bundles/nfs-server: ensure nfs runs on managed ports, fix firewall rules
This commit is contained in:
parent
6267b4c33d
commit
88891b44be
4 changed files with 41 additions and 7 deletions
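--- /dev/null
+++ b/bundles/nfs-server/files/etc-default
@@ -0,0 +1,19 @@
+# Number of servers to start up
+RPCNFSDCOUNT=8
+
+# Runtime priority of server (see nice(1))
+RPCNFSDPRIORITY=0
+
+# Options for rpc.mountd.
+# If you have a port-based firewall, you might want to set up
+# a fixed port here using the --port option. For more information,
+# see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
+# To disable NFSv4 on the server, specify '--no-nfs-version 4' here
+RPCMOUNTDOPTS="--port 35295"
+
+# Do you want to start the svcgssd daemon? It is only required for Kerberos
+# exports. Valid alternatives are "yes" and "no"; the default is "no".
+NEED_SVCGSSD=""
+
+# Options for rpc.svcgssd.
+RPCSVCGSSDOPTS=""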
@ -5,6 +5,12 @@ files = {
|
||||||
'action:nfs_reload_shares',
|
'action:nfs_reload_shares',
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
'/etc/default/nfs-kernel-server': {
|
||||||
|
'source': 'etc-default',
|
||||||
|
'triggers': {
|
||||||
|
'svc_systemd:nfs-server:restart',
|
||||||
|
},
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
actions = {
|
actions = {
|
||||||
|
|
|
@ -11,6 +11,15 @@ defaults = {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
'sysctl': {
|
||||||
|
'options': {
|
||||||
|
'fs.nfs.nlm_udpport': 4045,
|
||||||
|
'fs.nfs.nlm_tcpport': 4045,
|
||||||
|
},
|
||||||
|
'reload_triggers': {
|
||||||
|
'svc_systemd:nfs-server:restart',
|
||||||
|
},
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -19,18 +28,17 @@ defaults = {
|
||||||
)
|
)
|
||||||
def firewall(metadata):
|
def firewall(metadata):
|
||||||
ips = set()
|
ips = set()
|
||||||
|
|
||||||
for share_items in metadata.get('nfs-server/shares', {}).values():
|
for share_items in metadata.get('nfs-server/shares', {}).values():
|
||||||
for share_target in share_items:
|
for share_target in share_items:
|
||||||
ips.add(share_target)
|
ips.add(share_target)
|
||||||
|
|
||||||
|
rules = {}
|
||||||
|
for port in ('111', '2049', '1110', '4045', '35295'): # TODO find out if we need more ports
|
||||||
|
for proto in ('', '/udp'):
|
||||||
|
rules[port + proto] = atomic(ips)
|
||||||
|
|
||||||
return {
|
return {
|
||||||
'firewall': {
|
'firewall': {
|
||||||
'port_rules': {
|
'port_rules': rules,
|
||||||
'111': atomic(ips),
|
|
||||||
'111/udp': atomic(ips),
|
|
||||||
'2049': atomic(ips),
|
|
||||||
'35295': atomic(ips),
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
|
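Review bot: The rule loop opens 1110 and 4045 on both TCP and UDP, but nothing in this commit pins rpc.statd to a fixed port, so the `# TODO find out if we need more ports` comment is still live: lockd is fixed to 4045 by the sysctl options in the first metadata.py hunk, while statd's port is not set anywhere in the new nfs-kernel-server defaults file (on Debian that is normally `STATDOPTS` in /etc/default/nfs-common — confirm), so it will still get a portmapper-assigned port that this allow-list cannot cover. The fixed ports 35295 and 4045 are now hard-coded in three places (the etc-default file, the sysctl options hunk, and this tuple); reading them from the same metadata keys the daemons are configured from, e.g. `metadata.get('sysctl/options/fs.nfs.nlm_tcpport')`, would keep the firewall in step with what is actually bound. Opening every port on `/udp` as well doubles the exposed surface; if only the portmapper and mountd need UDP here, restricting the `/udp` variant to those ports is worth considering. firewall's decorator starts outside the hunk.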
@ -36,5 +36,6 @@ actions = {
|
||||||
'needs': {
|
'needs': {
|
||||||
'file:/usr/local/sbin/apply-sysctl',
|
'file:/usr/local/sbin/apply-sysctl',
|
||||||
},
|
},
|
||||||
|
'triggers': node.metadata.get('sysctl/reload_triggers', set())
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|