opendev/system-config
Code Issues Proposed changes

Switch zuulv3.o.o to use iptables_allowed_hosts

Browse Source 
Stop adding DNS entried to firewall rules, first resolve them to IP
addresses.

Change-Id: I4a3c49265f3a655af92fc39e4702eeab52a774c3
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
This commit is contained in:
Paul Belanger 2018-01-17 11:19:42 -05:00
parent 4d2e3ec86e
commit 859dd7754c
No known key found for this signature in database
GPG Key ID: 611A80832067AF38
1 changed files with 20 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
manifests/site.pp
View File

@ -1301,32 +1301,28 @@ node 'zuulv3.openstack.org' {
$git_name = 'OpenStack Zuul' $git_name = 'OpenStack Zuul'
$revision = 'feature/zuulv3' $revision = 'feature/zuulv3'
$gearman_workers = [
'ze01.openstack.org',
'ze02.openstack.org',
'ze03.openstack.org',
'ze04.openstack.org',
'ze05.openstack.org',
'ze06.openstack.org',
'ze07.openstack.org',
'ze08.openstack.org',
'ze09.openstack.org',
'ze10.openstack.org',
'zm01.openstack.org',
'zm02.openstack.org',
'zm03.openstack.org',
'zm04.openstack.org',
'zm05.openstack.org',
'zm06.openstack.org',
'zm07.openstack.org',
'zm08.openstack.org',
]
$iptables_rules = regsubst ($gearman_workers, '^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 4730 -s \1 -j ACCEPT')
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [79, 80, 443], iptables_public_tcp_ports => [79, 80, 443],
iptables_rules6 => $iptables_rules, iptables_allowed_hosts => [
iptables_rules4 => $iptables_rules, {protocol => 'tcp', port => '4730', hostname => 'ze01.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'ze02.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'ze03.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'ze04.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'ze05.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'ze06.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'ze07.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'ze08.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'ze09.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'ze10.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'zm01.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'zm02.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'zm03.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'zm04.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'zm05.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'zm06.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'zm07.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'zm08.openstack.org'},
],
sysadmins => hiera('sysadmins', []), sysadmins => hiera('sysadmins', []),
} }