From ed99f27a1a047466ef2f0fa56ae42640a3a78fec Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Tue, 19 Jun 2012 19:31:20 +0200
Subject: [PATCH] dedicated ganeti ssh chain

---
 modules/ferm/templates/me.conf.erb | 8 --------
 modules/ganeti2/manifests/init.pp  | 8 +++++++-
 2 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/modules/ferm/templates/me.conf.erb b/modules/ferm/templates/me.conf.erb
index 55b27e20..3de244eb 100644
--- a/modules/ferm/templates/me.conf.erb
+++ b/modules/ferm/templates/me.conf.erb
@@ -37,14 +37,6 @@ if %w{geo1 geo2 geo3}.include?(hostname) then
   ssh4allowed << '194.177.211.209' # orff - master
   ssh6allowed << '2001:648:2ffc:deb:213:72ff:fe69:e188' # orff - master
 end
-if %w{pasquini tristano}.include?(hostname) then
-  ssh4allowed << '206.12.19.23' # ganeti2.debian.org
-  ssh4allowed << '206.12.19.213' # tristano.debian.org
-  ssh4allowed << '206.12.19.217' # pasquini.debian.org
-  ssh4allowed << '192.168.2.23' # ganeti2.debprivate-ubc.debian.org
-  ssh4allowed << '192.168.2.213' # tristano-mnt.debprivate-ubc.debian.org
-  ssh4allowed << '192.168.2.217' # pasquini-mnt.debprivate-ubc.debian.org
-end
 
 ssh4allowed.length == 0 and ssh4allowed << '0.0.0.0/0'
 ssh6allowed.length == 0 and ssh6allowed << '::/0'
diff --git a/modules/ganeti2/manifests/init.pp b/modules/ganeti2/manifests/init.pp
index 7308ca2e..7d44ee1d 100644
--- a/modules/ganeti2/manifests/init.pp
+++ b/modules/ganeti2/manifests/init.pp
@@ -42,7 +42,13 @@ class ganeti2 {
 
   @ferm::rule { 'dsa-ganeti-migrate':
     description => 'allow kvm to migrate instances',
-    rule => 'proto tcp dport 8102 @subchain \'kvm-migrate\' { saddr ($HOST_GANETI_BACKEND_V4) daddr ($HOST_GANETI_BACKEND_V4) ACCEPT; }',
+    rule => 'proto tcp dport 8102 @subchain \'ganeti-migrate\' { saddr ($HOST_GANETI_BACKEND_V4) daddr ($HOST_GANETI_BACKEND_V4) ACCEPT; }',
+    notarule => true,
+  }
+
+  @ferm::rule { 'dsa-ganeti-ssh':
+    description => 'allow ganeti to ssh around',
+    rule => 'proto tcp dport ssh @subchain \'ganeti-ssh\' { saddr ( $HOST_GANETI_V4 $HOST_GANETI_BACKEND_V4) ACCEPT; }',
     notarule => true,
   }
 }
-- 
2.39.2
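Review bot: The new 'dsa-ganeti-ssh' rule admits ssh from every address in $HOST_GANETI_V4 and $HOST_GANETI_BACKEND_V4 on any host that includes class ganeti2, whereas the per-host list removed from me.conf.erb admitted only the three addresses of that one cluster (ganeti2, tristano, pasquini) and only on pasquini and tristano; if those two variables are populated from all ganeti hosts rather than per cluster, this widens ssh exposure, which is worth confirming before merging. The saddr list is also written `saddr ( $HOST_GANETI_V4 $HOST_GANETI_BACKEND_V4)`, unlike `saddr ($HOST_GANETI_BACKEND_V4)` on the migrate rule just above; suggest `saddr ($HOST_GANETI_V4 $HOST_GANETI_BACKEND_V4)` for consistency. Renaming the migrate subchain from 'kvm-migrate' to 'ganeti-migrate' would leave any other reference to the old chain name dangling, if one exists outside this hunk. The enclosing class ganeti2 begins outside the hunk.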