Merge lp:~michael.nelson/charms/trusty/elasticsearch/ufw-for-peers-too into lp:~charmers/charms/trusty/elasticsearch/trunk

Proposed by Michael Nelson
Status: Merged
Approved by: Matt Bruzek
Approved revision: 41
Merge reported by: Matt Bruzek
Merged at revision: not available
Proposed branch: lp:~michael.nelson/charms/trusty/elasticsearch/ufw-for-peers-too
Merge into: lp:~charmers/charms/trusty/elasticsearch/trunk
Prerequisite: lp:~michael.nelson/charms/trusty/elasticsearch/add-ufw
Diff against target: 82 lines (+20/-2)
5 files modified
README.md (+4/-0)
hooks/hooks.py (+1/-0)
playbook.yaml (+4/-1)
tasks/peer-relations.yml (+0/-1)
tasks/setup-ufw.yml (+11/-0)
To merge this branch: bzr merge lp:~michael.nelson/charms/trusty/elasticsearch/ufw-for-peers-too
Reviewer Review Type Date Requested Status
Matt Bruzek (community) Approve
Kapil Thangavelu (community) Approve
Review via email: mp+225968@code.launchpad.net

Commit message

Firewall rules for the node-to-node communications port 9300

Description of the change

This branch follows on from the prerequisite, and adds firewall rules for the peer-to-peer communications port 9300.

I found that I could only deny all on 9300 once the unit had joined the cluster, as the ES master communicating back to the unit is part of joining the cluster.

Here's a full demo of adding and destroying units showing the firewall rules at each step (note: the charm has a task that actually fails if a unit fails to join the cluster):

http://paste.ubuntu.com/7765540/
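As an added example (not code from the charm or this branch), the check below parses `ufw status numbered` output and verifies the 9300 policy the branch sets up: an allow from every peer address, no allow from anyone else, a catch-all deny, and every peer allow ordered ahead of the deny, since ufw applies the first matching rule. The sample status output and the peer addresses are constructed for illustration.

```python
import re

# Constructed sample of `ufw status numbered` output from a hypothetical unit (not real).
SAMPLE_STATUS = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 9200                       ALLOW IN    10.0.3.11
[ 2] 9200                       DENY IN     Anywhere
[ 3] 9300/tcp                   ALLOW IN    10.0.3.12
[ 4] 9300/tcp                   ALLOW IN    10.0.3.13
[ 5] 9300                       DENY IN     Anywhere
"""

# One numbered rule line: index, destination, action, source.
RULE_RE = re.compile(r"^\[\s*(\d+)\]\s+(\S+)\s+(ALLOW|DENY)\s+IN\s+(\S+)")

def parse_rules(status_text):
    """Return (index, port, action, source) tuples in ufw evaluation order."""
    rules = []
    for line in status_text.splitlines():
        match = RULE_RE.match(line)
        if match:
            idx, dest, action, src = match.groups()
            rules.append((int(idx), dest.split("/")[0], action, src))
    return rules

def check_peer_port(rules, peers, port="9300"):
    """Return policy violations for the peer port (empty list when clean).
    Policy: each peer has an ALLOW, nothing else does, a catch-all DENY exists,
    and every peer ALLOW precedes it (ufw is first-match, so a later ALLOW is dead)."""
    problems = []
    port_rules = [r for r in rules if r[1] == port]
    deny_idx = [r[0] for r in port_rules if r[2] == "DENY" and r[3] == "Anywhere"]
    if not deny_idx:
        problems.append(f"no catch-all DENY on {port}")
    allowed = {r[3]: r[0] for r in port_rules if r[2] == "ALLOW"}
    for peer in peers:
        if peer not in allowed:
            problems.append(f"peer {peer} has no ALLOW on {port}")
        elif deny_idx and allowed[peer] > deny_idx[0]:
            problems.append(f"ALLOW for {peer} sits after the DENY and never matches")
    for src in allowed:
        if src not in peers:
            problems.append(f"unexpected ALLOW on {port} from {src}")
    return problems
```

On a real unit, feed it the output of `sudo ufw status numbered` and the peers' private addresses from the peer relation.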

Revision history for this message
Kapil Thangavelu (hazmat) wrote :

Same comments apply to this as to the pre-req merge proposal, re upgrade of an extant cluster.

40. By Michael Nelson

Merged add-ufw

41. By Michael Nelson

Rewrite ufw during peer relations too.

Revision history for this message
Michael Nelson (michael.nelson) wrote :

Ditto (see comments on pre-req MP).

I tested an upgrade-charm of a configured elasticsearch service using
this branch: https://pastebin.canonical.com/114541/

Thanks.

Revision history for this message
Kapil Thangavelu (hazmat) wrote :

lgtm

review: Approve
Revision history for this message
Matt Bruzek (mbruzek) wrote :

I tested this several different ways and found it to work as described. Thank you, Michael, for providing the pastebin outline for tests.

I did deploy 2 nodes of elasticsearch before the ufw fix, verified they did not have ufw rules, and then upgraded-charm to the latest version. The upgrade went well and worked as expected.

I also tested with ELK relations, adding and destroying units of elasticsearch.

This change looks good to me. +1

review: Approve

Preview Diff

=== modified file 'README.md'
--- README.md 2014-07-30 07:23:55 +0000
+++ README.md 2014-07-30 07:23:55 +0000
@@ -37,6 +37,10 @@
37 epoch timestamp cluster status node.total node.data shards ...37 epoch timestamp cluster status node.total node.data shards ...
38 1404728290 10:18:10 elasticsearch green 2 2 038 1404728290 10:18:10 elasticsearch green 2 2 0
3939
40Note that the admin port (9200) is only accessible from the instance itself
41and any clients that join. Similarly the node-to-node communication
42port (9300) is only available to other units in the elasticsearch service.
43
40See the separate HACKING.md for information about deploying this charm44See the separate HACKING.md for information about deploying this charm
41from a local repository.45from a local repository.
4246
4347
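Review bot: the new README paragraph (lines 40-42) says the node-to-node port 9300 "is only available to other units in the elasticsearch service", but per the description and the setup-ufw.yml hunk the deny on 9300 is only applied once a peer relation id is present, so the statement is not true for a unit that has not yet joined the cluster. Suggest qualifying it, e.g. `port (9300) is only available to other units in the elasticsearch service once the unit has joined the cluster.`, and mentioning that existing deployments get the rules on upgrade-charm, which is the point Kapil raised.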
=== modified file 'hooks/hooks.py'
--- hooks/hooks.py 2014-07-30 07:23:55 +0000
+++ hooks/hooks.py 2014-07-30 07:23:55 +0000
@@ -13,6 +13,7 @@
13 'config-changed',13 'config-changed',
14 'cluster-relation-joined',14 'cluster-relation-joined',
15 'peer-relation-joined',15 'peer-relation-joined',
16 'peer-relation-departed',
16 'nrpe-external-master-relation-changed',17 'nrpe-external-master-relation-changed',
17 'rest-relation-joined',18 'rest-relation-joined',
18 'start',19 'start',
1920
=== added symlink 'hooks/peer-relation-departed'
=== target is u'hooks.py'
=== modified file 'playbook.yaml'
--- playbook.yaml 2014-07-30 07:23:55 +0000
+++ playbook.yaml 2014-07-30 07:23:55 +0000
@@ -13,17 +13,20 @@
13 vars:13 vars:
14 - service_name: "{{ local_unit.split('/')[0] }}"14 - service_name: "{{ local_unit.split('/')[0] }}"
15 - client_relation_id: "{{ relations['client'].keys()[0] | default('') }}"15 - client_relation_id: "{{ relations['client'].keys()[0] | default('') }}"
16 - peer_relation_id: "{{ relations['peer'].keys()[0] | default('') }}"
1617
17 tasks:18 tasks:
1819
19 - include: tasks/install-elasticsearch.yml20 - include: tasks/install-elasticsearch.yml
21 - include: tasks/peer-relations.yml
20 - include: tasks/setup-ufw.yml22 - include: tasks/setup-ufw.yml
21 tags:23 tags:
22 - install24 - install
23 - upgrade-charm25 - upgrade-charm
24 - client-relation-joined26 - client-relation-joined
25 - client-relation-departed27 - client-relation-departed
26 - include: tasks/peer-relations.yml28 - peer-relation-joined
29 - peer-relation-departed
2730
28 - name: Update configuration31 - name: Update configuration
29 tags:32 tags:
3033
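Review bot: moving the `tasks/peer-relations.yml` include ahead of `tasks/setup-ufw.yml` (lines 20-22) is load-bearing, since the description notes 9300 can only be denied once the unit has joined the cluster, yet nothing in the playbook records that; a one-line comment above the include, e.g. `# must run before setup-ufw.yml: the 9300 deny assumes the unit has already joined`, would keep a later reorder from silently reopening that window. Also, `relations['peer'].keys()[0] | default('')` (line 16) copies the client_relation_id idiom and works because Jinja2 turns the lookup error on an empty dict into an undefined value that default() catches, but `.keys()[0]` is Python 2 only; worth a note if the charm ever moves to Python 3.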
=== modified file 'tasks/peer-relations.yml'
--- tasks/peer-relations.yml 2014-06-06 14:40:08 +0000
+++ tasks/peer-relations.yml 2014-07-30 07:23:55 +0000
@@ -54,4 +54,3 @@
54 - peer-relation-joined54 - peer-relation-joined
55 fail: msg="Unit failed to join cluster during peer-relation-joined"55 fail: msg="Unit failed to join cluster during peer-relation-joined"
56 when: cluster_health.json.number_of_nodes == 1 and cluster_health_after_restart.json.number_of_nodes == 156 when: cluster_health.json.number_of_nodes == 1 and cluster_health_after_restart.json.number_of_nodes == 1
57
5857
=== modified file 'tasks/setup-ufw.yml'
--- tasks/setup-ufw.yml 2014-07-30 07:23:55 +0000
+++ tasks/setup-ufw.yml 2014-07-30 07:23:55 +0000
@@ -27,3 +27,14 @@
2727
28- name: Deny all other requests on 920028- name: Deny all other requests on 9200
29 ufw: rule=deny port=920029 ufw: rule=deny port=9200
30
31- name: Open the firewall for all peers
32 ufw: rule=allow src={{ item.value['private-address'] }} port=9300 proto=tcp
33 with_dict: relations["peer"]["{{ peer_relation_id }}"] | default({})
34 when: not item.key == local_unit
35
36# Only deny incoming on 9300 once the unit is part of a cluster.
37- name: Deny all incoming requests on 9300 once unit is part of cluster
38 ufw: rule=deny port=9300
39 when: not peer_relation_id == ""
40
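Review bot: ufw is first-match and `ufw: rule=allow` (line 32) appends, so unless the top of setup-ufw.yml (outside this hunk) resets the rule set on every run as the commit message "Rewrite ufw" suggests, an allow for a peer that joins after the 9300 deny (line 38) is already in place will land behind the deny and never match; please confirm the reset, or insert the peer allows ahead of the deny. Smaller points: the deny on 9300 carries no proto while the peer allows are tcp-only (consistent with the 9200 rule above, but worth making deliberate), the comment on line 36 duplicates the task name on line 37, and `when: not item.key == local_unit` (line 34) reads better as `when: item.key != local_unit`.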
