@
+class ganeti2::params {
+
+ case $::cluster {
+ 'ganeti2.debian.org': {
+ $ganeti_hosts = ['206.12.19.213/32', '206.12.19.217/32', '206.12.19.212/32', '206.12.19.216/32']
+ $ganeti_priv = ['192.168.2.213/32', '192.168.2.217/32', '192.168.2.212/32', '192.168.2.216/32']
+ $drbd = true
+ }
+ 'ganeti3.debian.org': {
+ $ganeti_hosts = ['82.195.75.103/32', '82.195.75.109/32']
+ $ganeti_priv = ['192.168.75.103/32', '192.168.75.109/32']
+ $drbd = true
+ }
+ default: {
+ $ganeti_hosts = []
+ $ganeti_priv = []
+ $drbd = false
+ }
+ }
+}
diff --git a/modules/ganeti2/templates/defs.conf.erb b/modules/ganeti2/templates/defs.conf.erb
new file mode 100644
index 000000000..fe24222c0
--- /dev/null
+++ b/modules/ganeti2/templates/defs.conf.erb
@@ -0,0 +1,2 @@
+@def $HOST_GANETI_MANDA_V4 = (<%= scope.lookupvar('ganeti_hosts').to_a.flatten.join(' ') -%>)
+@def $HOST_GANETI_MANDA_BACKEND_V4 = (<%= scope.lookupvar('ganeti_priv').to_a.flatten.join(' ')-%>)
-- 
2.20.1
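Review bot: The `default` branch sets `$ganeti_hosts` and `$ganeti_priv` to empty lists while `class ganeti2` (first init.pp hunk) now includes `ganeti2::firewall` unconditionally, so a ganeti2 node whose `$::cluster` fact matches neither name gets all six rules rendered with empty `saddr`/`daddr` lists, where before this patch such a node received no rules at all. ferm's list expansion presumably emits no rule for an empty list, but that is now a property the firewall silently depends on; either confirm it, or make the unknown case loud with `default: { fail("Unknown ganeti cluster ${::cluster}") }` if this class is only ever included on cluster members. A comment above the `case` would also help, e.g. `# Per-cluster node lists consumed by ganeti2::firewall; selected by the node-supplied $::cluster fact, so a forged value only affects that node's own inbound rules.`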