From e0354eda8f1dba999c452caf99c40dcb6f7af33e Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 19 Mar 2013 08:57:35 +0100 Subject: working on stunnel for bigcouch clustering --- puppet/modules/site_couchdb/manifests/stunnel.pp | 12 ++++++++++++ puppet/modules/site_shorewall/manifests/couchdb.pp | 16 +++++++++++++++- 2 files changed, 27 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 1afe25a4..2133d6da 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -39,5 +39,17 @@ class site_couchdb::stunnel ($key, $cert, $ca) { rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } + stunnel::service { 'bigcouch': + accept => '6984', + connect => '127.0.0.1:5984', + client => false, + cafile => $ca_path, + key => $key_path, + cert => $cert_path, + verify => '2', + pid => '/var/run/stunnel4/couchdb.pid', + rndfile => '/var/lib/stunnel4/.rnd', + debuglevel => '4' + } } diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp index 9fa59569..5fa1861b 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb.pp @@ -3,10 +3,13 @@ class site_shorewall::couchdb { include site_shorewall::defaults $couchdb_port = '6984' + # Erlang Port Mapper daemon, used for communication between + # bigcouch cluster nodes + $portmapper_port = '5369' # define macro for incoming services file { '/etc/shorewall/macro.leap_couchdb': - content => "PARAM - - tcp $couchdb_port", + content => "PARAM - - tcp $couchdb_port $portmapper_port", notify => Service['shorewall'], require => Package['shorewall'] } 
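Review bot: The new `stunnel::service { 'bigcouch': }` listens on `accept => '6984'` and uses `pid => '/var/run/stunnel4/couchdb.pid'`, which are the same listener port and, as far as the rest of this file shows, the same pid file as the existing `couchdb` service in this class, so the second stunnel instance will either fail to bind or overwrite the first one's pid. The clustering tunnel needs its own port and pid, e.g. `accept => '5369',` and `pid => '/var/run/stunnel4/bigcouch.pid',`. `connect => '127.0.0.1:5984'` also targets CouchDB's HTTP port rather than anything cluster-related, so it is unclear what this tunnel is meant to carry. The enclosing class `site_couchdb::stunnel` and the `couchdb` service definition lie outside this hunk.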
@@ -20,4 +23,15 @@ class site_shorewall::couchdb { order => 200; } + shorewall::rule { + 'dnat-bigcouch-clustering-to-stunnel': + destination => "net:${::ipaddress}:8080", + destinationport => $portmapper_port, + source => '$FW', + proto => 'tcp', + order => 200, + action => 'DNAT'; + } + + } -- cgit v1.2.3 From cc082541980df1062cb5b2d10f4980cf8b6664c9 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 19 Mar 2013 13:54:40 +0100 Subject: moved generic stunnel config from site_webapp to site_stunnel --- puppet/modules/site_stunnel/manifests/clients.pp | 32 ++++++++++++++++ puppet/modules/site_stunnel/manifests/setup.pp | 30 +++++++++++++++ puppet/modules/site_webapp/manifests/couchdb.pp | 21 +++++++++-- .../site_webapp/manifests/couchdb_stunnel.pp | 43 ---------------------- .../manifests/couchdb_stunnel/clients.pp | 17 --------- 5 files changed, 79 insertions(+), 64 deletions(-) create mode 100644 puppet/modules/site_stunnel/manifests/clients.pp create mode 100644 puppet/modules/site_stunnel/manifests/setup.pp delete mode 100644 puppet/modules/site_webapp/manifests/couchdb_stunnel.pp delete mode 100644 puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp (limited to 'puppet') diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp new file mode 100644 index 00000000..28ed6d3c --- /dev/null +++ b/puppet/modules/site_stunnel/manifests/clients.pp 
@@ -0,0 +1,32 @@ +define site_stunnel::clients ( + $accept_port, + $connect, + $client = true, + $cafile, + $key, + $cert, + $verify = '2', + $pid = $name, + $rndfile = '/var/lib/stunnel4/.rnd', + $debuglevel = '4' ) { + + $couchdb_stunnel_client_defaults = { + 'cafile' => $ca_path, + 'key' => $key_path, + 'cert' => $cert_path, + } + + + stunnel::service { $name: + accept => "127.0.0.1:${accept_port}", + connect => "${connect}:6984", + client => $client, + cafile => $cafile, + key => $key, + cert => $cert, + verify => $verify, + pid => "/var/run/stunnel4/${pid}.pid", + rndfile => $rndfile, + debuglevel => $debuglevel + } + } diff --git a/puppet/modules/site_stunnel/manifests/setup.pp b/puppet/modules/site_stunnel/manifests/setup.pp new file mode 100644 index 00000000..a6384a6e --- /dev/null +++ b/puppet/modules/site_stunnel/manifests/setup.pp @@ -0,0 +1,30 @@ +class site_stunnel::setup ($cert_name, $key, $cert, $ca) { + + include x509::variables + include site_stunnel + + $ca_name = 'leap_ca' + $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" + $cert_path = "${x509::variables::certs}/${cert_name}.crt" + $key_path = "${x509::variables::keys}/${cert_name}.key" + + x509::key { + $cert_name: + content => $key, + notify => Service['stunnel']; + } + + x509::cert { + $cert_name: + content => $cert, + notify => Service['stunnel']; + } + + x509::ca { + $ca_name: + content => $ca, + notify => Service['stunnel']; + } + +} + diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index ef61aeb6..e45691c1 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -33,10 +33,11 @@ class site_webapp::couchdb { mode => '0744'; } - class { 'site_webapp::couchdb_stunnel': - key => $key, - cert => $cert, - ca => $ca + class { 'site_stunnel::setup': + cert_name => 'leap_couchdb', + key => $key, + cert => $cert, + ca => $ca } exec { 'migrate_design_documents': 
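Review bot: Inside `define site_stunnel::clients`, the `$couchdb_stunnel_client_defaults` hash reads `$ca_path`, `$key_path` and `$cert_path`, none of which are parameters of the define or assigned in it, and the hash is never used afterwards, so it is dead code that could only resolve through dynamic scoping. Remove the hash; the define already receives `cafile`, `key` and `cert` explicitly and passes them straight to `stunnel::service`. A one-line header would also help callers, e.g. `# Client-side stunnel: listens on 127.0.0.1:$accept_port and forwards to $connect:6984 over TLS, verifying the peer against $cafile (verify 2).`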
@@ -45,4 +46,16 @@ class site_webapp::couchdb { require => Exec['bundler_update'], notify => Service['apache']; } + + $couchdb_stunnel_client_defaults = { + 'client' => true, + 'cafile' => $ca_path, + 'key' => $key_path, + 'cert' => $cert_path, + 'verify' => '2', + 'rndfile' => '/var/lib/stunnel4/.rnd', + 'debuglevel' => '4' + } + + create_resources(site_stunnel::clients, hiera('stunnel'), $couchdb_stunnel_client_defaults) } diff --git a/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp b/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp deleted file mode 100644 index 325b18ee..00000000 --- a/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp +++ /dev/null @@ -1,43 +0,0 @@ -class site_webapp::couchdb_stunnel ($key, $cert, $ca) { - - include x509::variables - include site_stunnel - - $cert_name = 'leap_couchdb' - $ca_name = 'leap_ca' - $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" - $cert_path = "${x509::variables::certs}/${cert_name}.crt" - $key_path = "${x509::variables::keys}/${cert_name}.key" - - x509::key { - $cert_name: - content => $key, - notify => Service['stunnel']; - } - - x509::cert { - $cert_name: - content => $cert, - notify => Service['stunnel']; - } - - x509::ca { - $ca_name: - content => $ca, - notify => Service['stunnel']; - } - - $couchdb_stunnel_client_defaults = { - 'client' => true, - 'cafile' => $ca_path, - 'key' => $key_path, - 'cert' => $cert_path, - 'verify' => '2', - 'rndfile' => '/var/lib/stunnel4/.rnd', - 'debuglevel' => '4' - } - - create_resources(site_webapp::couchdb_stunnel::clients, hiera('stunnel'), $couchdb_stunnel_client_defaults) - -} - diff --git a/puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp b/puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp deleted file mode 100644 index eac43b08..00000000 --- a/puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp +++ /dev/null 
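Review bot: The `$couchdb_stunnel_client_defaults` hash in `site_webapp::couchdb` reads `$ca_path`, `$key_path` and `$cert_path`, but those are now computed inside `class site_stunnel::setup` and are not visible in this class's scope, so under Puppet 3 scoping they interpolate to empty strings and every client tunnel is declared with `cafile => ''`, `key => ''`, `cert => ''` while still requesting `verify => '2'`. stunnel should refuse to verify peers with no CA file, which at least fails closed, but no tunnel will work; reference the values explicitly, e.g. `'cafile' => $site_stunnel::setup::ca_path,` (likewise for key and cert), or compute the paths in this class. Note also that `create_resources(site_stunnel::clients, hiera('stunnel'), …)` turns every top-level key of the `stunnel` hiera hash into a client tunnel, which presumes that hash holds nothing else. The class header is outside this hunk.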
@@ -1,17 +0,0 @@ -define site_webapp::couchdb_stunnel::clients - ( $accept_port, $connect, $client, $cafile, $key, $cert, - $verify, $pid = $name, $rndfile, $debuglevel ) { - - stunnel::service { $name: - accept => "127.0.0.1:${accept_port}", - connect => "${connect}:6984", - client => $client, - cafile => $cafile, - key => $key, - cert => $cert, - verify => $verify, - pid => "/var/run/stunnel4/${pid}.pid", - rndfile => $rndfile, - debuglevel => $debuglevel - } - } -- cgit v1.2.3 From 4b2aa1020d07d0ab25f907fbc6c76a3d78a6a84e Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 19 Mar 2013 15:11:54 +0100 Subject: shorewall couchdb config: get open ports right --- puppet/modules/site_shorewall/manifests/couchdb.pp | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp index 5fa1861b..f1784a38 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb.pp @@ -9,7 +9,7 @@ class site_shorewall::couchdb { # define macro for incoming services file { '/etc/shorewall/macro.leap_couchdb': - content => "PARAM - - tcp $couchdb_port $portmapper_port", + content => "PARAM - - tcp ${couchdb_port},${portmapper_port}", notify => Service['shorewall'], require => Package['shorewall'] } @@ -23,15 +23,15 @@ class site_shorewall::couchdb { order => 200; } - shorewall::rule { - 'dnat-bigcouch-clustering-to-stunnel': - destination => "net:${::ipaddress}:8080", - destinationport => $portmapper_port, - source => '$FW', - proto => 'tcp', - order => 200, - action => 'DNAT'; - } + #shorewall::rule { + # 'dnat-bigcouch-clustering-to-stunnel': + # destination => "net:${::ipaddress}:8080", + # destinationport => $portmapper_port, + # source => '$FW', + # proto => 'tcp', + # order => 200, + # action => 'DNAT'; + #} } -- cgit v1.2.3 
From 4669a64cb8e63a67825a35513b51b4e1f2a4ec5d Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 19 Mar 2013 15:14:35 +0100 Subject: moving generic stunnel config from site_webapp to site_stunnel now working --- puppet/modules/site_stunnel/manifests/clients.pp | 31 +++++++++--------------- puppet/modules/site_stunnel/manifests/setup.pp | 6 ----- puppet/modules/site_webapp/manifests/couchdb.pp | 8 +++--- 3 files changed, 16 insertions(+), 29 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp index 28ed6d3c..9f8aeaff 100644 --- a/puppet/modules/site_stunnel/manifests/clients.pp +++ b/puppet/modules/site_stunnel/manifests/clients.pp @@ -10,23 +10,16 @@ define site_stunnel::clients ( $rndfile = '/var/lib/stunnel4/.rnd', $debuglevel = '4' ) { - $couchdb_stunnel_client_defaults = { - 'cafile' => $ca_path, - 'key' => $key_path, - 'cert' => $cert_path, - } - - - stunnel::service { $name: - accept => "127.0.0.1:${accept_port}", - connect => "${connect}:6984", - client => $client, - cafile => $cafile, - key => $key, - cert => $cert, - verify => $verify, - pid => "/var/run/stunnel4/${pid}.pid", - rndfile => $rndfile, - debuglevel => $debuglevel - } + stunnel::service { $name: + accept => "127.0.0.1:${accept_port}", + connect => "${connect}:6984", + client => $client, + cafile => $cafile, + key => $key, + cert => $cert, + verify => $verify, + pid => "/var/run/stunnel4/${pid}.pid", + rndfile => $rndfile, + debuglevel => $debuglevel } +} diff --git a/puppet/modules/site_stunnel/manifests/setup.pp b/puppet/modules/site_stunnel/manifests/setup.pp index a6384a6e..7ec2378f 100644 --- a/puppet/modules/site_stunnel/manifests/setup.pp +++ b/puppet/modules/site_stunnel/manifests/setup.pp 
@@ -1,13 +1,7 @@ class site_stunnel::setup ($cert_name, $key, $cert, $ca) { - include x509::variables include site_stunnel - $ca_name = 'leap_ca' - $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" - $cert_path = "${x509::variables::certs}/${cert_name}.crt" - $key_path = "${x509::variables::keys}/${cert_name}.key" - x509::key { $cert_name: content => $key, diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index e45691c1..48a95c8d 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -34,7 +34,7 @@ class site_webapp::couchdb { } class { 'site_stunnel::setup': - cert_name => 'leap_couchdb', + cert_name => $cert_name, key => $key, cert => $cert, ca => $ca @@ -49,9 +49,9 @@ class site_webapp::couchdb { $couchdb_stunnel_client_defaults = { 'client' => true, - 'cafile' => $ca_path, - 'key' => $key_path, - 'cert' => $cert_path, + 'cafile' => "${x509::variables::local_CAs}/${ca_name}.crt", + 'key' => "${x509::variables::keys}/${cert_name}.key", + 'cert' => "${x509::variables::certs}/${cert_name}.crt", 'verify' => '2', 'rndfile' => '/var/lib/stunnel4/.rnd', 'debuglevel' => '4' -- cgit v1.2.3 From ec2727a1cae91c34233c831ae31277690a8ef3dc Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 19 Mar 2013 15:29:48 +0100 Subject: added bigcouch.conf as incoming stunnel config for bigcouch clustering --- puppet/modules/site_couchdb/manifests/stunnel.pp | 28 +++++++++--------------- 1 file changed, 10 insertions(+), 18 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 2133d6da..d16e09b5 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp 
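Review bot: `cert_name => $cert_name` and the `${ca_name}`/`${cert_name}` interpolations in the client defaults depend on variables that are not assigned anywhere in `site_webapp::couchdb` in this version (their definitions were in the deleted `site_webapp::couchdb_stunnel`), and `x509::variables` is no longer included on this path either, since this commit drops `include x509::variables` from `site_stunnel::setup`. With undefined variables interpolating to empty strings, the x509 resources get an empty title and the stunnel client paths degrade to `…/.crt` and `…/.key`, so the tunnels point at files that do not exist. Add `include x509::variables`, `$cert_name = 'leap_couchdb'` and `$ca_name = 'leap_ca'` near the top of the class, before they are used. The class header is outside this hunk.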
@@ -9,24 +9,14 @@ class site_couchdb::stunnel ($key, $cert, $ca) { $cert_path = "${x509::variables::certs}/${cert_name}.crt" $key_path = "${x509::variables::keys}/${cert_name}.key" - x509::key { - $cert_name: - content => $key, - notify => Service['stunnel']; - } - - x509::cert { - $cert_name: - content => $cert, - notify => Service['stunnel']; - } - - x509::ca { - $ca_name: - content => $ca, - notify => Service['stunnel']; + class { 'site_stunnel::setup': + cert_name => $cert_name, + key => $key, + cert => $cert, + ca => $ca } + # webapp access stunnel::service { 'couchdb': accept => '6984', connect => '127.0.0.1:5984', @@ -39,9 +29,11 @@ class site_couchdb::stunnel ($key, $cert, $ca) { rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } + + # clustering between bigcouch nodes stunnel::service { 'bigcouch': - accept => '6984', - connect => '127.0.0.1:5984', + accept => '5369', + connect => '127.0.0.1:4369', client => false, cafile => $ca_path, key => $key_path, -- cgit v1.2.3 From bb0f29e2d7ae2db57257eb4d1a20616c5c834a4e Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 19:06:07 +0100 Subject: make site_stunnel::clients connect_port configurable --- puppet/modules/site_stunnel/manifests/clients.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp index 9f8aeaff..b23c7bc6 100644 --- a/puppet/modules/site_stunnel/manifests/clients.pp +++ b/puppet/modules/site_stunnel/manifests/clients.pp @@ -1,5 +1,6 @@ define site_stunnel::clients ( $accept_port, + $connect_port, $connect, $client = true, $cafile, @@ -12,7 +13,7 @@ define site_stunnel::clients ( stunnel::service { $name: accept => "127.0.0.1:${accept_port}", - connect => "${connect}:6984", + connect => "${connect}:${connect_port}", client => $client, cafile => $cafile, key => $key, -- cgit v1.2.3 
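Review bot: The `bigcouch` stunnel now forwards `accept => '5369'` to `127.0.0.1:4369`, so only the Erlang port mapper (epmd) is wrapped, and the comment `# clustering between bigcouch nodes` overstates what this tunnel covers: epmd only answers which port a node listens on, and the actual distribution connection then goes to that port, which nothing visible here tunnels. If that is the design, the cluster traffic itself stays in the clear and is protected only by the Erlang cookie; I would reword the comment to `# epmd (Erlang port mapper, 4369) for bigcouch clustering; the node's distribution port is not covered by this tunnel` and, if end-to-end protection is intended, add a second server tunnel in front of the distribution port. The `pid` line of this service sits outside the hunk but, from the earlier commit, still appears to share `couchdb.pid` with the `couchdb` service.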
From d9c9cbb7ae5fde7767ac6b2cbc25936a0045104d Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 19:06:45 +0100 Subject: addded client side of bigcouch cluster protocol stunnel config --- puppet/modules/site_couchdb/manifests/stunnel.pp | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index d16e09b5..2d5cbaa1 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -31,6 +31,8 @@ class site_couchdb::stunnel ($key, $cert, $ca) { } # clustering between bigcouch nodes + + # server stunnel::service { 'bigcouch': accept => '5369', connect => '127.0.0.1:4369', @@ -43,5 +45,19 @@ class site_couchdb::stunnel ($key, $cert, $ca) { rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } + + # clients + $couchdb_stunnel_client_defaults = { + 'connect_port' => '5369', + 'client' => true, + 'cafile' => "${x509::variables::local_CAs}/${ca_name}.crt", + 'key' => "${x509::variables::keys}/${cert_name}.key", + 'cert' => "${x509::variables::certs}/${cert_name}.crt", + 'verify' => '2', + 'rndfile' => '/var/lib/stunnel4/.rnd', + 'debuglevel' => '4' + } + create_resources(site_stunnel::clients, hiera('stunnel'), $couchdb_stunnel_client_defaults) + } -- cgit v1.2.3 From 7a08ff22b0317e77895e4ff52e6f56db70afb8df Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 20:06:47 +0100 Subject: increase stunnel verbosity until everything is running smooth --- puppet/modules/site_couchdb/manifests/stunnel.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 2d5cbaa1..44ddae0b 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp 
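Review bot: `create_resources(site_stunnel::clients, hiera('stunnel'), $couchdb_stunnel_client_defaults)` consumes the entire `stunnel` hiera hash, and `site_webapp::couchdb` already does the same with a different `connect_port` default, so a node that carries both classes gets a duplicate `Site_stunnel::Clients[…]` declaration and catalog compilation fails, while every key of that hash (including any server entries) becomes a client tunnel. Key the lookup to a sub-hash dedicated to these peers, e.g. `$bigcouch_replication_clients = $stunnel['bigcouch_replication_clients']` followed by `create_resources(site_stunnel::clients, $bigcouch_replication_clients, …)`. The class header `site_couchdb::stunnel` is outside this hunk.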
@@ -43,7 +43,7 @@ class site_couchdb::stunnel ($key, $cert, $ca) { verify => '2', pid => '/var/run/stunnel4/couchdb.pid', rndfile => '/var/lib/stunnel4/.rnd', - debuglevel => '4' + debuglevel => '7' } # clients -- cgit v1.2.3 From fbcc9e9a93816374e1b53b561df4b9d2a59ae7b8 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 22:01:41 +0100 Subject: added site_shorewall::dnat to configure DNAT rules --- puppet/modules/site_shorewall/manifests/dnat.pp | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 puppet/modules/site_shorewall/manifests/dnat.pp (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/dnat.pp b/puppet/modules/site_shorewall/manifests/dnat.pp new file mode 100644 index 00000000..5992c91f --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/dnat.pp @@ -0,0 +1,19 @@ +define site_shorewall::dnat ( + $source, + $destination, + $proto, + $destinationport, + $originaldest ) { + + + shorewall::rule { + "dnat_${name}_${destinationport}": + source => $source, + destination => $destination, + destinationport => $destinationport, + originaldest => $originaldest, + proto => $proto, + order => 200, + action => 'DNAT'; + } +} -- cgit v1.2.3 From 40f32a207957293dd7c9a85df3bcccd340e16522 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 22:02:55 +0100 Subject: added site_shorewall::couchdb::bigcouch bigcouch cluster protocol communicate via the fqdn of the neighbor hosts. So we need to bend all requests to :4369 to localhost:400x (which is the entry of an stunnel connection to the other neighbor) --- puppet/modules/site_shorewall/manifests/couchdb.pp | 11 ----------- puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp | 7 +++++++ 2 files changed, 7 insertions(+), 11 deletions(-) create mode 100644 puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp (limited to 'puppet') 
diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp index f1784a38..a448dd42 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb.pp @@ -23,15 +23,4 @@ class site_shorewall::couchdb { order => 200; } - #shorewall::rule { - # 'dnat-bigcouch-clustering-to-stunnel': - # destination => "net:${::ipaddress}:8080", - # destinationport => $portmapper_port, - # source => '$FW', - # proto => 'tcp', - # order => 200, - # action => 'DNAT'; - #} - - } diff --git a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp new file mode 100644 index 00000000..f96ef87b --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp @@ -0,0 +1,7 @@ +class site_shorewall::couchdb::bigcouch inherits site_shorewall::couchdb { + + include site_shorewall::defaults + + create_resources(site_shorewall::dnat, hiera('shorewall_dnat')) + +} -- cgit v1.2.3 From 34a44db0de9a7d79ac68e93e79f29dcc32a30c76 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 22:07:25 +0100 Subject: couchdb hosts include site_shorewall::couchdb::bigcouch --- puppet/modules/site_couchdb/manifests/init.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index d317de65..e0f379cd 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -67,4 +67,5 @@ class site_couchdb ( $bigcouch = false ) { } include site_shorewall::couchdb + include site_shorewall::couchdb::bigcouch } -- cgit v1.2.3 From 6e223037a4ca36273984c0ab0f2eb9b81f5f10da Mon Sep 17 00:00:00 2001 
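Review bot: `include site_shorewall::couchdb::bigcouch` is added unconditionally although `class site_couchdb ( $bigcouch = false )` visibly carries a switch for exactly this, and the included class calls `create_resources(site_shorewall::dnat, hiera('shorewall_dnat'))` with no default, so a plain CouchDB node without that hiera key fails catalog compilation, and one that happens to have it gets cluster DNAT rules it does not need. Guard the include with the flag, `if $bigcouch { include site_shorewall::couchdb::bigcouch }`, and give the lookup a default in the bigcouch class, e.g. `hiera('shorewall_dnat', {})`. The body of `site_couchdb` starts outside this hunk.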
From: varac Date: Wed, 20 Mar 2013 22:11:40 +0100 Subject: decrease stunnel debug level --- puppet/modules/site_couchdb/manifests/stunnel.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 44ddae0b..2d5cbaa1 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -43,7 +43,7 @@ class site_couchdb::stunnel ($key, $cert, $ca) { verify => '2', pid => '/var/run/stunnel4/couchdb.pid', rndfile => '/var/lib/stunnel4/.rnd', - debuglevel => '7' + debuglevel => '4' } # clients -- cgit v1.2.3 From 63e6b8633e07045751011c0218f9e6891e25cca5 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 22:17:55 +0100 Subject: provide stunnel connect_port to site_webapp:couchdb --- puppet/modules/site_webapp/manifests/couchdb.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 48a95c8d..ffc4454b 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -48,6 +48,7 @@ class site_webapp::couchdb { } $couchdb_stunnel_client_defaults = { + 'connect_port' => '6984', 'client' => true, 'cafile' => "${x509::variables::local_CAs}/${ca_name}.crt", 'key' => "${x509::variables::keys}/${cert_name}.key", -- cgit v1.2.3 From e9b00c6efb65faa4c0dfa955527fafc2b13889d4 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 22:31:51 +0100 Subject: fix bigcouch stunnel pid name --- puppet/modules/site_couchdb/manifests/stunnel.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 2d5cbaa1..f5001051 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp 
+++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -25,7 +25,7 @@ class site_couchdb::stunnel ($key, $cert, $ca) { key => $key_path, cert => $cert_path, verify => '2', - pid => '/var/run/stunnel4/couchdb.pid', + pid => '/var/run/stunnel4/bigcouch.pid', rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } -- cgit v1.2.3 From eac4d82da1675d839fcdc2360df5929e41322c2d Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 21 Mar 2013 14:03:07 +0100 Subject: start erlang vm on dedicated port so firewalling is easier --- puppet/modules/site_shorewall/manifests/couchdb.pp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp index a448dd42..04b608e2 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb.pp @@ -7,9 +7,12 @@ class site_shorewall::couchdb { # bigcouch cluster nodes $portmapper_port = '5369' + # see http://stackoverflow.com/questions/8459949/bigcouch-cluster-connection-issue#comment10467603_8463814 + $erlang_vm_port = '9001' + # define macro for incoming services file { '/etc/shorewall/macro.leap_couchdb': - content => "PARAM - - tcp ${couchdb_port},${portmapper_port}", + content => "PARAM - - tcp ${couchdb_port},${portmapper_port},${erlang_vm_port}", notify => Service['shorewall'], require => Package['shorewall'] } -- cgit v1.2.3 From 50cbfca55b99c0e284aff23c8f779499f4af1f4a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 26 Mar 2013 13:52:22 -0400 Subject: remove duplicate 'include site_stunnel' this already exists in class site_stunnel::setup which is instantiated in this class --- puppet/modules/site_couchdb/manifests/stunnel.pp | 1 - 1 file changed, 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index f5001051..9e1bad49 100644 
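Review bot: Adding `$erlang_vm_port = '9001'` to `macro.leap_couchdb` opens the Erlang distribution port to the whole `net` zone (the macro is consumed by the `net2fw-couchdb` rule with `source => 'net'`, outside this hunk), and nothing in this series puts that port behind stunnel — only epmd (`4369`) is tunnelled. Erlang distribution is authenticated by the shared cookie alone and carries cluster traffic unencrypted, so anyone able to reach 9001 can attempt the cookie handshake and, with the cookie, run arbitrary code on the node; the same exposure applies to `5369`. Restrict the source of these ports to the cluster peers (the peer hosts are already listed in the `stunnel` hiera data used for the client tunnels) instead of `net`, and say so inline: `# 9001 is the Erlang distribution port: cleartext, cookie-authenticated only; reachable from cluster peers only`. Ideally the distribution port would be tunnelled the same way epmd is.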
--- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -1,7 +1,6 @@ class site_couchdb::stunnel ($key, $cert, $ca) { include x509::variables - include site_stunnel $cert_name = 'leap_couchdb' $ca_name = 'leap_ca' -- cgit v1.2.3 From 8b75721b7941c8ab6b7dc05101e80a121dcb0849 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 31 Mar 2013 12:09:45 -0400 Subject: shorewall: add couch_server stunnel port to macro.leap_couchdb, this is necessary for the stunnel to communicate --- puppet/modules/site_shorewall/manifests/couchdb.pp | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp index 04b608e2..6a8c2cf2 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb.pp @@ -2,7 +2,10 @@ class site_shorewall::couchdb { include site_shorewall::defaults - $couchdb_port = '6984' + $stunnel = hiera('stunnel') + $couch_server = $stunnel['couch_server'] + $couch_stunnel_port = $couch_server['accept'] + # Erlang Port Mapper daemon, used for communication between # bigcouch cluster nodes $portmapper_port = '5369' @@ -12,12 +15,11 @@ class site_shorewall::couchdb { # define macro for incoming services file { '/etc/shorewall/macro.leap_couchdb': - content => "PARAM - - tcp ${couchdb_port},${portmapper_port},${erlang_vm_port}", + content => "PARAM - - tcp ${couch_stunnel_port},${portmapper_port},${erlang_vm_port}", notify => Service['shorewall'], require => Package['shorewall'] } - shorewall::rule { 'net2fw-couchdb': source => 'net', -- cgit v1.2.3 From ebc6b4f0e8f8c29b02b284d60402faaddbe2f6a3 Mon Sep 17 00:00:00 2001 
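Review bot: `$couch_stunnel_port = $couch_server['accept']` is interpolated straight into the shorewall macro, but a stunnel `accept` value may legitimately be `host:port` rather than a bare port, and `hiera('stunnel')` with no default makes this class fail compilation on any node lacking the key. Either document the contract, `# stunnel.couch_server.accept must be a bare port number (shorewall needs no bind address here)`, or split on `:` before use. Also, the bigcouch-only ports `${portmapper_port}` and `${erlang_vm_port}` remain in this macro for every CouchDB node, so non-clustered nodes expose them as well.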
From: Micah Anderson Date: Sun, 31 Mar 2013 12:10:33 -0400 Subject: lint so default options are together --- puppet/modules/site_stunnel/manifests/clients.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp index b23c7bc6..ed766e1a 100644 --- a/puppet/modules/site_stunnel/manifests/clients.pp +++ b/puppet/modules/site_stunnel/manifests/clients.pp @@ -2,10 +2,10 @@ define site_stunnel::clients ( $accept_port, $connect_port, $connect, - $client = true, $cafile, $key, $cert, + $client = true, $verify = '2', $pid = $name, $rndfile = '/var/lib/stunnel4/.rnd', -- cgit v1.2.3 From fa65ec5b35433ecc643aa240db4c42e60dac6af9 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 31 Mar 2013 12:16:54 -0400 Subject: remove unnecessary class inheritance --- puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp index f96ef87b..2afdea87 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp @@ -1,4 +1,4 @@ -class site_shorewall::couchdb::bigcouch inherits site_shorewall::couchdb { +class site_shorewall::couchdb::bigcouch { include site_shorewall::defaults -- cgit v1.2.3 From 6714ff4ae1a53b6b3eda66f13c2212c3ba285bf3 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 31 Mar 2013 12:19:46 -0400 Subject: refactor couch_client stunnel to use new stunnel_client leap_cli macro re-order variables to be more consistant --- puppet/modules/site_webapp/manifests/couchdb.pp | 32 +++++++++++++++---------- 1 file changed, 20 insertions(+), 12 deletions(-) (limited to 'puppet') 
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index ffc4454b..e956fd54 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -1,9 +1,5 @@ class site_webapp::couchdb { - $x509 = hiera('x509') - $key = $x509['key'] - $cert = $x509['cert'] - $ca = $x509['ca_cert'] $webapp = hiera('webapp') # haproxy listener on port localhost:4096, see site_webapp::haproxy $couchdb_host = 'localhost' @@ -13,6 +9,21 @@ class site_webapp::couchdb { $couchdb_webapp_user = $webapp['couchdb_webapp_user']['username'] $couchdb_webapp_password = $webapp['couchdb_webapp_user']['password'] + $stunnel = hiera('stunnel') + $couch_client = $stunnel['couch_client'] + $couch_client_connect = $couch_client['connect'] + + include x509::variable + $x509 = hiera('x509') + $key = $x509['key'] + $cert = $x509['cert'] + $ca = $x509['ca_cert'] + $cert_name = 'leap_couchdb' + $ca_name = 'leap_ca' + $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" + $cert_path = "${x509::variables::certs}/${cert_name}.crt" + $key_path = "${x509::variables::keys}/${cert_name}.key" + file { '/srv/leap-webapp/config/couchdb.yml.admin': content => template('site_webapp/couchdb.yml.admin.erb'), @@ -48,15 +59,12 @@ class site_webapp::couchdb { } $couchdb_stunnel_client_defaults = { - 'connect_port' => '6984', + 'connect_port' => $couch_client_connect, 'client' => true, - 'cafile' => "${x509::variables::local_CAs}/${ca_name}.crt", - 'key' => "${x509::variables::keys}/${cert_name}.key", - 'cert' => "${x509::variables::certs}/${cert_name}.crt", - 'verify' => '2', - 'rndfile' => '/var/lib/stunnel4/.rnd', - 'debuglevel' => '4' + 'cafile' => $ca_path, + 'key' => $key_path, + 'cert' => $cert_path, } - create_resources(site_stunnel::clients, hiera('stunnel'), $couchdb_stunnel_client_defaults) + create_resources(site_stunnel::clients, $couch_client, $couchdb_stunnel_client_defaults) } -- cgit v1.2.3 
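Review bot: `include x509::variable` is a typo — the class used everywhere else in this series, and referenced a few lines later as `${x509::variables::local_CAs}`, is `x509::variables`; unless an `x509::variable` class exists, which nothing here suggests, Puppet aborts the catalog with "Could not find class", so the line should read `include x509::variables`. Separately, `$couch_client['connect']` is read as a scalar and then `create_resources(site_stunnel::clients, $couch_client, …)` iterates the same hash, so unless the hiera layout nests the per-peer entries under other keys, the `connect` key itself is handed to `create_resources` as a resource title with a string body; the expected shape of `stunnel.couch_client` deserves a comment where it is read. The middle of the class is outside these hunks.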
From dd459efb1063de6c11f9f11583290c6a0891436a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 31 Mar 2013 12:22:52 -0400 Subject: replace long-form variables with shorter ones remove unnecessary bigcouch_replication_client_default values (verify, rndfile, debuglevel) --- puppet/modules/site_couchdb/manifests/stunnel.pp | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 9e1bad49..a49b51b9 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -49,12 +49,9 @@ class site_couchdb::stunnel ($key, $cert, $ca) { $couchdb_stunnel_client_defaults = { 'connect_port' => '5369', 'client' => true, - 'cafile' => "${x509::variables::local_CAs}/${ca_name}.crt", - 'key' => "${x509::variables::keys}/${cert_name}.key", - 'cert' => "${x509::variables::certs}/${cert_name}.crt", - 'verify' => '2', - 'rndfile' => '/var/lib/stunnel4/.rnd', - 'debuglevel' => '4' + 'cafile' => $ca_path, + 'key' => $key_path, + 'cert' => $cert_path, } create_resources(site_stunnel::clients, hiera('stunnel'), $couchdb_stunnel_client_defaults) -- cgit v1.2.3 From baf3ed5b6db4e8af052564864d8c3e426cf5d9d0 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Sun, 31 Mar 2013 12:32:42 -0400 Subject: switch to using stunnel_client and stunnel_server leap_cli macros add bigcouch_replication_clients to couchdb.json change site_couchdb/manifests/stunnel to use stunnel_client and stunnel_server generated hiera values to setup the stunnels for the couch_server connections, and the bigcouch_replication_server and bigcouch_replication_clients tunnels instead of using hard-coded ips and ports. also change the pid names to be more consistent with what the tunnels are and are named --- puppet/modules/site_couchdb/manifests/stunnel.pp | 41 +++++++++++++++--------- 1 file changed, 26 insertions(+), 15 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index a49b51b9..1eb79293 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -1,13 +1,26 @@ class site_couchdb::stunnel ($key, $cert, $ca) { - include x509::variables + $stunnel = hiera('stunnel') + + $couch_server = $stunnel['couch_server'] + $couch_server_accept = $couch_server['accept'] + $couch_server_connect = $couch_server['connect'] + + $bigcouch_replication_server = $stunnel['bigcouch_replication_server'] + $bigcouch_replication_server_accept = $bigcouch_replication_server['accept'] + $bigcouch_replication_server_connect = $bigcouch_replication_server['connect'] + $bigcouch_replication_clients = $stunnel['bigcouch_replication_clients'] + + include x509::variables $cert_name = 'leap_couchdb' $ca_name = 'leap_ca' $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" $cert_path = "${x509::variables::certs}/${cert_name}.crt" $key_path = "${x509::variables::keys}/${cert_name}.key" + # basic setup: ensure cert, key, ca files are in place, and some generic + # stunnel things are done class { 'site_stunnel::setup': cert_name => $cert_name, key => $key, 
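Review bot: The new hiera lookups at the top of `site_couchdb::stunnel` — `$stunnel['bigcouch_replication_server']['accept']` and `$stunnel['bigcouch_replication_clients']` — are unconditional, so a CouchDB node that is not part of a bigcouch cluster (`site_couchdb` has a `$bigcouch = false` parameter) either fails catalog compilation on indexing an undef hash or, if the keys exist, gets a replication listener it should not have. Wrap the bigcouch lookups and the corresponding tunnel declarations in `if $bigcouch { … }` or pass that flag into this class. The comment `# basic setup: …` could also name what it does: `# site_stunnel::setup writes ${ca_path}, ${cert_path} and ${key_path} and notifies Service['stunnel']`. The hunk ends before the `ca => $ca` argument and the rest of the class.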
@@ -15,45 +28,43 @@ class site_couchdb::stunnel ($key, $cert, $ca) { ca => $ca } - # webapp access - stunnel::service { 'couchdb': - accept => '6984', - connect => '127.0.0.1:5984', + # setup a stunnel server for the webapp to connect to couchdb + stunnel::service { 'couch_server': + accept => $couch_server_accept, + connect => $couch_server_connect, client => false, cafile => $ca_path, key => $key_path, cert => $cert_path, verify => '2', - pid => '/var/run/stunnel4/bigcouch.pid', + pid => '/var/run/stunnel4/couchserver.pid', rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } - # clustering between bigcouch nodes + # setup stunnels for bigcouch clustering between each bigcouchdb node # server - stunnel::service { 'bigcouch': - accept => '5369', - connect => '127.0.0.1:4369', + stunnel::service { 'bigcouch_replication_server': + accept => $bigcouch_replication_server_accept, + connect => $bigcouch_replication_server_connect, client => false, cafile => $ca_path, key => $key_path, cert => $cert_path, verify => '2', - pid => '/var/run/stunnel4/couchdb.pid', + pid => '/var/run/stunnel4/bigcouchreplication_server.pid', rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } # clients - $couchdb_stunnel_client_defaults = { - 'connect_port' => '5369', + $bigcouch_replication_client_defaults = { 'client' => true, 'cafile' => $ca_path, 'key' => $key_path, 'cert' => $cert_path, } - create_resources(site_stunnel::clients, hiera('stunnel'), $couchdb_stunnel_client_defaults) + create_resources(site_stunnel::clients, $bigcouch_replication_clients, $bigcouch_replication_client_defaults) } - -- cgit v1.2.3 From 128c8ddfd4969a9b9b525cb4f4a34b1e98c2fe76 Mon Sep 17 00:00:00 2001 
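Review bot: The new pid file names in the two `stunnel::service` resources do not follow the resource names they belong to: `couch_server` gets `couchserver.pid` and `bigcouch_replication_server` gets `bigcouchreplication_server.pid`, mixing joined and underscored forms in one hunk although the commit sets out to make the names consistent. Naming the files after the resources, `pid => '/var/run/stunnel4/couch_server.pid',` and `pid => '/var/run/stunnel4/bigcouch_replication_server.pid',`, keeps the mapping obvious when reading `/var/run/stunnel4`. Separately, with `connect_port` removed from the defaults every entry of the `bigcouch_replication_clients` hiera hash must now carry it (plus whatever else `site_stunnel::clients` requires), which deserves a short comment above the `create_resources` call listing the required keys; the enclosing class begins outside this hunk.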
From: Micah Anderson Date: Sun, 31 Mar 2013 12:39:36 -0400 Subject: shorewall: create a macro for the bigcouch replication server stunnel to enable these connections pulling bigcouch_replication_clients, bigcouch_replication_server_port from hiera create site_shorewall::couchdb::dnat and create_resources to properly setup DNAT for bigcouch_replication_clients --- .../site_shorewall/manifests/couchdb/bigcouch.pp | 30 +++++++++++++++++++++- .../site_shorewall/manifests/couchdb/dnat.pp | 21 +++++++++++++++ 2 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_shorewall/manifests/couchdb/dnat.pp (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp index 2afdea87..a0d63d15 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp @@ -2,6 +2,34 @@ class site_shorewall::couchdb::bigcouch { include site_shorewall::defaults - create_resources(site_shorewall::dnat, hiera('shorewall_dnat')) + $stunnel = hiera('stunnel') + $bigcouch_replication_clients = $stunnel['bigcouch_replication_clients'] + + $bigcouch_replication_server = $stunnel['bigcouch_replication_server'] + $bigcouch_replication_server_port = $bigcouch_replication_server['accept'] + + # define macro for incoming services + file { '/etc/shorewall/macro.leap_bigcouch': + content => "PARAM - - tcp ${bigcouch_replication_server_port}", + notify => Service['shorewall'], + require => Package['shorewall'] + } + + shorewall::rule { + 'net2fw-bigcouch': + source => 'net', + destination => '$FW', + action => 'leap_bigcouch(ACCEPT)', + order => 300; + } + + $bigcouch_shorewall_dnat_defaults = { + 'source' => '$FW', + 'proto' => 'tcp', + 'destinationport' => '4369', + } + + create_resources(site_shorewall::couchdb::dnat, $bigcouch_replication_clients, $bigcouch_shorewall_dnat_defaults) } + 
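Review bot: The macro content `"PARAM - - tcp ${bigcouch_replication_server_port}"` has no guard for an unset port: if `accept` is missing from the hiera `bigcouch_replication_server` entry the file becomes `PARAM - - tcp ` and, as Shorewall reads an empty port column as any port, the `net2fw-bigcouch` rule would then accept every TCP port from `net` to `$FW`. A compile-time check such as `if ! $bigcouch_replication_server_port { fail('hiera stunnel.bigcouch_replication_server.accept is missing') }` before the `file` resource turns that into a catalog failure instead of an open firewall; the same applies to `${couch_stunnel_port}` in macro.leap_couchdb in commit ee1555bd. The `net2fw-bigcouch` rule also exposes the replication stunnel port to the whole `net` zone although the peers are already enumerated in `$bigcouch_replication_clients`; limiting `source` to those peer addresses would add a defence-in-depth layer on top of stunnel's certificate check, though whether the hiera entries carry a usable address is not visible here.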
diff --git a/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp b/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp new file mode 100644 index 00000000..85cea9d5 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp @@ -0,0 +1,21 @@ +define site_shorewall::couchdb::dnat ( + $source, + $connect, + $connect_port, + $accept_port, + $proto, + $destinationport ) +{ + + + shorewall::rule { + "dnat_${name}_${destinationport}": + source => $source, + destination => "\$FW:127.0.0.1:${accept_port}", + destinationport => $destinationport, + originaldest => $connect, + proto => $proto, + order => 200, + action => 'DNAT'; + } +} -- cgit v1.2.3 From c849ef699d6426b3161f901eea625247cdefbef5 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 2 Apr 2013 16:41:06 -0400 Subject: fix variable curly braces --- puppet/modules/site_config/manifests/hosts.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index 81795f7d..1e1590f5 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -9,7 +9,7 @@ class site_config::hosts() { content => $hostname } - exec { "/bin/hostname $hostname": + exec { "/bin/hostname ${hostname}": subscribe => [ File['/etc/hostname'], File['/etc/hosts'] ], refreshonly => true; } -- cgit v1.2.3 From ee1555bd9091e1ffe66e54856d2bde72d50a7e60 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 2 Apr 2013 16:55:12 -0400 Subject: firewall: remove no longer needed epmd port --- puppet/modules/site_shorewall/manifests/couchdb.pp | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp index 6a8c2cf2..1ef91bb0 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb.pp 
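Review bot: `originaldest => $connect` in the new define passes the client's `connect` value straight into Shorewall's ORIGINAL DEST column, which expects an address, yet the later commit 0227e03 strips an `ip:` prefix from the matching server `connect` value, which suggests these entries are `ip:port` strings; if so, the generated rule carries a port inside the address field. The define should either extract the address component before use or document that `connect` must be a bare address. `$connect_port` is declared as a parameter but never used in the body, and the two blank lines after the opening brace are leftovers; if the parameter exists only so `create_resources` can pass hiera client entries through unchanged, a comment such as `# $connect_port is accepted so hiera client entries can be passed through unchanged` would stop a reader from treating it as a bug.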
+++ b/puppet/modules/site_shorewall/manifests/couchdb.pp @@ -6,16 +6,12 @@ class site_shorewall::couchdb { $couch_server = $stunnel['couch_server'] $couch_stunnel_port = $couch_server['accept'] - # Erlang Port Mapper daemon, used for communication between - # bigcouch cluster nodes - $portmapper_port = '5369' - # see http://stackoverflow.com/questions/8459949/bigcouch-cluster-connection-issue#comment10467603_8463814 $erlang_vm_port = '9001' # define macro for incoming services file { '/etc/shorewall/macro.leap_couchdb': - content => "PARAM - - tcp ${couch_stunnel_port},${portmapper_port},${erlang_vm_port}", + content => "PARAM - - tcp ${couch_stunnel_port},${erlang_vm_port}", notify => Service['shorewall'], require => Package['shorewall'] } -- cgit v1.2.3 From 0227e03513f38cfae4a041ba6740b425fdc21198 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 2 Apr 2013 17:09:22 -0400 Subject: replace hard-coded port number with hiera determined one, manipulated to remove the 'ip:' from the beginning in bigcouch replication client stunnels --- puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp index a0d63d15..85272657 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp @@ -7,6 +7,7 @@ class site_shorewall::couchdb::bigcouch { $bigcouch_replication_server = $stunnel['bigcouch_replication_server'] $bigcouch_replication_server_port = $bigcouch_replication_server['accept'] + $bigcouch_replication_connect = $bigcouch_replication_server['connect'] # define macro for incoming services file { '/etc/shorewall/macro.leap_bigcouch': 
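Review bot: The macro now reads `PARAM - - tcp ${couch_stunnel_port},${erlang_vm_port}`, which opens `$erlang_vm_port` (`9001`) alongside the stunnel port to whatever zone invokes `leap_couchdb`; going by the variable name and the linked thread that is the Erlang distribution listener, which the stunnels added in the neighbouring commits do not wrap, so it would be reachable in the clear with only the Erlang cookie as authentication. If it is needed only between cluster nodes it belongs in a separate macro or rule whose `source` is limited to the peer addresses rather than in the macro used for the web app's couch access. The `9001` value is also hard-coded with a URL as its only explanation; a comment stating what the port is and who may reach it, e.g. `# Erlang distribution listener; must only be reachable by peer cluster nodes`, would help the next reader. The enclosing class starts outside this hunk.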
@@ -26,7 +27,7 @@ class site_shorewall::couchdb::bigcouch { $bigcouch_shorewall_dnat_defaults = { 'source' => '$FW', 'proto' => 'tcp', - 'destinationport' => '4369', + 'destinationport' => regsubst($bigcouch_replication_connect, '^([0-9.]+:)([0-9]+)$', '\2') } create_resources(site_shorewall::couchdb::dnat, $bigcouch_replication_clients, $bigcouch_shorewall_dnat_defaults) -- cgit v1.2.3 From 1750bec7032e90ddbe43da35eb5f49066187d1d4 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 2 Apr 2013 17:43:43 -0400 Subject: shorewall: re-order dnat rule variables to match configuration file order --- puppet/modules/site_shorewall/manifests/couchdb/dnat.pp | 6 +++--- puppet/modules/site_shorewall/manifests/dnat.pp | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp b/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp index 85cea9d5..f1bc9acf 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp @@ -10,12 +10,12 @@ define site_shorewall::couchdb::dnat ( shorewall::rule { "dnat_${name}_${destinationport}": + action => 'DNAT', source => $source, destination => "\$FW:127.0.0.1:${accept_port}", + proto => $proto, destinationport => $destinationport, originaldest => $connect, - proto => $proto, - order => 200, - action => 'DNAT'; + order => 200 } } diff --git a/puppet/modules/site_shorewall/manifests/dnat.pp b/puppet/modules/site_shorewall/manifests/dnat.pp index 5992c91f..a73294cc 100644 --- a/puppet/modules/site_shorewall/manifests/dnat.pp +++ b/puppet/modules/site_shorewall/manifests/dnat.pp 
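Review bot: `regsubst($bigcouch_replication_connect, '^([0-9.]+:)([0-9]+)$', '\2')` returns its input unchanged when the pattern does not match, so a `connect` value written as `hostname:port`, an IPv6 literal, or a bare port flows into `destinationport` as-is and yields a DNAT rule with an address in its port column instead of a compile error. Validating before substituting, `if $bigcouch_replication_connect !~ /^[0-9.]+:[0-9]+$/ { fail("unexpected bigcouch_replication_server.connect: ${bigcouch_replication_connect}") }`, keeps the assumption explicit; the trailing comma dropped from this hash entry is harmless but inconsistent with the entries above it. The `$bigcouch_shorewall_dnat_defaults` hash starts inside the hunk but the enclosing class does not.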
@@ -8,12 +8,12 @@ define site_shorewall::dnat ( shorewall::rule { "dnat_${name}_${destinationport}": + action => 'DNAT', source => $source, destination => $destination, + proto => $proto, destinationport => $destinationport, originaldest => $originaldest, - proto => $proto, - order => 200, - action => 'DNAT'; + order => 200 } } -- cgit v1.2.3