
role::puppetmaster::standalone has no firewall rule for port 8140
Closed, Resolved (Public)

Description

When applied together with a role that enables base::firewall, role::puppetmaster::standalone's puppetmaster is unreachable because it has no firewall rule to access it (port 8140).

There are two obstacles that make, for example, a simple ferm::service { 'puppetmaster-frontend': proto => 'tcp', port => 8140, srange => '$DOMAIN_NETWORKS', } not enough:

  1. role::labs::puppetmaster includes role::puppetmaster::standalone with the (Apache) restriction $allow_from => flatten([$labs_instance_range, '208.80.154.14', '208.80.155.119', '208.80.153.74', $horizon_host_ip, $labs_metal]) (and in general $allow_from can contain wildcard domain names as well), so restricting srange too narrowly is not an option and automatically converting $allow_from is not possible.
  2. role::labs::puppetmaster has its own ferm rules (saddr (${labs_vms} ${labs_metal} ${monitoring} ${horizon_host_ip}) proto tcp dport 8140 ACCEPT; and saddr (${labs_vms} ${labs_metal} ${monitoring} ${horizon_host_ip}) proto tcp dport 8100 ACCEPT;), so "restricting" srange too broadly is not an option either.

Probably the manifests need to be reorganized so that the roles do not depend on each other, i.e., move the $use_enc bits to the class puppetmaster and then instantiate puppetmaster and not role::puppetmaster::standalone in role::puppetmaster::labs, or truly combine role::puppetmaster::standalone and role::puppetmaster::labs into one role.
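One way to keep the ferm source range and the Apache $allow_from list from fighting each other, as an added illustration of the decoupling proposed above and not code from operations/puppet: make the ferm range a parameter of role::puppetmaster::standalone, so a caller such as the labs role can pass the same saddr set it already uses for its own rules. The parameter name $firewall_srange, the caller's parameter list and the variable $labs_srange are assumptions.

```puppet
# Added example, not from operations/puppet. Exposes the ferm source range
# as a class parameter instead of hard-coding '$DOMAIN_NETWORKS'.
class role::puppetmaster::standalone(
    $allow_from,                               # existing Apache-level restriction; may contain wildcard domain names
    $firewall_srange = '$DOMAIN_NETWORKS',     # assumed parameter: ferm-level restriction, address ranges only
) {
    # ... existing puppetmaster / gitsync setup ...

    # Default opens tcp/8140 to the internal networks only; a caller that
    # needs a narrower or wider range passes its own srange.
    ferm::service { 'puppetmaster-frontend':
        proto  => 'tcp',
        port   => 8140,
        srange => $firewall_srange,
    }
}

# A caller such as the labs puppetmaster role hands over the saddr set it
# already feeds to its own dport 8140 / 8100 rules, so the two cannot drift.
class role::puppetmaster::labs(
    $labs_instance_range,
    $labs_vms,
    $labs_metal,
    $monitoring,
    $horizon_host_ip,
) {
    # assumed variable: same shape as the saddr list quoted in the task
    $labs_srange = "(${labs_vms} ${labs_metal} ${monitoring} ${horizon_host_ip})"

    class { 'role::puppetmaster::standalone':
        allow_from      => flatten([$labs_instance_range, $horizon_host_ip, $labs_metal]),
        firewall_srange => $labs_srange,
    }
}
```

Because the ferm range is supplied explicitly rather than derived from $allow_from, wildcard domain names in the Apache list no longer need to be translated into firewall rules.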

Event Timeline

I would need more investigation/information. These are my findings until now:

  • I can't find the role::labs::puppetmaster puppet role. Where does it live?
  • If I deploy a standalone puppet master in Cloud VPS and set a proxy, I see packets reaching the webserver on 8140 (no profile::base::firewall)

More testing. I see that a patch like this just works, but the reporter @scfc seems to suggest this doesn't work:

diff --git a/modules/role/manifests/puppetmaster/standalone.pp b/modules/role/manifests/puppetmaster/standalone.pp
index a59726673c..77fcdd97b2 100644
--- a/modules/role/manifests/puppetmaster/standalone.pp
+++ b/modules/role/manifests/puppetmaster/standalone.pp
@@ -72,4 +72,10 @@ class role::puppetmaster::standalone(
     class { 'puppetmaster::gitsync':
         run_every_minutes => $git_sync_minutes,
     }
+
+    ferm::service { 'puppetmaster-frontend':
+       proto => 'tcp',
+       port => 8140,
+       srange => '$DOMAIN_NETWORKS',
+    }
 }
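Review bot: srange is hard-coded to '$DOMAIN_NETWORKS' even though the class already carries a configurable Apache-level $allow_from; as the task description notes, role::labs::puppetmaster passes a labs-specific $allow_from and ships its own `saddr (...) proto tcp dport 8140 ACCEPT;` rule, so on that host the new rule is either redundant or wider than the Apache restriction. Consider taking the range from a class parameter that defaults to '$DOMAIN_NETWORKS', and record why that default is acceptable for the plain standalone case. Minor style: the three attribute lines use seven-space indentation and unaligned `=>` where the surrounding block (run_every_minutes) uses eight spaces.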

With this patch, in a role::puppetmaster::standalone machine, my testing was:

  • I added ::base::firewall. Rules are loaded; I see proper iptables rules and packets reach tcp/8140.
  • I then deleted ::base::firewall. My expectation was some error from puppet because of using ferm::service without loading ::base::firewall (hey, no ferm installed), but it seems to just work.

Change 394101 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/puppet@production] role::puppetmaster::standalone: add ferm rules to allow connecting to tcp/8140

https://gerrit.wikimedia.org/r/394101

Change 394101 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] role::puppetmaster::standalone: add ferm rules to allow connecting to tcp/8140

https://gerrit.wikimedia.org/r/394101