[11:08:26] I'm doing something stupid in a pontoon stack. I have '&R_SERVICE(tcp, (873 1873), ());' in a ferm config which I think should mean I should be able to reach that port from elsewhere in the stack. All my nodes are in the default security group, rsync is definitely running on the server (if I do 'nc -4 swift-ms-fe-01 873' on swift-ms-fe01 I get the @RSYNCD response). But if I try and connect from another node in the stack I just get a connection time out response. tcpdump on the server shows the incoming packets, but no response, and rsyncd itself is not logging any connection attempt.
[11:09:15] So _something_ is dropping the packets, but I think that ferm rule should be letting them through, but perhaps I am confused, and I can't see what else to poke to try and unbreak this...?
[11:11:55] Hm, no, that's wrong, that rule is in fact blocking those ports, isn't it?
[11:12:06] or rather not opening them from anywhere
[11:59:37] [in the end, because pontoon stacks have no role::puppetserver (they have role::puppetserver::pontoon, which wmflib::role::hosts('puppetserver') doesn't pick up)]
[12:22:29] you could conditionalise the role name to be passed to wmflib::role::hosts: if $realm == 'production' (...)
[12:32:40] Interesting idea, thanks.