Merge lp:~michael.nelson/charms/trusty/elasticsearch/ufw-for-peers-too into lp:~charmers/charms/trusty/elasticsearch/trunk

Proposed by Michael Nelson
Status: Merged
Approved by: Matt Bruzek
Approved revision: 41
Merge reported by: Matt Bruzek
Merged at revision: not available
Proposed branch: lp:~michael.nelson/charms/trusty/elasticsearch/ufw-for-peers-too
Merge into: lp:~charmers/charms/trusty/elasticsearch/trunk
Prerequisite: lp:~michael.nelson/charms/trusty/elasticsearch/add-ufw
Diff against target: 82 lines (+20/-2)
5 files modified
README.md (+4/-0)
hooks/hooks.py (+1/-0)
playbook.yaml (+4/-1)
tasks/peer-relations.yml (+0/-1)
tasks/setup-ufw.yml (+11/-0)
To merge this branch: bzr merge lp:~michael.nelson/charms/trusty/elasticsearch/ufw-for-peers-too
Reviewer Review Type Date Requested Status
Matt Bruzek (community) Approve
Kapil Thangavelu (community) Approve
Review via email: mp+225968@code.launchpad.net

Commit message

Firewall rules for the node-to-node communications port 9300

Description of the change

This branch follows on from the prerequisite, and adds firewall rules for the peer-to-peer communications port 9300.

I found that I could only deny all on 9300 once the unit had joined the cluster, as the es master communicates back to the unit as part of joining the cluster.

Here's a full demo of adding and destroying units showing the firewall rules at each step (note, the charm has a task that actually fails if a unit fails to join the cluster):

http://paste.ubuntu.com/7765540/

Revision history for this message
Kapil Thangavelu (hazmat) wrote :

Same comments apply to this as to the pre-req merge proposal, re upgrade of an extant cluster.

40. By Michael Nelson

Merged add-ufw

41. By Michael Nelson

Rewrite ufw during peer relations too.

Revision history for this message
Michael Nelson (michael.nelson) wrote :

Ditto (see comments on pre-req MP).

I tested an upgrade-charm of a configured elasticsearch service using
this branch: https://pastebin.canonical.com/114541/

Thanks.

Revision history for this message
Kapil Thangavelu (hazmat) wrote :

lgtm

review: Approve
Revision history for this message
Matt Bruzek (mbruzek) wrote :

I tested this several different ways and found it to work as described. Thank you Michael for providing the pastebin outline for tests.

I did deploy 2 nodes of elasticsearch before the ufw fix, verified they did not have ufw rules, and then upgraded-charm to the latest version. The upgrade went well and worked as expected.

I also tested with ELK relations, adding and destroying units of elasticsearch.

This change looks good to me. +1

review: Approve

Preview Diff

1=== modified file 'README.md'
2--- README.md 2014-07-30 07:23:55 +0000
3+++ README.md 2014-07-30 07:23:55 +0000
4@@ -37,6 +37,10 @@
5 epoch timestamp cluster status node.total node.data shards ...
6 1404728290 10:18:10 elasticsearch green 2 2 0
7
8+Note that the admin port (9200) is only accessible from the instance itself
9+and any clients that join. Similarly the node-to-node communication
10+port (9300) is only available to other units in the elasticsearch service.
11+
12 See the separate HACKING.md for information about deploying this charm
13 from a local repository.
14
15
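Review bot: the new README paragraph promises more than the rules enforce: the deny on 9300 in tasks/setup-ufw.yml is guarded by `when: not peer_relation_id == ""`, so a single-unit service, or a unit that has not yet joined the cluster, still has 9300 reachable from anywhere. Suggest qualifying the sentence, e.g. "port (9300) is only available to other units in the elasticsearch service once the unit has joined the cluster", so operators of one-node deployments know the port is not yet closed.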
16=== modified file 'hooks/hooks.py'
17--- hooks/hooks.py 2014-07-30 07:23:55 +0000
18+++ hooks/hooks.py 2014-07-30 07:23:55 +0000
19@@ -13,6 +13,7 @@
20 'config-changed',
21 'cluster-relation-joined',
22 'peer-relation-joined',
23+ 'peer-relation-departed',
24 'nrpe-external-master-relation-changed',
25 'rest-relation-joined',
26 'start',
27
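Review bot: only `peer-relation-joined` and `peer-relation-departed` are registered here, with no `peer-relation-changed`, so if a peer's private-address changes after it has joined, the 9300 allow rule derived from `item.value['private-address']` in tasks/setup-ufw.yml is never rewritten for the new address. Either register `'peer-relation-changed'` as well (with its symlink, as done for `peer-relation-departed`) and add it to the setup-ufw tags in playbook.yaml, or document the limitation in README.md.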
28=== added symlink 'hooks/peer-relation-departed'
29=== target is u'hooks.py'
30=== modified file 'playbook.yaml'
31--- playbook.yaml 2014-07-30 07:23:55 +0000
32+++ playbook.yaml 2014-07-30 07:23:55 +0000
33@@ -13,17 +13,20 @@
34 vars:
35 - service_name: "{{ local_unit.split('/')[0] }}"
36 - client_relation_id: "{{ relations['client'].keys()[0] | default('') }}"
37+ - peer_relation_id: "{{ relations['peer'].keys()[0] | default('') }}"
38
39 tasks:
40
41 - include: tasks/install-elasticsearch.yml
42+ - include: tasks/peer-relations.yml
43 - include: tasks/setup-ufw.yml
44 tags:
45 - install
46 - upgrade-charm
47 - client-relation-joined
48 - client-relation-departed
49- - include: tasks/peer-relations.yml
50+ - peer-relation-joined
51+ - peer-relation-departed
52
53 - name: Update configuration
54 tags:
55
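Review bot: moving `- include: tasks/peer-relations.yml` ahead of `tasks/setup-ufw.yml` is load-bearing (the description says 9300 can only be denied once the unit has joined the cluster, and the deny in setup-ufw.yml is keyed on `peer_relation_id`), but nothing in the playbook says so; a one-line comment above the include would stop a later cleanup from swapping the order back. Separately, `relations['peer'].keys()[0] | default('')` only falls back to `''` when the whole expression is undefined: if `relations['peer']` exists but is an empty dict, `keys()[0]` raises an IndexError before the filter is applied. It copies the existing `client_relation_id` pattern, so presumably the relations fact always carries a peer relation id, but it is worth confirming on a fresh single-unit deploy, which is also the case the `when: not peer_relation_id == ""` guard in setup-ufw.yml depends on.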
56=== modified file 'tasks/peer-relations.yml'
57--- tasks/peer-relations.yml 2014-06-06 14:40:08 +0000
58+++ tasks/peer-relations.yml 2014-07-30 07:23:55 +0000
59@@ -54,4 +54,3 @@
60 - peer-relation-joined
61 fail: msg="Unit failed to join cluster during peer-relation-joined"
62 when: cluster_health.json.number_of_nodes == 1 and cluster_health_after_restart.json.number_of_nodes == 1
63-
64
65=== modified file 'tasks/setup-ufw.yml'
66--- tasks/setup-ufw.yml 2014-07-30 07:23:55 +0000
67+++ tasks/setup-ufw.yml 2014-07-30 07:23:55 +0000
68@@ -27,3 +27,14 @@
69
70 - name: Deny all other requests on 9200
71 ufw: rule=deny port=9200
72+
73+- name: Open the firewall for all peers
74+ ufw: rule=allow src={{ item.value['private-address'] }} port=9300 proto=tcp
75+ with_dict: relations["peer"]["{{ peer_relation_id }}"] | default({})
76+ when: not item.key == local_unit
77+
78+# Only deny incoming on 9300 once the unit is part of a cluster.
79+- name: Deny all incoming requests on 9300 once unit is part of cluster
80+ ufw: rule=deny port=9300
81+ when: not peer_relation_id == ""
82+
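Review bot: the loop appends one `ufw allow` per current peer, but nothing in this hunk removes the rule for a unit that has departed, so unless the earlier part of tasks/setup-ufw.yml (outside this diff) resets ufw before these tasks run, a destroyed unit's private-address stays allowed on 9300 after `peer-relation-departed`. The commit message "Rewrite ufw during peer relations too" suggests such a reset exists; please confirm, and consider a comment here pointing at it. Minor: the deny rule is `rule=deny port=9300` without `proto=tcp` while the allow rule specifies tcp, which is fine (the deny covers both protocols) but deserves a short comment so it is not later "corrected" to tcp-only and left open on udp.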
