| author | James Shubin <james@shubin.ca> | 2013-09-16 01:28:06 -0400 |
|---|---|---|
| committer | James Shubin <james@shubin.ca> | 2013-09-16 01:28:06 -0400 |
| commit | 1d423ade0362a01acf2cbc35399808b4befe0864 (patch) | |
| tree | 35d5179b86f07511c2fbf0812a2d318f55d94171 | |
| parent | 9c30b8e200f05b7adc599d6d2862a4be71523c90 (diff) | |
Some initial firewalling cleanups.
Appropriate firewalling support is a hard thing in gluster if you take
into account all the bootstrapping problems of what needs to be open
before subsequent things can work. Hopefully this patch is a good first
step towards finally doing the right things.
| -rw-r--r-- | manifests/host.pp | 73 | ||||
| -rw-r--r-- | manifests/server.pp | 101 |
2 files changed, 109 insertions, 65 deletions
diff --git a/manifests/host.pp b/manifests/host.pp
index a9bc10a..cc34564 100644
--- a/manifests/host.pp
+++ b/manifests/host.pp
@@ -20,6 +20,7 @@
 # only the host holding the vip is allowed to execute cluster peer operations.
 define gluster::host(
+ $ip = $::ipaddress, # specify which ip address to use (if multiple)
 $uuid = '' # if empty, puppet will attempt to use the gluster fact
 ) {
 include gluster::vardir
@@ -134,6 +135,78 @@ define gluster::host(
 }
 }
 }
+
+ # firewalling...
+ $shorewall = $::gluster::server::shorewall
+ if ( "${fqdn}" == "${name}" ) and $shorewall {
+ $zone = $::gluster::server::zone # firewall zone
+ $ips = $::gluster::server::ips # override host ip list
+
+ #$other_host_ips = inline_template("<%= ips.delete_if {|x| x == '${ipaddress}' }.join(',') %>") # list of ips except myself
+ #$all_ips = inline_template("<%= (ips+[vip]+clients).uniq.delete_if {|x| x.empty? }.join(',') %>")
+ $source_ips = type($ips) ? {
+ 'array' => inline_template("<%= (ips+[]).uniq.delete_if {|x| x.empty? }.join(',') %>"),
+ default => ["${ip}"],
+ }
+
+ @@shorewall::rule { "glusterd-management-${name}":
+ action => 'ACCEPT',
+ source => "${zone}", # override this on collect...
+ source_ips => $source_ips,
+ dest => '$FW',
+ proto => 'tcp',
+ port => '24007',
+ comment => 'Allow incoming tcp:24007 from each glusterd.',
+ tag => 'gluster_firewall_management',
+ ensure => present,
+ }
+
+ # NOTE: used by rdma
+ @@shorewall::rule { "glusterd-rdma-${name}":
+ action => 'ACCEPT',
+ source => "${zone}", # override this on collect...
+ source_ips => $source_ips,
+ dest => '$FW',
+ proto => 'tcp',
+ port => '24008',
+ comment => 'Allow incoming tcp:24008 for rdma.',
+ tag => 'gluster_firewall_management',
+ ensure => present,
+ }
+
+ # TODO: is this only used for nfs?
+ @@shorewall::rule { "gluster-tcp111-${name}":
+ action => 'ACCEPT',
+ source => "${zone}", # override this on collect...
+ source_ips => $source_ips,
+ dest => '$FW',
+ proto => 'tcp',
+ port => '111',
+ comment => 'Allow tcp 111.',
+ tag => 'gluster_firewall_management',
+ ensure => present,
+ }
+
+ # TODO: is this only used for nfs?
+ @@shorewall::rule { "gluster-udp111-${name}":
+ action => 'ACCEPT',
+ source => "${zone}", # override this on collect...
+ source_ips => $source_ips,
+ dest => '$FW',
+ proto => 'udp',
+ port => '111',
+ comment => 'Allow udp 111.',
+ tag => 'gluster_firewall_management',
+ ensure => present,
+ }
+
+ # TODO: this collects our own entries too... we could exclude
+ # them but this isn't a huge issue at the moment...
+ Shorewall::Rule <<| tag == 'gluster_firewall_management' |>> {
+ source => "${zone}", # use our source zone
+ before => Service['glusterd'],
+ }
+ }
 }
 # vim: ts=8
diff --git a/manifests/server.pp b/manifests/server.pp
index e5a2bf0..f98078a 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -16,13 +16,12 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 class gluster::server(
- $ips = [], # this should be a list of ip's for each in hosts[]
 # TODO: i would have rather this happen with a local dns resolver, but I can't figure out how to make one!
 # NOTE: this can be overcome probably by using exported resources or dns names in shorewall (bad)
- $clients = [], # list of allowed client ip's
 #$vip = '', # vip of the cluster (optional but recommended)
 $nfs = false, # TODO
 $shorewall = false,
 $zone = 'net', # TODO: allow a list of zones
- $allow = 'all'
+ $ips = false, # an optional list of ip's for each in hosts[]
+ $clients = [] # list of allowed client ip's # TODO: get from exported resources
 ) {
 $FW = '$FW' # make using $FW in shorewall easier
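Review bot: The two arms of the `$source_ips` selector yield different types: the `'array'` arm returns the comma-joined string produced by `inline_template`, while the default arm returns the one-element array `["${ip}"]`, so the `source_ips` parameter of each exported `shorewall::rule` is a string on one path and an array on the other. Unless `shorewall::rule` normalises both forms (not visible here), the rule rendered from one of the paths will be malformed; `'array' => split(inline_template("<%= (ips+[]).uniq.delete_if {|x| x.empty? }.join(',') %>"), ',')` keeps both arms as arrays. Separately, the collector `Shorewall::Rule <<| tag == 'gluster_firewall_management' |>>` matches a fixed tag, so every `gluster::host` exporting through the same puppet master, including hosts of unrelated clusters, would be collected and its addresses admitted to 24007/24008/111 on this node; a tag that carries a per-cluster identifier would keep the opening scoped to this cluster. Note also that `$clients` from `gluster::server` is no longer folded into `$source_ips` (`(ips+[])`), so with shorewall enabled, clients lose access to 24007 unless that is intended as part of the WIP. The define's header is outside the hunk; only its closing braces are visible here.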
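Review bot: Removing the `$allow` parameter from `gluster::server` is a breaking change for any caller still passing `allow =>`, which now fails with an invalid-parameter error instead of being ignored; if that is intended it belongs in the description, otherwise a transitional `$allow = undef` that emits `warning('gluster::server: $allow is obsolete')` when set would give callers a release to migrate. `$clients` survives the reorder, but within this diff nothing consumes it any more (its only remaining uses are in the commented-out block of the second server.pp hunk), so setting it has no firewall effect. The default of `$ips` also changes from `[]` to `false`; the comment could state that `false` means "derive from each host's `$ip`", since that is what the `type($ips)` selector in host.pp relies on.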
@@ -78,77 +77,49 @@ class gluster::server(
 }
 if $shorewall {
- if $allow == 'all' {
- $net = 'net'
- } else {
- $net = "net:${allow}"
- }
- # TODO: could the facter values help here ?
- #$other_host_ips = inline_template("<%= ips.delete_if {|x| x == '${ipaddress}' }.join(',') %>") # list of ips except myself
- $source_ips = inline_template("<%= (ips+clients).uniq.delete_if {|x| x.empty? }.join(',') %>")
- #$all_ips = inline_template("<%= (ips+[vip]+clients).uniq.delete_if {|x| x.empty? }.join(',') %>")
- #$list_of_hosts_except_myself = split(inline_template("<%= host_list.delete_if {|x| x == '${fqdn}' }.join(' ') %>"), ' ')
-
- $src = "${source_ips}" ? {
- '' => "${zone}",
- default => "${zone}:${source_ips}",
- }
-
- ############################################################################
- # ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
- # PORT PORT(S) DEST
- shorewall::rule { 'glusterd-management':
- rule => "
- ACCEPT ${src} $FW tcp 24007
- ",
- comment => 'Allow incoming tcp:24007 from each other glusterd or client.',
- before => Service['glusterd'],
- }
-
- # NOTE: used by rdma
- shorewall::rule { 'glusterd-rdma':
- rule => "
- ACCEPT ${src} $FW tcp 24008
- ",
- comment => 'Allow incoming tcp:24008 for rdma.',
- before => Service['glusterd'],
- }
-
- # TODO: Use the correct port range
- shorewall::rule { 'glusterfsd-easyfw':
- rule => "
- ACCEPT ${src} $FW tcp 24009:25009 # XXX: Use the correct port range
- ",
- comment => 'Allow incoming tcp:24009-25009 from each other glusterfsd and clients.',
- before => Service['glusterd'],
- }
+ # XXX: WIP
+ #if type($ips) == 'array' {
+ # #$other_host_ips = inline_template("<%= ips.delete_if {|x| x == '${ipaddress}' }.join(',') %>") # list of ips except myself
+ # $source_ips = inline_template("<%= (ips+clients).uniq.delete_if {|x| x.empty? }.join(',') %>")
+ # #$all_ips = inline_template("<%= (ips+[vip]+clients).uniq.delete_if {|x| x.empty? }.join(',') %>")
+
+ # $src = "${source_ips}" ? {
+ # '' => "${zone}",
+ # default => "${zone}:${source_ips}",
+ # }
+
+ #} else {
+ # # automatically build our source ip list...
+ # if "${::gluster_firewall_ips}" == '' { # fact !
+ # $src = "${zone}"
+ # } else {
+ # $src = "${zone}:${::gluster_firewall_ips}"
+ # }
+ #}
- # TODO: is this only used for nfs?
- shorewall::rule { 'gluster-111':
- rule => "
- ACCEPT ${src} $FW tcp 111
- ACCEPT ${src} $FW udp 111
- ",
- comment => 'Allow tcp/udp 111.',
- before => Service['glusterd'],
- }
+ #shorewall::rule { 'glusterfsd-easyfw': # XXX: use the correct port range
+ # rule => "
+ # ACCEPT ${src} $FW tcp 24009:25009
+ # ",
+ # comment => 'Allow incoming tcp:24009-25009 from each other glusterfsd and clients.',
+ # before => Service['glusterd'],
+ #}
- # XXX: WIP
- #$endport = inline_template('<%= 24009+hosts.count %>') # XXX: is there one brick per server or two ? what does 'brick' mean in the context of open ports?
- #$nfs_endport = inline_template('<%= 38465+hosts.count %>') # XXX: is there one brick per server or two ? what does 'brick' mean in the context of open ports?
+ #$endport = inline_template('<%= 24009+hosts.count %>')
+ #$nfs_endport = inline_template('<%= 38465+hosts.count %>')
 #shorewall::rule { 'gluster-24000':
 # rule => "
- # ACCEPT ${zone} $FW tcp 24009:${endport}
+ # ACCEPT ${src} $FW tcp 24009:${endport}
 # ",
 # comment => 'Allow 24000s for gluster',
 # before => Service['glusterd'],
 #}
- if $nfs { # FIXME: TODO
- shorewall::rule { 'gluster-nfs': rule => "
- ACCEPT $(net} $FW tcp 38465:${nfs_endport}
- ", comment => 'Allow nfs for gluster'}
- }
+ #if $nfs { # FIXME: TODO
+ # shorewall::rule { 'gluster-nfs': rule => "
+ # ACCEPT $(src} $FW tcp 38465:${nfs_endport}
+ # ", comment => 'Allow nfs for gluster'}
+ #}
 }
 # start service only after the firewall is opened and hosts are defined |
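Review bot: Commenting out `glusterfsd-easyfw` removes the only rule that opened the brick port range (tcp 24009:25009) and nothing in this diff replaces it — the new per-host exported rules in host.pp cover only 24007, 24008 and 111 — so with `$shorewall => true` glusterd stays reachable while brick traffic is dropped. If that is deliberate WIP, a marker on the commented rule such as `# FIXME: brick port range not yet re-added as an exported rule; volumes are unreachable through the firewall until it is` would stop this state being mistaken for finished. The rewritten nfs stub still carries the mismatched brace `$(src}` (previously `$(net}`); since the line was touched anyway it should read `${src}` so the block does not fail to parse when it is uncommented. The `$::gluster_firewall_ips` fallback refers to a fact that does not appear anywhere in this diff, so a one-line comment saying where it is expected to be defined would help the next reader. The `if $shorewall` block is complete within the hunk, but the class body continues past it.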
