Update logstash gearman client firewall rules

This converts the config for logstsah gearman client firewall rules to use the new puppet-iptables iptables_allowed_hosts feature. This works around an issue with netfilter-persistent starting before dns resolution is working on boot. Change-Id: I76c45d8edbfe9f5420884e0ef2fb62cff2cc2bc9
2017-12-14 13:54:39 -08:00 · 2017-12-14 13:54:39 -08:00 · 6f4637c1ef
commit 6f4637c1ef
parent 5f876310ce
2 changed files with 34 additions and 39 deletions
--- a/hiera/common.yaml
+++ b/hiera/common.yaml
@ -28,39 +28,39 @@ elasticsearch_clients:
 - logstash-worker18.openstack.org
 - logstash-worker19.openstack.org
 - logstash-worker20.openstack.org
-logstash_gearman_clients:
- logstash-worker01.openstack.org
- logstash-worker02.openstack.org
- logstash-worker03.openstack.org
- logstash-worker04.openstack.org
- logstash-worker05.openstack.org
- logstash-worker06.openstack.org
- logstash-worker07.openstack.org
- logstash-worker08.openstack.org
- logstash-worker09.openstack.org
- logstash-worker10.openstack.org
- logstash-worker11.openstack.org
- logstash-worker12.openstack.org
- logstash-worker13.openstack.org
- logstash-worker14.openstack.org
- logstash-worker15.openstack.org
- logstash-worker16.openstack.org
- logstash-worker17.openstack.org
- logstash-worker18.openstack.org
- logstash-worker19.openstack.org
- logstash-worker20.openstack.org
- subunit-worker01.openstack.org
- subunit-worker02.openstack.org
- ze01.openstack.org
- ze02.openstack.org
- ze03.openstack.org
- ze04.openstack.org
- ze05.openstack.org
- ze06.openstack.org
- ze07.openstack.org
- ze08.openstack.org
- ze09.openstack.org
- ze10.openstack.org
+logstash_iptables_rule_data:
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker01.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker02.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker03.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker04.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker05.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker06.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker07.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker08.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker09.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker10.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker11.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker12.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker13.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker14.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker15.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker16.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker17.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker18.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker19.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker20.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'subunit-worker01.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'subunit-worker02.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'ze01.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'ze02.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'ze03.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'ze04.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'ze05.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'ze06.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'ze07.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'ze08.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'ze09.openstack.org'}
+- {protocol: 'tcp', port: '4730', hostname: 'ze10.openstack.org'}
 infra_apache_serveradmin: noc@openstack.org
 statusbot_channels:
 - ara
--- a/manifests/site.pp
+++ b/manifests/site.pp
@ -7,7 +7,6 @@
 #
 $elasticsearch_nodes = hiera_array('elasticsearch_nodes')
 $elasticsearch_clients = hiera_array('elasticsearch_clients')
-$logstash_gearman_clients = hiera_array('logstash_gearman_clients')

 #
 # Default: should at least behave like an openstack server
@ -463,13 +462,9 @@ node /^wiki-dev\d+\.openstack\.org$/ {
 # Node-OS: trusty
 # Node-OS: xenial
 node /^logstash\d*\.openstack\.org$/ {
-  $logstash_iptables_rule = regsubst($logstash_gearman_clients,
-  '^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 4730 -s \1 -j ACCEPT')
-
  class { 'openstack_project::server':
    iptables_public_tcp_ports => [22, 80, 3306],
-    iptables_rules6           => $logstash_iptables_rule,
-    iptables_rules4           => $logstash_iptables_rule,
+    iptables_allowed_hosts    => hiera_array('logstash_iptables_rule_data'),
    sysadmins                 => hiera('sysadmins', []),
  }