From b9b510ba6a93502ad34a46f9dbb8c8577e968102 Mon Sep 17 00:00:00 2001 From: Jeremy Stanley Date: Thu, 28 Mar 2013 02:42:05 +0000 Subject: [PATCH] Connectivity from workers to gearmand on zuul. * manifests/site.pp: Pass both jenkins.openstack.org and jenkins-dev.openstack.org to openstack_project::zuul as the list of gearman workers for use in iptables rules. * modules/openstack_project/manifests/jenkins.pp * modules/openstack_project/manifests/jenkins_dev.pp: Remove unused 4155/tcp from public allowed ports list, previously for a bzr service which is no longer running on these servers. * modules/openstack_project/manifests/zuul.pp: Add iptables rules allowing access from gearman workers to the gearmand, and also configure gearmand to listen on all addresses including IPv6, as opposed to its IPv4-only default. * install_modules.sh: Add puppetlabs-stdlib version 3.2.0 to the list of puppet dependencies. This is required to pull in the "flatten" function used in zuul.pp above. Change-Id: I05d4abc92b3050884a7e9f3c2b6cd9dcc81bfa36 Reviewed-on: https://review.openstack.org/26245 Reviewed-by: James E. Blair Reviewed-by: Jeremy Stanley Approved: Jeremy Stanley Tested-by: Jenkins --- install_modules.sh | 1 + manifests/site.pp | 7 +++++++ modules/openstack_project/manifests/jenkins.pp | 2 +- modules/openstack_project/manifests/jenkins_dev.pp | 2 +- modules/openstack_project/manifests/zuul.pp | 12 ++++++++---- 5 files changed, 18 insertions(+), 6 deletions(-) diff --git a/install_modules.sh b/install_modules.sh index 44857c78fa..0fb74a0640 100755 --- a/install_modules.sh +++ b/install_modules.sh @@ -29,6 +29,7 @@ MODULES["puppetlabs-apache"]="0.0.4" MODULES["puppetlabs-apt"]="1.1.0" MODULES["puppetlabs-mysql"]="0.5.0" MODULES["puppetlabs-postgresql"]="2.0.1" +MODULES["puppetlabs-stdlib"]="3.2.0" MODULES["saz-memcached"]="2.0.2" MODULES["saz-gearman"]="2.0.1" diff --git a/manifests/site.pp b/manifests/site.pp index 00e1b8c7d9..a96909f713 100644 --- a/manifests/site.pp 
+++ b/manifests/site.pp @@ -229,9 +229,16 @@ node 'zuul.openstack.org' { url_pattern => 'http://logs.openstack.org/{change.number}/{change.patchset}/{pipeline.name}/{job.name}/{build.number}', sysadmins => hiera('sysadmins'), statsd_host => 'graphite.openstack.org', + gearman_workers => [ + 'jenkins.openstack.org', + 'jenkins-dev.openstack.org', + ], } # co-host gearman-job-server include gearman + class { 'gearman': + listen => '::', + } } # A bare machine, but with a jenkins user diff --git a/modules/openstack_project/manifests/jenkins.pp b/modules/openstack_project/manifests/jenkins.pp index 23311f97c8..c8dd59429d 100644 --- a/modules/openstack_project/manifests/jenkins.pp +++ b/modules/openstack_project/manifests/jenkins.pp @@ -9,7 +9,7 @@ class openstack_project::jenkins ( $sysadmins = [] ) { class { 'openstack_project::server': - iptables_public_tcp_ports => [80, 443, 4155], + iptables_public_tcp_ports => [80, 443], sysadmins => $sysadmins, } diff --git a/modules/openstack_project/manifests/jenkins_dev.pp b/modules/openstack_project/manifests/jenkins_dev.pp index 1a332c99f2..cf91c2520a 100644 --- a/modules/openstack_project/manifests/jenkins_dev.pp +++ b/modules/openstack_project/manifests/jenkins_dev.pp @@ -4,7 +4,7 @@ class openstack_project::jenkins_dev ( $sysadmins = [] ) { class { 'openstack_project::server': - iptables_public_tcp_ports => [80, 443, 4155], + iptables_public_tcp_ports => [80, 443], sysadmins => $sysadmins, } include bup diff --git a/modules/openstack_project/manifests/zuul.pp b/modules/openstack_project/manifests/zuul.pp index 74d42bbd5c..d17b82321b 100644 --- a/modules/openstack_project/manifests/zuul.pp +++ b/modules/openstack_project/manifests/zuul.pp 
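Review bot: In the `zuul.openstack.org` node the added `class { 'gearman': listen => '::', }` comes directly after `include gearman`, which the hunk keeps as context. Puppet normally rejects a resource-like declaration of a class that is already declared (duplicate declaration), so the `include gearman` line should probably be removed and the parameterised declaration left as the only one. With `listen => '::'` gearmand accepts connections on every address, and nothing in this change adds authentication, so the 4730/tcp source rules in zuul.pp look like the only access control. A comment such as `# gearmand listens on all addresses; access is limited to gearman_workers by the iptables rules in openstack_project::zuul` would record that dependency. The node block starts outside the hunk.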
@@ -11,14 +11,18 @@ class openstack_project::zuul( $zuul_ssh_private_key = '', $url_pattern = '', $sysadmins = [], - $statsd_host = '' + $statsd_host = '', + $gearman_workers = [] ) { - - $rules = [ "-m state --state NEW -m tcp -p tcp --dport 8001 -s ${jenkins_host} -j ACCEPT" ] + # Turn a list of hostnames into a list of iptables rules + $iptables_rules6 = regsubst ($gearman_workers, '^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 4730 -s \1 -j ACCEPT') + $iptables_rules4 = flatten ([$iptables_rules6, + [ "-m state --state NEW -m tcp -p tcp --dport 8001 -s ${jenkins_host} -j ACCEPT" ]]) class { 'openstack_project::server': iptables_public_tcp_ports => [80], - iptables_rules4 => $rules, + iptables_rules6 => $iptables_rules6, + iptables_rules4 => $iptables_rules4, sysadmins => $sysadmins, }
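Review bot: The new 4730/tcp rules match on `-s <hostname>`, and iptables resolves a hostname once, when the rule is loaded. The allow-list is therefore whatever DNS returned at that moment: it goes stale if a worker is renumbered, and, assuming `iptables_rules6` feeds ip6tables, a worker without an AAAA record may make the v6 ruleset fail to load. Consider passing addresses in `gearman_workers`, or at least add a comment above the `regsubst` line: `# NOTE: hostnames are resolved at rule load time; reload the rules after a worker's address changes`. The list named `$iptables_rules6` is also reused as the base of the IPv4 rules, which reads as a mistake. Computing it once under a neutral name, `$gearman_rules = regsubst($gearman_workers, '^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 4730 -s \1 -j ACCEPT')`, and passing it as both `iptables_rules6` and the first element of the `flatten` call would make the intent clear. The class body continues outside the hunk.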