Ask Your Question
0

getting IP addresses of all servers with a particular role in a manifest -

asked 2016-10-27 04:38:41 -0500

gilbo gravatar image

Hi There

Here's a question. We've a group of servers (5 or so) which provide a service to most of our other servers (hundreds of them!). This small group of servers will always have a the same role.

We create firewall rules on the rest of the estate and these servers need to connect in to the small group of servers. Now my question is, when a new server is added with the particular role, how can I get the firewall rules on all the other servers to automatically update?

Would it be something like a custom fact? Would anyone be able to provide some pointers how I'd achieve it?

Cheers

edit retag flag offensive close merge delete

2 Answers

Sort by » oldest newest most voted
1

answered 2016-10-27 07:59:04 -0500

DarylW gravatar image

There are two ways you can go about this, both require puppetdb.

The first way is to have exported resources. You could have each of the servers with a given role export a firewall rule that you could realize on the other servers.

The second approach is to use PuppetQueryLanguage (PQL - https://puppet.com/blog/introducing-p... ). From the linked documentation

#You can call PQL from Puppet

#Alongside PQL, we've introduced a function defined in the PuppetDB terminus package that queries PuppetDB from within a Puppet manifest. This function can be used to similar effect as in Erik Dalén’s puppet-puppetdbquery module, and in some cases, Puppet's exported resources. The function is called puppetdb_query, and using it is as simple as this:
$last_node_query = 'nodes{order by report_timestamp desc limit 1}'
$latest_node = puppetdb_query($last_node_query)[0]['certname']
Notify {"hello PQL":
    message => "My last report was from $latest_node.",
}

Using pql, you would be able to construct a query that would return the value of the appropriate values from facter (ipaddress or ipaddress_eth1, etc) for each of your nodes that has the appropriate role, and use that to construct your firewall rules (possibly in a base role for all the servers that require it, or a common profile.

edit flag offensive delete link more
1

answered 2016-10-28 02:53:29 -0500

gilbo gravatar image

updated 2016-10-28 02:54:44 -0500

Thanks DarylW. Your answer got me looking at PQL, reading up on it then took me to dalen's module puppet-puppetdbquery and that lead me install it and to simply add in my common profile:

$servers=query_facts('trusted.extensions.pp_role="<the role name i need>"' , ['networking.interfaces.eth0.ip'] )

and then iterate through the results of that with:

$servers.each |$name, $server| {
    firewalld_rich_rule { "Allow Incoming Traffic from server ${name} On SSH Port 22":
      ensure  => 'present',
      zone    => 'public',
      source  =>  $server[networking_interfaces_eth0_ip],
      service => 'ssh',
      action  => 'accept',
   }
  }

Great bit of code and module - very powerful I think.

edit flag offensive delete link more

Comments

I'm glad I could help point you in the right direction!

DarylW gravatar imageDarylW ( 2016-10-28 16:27:13 -0500 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2016-10-27 04:38:41 -0500

Seen: 77 times

Last updated: Oct 28 '16