forked from arunjax/cookbooks-1
MongoDB: Firewall configuration
thekorn edited this page Oct 19, 2011 · 3 revisions
If you close all ports by default, it can be difficult to write the rules that let every MongoDB node reach the others. The MongoDB cookbook handles this with a "client_roles" attribute, which lists the roles of external nodes that need access to the database, and with the "cluster_name" attribute, which identifies the other members of the same cluster.
Example firewall configuration for iptables (add to recipes/default.rb):
```ruby
## Firewall ##
source_nodes = []

# Search for external nodes (by role, in this node's environment) that should have access
node['mongodb']['client_roles'].each do |client_role|
  source_nodes += search(:node, "role:#{client_role} AND chef_environment:#{node.chef_environment}")
end

# Open connections to all members of the cluster, excluding the node itself
unless node['mongodb']['cluster_name'].nil?
  source_nodes += search(
    :node,
    "mongodb_cluster_name:#{node['mongodb']['cluster_name']} AND \
    (NOT ipaddress:#{node['ipaddress']}) AND \
    chef_environment:#{node.chef_environment}"
  )
end

# Create the list of rules, one per source address; uniq drops nodes found by both searches
rules = source_nodes.collect { |n|
  { :source => n['ipaddress'], :port => node['mongodb']['port'] }
}.uniq

iptables_rule "open_ports_mongodb" do
  source "open_ports.erb"
  variables :rules => rules
end
```
This assumes you have the following template (open_ports.erb):

```erb
<% unless @rules.nil? %>
<% @rules.each do |rule| %>
<% if (rule.key?(:source) or rule.key?(:port)) %>
-A FWR -p tcp <%= "-s #{rule[:source]}" if rule.key?(:source) %> <%= "--dport #{rule[:port]}" if rule.key?(:port) %> -j ACCEPT
<% end %>
<% end %>
<% end %>
<% unless @ports.nil? %>
<% @ports.each do |port| %>
-A FWR -p tcp --dport <%= port.to_i %> -j ACCEPT
<% end %>
<% end %>
```
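As an added, offline illustration (not code from this cookbook), the recipe's search-and-collect logic and the @rules branch of the template are reproduced over constructed node data, so you can see which addresses end up in the chain before converging a real node. Chef's search() is replaced by a hypothetical search_nodes filter, and the addresses, roles and cluster names are made up.

```ruby
require 'erb'

# Constructed stand-in for Chef node data: only the attributes the recipe reads.
NODES = [
  { 'ipaddress' => '10.0.0.10', 'roles' => ['app'], 'mongodb' => { 'cluster_name' => nil } },
  { 'ipaddress' => '10.0.0.11', 'roles' => ['app'], 'mongodb' => { 'cluster_name' => nil } },
  { 'ipaddress' => '10.0.0.20', 'roles' => ['mongodb'], 'mongodb' => { 'cluster_name' => 'rs0', 'port' => 27017 } },
  { 'ipaddress' => '10.0.0.21', 'roles' => %w[mongodb app], 'mongodb' => { 'cluster_name' => 'rs0' } },
  { 'ipaddress' => '10.0.0.30', 'roles' => ['mongodb'], 'mongodb' => { 'cluster_name' => 'rs1' } }
]
ME = NODES[2] # the node converging the recipe

# The @rules branch of the page's open_ports.erb; single-quoted heredoc so
# the #{...} is left for ERB rather than interpolated by Ruby here.
OPEN_PORTS_ERB = <<~'ERB'
  <% unless @rules.nil? %>
  <% @rules.each do |rule| %>
  <% if (rule.key?(:source) or rule.key?(:port)) %>
  -A FWR -p tcp <%= "-s #{rule[:source]}" if rule.key?(:source) %> <%= "--dport #{rule[:port]}" if rule.key?(:port) %> -j ACCEPT
  <% end %>
  <% end %>
  <% end %>
ERB

# Hypothetical stand-in for Chef's search(): filter by role, cluster name and "not myself".
def search_nodes(nodes, role: nil, cluster: nil, exclude_ip: nil)
  nodes.select do |n|
    (role.nil? || n['roles'].include?(role)) &&
      (cluster.nil? || n['mongodb']['cluster_name'] == cluster) &&
      n['ipaddress'] != exclude_ip
  end
end

# Mirrors the recipe: client-role nodes, then cluster peers minus self, then
# uniq so a node found by both searches yields a single rule.
def build_rules(me, client_roles, nodes)
  sources = client_roles.flat_map { |r| search_nodes(nodes, role: r) }
  unless me['mongodb']['cluster_name'].nil?
    sources += search_nodes(nodes, cluster: me['mongodb']['cluster_name'], exclude_ip: me['ipaddress'])
  end
  sources.map { |n| { source: n['ipaddress'], port: me['mongodb']['port'] } }.uniq
end

# Renders the template as the iptables_rule resource would; returns the non-blank lines.
class RuleTemplate
  def initialize(rules) ; @rules = rules ; end
  def lines
    ERB.new(OPEN_PORTS_ERB).result(binding).lines.map(&:strip).reject(&:empty?)
  end
end

puts RuleTemplate.new(build_rules(ME, ['app'], NODES)).lines
```

Note that 10.0.0.21 is found both as an "app" client and as an rs0 peer but produces one rule, while 10.0.0.30 (a different cluster) and the node itself produce none.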