Freeze break request: add rsync for httpd logs

Stephen John Smoogen smooge at gmail.com
Tue May 14 19:21:50 UTC 2013


Reviewed. +1.


On 14 May 2013 10:45, Kevin Fenzi <kevin at scrye.com> wrote:

> So, first freeze break request. ;)
>
> I added a number of applications to have log02 pull httpd logs from,
> but some of them do not have rsync installed, so pulling logs from them
> is failing. I'd like to have them include rsync::server (which by
> default only exposes logs to log02 for rsync) and allow that in
> firewalls.
>
> It's not urgent, but it would be nice to start collecting these sooner
> rather than later.
>
> kevin
> --
> diff --git a/manifests/nodes/ask01.phx2.fedoraproject.org.pp
> b/manifests/nodes/ask01.phx2.fedoraproject.org.pp
> index 8a24a68..b85905c 100644
> --- a/manifests/nodes/ask01.phx2.fedoraproject.org.pp
> +++ b/manifests/nodes/ask01.phx2.fedoraproject.org.pp
> @@ -17,7 +17,9 @@ node "ask01.phx2.fedoraproject.org" {
>    }
>
>    iptables::firewall { 'ipv4':
> -    tcpPorts => [ 80 ]
> +    tcpPorts => [ 80 ],
> +    custom => [ "-A INPUT -p tcp -m tcp -s 10.5.126.29 --dport 873 -j
> ACCEPT",
> +    ]
>    }
>
>    collectd::collectd { 'log02': }
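Review bot: The source address `10.5.126.29` is written literally into the added `custom` rule here, and the same line is repeated in every other `manifests/nodes/*.pp` hunk of this patch. If log02 is renumbered, each of those files keeps TCP 873 open to whichever host takes over the address until all of them are edited. Define the address once and interpolate it, for example `custom => [ "-A INPUT -p tcp -m tcp -s ${log02_ip} --dport 873 -j ACCEPT" ]`, where `$log02_ip` is a placeholder name, or let the class that enables rsync own the rule. Only the `'ipv4'` firewall resource is visible, so it is worth confirming that 873 stays closed over IPv6 on these hosts. The node block starts and ends outside the hunk.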
> diff --git a/manifests/nodes/ask01.stg.phx2.fedoraproject.org.pp
> b/manifests/nodes/ask01.stg.phx2.fedoraproject.org.pp
> index e1abad9..661f5ac 100644
> --- a/manifests/nodes/ask01.stg.phx2.fedoraproject.org.pp
> +++ b/manifests/nodes/ask01.stg.phx2.fedoraproject.org.pp
> @@ -16,7 +16,9 @@ node "ask01.stg.phx2.fedoraproject.org" {
>    }
>
>    iptables::firewall { 'ipv4':
> -    tcpPorts => [ 80, 443, 8888 ]
> +    tcpPorts => [ 80, 443, 8888 ],
> +    custom => [ "-A INPUT -p tcp -m tcp -s 10.5.126.29 --dport 873 -j
> ACCEPT",
> +    ]
>    }
>  }
>
> diff --git a/manifests/nodes/ask02.phx2.fedoraproject.org.pp
> b/manifests/nodes/ask02.phx2.fedoraproject.org.pp
> index bf7b259..6df2054 100644
> --- a/manifests/nodes/ask02.phx2.fedoraproject.org.pp
> +++ b/manifests/nodes/ask02.phx2.fedoraproject.org.pp
> @@ -17,7 +17,9 @@ node "ask02.phx2.fedoraproject.org" {
>    }
>
>    iptables::firewall { 'ipv4':
> -    tcpPorts => [ 80 ]
> +    tcpPorts => [ 80 ],
> +    custom => [ "-A INPUT -p tcp -m tcp -s 10.5.126.29 --dport 873 -j
> ACCEPT",
> +    ]
>    }
>
>    collectd::collectd { 'log02': }
> diff --git a/manifests/nodes/blockerbugs01.phx2.fedoraproject.org.pp
> b/manifests/nodes/blockerbugs01.phx2.fedoraproject.org.pp
> index 6647b05..61cf44e 100644
> --- a/manifests/nodes/blockerbugs01.phx2.fedoraproject.org.pp
> +++ b/manifests/nodes/blockerbugs01.phx2.fedoraproject.org.pp
> @@ -12,7 +12,9 @@ node "blockerbugs01.phx2.fedoraproject.org" {
>    include blockerbugs::nobalance
>
>    iptables::firewall { 'ipv4':
> -    tcpPorts => [ 80, 443, 8888 ]
> +    tcpPorts => [ 80, 443, 8888 ],
> +    custom => [ "-A INPUT -p tcp -m tcp -s 10.5.126.29 --dport 873 -j
> ACCEPT",
> +    ]
>    }
>    # This points to db01
>    host { 'db-blockerbugs':
> diff --git a/manifests/nodes/blockerbugs01.stg.phx2.fedoraproject.org.pp
> b/manifests/nodes/blockerbugs01.stg.phx2.fedoraproject.org.pp
> index a034e3d..aa7eb45 100644
> --- a/manifests/nodes/blockerbugs01.stg.phx2.fedoraproject.org.pp
> +++ b/manifests/nodes/blockerbugs01.stg.phx2.fedoraproject.org.pp
> @@ -9,6 +9,8 @@ node "blockerbugs01.stg.phx2.fedoraproject.org" {
>    include blockerbugs::nobalance
>
>    iptables::firewall { 'ipv4':
> -    tcpPorts => [ 80, 443, 8888 ]
> +    tcpPorts => [ 80, 443, 8888 ],
> +    custom => [ "-A INPUT -p tcp -m tcp -s 10.5.126.29 --dport 873 -j
> ACCEPT",
> +    ]
>    }
>  }
> diff --git a/manifests/nodes/blockerbugs02.phx2.fedoraproject.org.pp
> b/manifests/nodes/blockerbugs02.phx2.fedoraproject.org.pp
> index 61267e7..e558851 100644
> --- a/manifests/nodes/blockerbugs02.phx2.fedoraproject.org.pp
> +++ b/manifests/nodes/blockerbugs02.phx2.fedoraproject.org.pp
> @@ -12,7 +12,9 @@ node "blockerbugs02.phx2.fedoraproject.org" {
>  #  include blockerbugs::nobalance
>
>    iptables::firewall { 'ipv4':
> -    tcpPorts => [ 80, 443, 8888 ]
> +    tcpPorts => [ 80, 443, 8888 ],
> +    custom => [ "-A INPUT -p tcp -m tcp -s 10.5.126.29 --dport 873 -j
> ACCEPT",
> +    ]
>    }
>    # This points to db01
>    host { 'db-blockerbugs':
> diff --git a/manifests/nodes/datagrepper01.phx2.fedoraproject.org.pp
> b/manifests/nodes/datagrepper01.phx2.fedoraproject.org.pp
> index 8198138..a2616d0 100644
> --- a/manifests/nodes/datagrepper01.phx2.fedoraproject.org.pp
> +++ b/manifests/nodes/datagrepper01.phx2.fedoraproject.org.pp
> @@ -11,7 +11,9 @@ node "datagrepper01.phx2.fedoraproject.org" {
>      include openvpn::client
>
>      iptables::firewall { 'ipv4':
> -        tcpPorts => [ 80, 443 ]
> +    tcpPorts => [ 80, 443 ],
> +    custom => [ "-A INPUT -p tcp -m tcp -s 10.5.126.29 --dport 873 -j
> ACCEPT",
> +    ]
>      }
>
>      host { 'db-for-datagrepper':
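Review bot: The added `tcpPorts` and `custom` lines are indented four spaces, the same column as the `iptables::firewall` title, while the line they replace sat at eight and the datagrepper02 hunk keeps eight. Re-indent them as `        tcpPorts => [ 80, 443 ],` with `custom` at the same depth. The closing `]` is also left at four spaces here and in most of the other node hunks; aligning it with `custom` makes the array boundary easier to see when more rules are added.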
> diff --git a/manifests/nodes/datagrepper01.stg.phx2.fedoraproject.org.pp
> b/manifests/nodes/datagrepper01.stg.phx2.fedoraproject.org.pp
> index c81a938..78e8f8d 100644
> --- a/manifests/nodes/datagrepper01.stg.phx2.fedoraproject.org.pp
> +++ b/manifests/nodes/datagrepper01.stg.phx2.fedoraproject.org.pp
> @@ -12,7 +12,9 @@ node "datagrepper01.stg.phx2.fedoraproject.org" {
>      include datagrepper::app
>
>      iptables::firewall { 'ipv4':
> -        tcpPorts => [ 80, 443 ]
> +        tcpPorts => [ 80, 443 ],
> +        custom => [ "-A INPUT -p tcp -m tcp -s 10.5.126.29 --dport 873 -j
> ACCEPT",
> +    ]
>      }
>
>      host { 'db-for-datagrepper':
> diff --git a/manifests/nodes/datagrepper02.phx2.fedoraproject.org.pp
> b/manifests/nodes/datagrepper02.phx2.fedoraproject.org.pp
> index 4a7c423..84b45ec 100644
> --- a/manifests/nodes/datagrepper02.phx2.fedoraproject.org.pp
> +++ b/manifests/nodes/datagrepper02.phx2.fedoraproject.org.pp
> @@ -11,7 +11,9 @@ node "datagrepper02.phx2.fedoraproject.org" {
>      include openvpn::client
>
>      iptables::firewall { 'ipv4':
> -        tcpPorts => [ 80, 443 ]
> +        tcpPorts => [ 80, 443 ],
> +        custom => [ "-A INPUT -p tcp -m tcp -s 10.5.126.29 --dport 873 -j
> ACCEPT",
> +    ]
>      }
>
>      host { 'db-for-datagrepper':
> diff --git a/manifests/nodes/fedocal01.phx2.fedoraproject.org.pp
> b/manifests/nodes/fedocal01.phx2.fedoraproject.org.pp
> index 14168c2..9567cec 100644
> --- a/manifests/nodes/fedocal01.phx2.fedoraproject.org.pp
> +++ b/manifests/nodes/fedocal01.phx2.fedoraproject.org.pp
> @@ -9,7 +9,9 @@ node "fedocal01.phx2.fedoraproject.org" {
>      include fedocal::nobalance
>
>      iptables::firewall { 'ipv4':
> -        tcpPorts => [ 80, 443 ]
> +        tcpPorts => [ 80, 443 ],
> +        custom => [ "-A INPUT -p tcp -m tcp -s 10.5.126.29 --dport 873 -j
> ACCEPT",
> +    ]
>      }
>
>      # This points to db01
> diff --git a/manifests/nodes/fedocal01.stg.phx2.fedoraproject.org.pp
> b/manifests/nodes/fedocal01.stg.phx2.fedoraproject.org.pp
> index fd13777..3c6adf8 100644
> --- a/manifests/nodes/fedocal01.stg.phx2.fedoraproject.org.pp
> +++ b/manifests/nodes/fedocal01.stg.phx2.fedoraproject.org.pp
> @@ -10,7 +10,9 @@ node "fedocal01.stg.phx2.fedoraproject.org" {
>      include fedocal::nobalance
>
>      iptables::firewall { 'ipv4':
> -        tcpPorts => [ 80, 443 ]
> +        tcpPorts => [ 80, 443 ],
> +        custom => [ "-A INPUT -p tcp -m tcp -s 10.5.126.29 --dport 873 -j
> ACCEPT",
> +    ]
>      }
>
>      # This points to db02.stg
> diff --git a/manifests/nodes/fedocal02.phx2.fedoraproject.org.pp
> b/manifests/nodes/fedocal02.phx2.fedoraproject.org.pp
> index 090207c..d224fd1 100644
> --- a/manifests/nodes/fedocal02.phx2.fedoraproject.org.pp
> +++ b/manifests/nodes/fedocal02.phx2.fedoraproject.org.pp
> @@ -10,7 +10,9 @@ node "fedocal02.phx2.fedoraproject.org" {
>      #include fedocal::nobalance
>
>      iptables::firewall { 'ipv4':
> -        tcpPorts => [ 80, 443 ]
> +        tcpPorts => [ 80, 443 ],
> +        custom => [ "-A INPUT -p tcp -m tcp -s 10.5.126.29 --dport 873 -j
> ACCEPT",
> +    ]
>      }
>
>      # This points to db01
> diff --git a/manifests/nodes/openid01.phx2.fedoraproject.org.pp
> b/manifests/nodes/openid01.phx2.fedoraproject.org.pp
> index 8db2feb..94daf55 100644
> --- a/manifests/nodes/openid01.phx2.fedoraproject.org.pp
> +++ b/manifests/nodes/openid01.phx2.fedoraproject.org.pp
> @@ -9,7 +9,9 @@ node "openid01.phx2.fedoraproject.org" {
>      include openvpn::client
>
>      iptables::firewall { 'ipv4':
> -        tcpPorts => [ 80, 443 ]
> +        tcpPorts => [ 80, 443 ],
> +        custom => [ "-A INPUT -p tcp -m tcp -s 10.5.126.29 --dport 873 -j
> ACCEPT",
> +    ]
>      }
>
>      # This points to db-fas01
> diff --git a/manifests/nodes/openid01.stg.phx2.fedoraproject.org.pp
> b/manifests/nodes/openid01.stg.phx2.fedoraproject.org.pp
> index e3527ce..40386d5 100644
> --- a/manifests/nodes/openid01.stg.phx2.fedoraproject.org.pp
> +++ b/manifests/nodes/openid01.stg.phx2.fedoraproject.org.pp
> @@ -9,7 +9,9 @@ node "openid01.stg.phx2.fedoraproject.org" {
>      include fas-openid
>
>      iptables::firewall { 'ipv4':
> -        tcpPorts => [ 80, 443 ]
> +        tcpPorts => [ 80, 443 ],
> +        custom => [ "-A INPUT -p tcp -m tcp -s 10.5.126.29 --dport 873 -j
> ACCEPT",
> +    ]
>      }
>
>      # This points to db-fas01.stg
> diff --git a/manifests/nodes/openid02.phx2.fedoraproject.org.pp
> b/manifests/nodes/openid02.phx2.fedoraproject.org.pp
> index 3e95783..81142df 100644
> --- a/manifests/nodes/openid02.phx2.fedoraproject.org.pp
> +++ b/manifests/nodes/openid02.phx2.fedoraproject.org.pp
> @@ -9,7 +9,9 @@ node "openid02.phx2.fedoraproject.org" {
>      include openvpn::client
>
>      iptables::firewall { 'ipv4':
> -        tcpPorts => [ 80, 443 ]
> +        tcpPorts => [ 80, 443 ],
> +        custom => [ "-A INPUT -p tcp -m tcp -s 10.5.126.29 --dport 873 -j
> ACCEPT",
> +    ]
>      }
>
>      # This points to db-fas01
> diff --git a/manifests/nodes/packages01.dev.fedoraproject.org.pp
> b/manifests/nodes/packages01.dev.fedoraproject.org.pp
> index af87535..bb14b41 100644
> --- a/manifests/nodes/packages01.dev.fedoraproject.org.pp
> +++ b/manifests/nodes/packages01.dev.fedoraproject.org.pp
> @@ -6,6 +6,8 @@ node "packages01.dev" {
>    include httpd::mod_wsgi
>
>    iptables::firewall { 'ipv4':
> -      tcpPorts => [ 80, 443, 6996 ]
> +      tcpPorts => [ 80, 443, 6996 ],
> +      custom => [ "-A INPUT -p tcp -m tcp -s 10.5.126.29 --dport 873 -j
> ACCEPT",
> +    ]
>    }
>  }
> diff --git a/manifests/nodes/packages01.phx2.fedoraproject.org.pp
> b/manifests/nodes/packages01.phx2.fedoraproject.org.pp
> index 39d9036..691c5ed 100644
> --- a/manifests/nodes/packages01.phx2.fedoraproject.org.pp
> +++ b/manifests/nodes/packages01.phx2.fedoraproject.org.pp
> @@ -26,7 +26,9 @@ node "packages01" {
>    }
>
>    iptables::firewall { 'ipv4':
> -      tcpPorts => [ 80, 443, 6996 ]
> +      tcpPorts => [ 80, 443, 6996 ],
> +      custom => [ "-A INPUT -p tcp -m tcp -s 10.5.126.29 --dport 873 -j
> ACCEPT",
> +    ]
>    }
>
>    glusterfs::server::config { packages:
> diff --git a/manifests/nodes/packages01.stg.phx2.fedoraproject.org.pp
> b/manifests/nodes/packages01.stg.phx2.fedoraproject.org.pp
> index b0c2b9d..f96a4bd 100644
> --- a/manifests/nodes/packages01.stg.phx2.fedoraproject.org.pp
> +++ b/manifests/nodes/packages01.stg.phx2.fedoraproject.org.pp
> @@ -25,6 +25,8 @@ node "packages01.stg" {
>      netmask => '255.255.255.0',
>    }
>    iptables::firewall { 'ipv4':
> -      tcpPorts => [ 80, 443, 6996 ]
> +      tcpPorts => [ 80, 443, 6996 ],
> +      custom => [ "-A INPUT -p tcp -m tcp -s 10.5.126.29 --dport 873 -j
> ACCEPT",
> +    ]
>    }
>  }
> diff --git a/manifests/nodes/packages02.phx2.fedoraproject.org.pp
> b/manifests/nodes/packages02.phx2.fedoraproject.org.pp
> index f6a5441..a66358b 100644
> --- a/manifests/nodes/packages02.phx2.fedoraproject.org.pp
> +++ b/manifests/nodes/packages02.phx2.fedoraproject.org.pp
> @@ -24,7 +24,9 @@ node "packages02" {
>    }
>
>    iptables::firewall { 'ipv4':
> -      tcpPorts => [ 80, 443, 6996 ]
> +      tcpPorts => [ 80, 443, 6996 ],
> +      custom => [ "-A INPUT -p tcp -m tcp -s 10.5.126.29 --dport 873 -j
> ACCEPT",
> +    ]
>    }
>
>    glusterfs::server::config { packages:
> diff --git a/manifests/nodes/paste01.phx2.fedoraproject.org.pp
> b/manifests/nodes/paste01.phx2.fedoraproject.org.pp
> index 7708415..30d83e6 100644
> --- a/manifests/nodes/paste01.phx2.fedoraproject.org.pp
> +++ b/manifests/nodes/paste01.phx2.fedoraproject.org.pp
> @@ -9,7 +9,9 @@ node "paste01.phx2.fedoraproject.org" {
>    collectd::collectd { 'log02': }
>
>    iptables::firewall { 'ipv4':
> -    tcpPorts => [ 80, 443, 8888 ]
> +    tcpPorts => [ 80, 443, 8888 ],
> +    custom => [ "-A INPUT -p tcp -m tcp -s 10.5.126.29 --dport 873 -j
> ACCEPT",
> +    ]
>    }
>
>    selboolean { [
> diff --git a/manifests/nodes/paste01.stg.fedoraproject.org.pp
> b/manifests/nodes/paste01.stg.fedoraproject.org.pp
> index fa05ef1..ad861b5 100644
> --- a/manifests/nodes/paste01.stg.fedoraproject.org.pp
> +++ b/manifests/nodes/paste01.stg.fedoraproject.org.pp
> @@ -9,7 +9,9 @@ node "paste01.stg.phx2.fedoraproject.org" {
>    include sticky-notes
>
>    iptables::firewall { 'ipv4':
> -    tcpPorts => [ 80, 443, 8888 ]
> +    tcpPorts => [ 80, 443, 8888 ],
> +    custom => [ "-A INPUT -p tcp -m tcp -s 10.5.126.29 --dport 873 -j
> ACCEPT",
> +    ]
>    }
>
>    selboolean { [
> diff --git a/manifests/nodes/paste02.phx2.fedoraproject.org.pp
> b/manifests/nodes/paste02.phx2.fedoraproject.org.pp
> index 091e894..14d694c 100644
> --- a/manifests/nodes/paste02.phx2.fedoraproject.org.pp
> +++ b/manifests/nodes/paste02.phx2.fedoraproject.org.pp
> @@ -9,7 +9,9 @@ node "paste02.phx2.fedoraproject.org" {
>    collectd::collectd { 'log02': }
>
>    iptables::firewall { 'ipv4':
> -    tcpPorts => [ 80, 443, 8888 ]
> +    tcpPorts => [ 80, 443, 8888 ],
> +    custom => [ "-A INPUT -p tcp -m tcp -s 10.5.126.29 --dport 873 -j
> ACCEPT",
> +    ]
>    }
>
>    selboolean { [
> diff --git a/modules/askbot/manifests/init.pp
> b/modules/askbot/manifests/init.pp
> index 50bb7d2..98afdb0 100644
> --- a/modules/askbot/manifests/init.pp
> +++ b/modules/askbot/manifests/init.pp
> @@ -1,5 +1,6 @@
>  class askbot {
>      include httpd::mod_wsgi
> +    include rsync::server
>
>      package { "askbot":
>          ensure => installed,
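Review bot: The added `include rsync::server` has no comment saying why an application class now runs an rsync daemon, and the same bare include is added in the blockerbugs, datagrepper, fas-openid, fedocal, packages and sticky-notes module hunks. A one-line comment such as `# rsync::server: lets log02 pull httpd logs over TCP 873` would keep the reason next to the include. The `rsync::server` configuration is not part of this patch, so the description's statement that it only exposes logs to log02 cannot be checked here. Confirm that the module is read-only and restricted with `hosts allow`, so the per-node iptables rule is not the only control on an otherwise unauthenticated, plaintext service. The class body continues outside the hunk.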
> diff --git a/modules/blockerbugs/manifests/init.pp
> b/modules/blockerbugs/manifests/init.pp
> index c841ab4..2636819 100644
> --- a/modules/blockerbugs/manifests/init.pp
> +++ b/modules/blockerbugs/manifests/init.pp
> @@ -19,6 +19,7 @@ class blockerbugs::app {
>
>    include httpd::mod_wsgi
>    include mod_ssl
> +  include rsync::server
>
>    selboolean { [
>        "httpd_can_network_connect_db",
> diff --git a/modules/datagrepper/manifests/init.pp
> b/modules/datagrepper/manifests/init.pp
> index afc9b78..bbd10bc 100644
> --- a/modules/datagrepper/manifests/init.pp
> +++ b/modules/datagrepper/manifests/init.pp
> @@ -19,6 +19,7 @@ class datagrepper::app {
>      include httpd::mod_wsgi
>      include httpd::mod_ssl
>      include fedmsg::config
> +    include rsync::server
>
>      package { "datagrepper":
>          ensure => present,
> diff --git a/modules/fas-openid/manifests/init.pp
> b/modules/fas-openid/manifests/init.pp
> index 7c48d0d..3409781 100644
> --- a/modules/fas-openid/manifests/init.pp
> +++ b/modules/fas-openid/manifests/init.pp
> @@ -3,6 +3,7 @@ class fas-openid {
>      include httpd::mod_ssl
>      include httpd::mod_wsgi
>      include hotfix::python-openid
> +    include rsync::server
>
>      selboolean { [
>          "httpd_can_network_connect_db",
> diff --git a/modules/fedocal/manifests/init.pp
> b/modules/fedocal/manifests/init.pp
> index 6854c24..31809e5 100644
> --- a/modules/fedocal/manifests/init.pp
> +++ b/modules/fedocal/manifests/init.pp
> @@ -2,6 +2,7 @@ class fedocal {
>      include selinux-enforcing
>      include httpd::mod_ssl
>      include httpd::mod_wsgi
> +    include rsync::server
>
>      selboolean { [
>          "httpd_can_network_connect_db",
> diff --git a/modules/packages/manifests/init.pp
> b/modules/packages/manifests/init.pp
> index ede4331..7b211a7 100644
> --- a/modules/packages/manifests/init.pp
> +++ b/modules/packages/manifests/init.pp
> @@ -35,6 +35,7 @@ class fedoracommunity::tagger {
>      include httpd::mod_wsgi
>      include httpd::mod_ssl
>      include fedmsg::config
> +    include rsync::server
>      fedmsg::certificate { "fedoratagger":
>          service => "fedoratagger",
>          group => "fedoratagger",
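Review bot: According to the hunk header, this `include rsync::server` lands inside `class fedoracommunity::tagger`, whereas port 873 is opened on the packages01/packages02 node manifests. Which classes those nodes include is not visible in the patch. If they do not include the tagger class, rsync will not be installed there and the log pulls keep failing. Any tagger host not covered by the node changes would also get the daemon without a matching firewall rule. Confirm that the include sits in the class the packages nodes actually use. The class body continues outside the hunk.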
> diff --git a/modules/sticky-notes/manifests/init.pp
> b/modules/sticky-notes/manifests/init.pp
> index ed78bf2..6fd8f71 100644
> --- a/modules/sticky-notes/manifests/init.pp
> +++ b/modules/sticky-notes/manifests/init.pp
> @@ -1,6 +1,7 @@
>  class sticky-notes {
>    include httpd::base
>    include httpd::php
> +  include rsync::server
>
>    package { "sticky-notes":
>         ensure => installed,
>



-- 
Stephen J Smoogen.