bundles/nfs-server: ensure nfs runs on managed ports, fix firewall rules

2022-02-20 08:24:38 +01:00 · 2022-02-20 08:24:38 +01:00 · 88891b44be
parent 6267b4c33d
commit 88891b44be
4 changed files with 41 additions and 7 deletions
--- a/bundles/nfs-server/files/etc-default
+++ b/bundles/nfs-server/files/etc-default
@ -0,0 +1,19 @@
+# Number of servers to start up
+RPCNFSDCOUNT=8
+
+# Runtime priority of server (see nice(1))
+RPCNFSDPRIORITY=0
+
+# Options for rpc.mountd.
+# If you have a port-based firewall, you might want to set up
+# a fixed port here using the --port option. For more information, 
+# see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
+# To disable NFSv4 on the server, specify '--no-nfs-version 4' here
+RPCMOUNTDOPTS="--port 35295"
+
+# Do you want to start the svcgssd daemon? It is only required for Kerberos
+# exports. Valid alternatives are "yes" and "no"; the default is "no".
+NEED_SVCGSSD=""
+
+# Options for rpc.svcgssd.
+RPCSVCGSSDOPTS=""
--- a/bundles/nfs-server/items.py
+++ b/bundles/nfs-server/items.py
@ -5,6 +5,12 @@ files = {
            'action:nfs_reload_shares',
        },
    },
+    '/etc/default/nfs-kernel-server': {
+        'source': 'etc-default',
+        'triggers': {
+            'svc_systemd:nfs-server:restart',
+        },
+    },
 }

 actions = {
--- a/bundles/nfs-server/metadata.py
+++ b/bundles/nfs-server/metadata.py
@ -11,6 +11,15 @@ defaults = {
            },
        },
    },
+    'sysctl': {
+        'options': {
+            'fs.nfs.nlm_udpport': 4045,
+            'fs.nfs.nlm_tcpport': 4045,
+        },
+        'reload_triggers': {
+            'svc_systemd:nfs-server:restart',
+        },
+    },
 }


@ -19,18 +28,17 @@ defaults = {
 )
 def firewall(metadata):
    ips = set()
-
    for share_items in metadata.get('nfs-server/shares', {}).values():
        for share_target in share_items:
            ips.add(share_target)

+    rules = {}
+    for port in ('111', '2049', '1110', '4045', '35295'): # TODO find out if we need more ports
+        for proto in ('', '/udp'):
+            rules[port + proto] = atomic(ips)
+
    return {
        'firewall': {
-            'port_rules': {
-                '111': atomic(ips),
-                '111/udp': atomic(ips),
-                '2049': atomic(ips),
-                '35295': atomic(ips),
-            },
+            'port_rules': rules,
        },
    }
--- a/bundles/sysctl/items.py
+++ b/bundles/sysctl/items.py
@ -36,5 +36,6 @@ actions = {
        'needs': {
            'file:/usr/local/sbin/apply-sysctl',
        },
+        'triggers': node.metadata.get('sysctl/reload_triggers', set())
    },
 }