bundles/nfs-server: ensure nfs runs on managed ports, fix firewall rules
Some checks failed
kunsi/bundlewrap/pipeline/head There was a failure building this commit
Some checks failed
kunsi/bundlewrap/pipeline/head There was a failure building this commit
This commit is contained in:
parent
6267b4c33d
commit
88891b44be
GPG key ID:
12E3D2136B818350
4 changed files with 41 additions and 7 deletions
19
bundles/nfs-server/files/etc-default
Normal file
19
bundles/nfs-server/files/etc-default
Normal file
|
|
@ -0,0 +1,19 @@
|
|||
# Number of servers to start up
|
||||
RPCNFSDCOUNT=8
|
||||
|
||||
# Runtime priority of server (see nice(1))
|
||||
RPCNFSDPRIORITY=0
|
||||
|
||||
# Options for rpc.mountd.
|
||||
# If you have a port-based firewall, you might want to set up
|
||||
# a fixed port here using the --port option. For more information,
|
||||
# see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
|
||||
# To disable NFSv4 on the server, specify '--no-nfs-version 4' here
|
||||
RPCMOUNTDOPTS="--port 35295"
|
||||
|
||||
# Do you want to start the svcgssd daemon? It is only required for Kerberos
|
||||
# exports. Valid alternatives are "yes" and "no"; the default is "no".
|
||||
NEED_SVCGSSD=""
|
||||
|
||||
# Options for rpc.svcgssd.
|
||||
RPCSVCGSSDOPTS=""
|
||||
|
|
@ -5,6 +5,12 @@ files = {
|
|||
'action:nfs_reload_shares',
|
||||
},
|
||||
},
|
||||
'/etc/default/nfs-kernel-server': {
|
||||
'source': 'etc-default',
|
||||
'triggers': {
|
||||
'svc_systemd:nfs-server:restart',
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
actions = {
|
||||
|
|
|
|||
|
|
@ -11,6 +11,15 @@ defaults = {
|
|||
},
|
||||
},
|
||||
},
|
||||
'sysctl': {
|
||||
'options': {
|
||||
'fs.nfs.nlm_udpport': 4045,
|
||||
'fs.nfs.nlm_tcpport': 4045,
|
||||
},
|
||||
'reload_triggers': {
|
||||
'svc_systemd:nfs-server:restart',
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -19,18 +28,17 @@ defaults = {
|
|||
)
|
||||
def firewall(metadata):
|
||||
ips = set()
|
||||
|
||||
for share_items in metadata.get('nfs-server/shares', {}).values():
|
||||
for share_target in share_items:
|
||||
ips.add(share_target)
|
||||
|
||||
rules = {}
|
||||
for port in ('111', '2049', '1110', '4045', '35295'): # TODO find out if we need more ports
|
||||
for proto in ('', '/udp'):
|
||||
rules[port + proto] = atomic(ips)
|
||||
|
||||
return {
|
||||
'firewall': {
|
||||
'port_rules': {
|
||||
'111': atomic(ips),
|
||||
'111/udp': atomic(ips),
|
||||
'2049': atomic(ips),
|
||||
'35295': atomic(ips),
|
||||
},
|
||||
'port_rules': rules,
|
||||
},
|
||||
}
|
||||
|
|
|
|||
|
|
@ -36,5 +36,6 @@ actions = {
|
|||
'needs': {
|
||||
'file:/usr/local/sbin/apply-sysctl',
|
||||
},
|
||||
'triggers': node.metadata.get('sysctl/reload_triggers', set())
|
||||
},
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue