Version information
This version is compatible with:
- Puppet Enterprise 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
- Puppet >= 7.0.0 < 9.0.0
- , , , ,
Start using this module
Add this module to your Puppetfile:
mod 'simp-nfs', '7.6.1'
Learn more about managing modules with a PuppetfileDocumentation
Table of Contents
Description
The is a module for managing the exporting and mounting of NFS devices. It provides all the infrastructure needed to share folders over the network.
The module is broken into two parts: the server and the client. It supports security with either krb5 or stunnel, but not both, as these security services conflict at a system level. It also manages firewall and TCP wrapper settings, when enabled.
This is a SIMP module
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
If you find any issues, they may be submitted to our bug tracker.
This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:
- When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
- If used independently, all SIMP-managed security subsystems are disabled by
default and must be explicitly opted into by administrators. See the
SIMP
simp_options
module for more detail.
Setup
What nfs affects
The nfs
module installs NFS packages, configures services for the
NFS server and/or client and manages most NFS configuration files.
Setup Requirements
The only requirement is to include the nfs
module and its dependencies
in your modulepath.
- If you are using any of the
nfs
module's optional dependencies, e.g.autofs
, please also include those modules in the module path as well. The list of optional dependencies can be found in thenfs
module'smetadata.json
file undersimp/optional_dependencies
.
Beginning with nfs
You can use the nfs
module to manage NFS settings for a node that is a NFS
client, a NFS server or both.
NFS client
Including one or more nfs::client::mount
defines in a node's manifest
will automatically include the nfs::client
class, which, in turn, will
ensure the appropriate packages are installed and appropriate services
are configured and started.
NFS server
Including one or more nfs::server::export
defines in a node's manifest
and setting the hiera below will automatically include the nfs::server
class, which, in turn, will ensure the appropriate packages are installed and
appropriate services are configured.
nfs::is_server: true
nfs::is_client: false
NFS server and client
Including one or more nfs::server::export
or nfs::client::mount
defines
in a node's manifest and setting the hiera below will automatically include
the nfs::server
and nfs::client
classes. This will, in turn, ensure
the appropriate packages are installed and appropriate services are configured
for both roles.
nfs::is_server: true
Usage
Basic Usage
Exporting a filesystem
To export /srv/nfs_share
, add the following to the NFS server's manifest:
nfs::server::export { 'nfs4_root':
client => [ <trusted networks> ]
export_path => '/srv/nfs_share',
require => File['/srv/nfs_share']
}
file { '/srv/nfs_share':
ensure => 'directory',
owner => 'root',
group => 'root',
mode => '0644'
}
Be sure to set the following in hiera, as well:
nfs::is_server: true
Mounting
Static mount
To mount /srv/nfs_share
statically to /mnt/nfs
on the NFS client using
NFSv4, add the following to the NFS client's manifest:
$mount_dir = '/mnt/nfs'
nfs::client::mount { $mount_dir:
nfs_server => '<NFS server IP>',
remote_path => '/srv/nfs_share',
autofs => false
}
# mount directory must exist if not using autofs
file { $mount_dir:
ensure => 'directory',
owner => 'root',
group => 'root',
mode => '0644'
}
File[$mount_dir] -> Nfs::Client::Mount[$mount_dir]
Automatic direct mount
To automount /exports/data
as /data
using an direct mount,
add the following to the NFS client's manifest:
nfs::client::mount { '/data':
nfs_server => '<NFS server IP>',
remote_path => '/exports/data'
}
Automatic indirect mount
To automount /exports/apps
as /apps
using an indirect mount with key
substitution, add the following to the NFS client's manifest:
nfs::client::mount { '/apps':
nfs_server => '<NFS server IP>',
remote_path => '/exports/apps',
autofs_indirect_map_key => '*',
autofs_add_key_subst => true
}
Automatic mount of home directories for LDAP users
Please reference the SIMP documentation for details on how to implement this feature.
Usage with krb5
WARNING
This functionality requires some manual configuration and when keys change may require manual purging of the
gssproxy
cache.
This module, used with the SIMP krb5
module,
can automatically use kerberos to secure the exported filesystem. The module
can create and manage the entire kerberos configuration automatically, but
check the krb5
module itself if you want more control.
Modify the examples provided above to include the following hieradata on all nodes:
simp_options::kerberos: true
nfs::secure_nfs: true
krb5::config::dns_lookup_kdc: false
krb5::kdc::auto_keytabs::global_services:
- 'nfs'
On the node intended to be the KDC, include the following class:
include 'krb5::kdc'
On the NFS server and client nodes, add the following to each node's manifest:
# If your realm is not your domain name then change this
# to the string that is your realm
$myrealm = upcase($facts['domain'])
krb5::setting::realm { $myrealm:
admin_server => <KDC fqnd>,
default_domain => $myrealm
}
SIMP does not have kerberos set up to work automatically with LDAP yet. You must add a principal for each user you want to give access to the krb5 protected directories. To do this log onto the KDC and run:
kadmin.local
# Note the prompt is now kadmin.local!
kadmin.local: add_principal -pw <password> <username>
...
kadmin.local: exit
When the user logs on after kerberos has been configured they must run:
kinit
It will ask them for their password. Once the have done this they should be able to access any shares from that realm.
Usage with stunnel
When use of kerberos is not viable, but you want to encrypt NFS traffic,
you can configure the NFS server and client to use stunnel
automatically
on NFSv4 connections.
This module uses the SIMP stunnel
module
for stunnel
management.
NFSv4 stunnel, one NFS server
In this scenario, we will consider a site with one NFS server.
Export with stunnel
To enable use of stunnel at the NFS server, set the following in hieradata:
nfs::is_server: true
nfs::stunnel: true
To export /srv/nfs_share
, add the following to the NFS server's manifest:
nfs::server::export { 'nfs4_root':
client => [ <trusted networks> ]
export_path => '/srv/nfs_share',
# This MUST be set to true due to a NFS exports processing bug.
# See description in nfs::server::export.
insecure => true,
require => File['/srv/nfs_share']
}
file { '/srv/nfs_share':
ensure => 'directory',
owner => 'root',
group => 'root',
mode => '0644'
}
Mount with stunnel
To enable use of stunnel at the NFS client, set the following in hieradata:
nfs::stunnel: true
To mount /srv/nfs_share
statically to /mnt/nfs
on the NFS client,
add the following to the NFS client's manifest:
$mount_dir = '/mnt/nfs'
nfs::client::mount { $mount_dir:
nfs_server => '<NFS server IP>',
remote_path => '/srv/nfs_share',
autofs => false
}
# mount directory must exist if not using autofs
file { $mount_dir:
ensure => 'directory',
owner => 'root',
group => 'root',
mode => '0644'
}
File[$mount_dir] -> Nfs::Client::Mount[$mount_dir]
In this simple case, the mount manifest looks exactly the same as in the unencrypted case. Only the hieradata has changed.
NFSv4 stunnel, multiple NFS servers
In this scenario, we will consider a site with two NFS servers. The example shown can be extrapolated to any number of NFS servers.
Server 1 export with stunnel
The first NFS server will be configured exactly as is done with the single server example above.
Server 1 hieradata:
nfs::is_server: true
nfs::stunnel: true
Server 1 manifest:
nfs::server::export { 'nfs4_root':
client => [ <trusted networks> ]
export_path => '/srv/nfs_share',
# This MUST be set to true due to a NFS exports processing bug
insecure => true,
require => File['/srv/nfs_share']
}
file { '/srv/nfs_share':
ensure => 'directory',
owner => 'root',
group => 'root',
mode => '0644'
}
Server 2 export with stunnel
The second NFS server requires a little more configuration.
To enable use of stunnel at this NFS server and prevent port conflicts with Server 1 on any client that wants to mount from both servers over stunnel, set the following in hieradata:
nfs::is_server: true
nfs::stunnel: true
# The nfsd port must be unique among all NFS servers at the site.
# The stunnel nfsd port is configured here for consistency, but
# could be left at the default.
nfs::nfsd_port: 2050
nfs::stunnel_nfsd_port: 20500
To export /srv/nfs_share2
, add the following to Server 2's manifest:
nfs::server::export { 'nfs4_root':
client => [ <trusted networks> ]
export_path => '/srv/nfs_share2',
# This MUST be set to true due to a NFS exports processing bug
insecure => true,
require => File['/srv/nfs_share2']
}
file { '/srv/nfs_share2':
ensure => 'directory',
owner => 'root',
group => 'root',
mode => '0644'
}
Mounts to servers with stunnel
To enable use of stunnel at the NFS client, set the following in hieradata:
nfs::stunnel: true
To mount /srv/nfs_share
from Server 1 statically to /mnt/nfs
and /srv/nfs_share2
from Server 2 statically to /mnt/nfs2
,
add the following to the NFS client's manifest:
# this mount uses the defaults, because Server 1 uses nfs
# module defaults
$mount_dir = '/mnt/nfs'
nfs::client::mount { $mount_dir:
nfs_server => '<NFS Server 1 IP>',
remote_path => '/srv/nfs_share',
autofs => false
}
# this mount sets ports to match those of Server 2
$mount_dir2 = '/mnt/nfs2'
nfs::client::mount { $mount_dir2:
nfs_server => '<NFS Server 2 IP>',
remote_path => '/srv/nfs_share2',
autofs => false,
nfsd_port => 2050,
stunnel_nfsd_port => 20500
}
# mount directories must exist if not using autofs
file { [ $mount_dir, $mount_dir2 ]:
ensure => 'directory',
owner => 'root',
group => 'root',
mode => '0644'
}
File[$mount_dir] -> Nfs::Client::Mount[$mount_dir]
File[$mount_dir2] -> Nfs::Client::Mount[$mount_dir2]
NFSv3 considerations
NFSv3 traffic cannot be encrypted with stunnel
because of two key reasons:
-
The NFS client sends the NFS server Network Status Manager (NSM) notifications via UDP, exclusively.
stunnel
only handles TCP traffic.- Loss of these notification may affect NFS performance.
-
In multi-NFS-server environments, there is no mechanism to configure
rpcbind
to use a non-standard port.- NFSv3 heavily relies upon
rpcbind
to determine the side-band channel ports in use on the NFS nodes. This includes thestatd
andlockd
ports used in NSM and NLM, respectively. - A unique
rpcbind
port per server is required in order for a NFS client to be able tunnel its server-specific RPC requests to the appropriate server.
- NFSv3 heavily relies upon
Despite this limitation, this module still fully supports unencrypted NFSv3 and allows the NFS server and client to use unencrypted NFSv3 concurrently with stunneled NFSv4.
-
If a NFS server is configured to both allow NFSv3 and to use stunnel, it will accept unencrypted NFSv3 connections, unencrypted NFSv4 connections and stunneled NFSv4 connections.
The hieradata for this configuration is:
nfs::is_server: true nfs::nfsv3: true nfs::stunnel: true
-
If a NFS client is configured to both allow NFSv3 and to use stunnel, it can use unencrypted NFSv3 mounts and stunneled NFSv4 mounts.
The hieradata for this configuration is:
nfs::nfsv3: true nfs::stunnel: true
Other security features
This module can be configured to automatically add firewall rules and allow
NFS services in TCP wrappers using the
SIMP iptables
module and the
SIMP tcpwrappers
module,
respectively.
To enable these features on the NFS server and NFS client nodes, add the following to their hieradata:
simp_options::firewall: true
simp_options::tcpwrappers: true
Reference
Please refer to the REFERENCE.md.
Limitations
This module does not yet manage the following:
-
/etc/nfsmounts.conf
-
gssproxy
configuration- If you are using a custom keytab location, you must fix the
cred_store
entries in/etc/gssproxy/24-nfs-server.conf
and/etc/gssproxy/99-nfs-client.conf
. - If a node's keytab has changed content and the old keytab entries
are no longer valid, you will have to manually clear the
gssproxy
credential cache usingkdestroy -c <gssproxy cache>
. Simply restarting thegssproxy
service does not clear the cache and re-read the keytab!
- If you are using a custom keytab location, you must fix the
-
RDMA packages or its service
-
idmapd
configuration for theumich_ldap
translation method- If you need to configure this, consider using
nfs::idmapd::config::content
to specify full contents of the/etc/idmapd.conf
file.
- If you need to configure this, consider using
This module does not address an intermittent systemd issue in which the
rpc.statd
NFSv3 daemon is not always stopped when the rpc-statd
service is
stopped. When this occurs,
-
systemd
no longer has a record of that daemon's PID and cannot fix the problem. -
The
rpc-statd
service cannot be subsequently started.- When the service tries to start another instance of
rpc.statd
, the new instance detects the running instance and then immediately exits with a failed exit code.
- When the service tries to start another instance of
-
You must manually kill the running
rpc.statd
daemon to recover.
SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux
and compatible distributions, such as CentOS. Please see the metadata.json
file
for the most up-to-date list of supported operating systems, Puppet versions,
and module dependencies.
Development
Please read our Contribution Guide.
Acceptance tests
This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:
bundle install
bundle exec rake beaker:suites
Please refer to the SIMP Beaker Helpers documentation for more information.
Reference
Table of Contents
Classes
Public Classes
nfs
: Provides the base configuration and services for an NFS server and/or client.nfs::idmapd::client
: Manage theidmapd
client configurationnfs::idmapd::config
: Manageidmapd
configurationnfs::lvm2
: Class to counterract a packaging bug withnfs-utils
.
Private Classes
nfs::base::config
: Manage configuration common to an NFS server and an NFS clientnfs::base::service
: Manage services common to an NFS server and an NFS clientnfs::client
: Manage configuration and services for a NFS clientnfs::client::config
: Manage NFS client-specific configurationnfs::client::service
: Manage NFS client-specific servicesnfs::client::tcpwrappers
: Configure TCP wrappers for NFS client servicesnfs::idmapd::server
: Manage theidmapd
server configuration and servicenfs::install
: Manage the required NFS packagesnfs::selinux_hotfix
: Provides hotfix for broken SElinux policynfs::server
: Manage configuration and services for a NFS servernfs::server::config
: Manage NFS server-specific configurationnfs::server::firewall
: NFS server firewall configurationnfs::server::firewall::nfsv3and4
: NFS server firewall configuration for NFSv3 and NFSv4nfs::server::firewall::nfsv4
: NFS server firewall configuration for NFSv4 onlynfs::server::service
: Manage NFS server-specific servicesnfs::server::stunnel
: Configures a server for NFSv4 over stunnelnfs::server::tcpwrappers
: Configure TCP wrappers for NFS server services
Defined types
Public Defined types
nfs::client::mount
: Set up a NFS client mount, optionally using autofsnfs::server::export
: Create entries in/etc/exports
for a filesystem to export
Private Defined types
nfs::client::mount::connection
: Manage cross-system connectivity parts of a mountnfs::client::stunnel
: Connect to an NFSv4 server over stunnel
Data types
Nfs::LegacyDaemonArgs
: Legacy NFS daemon *ARGS environment variables set in /etc/sysconfig/nfs and automatically converted to the environment variables needed by thNfs::MountEnsure
: Ensure for non-autofs mountsNfs::NfsConfHash
: Hash representing nfs.conf configuration in which the key is the section name and the value is a Hash of key/value options for that section.Nfs::SecurityFlavor
: NFS security flavor
Classes
nfs
Provides the base configuration and services for an NFS server and/or client.
Parameters
The following parameters are available in the nfs
class:
is_server
is_client
nfsv3
gssd_avoid_dns
gssd_limit_to_legacy_enctypes
gssd_use_gss_proxy
lockd_port
lockd_udp_port
nfsd_port
sm_notify_outgoing_port
statd_port
statd_outgoing_port
custom_nfs_conf_opts
custom_daemon_args
idmapd
secure_nfs
sunrpc_udp_slot_table_entries
sunrpc_tcp_slot_table_entries
ensure_latest_lvm2
kerberos
keytab_on_puppet
firewall
tcpwrappers
stunnel
stunnel_nfsd_port
stunnel_socket_options
stunnel_verify
tcpwrappers
trusted_nets
is_server
Data type: Boolean
Explicitly state that this system should be an NFS server
- Further configuration can be made via the
nfs::server
class
Default value: false
is_client
Data type: Boolean
Explicitly state that this system should be an NFS client
- Further configuration can be be made via the
nfs::client
class
Default value: true
nfsv3
Data type: Boolean
Allow use of NFSv3. When false, only NFSv4 will be allowed.
Default value: false
gssd_avoid_dns
Data type: Boolean
Use a reverse DNS lookup, even if the server name looks like a canonical name
- Sets the
avoid-dns
option in thegssd
section of/etc/nfs.conf
Default value: true
gssd_limit_to_legacy_enctypes
Data type: Boolean
Restrict sessions to weak encryption types
- Sets the
limit-to-legacy-enctypes
option in thegssd
section of/etc/nfs.conf
Default value: false
gssd_use_gss_proxy
Data type: Boolean
Use the gssproxy daemon to hold the credentials used in secure NFS and perform GSSAPI operations on behalf of NFS.
- Sets the
use-gss-proxy
option in thegssd
section of/etc/nfs.conf
This is not yet documented in the rpc.gssd man page for EL8, but is available in the example/etc/nsf.conf file
packaged withnfs-utils
. - Sets GSS_USE_PROXY in
/etc/sysconfig/nfs
in EL7, because theuse-gss-proxy
option in/etc/nfs.conf
is not yet used in EL7.
Default value: true
lockd_port
Data type: Simplib::Port
The TCP port upon which lockd
should listen on both the NFS server and
the NFS client (NFSv3)
- Sets the
port
option in thelockd
section of/etc/nfs.conf
- Corresponds to the
nlockmgr
service TCP port reported byrpcinfo
Default value: 32803
lockd_udp_port
Data type: Simplib::Port
The UDP port upon which lockd
should listen on both the NFS server and
the NFS client (NFSv3)
- Sets the
udp-port
option in thelockd
section of/etc/nfs.conf
- Corresponds to the
nlockmgr
service UDP port reported byrpcinfo
Default value: 32769
nfsd_port
Data type: Simplib::Port
The port upon which NFS daemon on the NFS server should listen
- Sets the
port
option in thenfsd
section of/etc/nfs.conf
- Corresponds to the
nfs
andnfs_acl
service ports reported byrpcinfo
Default value: 2049
sm_notify_outgoing_port
Data type: Simplib::Port
The port that sm-notify
will use when notifying NFSv3 peers
- Sets the
outgoing-port
option in thesm-notify
section of/etc/nfs.conf
Default value: 2021
statd_port
Data type: Simplib::Port
The port upon which statd
should listen on both the NFS server
and the NFS client (NFSv3)
- Sets the
port
option in thestatd
section of/etc/nfs.conf
- Corresponds to the
status
service port reported byrpcinfo
Default value: 662
statd_outgoing_port
Data type: Simplib::Port
The port that statd
will use when communicating with NFSv3 peers
- Sets the
outgoing-port
option in thestatus
section of/etc/nfs.conf
Default value: 2020
custom_nfs_conf_opts
Data type: Nfs::NfsConfHash
Hash that allows other configuration options to be set in /etc/nfs.conf
- Each key is a known section of
/etc/nfs.conf
, such asnfsd
. - Each value is a Hash of config parameter names and values.
- Configuration values are not validated.
- If a new section needs to be added to
/etc/nfs.conf
, you can useconcat::fragment
.
@example Set NFS server's grace and lease times in Hiera nfs::custom_nfs_conf_opts: nfsd: grace-time: 60 lease-time: 60
Default value: {}
custom_daemon_args
Data type: Nfs::LegacyDaemonArgs
Hash that allows other configuration options to be set as daemon
arguments in /etc/sysconfig/nfs
in EL7
-
Necessary to address
/etc/nfs.conf
limitations - Not all configuration options in EL7 can be specified in/etc/nfs.conf
-
Each key is the name of the shell variables processed by
/usr/lib/systemd/scripts/nfs-utils_env.sh
nfs-utils_env.sh
generates/run/sysconfig/nfs-utils
which contains the NFS daemon command line shell variables used by NFS services- Unfortunately, not all shell variable names in
/etc/sysconfig/nfs
match the generated variable names in/run/sysconfig/nfs-utils
. For example,STATDARG
gets transformed intoSTATDARGS
.
-
Each value is the argument string which will be wrapped in double quotes in
/etc/sysconfig/nfs
.
@example Disable syslog messages from the NFSv3 rpc.statd
daemon in Hiera
nfs::custom_daemon_args:
STATDARG: "--no-syslog"
Default value: {}
idmapd
Data type: Boolean
Whether to use idmapd
for NFSv4 ID to name mapping
Default value: false
secure_nfs
Data type: Boolean
Whether to enable secure NFS mounts
Default value: false
sunrpc_udp_slot_table_entries
Data type: Integer[1]
Set the default UDP slot table entries in the kernel
- Most NFS performance guides seem to recommend this setting
- If you have a low memory system, you may want to reduce this
Default value: 128
sunrpc_tcp_slot_table_entries
Data type: Integer[1]
Set the default TCP slot table entries in the kernel
- Most NFS performance guides seem to recommend this setting
- If you have a low memory system, you may want to reduce this
Default value: 128
ensure_latest_lvm2
Data type: Boolean
See nfs::lvm2
for further description
Default value: true
kerberos
Data type: Boolean
Use the SIMP krb5
module for Kerberos support
- You may need to set variables in
krb5::config
via Hiera or your ENC if you do not like the defaults.
Default value: simplib::lookup('simp_options::kerberos', { 'default_value' => false })
keytab_on_puppet
Data type: Boolean
Whether the NFS server will pull its keytab directly from the Puppet server
- Only applicable if
$kerberos
is `true. - If
false
, you will need to ensure the appropriate services are restarted and cached credentials are destroyed (e.g., gssproxy cache), when the keytab is changed.
Default value: simplib::lookup('simp_options::kerberos', { 'default_value' => true})
firewall
Data type: Boolean
Use the SIMP iptables
module to manage firewall connections
Default value: simplib::lookup('simp_options::firewall', { 'default_value' => false})
tcpwrappers
Data type: Boolean
Use the SIMP tcpwrappers
module to manage TCP wrappers
Default value: simplib::lookup('simp_options::tcpwrappers', { 'default_value' => false })
stunnel
Data type: Boolean
Wrap stunnel
around critical NFSv4 connections
-
This is intended for environments without a working Kerberos setup and may cause issues when used with Kerberos.
-
Use of Kerberos is preferred.
-
This will configure the NFS server and client mount to only use TCP communication
-
Cannot be used for NFSv4.0 connections, because NFSv4.0 uses a side channel to each NFS client to recall delegation responsibilities.
-
The following connections will not be secured, due to tunneling limitations in deployments using multiple NFS servers
- Connections to the rbcbind service
- Connections to the rpc-rquotad service
-
Use of stunnel for an individual client mount can be controlled by the
stunnel
parameter in thenfs::client::mount
define. -
Use of stunnel for just the NFS server on this host can be controlled by the
stunnel
parameter in thenfs::server
class.
Default value: simplib::lookup('simp_options::stunnel', { 'default_value' => false })
stunnel_nfsd_port
Data type: Simplib::Port
Listening port on the NFS server for the tunneled connection to the NFS server daemon
- Decrypted traffic will be forwarded to
$nfsd_port
on the NFS server
Default value: 20490
stunnel_socket_options
Data type: Array[String]
Additional socket options to set for all stunnel connections
- Stunnel socket options for an individual client mount can be controlled
by the
stunnel_socket_options
parameter in thenfs::client::mount
define. - Stunnel socket options for just the NFS server on this host can be
controlled by the
stunnel_socket_options
parameter in thenfs::server
class.
Default value: ['l:TCP_NODELAY=1','r:TCP_NODELAY=1']
stunnel_verify
Data type: Integer
The level at which to verify TLS connections
-
Levels:
- level 0 - Request and ignore peer certificate.
- level 1 - Verify peer certificate if present.
- level 2 - Verify peer certificate.
- level 3 - Verify peer with locally installed certificate.
- level 4 - Ignore CA chain and only verify peer certificate.
-
Stunnel verify for an individual client mount can be controlled by the
stunnel_verify
parameter in thenfs::client::mount
define. -
Stunnel verify for just the NFS server on this host can be controlled by the
stunnel_verify
parameter in thenfs::server
class.
Default value: 2
tcpwrappers
Use the SIMP tcpwrappers
module to manage TCP wrappers
Default value: simplib::lookup('simp_options::tcpwrappers', { 'default_value' => false })
trusted_nets
Data type: Simplib::Netlist
The systems that are allowed to connect to this service
- Set to 'any' or 'ALL' to allow the world
Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] })
nfs::idmapd::client
When using idmapd
, an NFSv4 client uses nfsidmap
, directly, instead
of nfs-idmapd.service
. nfsidmap
is configured by /etc/idmapd.conf
,
but must be hooked into /sbin/request-key
via /etc/request-key.conf
.
Parameters
The following parameters are available in the nfs::idmapd::client
class:
timeout
Data type: Integer[0]
nfsidmap
key expiration timeout in seconds
Default value: 600
nfs::idmapd::config
Manage idmapd
configuration
- See also
- idmapd.conf(5)
Parameters
The following parameters are available in the nfs::idmapd::config
class:
verbosity
domain
no_strip
reformat_group
local_realms
nobody_user
nobody_group
trans_method
gss_methods
static_translation
content
verbosity
Data type: Optional[Integer]
Default value: undef
domain
Data type: Optional[String[1]]
Default value: undef
no_strip
Data type: Optional[Enum['user','group','both','none']]
Default value: undef
reformat_group
Data type: Optional[Boolean]
Default value: undef
local_realms
Data type: Optional[Array[String[1],1]]
Default value: undef
nobody_user
Data type: String
Default value: 'nobody'
nobody_group
Data type: String
Default value: 'nobody'
trans_method
Data type: Array[Enum['nsswitch','static'],1]
[Translation]
Method
Method
is a reserved word in Rubyumich_ldap
is not yet supported
Default value: ['nsswitch']
gss_methods
Data type: Optional[Array[Enum['nsswitch','static'],1]]
Default value: undef
static_translation
Data type: Optional[Hash[String[1],String[1]]]
Will be translated into the [Static]
section variables as presented in
the man page
- For example:
{ 'foo' => 'bar' }
will befoo = bar
in the output file
Default value: undef
content
Data type: Optional[String]
Use this as the explicit content for the idmapd
configuration file
- Overrides all other options
Default value: undef
nfs::lvm2
Unless lvm2
is ensured latest, nfs-utils
cannot upgrade.
The class will be removed once the bug is fixed upstream.
Parameters
The following parameters are available in the nfs::lvm2
class:
ensure
Data type: String
The ensure status of the lvm2 package
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'latest' })
Defined types
nfs::client::mount
Set up a NFS client mount, optionally using autofs
Examples
Static mount
nfs::client::mount { '/mnt/apps1':
nfs_server => '10.0.1.2',
remote_path => '/exports/apps1',
autofs => false
}
Direct automount
nfs::client::mount { '/mnt/apps2':
nfs_server => '10.0.1.3',
remote_path => '/exports/apps2'
}
Indirect automount with map key substitution
nfs::client::mount { '/home':
nfs_server => '10.0.1.4',
remote_path => '/exports/home',
autofs_indirect_map_key => '*',
autofs_add_key_subst => true
}
NFSv3 mount
nfs::client::mount { '/mnt/apps3':
nfs_server => '10.0.1.5',
nfs_version => 3,
remote_path => '/exports/apps3',
autofs => false
}
Parameters
The following parameters are available in the nfs::client::mount
defined type:
name
nfs_server
remote_path
autodetect_remote
nfs_version
sec
options
ensure
at_boot
autofs
autofs_indirect_map_key
autofs_add_key_subst
nfsd_port
stunnel
stunnel_nfsd_port
stunnel_socket_options
stunnel_verify
stunnel_wantedby
name
The local mount path
-
When not using autofs (
$autofs
isfalse
), this will be a static mount and you must ensure the target directory exists. This define will NOT create the target directory for you. -
When using autofs (
$autofs
istrue
)-
autofs will create the target directory for you (full path).
-
If
$autofs_indirect_map_key
is unset, a direct mount will be created for this path. -
If
$autofs_indirect_map_key
is set, an indirect mount will be created:$name
will be the mount point$autofs_indirect_map_key
will be the map key
-
nfs_server
Data type: Simplib::Ip
The IP address of the NFS server to which you will be connecting
- If this host is also the NFS server, please set this to
127.0.0.1
.
remote_path
Data type: Stdlib::Absolutepath
The NFS share that you want to mount
autodetect_remote
Data type: Boolean
Attempts to figure out if this host is also the NFS server and adjust
the connection to the local IP address, 127.0.0.1
, in lieu of the
IP address specified in $nfs_server
.
- When you know this host is also the NFS server, setting
$nfs_server
to127.0.0.1
is best. - Auto-detect logic only works with IPv4 addresses.
Default value: true
nfs_version
Data type: Integer[3,4]
The NFS major version that you want to use.
- Used to set the
nfsvers
mount option - If you need to specify an explicit minor version of NFSv4, include
'minorversion=<#>' in
$options
.
Default value: 4
sec
Data type: Nfs::SecurityFlavor
The security flavor for the mount
- Used to set the
sec
mount option for NFSv4 mounts - Ignored for NFSv3 mounts
Default value: 'sys'
options
Data type: String
String containing comma-separated list of additional mount options
fstype
will already be set for you- If using stunnel with NFSv4,
proto
will be set totcp
for you
Default value: 'soft'
ensure
Data type: Nfs::MountEnsure
The mount state of the specified mount point
mounted
=> Ensure that the mount point is actually mountedpresent
=> Just add the entry to the fstab and do not mount itunmounted
=> Add the entry to the fstab and ensure that it is not mounted- Has no effect if
$autofs
istrue
Default value: 'mounted'
at_boot
Data type: Boolean
Ensure that this mount is mounted at boot time
- Has no effect if
$autofs
istrue
Default value: true
autofs
Data type: Boolean
Enable automounting with Autofs
Default value: true
autofs_indirect_map_key
Data type: Optional[String[1]]
Autofs indirect map key
- May be '*', the wildcard map key
Default value: undef
autofs_add_key_subst
Data type: Boolean
This enables map key substitution for a wildcard map key in an indirect map.
- Appends '/&' to the remote location.
- Only makes sense if
$autofs_indirect_map_key
is set to '*', the wildcard map key.
Default value: false
nfsd_port
Data type: Optional[Simplib::Port]
The NFS server daemon listening port
- Used to set the
port
mount option - If left unset, the value will be taken from
$nfs::nfsd
- When using stunnel, must be a different value for each distinct NFS server for which a stunneled mount connection is to be made.
Default value: undef
stunnel
Data type: Optional[Boolean]
Controls enabling stunnel
to encrypt NFSv4 connection to the NFS server
-
If left unset, the value will be taken from
$nfs::client::stunnel
-
May be set to
false
to ensure thatstunnel
will not be used for this connection -
May be set to
true
to force the use ofstunnel
on this connection -
Unused when
$nfs_version
is 3.- stunneled connections are not viable for NFSv3 because of the UDP-only NFS client NSM notifications and the inability to effectively configure the rpcbind port.
- If you know the NFS version negotiated with the NFS server will
fallback to NFSv3, you must set
$nfs_version
to 3 or$stunnel
to false. The mount will fail otherwise.
-
Will attempt to determine if the host is trying to connect to itself and use a direct, local connection in lieu of a stunnel in this case.
- When you know this host is also the NFS server, setting this to
false
and$nfs_server
to127.0.0.1
is best. - Auto-detect logic only works with IPv4 addresses.
- When you know this host is also the NFS server, setting this to
Default value: undef
stunnel_nfsd_port
Data type: Optional[Simplib::Port]
Listening port on the NFS server for the tunneled connection to the NFS server daemon
- Decrypted traffic will be forwarded to
nfsd_port
on the NFS server - If left unset, the value will be taken from
$nfs::stunnel_nfsd_port
- Unused when
$stunnel
isfalse
Default value: undef
stunnel_socket_options
Data type: Optional[Array[String]]
Additional stunnel socket options to be applied to the stunnel to the NFS server
- If left unset, the value will be taken from
$nfs::client::stunnel_socket_options
- Unused when
$stunnel
isfalse
Default value: undef
stunnel_verify
Data type: Optional[Integer]
The level at which to verify TLS connections
-
Levels:
- level 0 - Request and ignore peer certificate.
- level 1 - Verify peer certificate if present.
- level 2 - Verify peer certificate.
- level 3 - Verify peer with locally installed certificate.
- level 4 - Ignore CA chain and only verify peer certificate.
-
If left unset, the value will be taken from
$nfs::client::stunnel_socket_verify
-
Unused when
$stunnel
isfalse
Default value: undef
stunnel_wantedby
Data type: Optional[Array[String]]
The systemd
targets that need stunnel
to be active prior to being
activated
- If left unset, the value will be taken from
$nfs::client::stunnel_wantedby
- Unused when
$stunnel
isfalse
Default value: undef
nfs::server::export
Be careful! The name of these mounts must be unique, but the only unique combination is mountpoint + client. Therefore, you can actually have duplicate entries.
NFS will function fine with this but the last duplicate entry in the file will win!
- See also
- exports(5)
Parameters
The following parameters are available in the nfs::server::export
defined type:
export_path
clients
comment
insecure
rw
async
no_wdelay
nohide
crossmnt
subtree_check
insecure_locks
mountpoint
fsid
nordirplus
refer
replicas
pnfs
security_label
sec
no_root_squash
all_squash
anonuid
anongid
custom
export_path
Data type: Stdlib::Absolutepath
The path on the filesystem to export
clients
Data type: Array[String]
NFS export-compatible clients to which the export should be served.
- The entry will be repeated for each client
- Use ['*'] for client wildcard
comment
Data type: Optional[String]
A comment to be added to the set of entries
Default value: undef
insecure
Data type: Boolean
Do not require that requests originate on a Port less than 1024
-
Due to a NFS kernel bug when processing exports, you must set this to
true
when allowing stunneled NFSv4 connections.- The export rule processor is supposed to select the most specific rule that matches. However, when rules overlap and one rule is has insecure enabled and another does not, the rule without insecure specified is selected, even when it is less specific.
- See https://bugzilla.redhat.com/show_bug.cgi?id=1804912
Default value: false
rw
Data type: Boolean
Allow both reads and writes on this volume
Default value: false
async
Data type: Boolean
Allow the NFS server to reply to request before changes have been committed to stable storage
Default value: false
no_wdelay
Data type: Boolean
Disable write delays
- Has no effect if
$async
is set
Default value: false
nohide
Data type: Boolean
Disable hiding of subordinate filesystems
Default value: false
crossmnt
Data type: Boolean
Allow clients to access all filesystems mounted on a filesystem marked with
crossmnt
Default value: false
subtree_check
Data type: Boolean
Enable subtree checking
Default value: false
insecure_locks
Data type: Boolean
Do not require authentication of locking requests
Default value: false
mountpoint
Data type: Optional[Variant[Stdlib::Absolutepath,Boolean]]
Require this path to be successfully mounted on disk
- If a
Boolean
, require the export path to be successfully mounted
Default value: undef
fsid
Data type: Optional[String]
A specific ID for the exported filesystem
Default value: undef
nordirplus
Data type: Boolean
Disable READDIRPLUS
request handling on NFSv3
clients
Default value: false
refer
Data type: Optional[Array[Pattern['^/.+@.+$']]]
A list of alternate locations for the filesystem
- This should be in the form specified by the man page:
path@host[+host]
- There will be minimal validation and they will be joined by
:
Default value: undef
replicas
Data type: Optional[Array[Pattern['^/.+@.+$']]]
Alternative locations for the export point
- This should be in the form specified by the man page:
path@host[+host]
- There will be minimal validation and they will be joined by
:
Default value: undef
pnfs
Data type: Boolean
Enables use of pNFS extensions for NFSv4.1 or higher and the filesystem supports pNFS exports
Default value: false
security_label
Data type: Boolean
Allow clients using NFSv4.2 or higher to set and retrieve security labels (such as those used by SELinux)
Default value: true
sec
Data type: Array[Nfs::SecurityFlavor]
Security flavors, in order of preference
Default value: ['sys']
no_root_squash
Data type: Boolean
Disable root squashing
- This should only be done if you really know what you are doing!
Default value: false
all_squash
Data type: Boolean
Map all uids and gids to the anonymous
user
Default value: false
anonuid
Data type: Simplib::Port
Explicity set the UID
of the anonymous
user
Default value: 65534
anongid
Data type: Simplib::Port
Explicity set the GID
of the anonymous
user
Default value: 65534
custom
Data type: Optional[String]
A custom set of options
- If set, all other options will be ignored
$mountpoint
and$client
must still be set- Do not include the parenthesis if you are writing a custom options string.
Default value: undef
Data types
Nfs::LegacyDaemonArgs
Legacy NFS daemon *ARGS environment variables set in /etc/sysconfig/nfs and automatically converted to the environment variables needed by the daemons in their service scripts by /usr/lib/systemd/scripts/nfs-utils_env.sh
Alias of
Struct[{
Optional['GSSDARGS'] => String,
Optional['RPCIDMAPDARGS'] => String,
Optional['RPCMOUNTDARGS'] => String,
Optional['RPCNFSDARGS'] => String,
Optional['SMNOTIFYARGS'] => String,
# This is converted to STATDARGS
Optional['STATDARG'] => String
}]
Nfs::MountEnsure
Ensure for non-autofs mounts
Alias of Enum['mounted', 'present', 'unmounted']
Nfs::NfsConfHash
Hash representing nfs.conf configuration in which the key is the section name and the value is a Hash of key/value options for that section.
Alias of
Struct[{
Optional['general'] => Hash[String,Variant[Boolean,Integer,Float,String]],
Optional['exportfs'] => Hash[String,Variant[Boolean,Integer,Float,String]],
Optional['gssd'] => Hash[String,Variant[Boolean,Integer,Float,String]],
Optional['lockd'] => Hash[String,Variant[Boolean,Integer,Float,String]],
Optional['mountd'] => Hash[String,Variant[Boolean,Integer,Float,String]],
Optional['nfsd'] => Hash[String,Variant[Boolean,Integer,Float,String]],
Optional['nfsdcltrack'] => Hash[String,Variant[Boolean,Integer,Float,String]],
Optional['sm-notify'] => Hash[String,Variant[Boolean,Integer,Float,String]],
Optional['statd'] => Hash[String,Variant[Boolean,Integer,Float,String]]
}]
Nfs::SecurityFlavor
NFS security flavor
Alias of Enum['none', 'sys', 'krb5', 'krb5i', 'krb5p']
- Wed Aug 21 2024 Steven Pritchard steve@sicura.us - 7.6.1
- Fix unmask_rpc-gssd.service exec resource (#109)
- Mon Oct 23 2023 Steven Pritchard steve@sicura.us - 7.6.0
- [puppetsync] Add EL9 support
- Wed Oct 11 2023 Steven Pritchard steve@sicura.us - 7.5.0
- [puppetsync] Updates for Puppet 8
- These updates may include the following:
- Update Gemfile
- Add support for Puppet 8
- Drop support for Puppet 6
- Update module dependencies
- These updates may include the following:
- Thu Sep 07 2023 Steven Pritchard steve@sicura.us - 7.4.0
- Add AlmaLinux 8 support
- Mon Jun 12 2023 Chris Tessmer chris.tessmer@onyxpoint.com - 7.3.0
- Add RockyLinux 8 support
- Fri Jun 03 2022 Chris Tessmer chris.tessmer@onyxpoint.com - 7.2.0
- Update from camptocamp/systemd to puppet/systemd
- Tue Jul 06 2021 Trevor Vaughan tvaughan@onyxpoint.com - 7.1.0
- Fixed
- Added _netdev to the default mount options
- Ensure that remote-fs.target is enabled
- Wed Jun 16 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 7.1.0
- Removed support for Puppet 5
- Ensured support for Puppet 7 in requirements and stdlib
- Mon Jan 11 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 7.0.2
- Fixed formatting in the metadata.json file.
- Thu Nov 12 2020 Trevor Vaughan tvaughan@onyxpoint.com - 7.0.1-0
- Update the required version of simp/svckill to the puppet 6 safe version.
- Fri Jan 10 2020 Liz Nemsick lnemsick.simp@gmail.com - 7.0.0-0
- Added EL8 support
- Dropped EL6 support
- Refactored the module. Notable feature/API changes:
- Overall changes
- Dropped stunnel support for NFSv3. This tunneling did not work because:
- The NFS client sends the NFS server Network Status Manager (NSM) notifications via UDP, exclusively.
- At multi-NFS-server sites, a unique
rpcbind
port per server is required in order for a NFS client to be able tunnel its server-specific RPC requests to the appropriate server.
- nfs class
- Reworked parameters to reflect configuration of /etc/nfs.conf and, for limited EL7-only configuration, /etc/sysconfig/nfs. See the class documentation for full details.
- Remove $stunnel_systemd_deps and $sunnel_tcp_nodelay parameters throughout
the module.
- These parameters were not consistently used in the manifest code (i.e., declared but not used) and were confusing.
- The corresponding $stunnel_socket_options and $stunnel_wantedby parameters in classes/defines now use defaults that were intended to be set by those parameters.
- Now masks NFS services that are not needed, so they are not unnecessarily started when the nfs-server.service or nfs-client.target are restarted.
- Moved simp-autofs, simp-krb5, simp-iptables, simp-stunnel, and simp-tcpwrappers to simp/optional_dependencies in the metadata.json.
- Dropped stunnel support for NFSv3. This tunneling did not work because:
- nfs::client
- Added support for pNFS: Set $blkmap to true to enable the pNFS service, nfs-blkmap.service.
- Added $nfs::stunnel_socket_options and $stunnel_wantedby parameters which provide the defaults for all nfs::client::mount instances.
- nfs::client::mount define
- $nfs_server must now be specified as an IP address. This change was necessary for firewalld.
- In $options, changed the default mount type to 'soft' instead of 'hard' Also removed deprecated 'intr' option, as it has no effect.
- Reworked the remote autodetect logic to detect a local mount based on IP address instead of simply whether the node is also configured to be an NFS server.
- Added support for direct autofs mounts and simplified specification of indirect mounts. When $autofs_indirect_map_key is not specified, a direct mount is specified by $name. When $autofs_indirect_map_key is specified, an indirect mount is specified with $name as the mount point and $autofs_indirect_map_key as the mount key.
- Renamed $autofs_map_to_user to $autofs_add_key_subst to better reflect automount terminology. This parameter simply adds key substitution to the remote location, which although can be used for user home directories, is not restricted to that use case.
- Renamed $port to $nfsd_port to be consistent with the name of that parameter throughout the entire module.
- Renamed $v4_remote_port to $stunnel_nfsd_port for clarity and to be consistent with the name of that parameter throught the entire module.
- Exposed client stunnel configuration that was scattered throughout the module to this API. User can now specify $stunnel_socket_options and $stunnel_verify for each mount. When unspecified, the defaults from the nfs class are used.
- nfs::server
- Exposed server stunnel configuration that was scattered throughout the module to this API. User can now specify $stunnel_accept_address, $stunnel_nfsd_acccept_port, $stunnel_socket_options, $stunnel_verify, and $stunnel_wantedby in this class. When unspecified, the defaults for all but $stunnel_accept_address and $stunnel_wantedby are pulled from the nfs class.
- Added the following parameters: $nfsd_vers4, $nfsd_vers4_0, $nfsd_vers4_1, $nfsd_vers4_2, and $custom_rpcrquotad_opts.
- Renamed $nfsv3 to $nfsd_vers3 to reflect its use in /etc/nfs.conf.
- Moved nfs::rpcquotad_port to this class and renamed $rpcrquotadopts to $custom_rpcrquotad_opts for clarity.
- Moved nfs::mountd_port to this class and removed $rpcmountdopts. Custom configuration for that daemon should now be made via $nfs::custom_nfs_conf_opts or $nfs::custom_daemon_args as appropriate.
- Removed the obsolete $nfsd_module parameter.
- nfs::server::export define
- Added $replicas, $pnfs, and $security_label parameters to support additional export configuration parameters.
- nf::idmapd
- Refactored into 3 classes to support distinct NFS server and client configuration
- Added $no_strip and $reformat_group to nfs::idmapd::config to support support additional /etc/idmapd.conf configuration parameters.
- Overall changes
- Fixed bugs:
- rpc.rquotad service configuration was erroneously written to /etc/sysconfig/nfs for EL7. It is now written to the correct file, /etc/sysconfig/rpc-rquotad.
- idmapd
- idmapd was erroneously only enabled when NFSv3 was allowed. idmapd is a NFSv4 service.
- The idmapd client was not configured to use nfsidmap. An nfsidmap entry has now been added to /etc/request-key.conf.
- Fixed bugs in which bidirectional communication for NFSv3 was not properly
configured.
- NFSv3 lockd ports on the NFS client were not explicitly configured and thus not allowed through the firewall. This would have affected file locking using NLM.
- rpcbind, statd, and lockd service names were not allowed by TCP wrappers for the NFS client. This would have affected server to client NFSv3 NSM and NLM protocol messages over TCP.
- Fixed bugs in mount options
- Previously used the deprecated 'nfs4' fstype. This has been replaced with the 'nfs' fstype and use of the 'nfsvers' option to specify the version of NFS to use.
- The 'proto' previously was not set to 'tcp' when stunnel is being used.
- Fixed bug with a duplicate exec resource in nfs::client::mount when stunnel was enabled.
- Fixed erronously server-only/client-only configuration that appeared to be
able to be set independently for the NFS client and NFS server on the same
node, but because of shared services, actually applied to the node as a
whole.
- Removed $nfs::client::firewall and $nfs::server::firewall. Use $nfs::firewall instead.
- Removed $nfs::server::tcpwrappers. Use $nfs::tcpwrappers instead.
- Removed $nfs::server::nfsv3, $nfs::server::lockd_arg, $nfs::server::statdarg, $nfs::server::statd_ha_callout, $nfs::server::rpcgssdargs, and $nfs::server::rpcsvcgssdargs. Use appropriate parameters in the nfs class instead.
- Updated the upper bound of simp-simplib to < 5.0.0
- Fri Aug 02 2019 Robert Vincent pillarsdotnet@gmail.com - 7.0.0-0
- Remove Puppet 4 support
- Add Puppet 6 support
- Add puppetlabs-stdlib 6 support
- Add puppetlabs-concat 6 support
- Fri Mar 22 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.2.2-0
- Use simplib::host_is_me in lieu of simplib's Puppet 3 host_is_me
- Mon Mar 04 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.2.1-0
- Expanded the upper limit of the concat and stdlib Puppet module versions
- Updated URLs in the README.md
- Thu Nov 01 2018 Jeanne Greulich jeanne,greulich@onyxpoint.com - 6.2.0-0
- Update static assets for puppet 5
- Update to onyxpoint OEL boxes in acceptance tests
- Update badges and contribution guide URL in README.md
- Sun Oct 21 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.2.0-0
- Added a nfs::client::mount::ensure parameter to allow users to set the state of the mountpoints
- Thu Jul 12 2018 Nick Miller nick.miller@onyxpoint.com - 6.2.0-0
- Added OEL and Puppet 5 support
- Change rpcbind service name on EL7 from
rpcbind.socket
to,rpcbind.service
, but only on EL7.4+ - Changed all packages ensure parameter from 'latest' to 'installed'
- They also respect
simp_options::package_ensure
- Added $nfs::install::tools_ensure and $nfs::lvm2::ensure
- They also respect
- Thu Jun 14 2018 Nick Miller nick.miller@onyxpoint.com - 6.1.1-0
- Update systemd fixtures and CI assets
- Add logging for exportfs failures
- Ensure that reexports happen after the NFS service has been started
- Mon Apr 16 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.1.1-0
- Added
nfs::client::mount::autodetect_remote
to override all autodetection of whether or not the remote host was the current NFS server so an NFS server can mount NFS directories from other servers. - Added
nfs::client::mount::stunnel
to allow users to dictate the stunnel connection state for specific mounts.
- Wed Apr 04 2018 Nick Miller nick.miller@onyxpoint.com - 6.1.1-0
- On systemd systems, the stunnel service is now a dependency of the NFS servers and mounts managed by this module.
- Mon Feb 12 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.1.0-0
- Update upperbound on puppetlabs/concat version to < 5.0.0
- Wed Dec 13 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.1.0-0
- Changed all stunnel connections to use 'stunnel::instance' methods so that they are not interrupted by an issue with the global stunnel configuration and they can set the TCP_NODELAY option as suggested for small transaction, high bandwidth connections.
- Added parameters to allow users to tweak the stunnel socket options for all NFS stunnel connections.
- Added support for OEL and Puppet 5
- Fri Aug 18 2017 Liz Nemsick lnemsick.simp@gmail.com - 6.0.4-0
- Update concat version in metadata.json
- Mon Apr 24 2017 Nick Markowski nmarkowski@keywcorp.com - 6.0.3-0
- gssproxy ensured running when secure_nfs is true, el > 7.1
- Confine puppet version in metadata.json
- Tue Apr 11 2017 Nick Markowski nmarkowski@keywcorp.com - 6.0.3-0
- nfs_anon_write selboolean is only applied if selinux is on.
- Thu Mar 23 2017 Jeanne Greulich jeanne.greulich@onyxpoint.com - 6.0.2-0
- Fixed path for systemctl
- Fri Mar 10 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.1-0
- Fixed the metadata.json dependencies for simp-tcpwrappers
- Thu Dec 08 2016 Nick Markowski nmarkowski@keywcorp.com - 6.0.0-0
- Updated global catalysts and strong typed.
- Fix bug whereby the STATDARGS parameter in NFS sysconfig server configuration was not set.
- Fix bug whereby the LOCKD_ARG parameter in NFS sysconfig server configuration was improperly set.
- Thu Dec 01 2016 Nick Markowski nmarkowski@keywcorp.com - 5.0.1-0
- Removed pupmod-simp-sysctl in favor of augeas-sysctl
- Wed Nov 23 2016 Jeanne Greulich jgreulich.simp@onyxpoint.com - 5.0.0-0
- update requirement versions
- Tue Nov 15 2016 Liz Nemsick lnemsick.simp@gmail.com - 5.0.0-0
- Updated iptables dependency version
- Fri Sep 30 2016 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.0-0
- Updated to use the new 'simpcat' module that deconflicts with 'puppetlabs/concat'
- Thu Aug 25 2016 Nick Markowski nmarkowski@keywcorp.com - 4.5.2-0
- Defaulted export sec to sys.
- Updated documentation to reflect krb5 integration with manual changes.
- Fri Aug 12 2016 Nick Miller nick.miller@onyxpoint.com - 4.5.1-0
- Added a new README
- Mon Aug 01 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.5.0-0
- Added Kerberos Support
- Wed Jul 20 2016 Nick Markowski nmarkowski@keywcorp.com - 4.4.4-0
- Removed create_home_dirs functionality (and added it to the simp module).
- Mon May 16 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 4.4.3-0
- Sanitized cross-class variables for 'STRICT_VARIABLES=yes'
- Wed Mar 23 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.4.2-0
- Minor bug fix to ensure that $::nfs::stunnel variables are not called if the module is not using stunnel.
- Sat Mar 19 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.4.1-0
- Several bug fixes that ensure that the module will work without being bound to a Puppet master.
- Fri Mar 18 2016 Nick Markowski nmarkowski@keywcorp.com - 4.4.0-0
- Ensure that EL6.7+ uses SSSD over NSCD.
- Fri Mar 18 2016 Nick Markowski nmarkowski@keywcorp.com - 4.3.0-1
- Updated the augeas fixtures to reference the simp-master branch.
- Thu Mar 17 2016 Nick Markowski nmarkowski@keywcorp.com - 4.3.0-0
- Updated the exports template to convert clients 'all' or 'any' to '*'
- Added an lvm2 class to ensure nfs-utils can upgrade. This class should be removed once the bug is fixed upstream.
- Mon Mar 14 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-0
- Updated to Semantic Versioning
- Fixed the 'eval' variables in the templates
- Fri Dec 04 2015 Chris Tessmer chris.tessmer@onyxpoint.com - 4.1.0-15
- Replaced all 'lsb' facts with their (package-independent) 'operatingsystem' counterparts.
- Normalized common static module assets.
- Moved parameter validations to the top of each class.
- Mon Nov 09 2015 Chris Tessmer chris.tessmer@onypoint.com - 4.1.0-14
- migration to simplib and simpcat (lib/ only)
- Mon Nov 02 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-13
- Updated the dependency chain for the NFS client kernel module load ordering.
- Thu Feb 19 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-12
- Migrated to the new 'simp' environment.
- Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-11
- Changed puppet-server requirement to puppet
- Wed Oct 22 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-10
- Update to account for the stunnel module updates in 4.2.0-0
- Fri Sep 19 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-9
- Added some necessary fixes to nfs::server_names
- Fri Sep 19 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-8
- Updated the module to be compatible with both RHEL6 and RHEL7. The main issue was the translation of service names between the two systems.
- The anongid/anonuid options were changed to 65534 since the NFS server daemon no longer recognizes -1 and will hang if you use those options.
- Wed Aug 27 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-7
- Updated to use the new sysctl::value define.
- Mon Jul 21 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-6
- Updated to use /var/nfs/home for nfs::create_home_dirs in SIMP>=5
- Sun Jun 22 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-5
- Removed MD5 file checksums for FIPS compliance.
- Thu May 29 2014 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-4
- Set sysctl sunrpc table entries only if secure_nfs is enabled. Both values depend on the rpcgssd service.
- Mon May 05 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-3
- Updated referecnes to newly named global LDAP variables.
- Refactored /etc/sysconfig/nfs to be managed only once instead of by both server and client.
- Mon Mar 17 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-2
- Added a tcpwrappers::allow statement allowing ALL NFS connections if Stunnel is used. This may be a bug in Red Hat itself. I'm not positive.
- Updated the export_home comment section to include a section of Hiera Variables.
- Modified the home_client defaults to hard,intr instead of soft.
- Fixed the create_home_directories script so that it wouldn't attempt to archive the ARCHIVED directory multiple times. Also added date stamping to the ARCHIVED directories in case a user is archived multiple times.
- Tue Mar 04 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-1
- Refactored manifests to pass all lint tests for hiera and puppet 3.
- Added rspec tests for test coverage.
- Wed Feb 12 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-0
- Updated all boolean strings to native booleans.
- Wed Jan 15 2014 Adam Yohrling ayohrling@onyxpoint.com - 4.1.0-0
- Add a class 'nfs::server::create_home_dirs' which allows for the simple creation of NFS home directories on an NFS server from an LDAP database.
- Added the option to turn on nfs::server::create_home_dirs in stock::export_home.
- Mon Oct 07 2013 Nick Markowski nmarkowski@keywcorp.com - 4.0.0-2
- Updated template to reference instance variables with @
- Wed Oct 02 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-1
- Use 'versioncmp' for all version comparisons.
- Wed Jul 31 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-0
- Updated the documentation for nfs::server::conf
- Added support for the NFSD_V4_GRACE option
- Removed the options $secure_nfs_mods and $rpcmtab since they have been deprecated
- Added the ports '111' and $rquotad_port to the list of ports to be opened by iptables in the non-stunnel version. This is due to the fact that the 'quota' command has not been modified to use the single interface instance of NFSv4.
- Mon Jan 07 2013 Kendall Moore kmoore@keywcorp.com - 2.0.0-11
- Create a Cucumber test which sets up the base segments for NFS server and client services.
- Thu Dec 13 2012 Maintenance 2.0.0-10
- Updated to require pupmod-common >= 2.1.1-2 so that upgrading an old system works properly.
- Tue Jun 26 2012 Maintenance 2.0.0-9
- Ensure that nfs-utils is installed before we try to do things with services.
- Thu Jun 07 2012 Maintenance 2.0.0-8
- Ensure that Arrays in templates are flattened.
- Call facts as instance variables.
- Updated the sysctl calls to maintain proper ordering with the service statements.
- Fixed the domain setting in /etc/idmapd.conf and fixed the way stunnel works. This fixes both the 'nobody' issue and issues with mounts via stunnel occasionally failing.
- Moved mit-tests to /usr/share/simp...
- Updated pp files to better meet Puppet's recommended style guide.
- Fri Mar 02 2012 Maintenance 2.0.0-7
- Improved test stubs.
- Tue Dec 20 2011 Maintenance 2.0.0-6
- Updated the spec file to not require a separate file list.
- Scoped all of the top level variables.
- Changed all instances of 'ipaddress' to 'primary_ipaddress'
- Fixed several bugs that cropped up when trying to use stunnel with the stock home_client.pp as well as some bugs relating to when the server was trying to connect with itself. The stock classes should "just work" now.
- Wed Nov 02 2011 Maintenance 2.0.0-5
- Added a parameterized class to handle the configuration of idmapd. In RHEL5 this was not necessary as the defaults handled most cases. In RHEL6, the defaults do not suffice for the stock class.
- Added a variable $portmap_name to the nfs class to be able to differentiate between the RHEL5 and RHEL6 versions.
- Fixed the NFS stock home client to actually call the client stanza.
- Fixed the NFS client to enable the NFSv4 callback port.
- Mon Oct 10 2011 Maintenance 2.0.0-4
- Updated to put quotes around everything that need it in a comparison statement so that puppet > 2.5 doesn't explode with an undef error.
- Fri Aug 12 2011 Maintenance 2.0.0-3
- Added a new init script to properly set the sysctl values for sunrpc.tcp_slot_table_entries and sunrpc.udp_slot_table_entries prior to NFS starting to work around a deficiency in Red Hat.
- Ensure that the sysctl values that are set in nfs::server::conf notify all services that rely on those values.
- Updated to have a cleaner status command for nfslock.
- Wed May 25 2011 Maintenance - 2.0.0-2
- Ensure that anonuid and anongid are set to -1 by default.
- Wed Apr 13 2011 Maintenance - 2.0.0-1
- Removed the original stock classes and moved them to pupmod since they were for clustering.
- Added stock classes for setting up an NFS server and client for home directory mounts using autofs.
- Now properly nail up the NFS callback port for NFSv4
- Now set sunrpc_udp_slot_table_entries and sunrpc_tcp_slot_table_entries to 128 by default.
- Changed all instances of defined(Class['foo']) to defined('foo') per the directions from the Puppet mailing list.
- Exports should be joined with "\n"
- Updated to use concat_build and concat_fragment types
- Tue Jan 11 2011 Maintenance 2.0.0-0
- Refactored for SIMP-2.0.0-alpha release
- Mon Jan 10 2011 Maintenance - 1-7
- Exports entries should not be joined with a hard return!
- Fri Dec 10 2010 Maintenance - 1-6
- Moved nfs::stunnel::client to nfs::client::stunnel::connect
- Added support and default configurations for NFSv3 over stunnel
- Added nfs::stock::stunnel_server and nfs::stock::stunnel_client as nfs setup for basic clustering.
- Tue Oct 26 2010 Maintenance - 1-5
- Converting all spec files to check for directories prior to copy.
- Tue Oct 26 2010 Maintenance - 1.0-4
- No files directory in source caused an RPM build failure.
- Thu Sep 09 2010 Maintenance 1.0-3
- Replaced tcpwrappers::tcpwrappers_allow with tcpwrappers::allow.
- Mon Jul 19 2010 Maintenance 1.0-2
- Fix for NFSv4 over Stunnel clients.
- Fix for using custom NFS server export.
- Wed Jul 14 2010 Maintenance 1.0-1
- Fix for NFSv4 over Stunnel.
- Wed May 19 2010 Maintenance 1.0-0
- Refactor and doc update.
- Fixed an issue with starting nfslock resulting from the nfslock application always returning 0.
- Updated the rpcidmapd service to take into account the case where the sunrpc filesystem is not mounted
- Added support for NFSv3 over Stunnel.
- Added stunnel_server and stunnel_client classes in stock namespace that will set up a basic nfs over stunnel server/client to make clustering work.
- Thu Feb 18 2010 Maintenance 0.1-0
- Initial module creation. Supports NFS v2,3,4. Supports NFSv4 over Stunnel natively. Does not yet support automatic Kerberos use.
Dependencies
- puppet/systemd (>= 4.0.2 < 7.0.0)
- puppet/augeasproviders_sysctl (>= 2.4.0 < 4.0.0)
- puppetlabs/concat (>= 6.4.0 < 10.0.0)
- puppetlabs/stdlib (>= 8.0.0 < 10.0.0)
- simp/simplib (>= 4.9.0 < 5.0.0)
- simp/svckill (>= 3.6.1 < 4.0.0)
- simp/vox_selinux (>= 3.1.0 < 4.0.0)
pupmod-simp-nfs - A Puppet Module for managing NFS -- Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States. The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls. --- Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.