Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
- Puppet >= 6.22.1 < 8.0.0
Start using this module
Add this module to your Puppetfile:
mod 'simp-simp_nfs', '1.1.0'
Learn more about managing modules with a Puppetfile in the Puppet documentation.
Description
This module is a SIMP Puppet profile for setting up common NFS configurations as supported by the SIMP ecosystem
This is a SIMP module
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
If you find any issues, they may be submitted to our bug tracker.
This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:
- When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
- If used independently, all SIMP-managed security subsystems are disabled by default and must be explicitly opted into by administrators. Please review the parameters in simp/simp_options for details.
Setup
What simp_nfs affects
This module provides commonly used configurations for NFS server and client systems.
Usage
Serve NFS Home Directories over Stunnel
To export home directories for your users over a Stunnel-encrypted connection, use the following code and Hiera data:
include 'simp_nfs'
---
simp_options::stunnel: true
simp_nfs::export_home_dirs: true
Mount NFS Home Directories
To mount your exported home directories over a Stunnel-encrypted connection, use the following code and Hiera data. The server must be given as an IP address; hostnames are not accepted because of firewalld limitations (see the 1.0.0 and 1.0.1 changelog entries):
include 'simp_nfs'
---
simp_options::stunnel: true
simp_nfs::home_dir_server: <your NFS server IP>
Mount Home NFS Directories on another NFS server
If this system is itself an NFS server and you want to mount home directories from a different NFS server, do not include the simp_nfs class: it would declare the nfs class a second time and the catalog would fail. Instead, create a site manifest and declare the simp_nfs::mount::home class directly.
Note: If you are using stunnel, use the port parameter and set it to a different port than the one the local NFS server is using.
class mounthome (
  # Set mounthome::home_server in Hiera to the IP address of the remote NFS server
  Simplib::IP $home_server
) {
  class { 'simp_nfs::mount::home':
    nfs_server        => $home_server,
    # stunnel listener port; must differ from the port the local NFS server uses
    port              => 12049,
    # do not let autodetection rewrite the server to 127.0.0.1 because this host is also an NFS server
    autodetect_remote => false,
  }
}
include mounthome
Reference
See REFERENCE.md for details.
Known Issues
The autofs package released with CentOS 7.3 (5.0.7-56) worked properly over a stunnel connection.
The release shipped with CentOS 7.4 (5.0.7-69) prevents any connection to the local stunnel process and breaks automounts to remote systems over stunnel connections.
The release shipped with CentOS 7.6 (5.0.7-99) fixed the issue.
To use NFS over stunnel and automount directories with older CentOS 7 releases, you must install an unaffected autofs package.
To determine what version of autofs is installed, run automount -V.
To force the package to the desired version:
- Make sure the package is available via your package-management facility, then set the package version in Hiera data:
autofs::autofs_package_ensure: '5.0.7-99'
- Alternatively, ensure that the latest packages are available and set the following:
autofs::autofs_package_ensure: 'latest'
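As an added check (example script, not code from the simp_nfs module or the SIMP project), the following POSIX shell script parses the output of automount -V and reports whether the installed autofs release falls in the range the Known Issues above identify as broken over stunnel: 5.0.7-69 and later, up to but not including 5.0.7-99. The exact text printed by automount -V ("Linux automount version 5.0.7-69.el7") and the sample lines at the bottom are assumptions constructed for offline testing, not output taken from this page; the version boundaries are the ones stated above.

```shell
#!/bin/sh
# Added example, not part of simp_nfs: flag autofs releases that the README
# says break NFS automounts over stunnel on CentOS 7.
# Version facts from the README: 5.0.7-56 works, 5.0.7-69 is broken, 5.0.7-99 is fixed.
# Assumption: `automount -V` prints a line like "Linux automount version 5.0.7-69.el7".

BROKEN_FROM='5.0.7-69'   # first release known to be broken
FIXED_IN='5.0.7-99'      # first release known to carry the fix

# vercmp A B: print -1, 0 or 1 as A is older than, equal to or newer than B.
# Versions are split on '.' and '-' and compared field by field as integers,
# so 5.0.7-99 sorts after 5.0.7-69 (a plain string comparison would get 5.0.7-100 wrong).
vercmp() {
  a="$1" b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    fa=${a%%[.-]*}; fb=${b%%[.-]*}       # leading numeric field of each
    fa=${fa:-0};    fb=${fb:-0}          # missing trailing fields count as 0
    if [ "$fa" -lt "$fb" ]; then printf '%s\n' -1; return; fi
    if [ "$fa" -gt "$fb" ]; then printf '%s\n' 1;  return; fi
    case "$a" in *[.-]*) a=${a#*[.-]} ;; *) a='' ;; esac   # drop the consumed field
    case "$b" in *[.-]*) b=${b#*[.-]} ;; *) b='' ;; esac
  done
  printf '%s\n' 0
}

# autofs_version_from_output LINE: extract "5.0.7-69" from an automount -V line,
# discarding any distribution suffix such as ".el7". Prints nothing when no match.
autofs_version_from_output() {
  printf '%s\n' "$1" | sed -n 's/.*version \([0-9][0-9.]*-[0-9][0-9]*\).*/\1/p'
}

# autofs_stunnel_broken VERSION: succeed when BROKEN_FROM <= VERSION < FIXED_IN.
autofs_stunnel_broken() {
  [ "$(vercmp "$1" "$BROKEN_FROM")" -ge 0 ] && [ "$(vercmp "$1" "$FIXED_IN")" -lt 0 ]
}

# check_automount_output LINE: report the verdict for one automount -V line.
# Returns 0 when usable, 1 when broken, 2 when no version could be parsed.
check_automount_output() {
  v=$(autofs_version_from_output "$1")
  if [ -z "$v" ]; then
    echo "could not parse an autofs version from: $1"; return 2
  fi
  if autofs_stunnel_broken "$v"; then
    echo "autofs $v: broken over stunnel; set autofs::autofs_package_ensure to '$FIXED_IN' or newer"
    return 1
  fi
  echo "autofs $v: usable over stunnel"
}

# Constructed sample lines (not real command output) so the script runs offline.
for sample in 'Linux automount version 5.0.7-56.el7' \
              'Linux automount version 5.0.7-69.el7' \
              'Linux automount version 5.0.7-99.el7'; do
  check_automount_output "$sample" || true
done
# On a real host: check_automount_output "$(automount -V 2>&1)"
```

Run it on a CentOS 7 NFS client before enabling simp_options::stunnel; a non-zero exit from check_automount_output on the real automount -V output means the autofs::autofs_package_ensure pin above is required.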
Limitations
This is a SIMP Profile. It will not expose all options of the underlying modules, only the ones that are conducive to a supported SIMP infrastructure. If you need to do things that this module does not cover, you may need to create your own profile or inherit this profile and extend it to meet your needs.
SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux and compatible distributions, such as CentOS. Please see the metadata.json file for the most up-to-date list of supported operating systems, Puppet versions, and module dependencies.
Development
Please read our Contribution Guide.
Acceptance tests
This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:
bundle install
bundle exec rake beaker:suites
Please refer to the SIMP Beaker Helpers documentation for more information.
Reference
Table of Contents
Classes
- simp_nfs: A SIMP Profile for common NFS configurations
- simp_nfs::create_home_dirs: Adds a script that creates user home directories by pulling users from the LDAP directory server
- simp_nfs::export::home: Configures an NFS server to share centralized home directories via NFSv4
- simp_nfs::mount::home: Sets up an NFSv4 client to mount your remote home directories
Classes
simp_nfs
A SIMP Profile for common NFS configurations
Parameters
The following parameters are available in the simp_nfs class:
export_home_dirs
Data type: Boolean
Set up home directory exports for this system
- The simp_options::trusted_nets parameter governs which clients may connect to the share by default.
- Further configuration for home directory exports can be tweaked via the parameters in simp_nfs::export::home
Default value: false
home_dir_server
Data type: Optional[Simplib::Ip]
If set, specifies the server (as an IP address) from which you want to mount NFS home directories for your users
- If $export_home_dirs is also true, this class assumes that you want to mount from the local server whenever this is set
- Further configuration for the home directory mounts can be tweaked via the parameters in simp_nfs::mount::home
Default value: undef
autodetect_remote
Data type: Boolean
Use inbuilt autodetection to determine whether the local system is the server from which we should be mounting directories
- Generally, you should set this to false if you have issues with the system mounting from 127.0.0.1 when your home directories are actually on another system
Default value: true
use_autofs
Data type: Boolean
Use autofs for home directory mounts
Default value: true
simp_nfs::create_home_dirs
Adds a script that creates user home directories by pulling users from the LDAP directory server
Contributors: https://github.com/simp/pupmod-simp-simp_nfs/graphs/contributors
Parameters
The following parameters are available in the simp_nfs::create_home_dirs class:
uri
enable
create_home_script
run_schedule
base_dn
bind_dn
bind_pw
export_dir
skel_dir
ldap_scope
port
tls
quiet
syslog_facility
syslog_severity
strip_128_bit_ciphers
tls_cipher_suite
pki
app_pki_external_source
app_pki_dir
app_pki_key
app_pki_cert
app_pki_ca_dir
package_ensure
uri
Data type: Array[Simplib::URI]
The uri(s) of the LDAP servers
Default value: simplib::lookup('simp_options::ldap::uri')
enable
Data type: Boolean
Enable or disable the systemd timer that runs the script to create home directories for users.
Default value: true
create_home_script
Data type: Stdlib::AbsolutePath
The path where to place the script.
Default value: '/usr/local/bin/create_home_directories.rb'
run_schedule
Data type: String
The time schedule for the systemd timer. See systemd.timer man page for correct format.
Default value: '1 h'
base_dn
Data type: String
The root DN that should be used when searching for entries
Default value: simplib::lookup('simp_options::ldap::base_dn')
bind_dn
Data type: String
The DN to use when binding to the LDAP server
Default value: simplib::lookup('simp_options::ldap::bind_dn')
bind_pw
Data type: String
The password to use when binding to the LDAP server
Default value: simplib::lookup('simp_options::ldap::bind_pw')
export_dir
Data type: Stdlib::Absolutepath
The location of the home directories being exported
- This location must be a Puppet-managed File resource
- See the simp_nfs::export::home class for an example
Default value: '/var/nfs/home'
skel_dir
Data type: Stdlib::Absolutepath
The location of sample skeleton files for user directories
Default value: '/etc/skel'
ldap_scope
Data type: Enum['one','sub','base']
The search scope to use
Default value: 'one'
port
Data type: Simplib::Port
The target port on the LDAP server
- If none is specified, defaults to 389 for plain and start_tls connections, and 636 for legacy SSL connections
Default value: 389
tls
Data type: Enum['ssl','start_tls','none']
Whether or not to enable SSL/TLS for the connection
- ssl: LDAPS on port 636 unless a different port is specified. Uses simple_tls; no validation of the LDAP server's SSL certificate is performed, so the connection is encrypted but the server is not authenticated.
- start_tls: Start TLS on port 389 unless a different port is specified
- none: LDAP without encryption on port 389 unless a different port is specified
Default value: 'start_tls'
quiet
Data type: Boolean
Whether or not to run quietly, suppressing potentially useful warnings
Default value: true
syslog_facility
Data type: Simplib::Syslog::CFacility
The syslog facility at which to log; must be Ruby syslog compatible
Default value: 'LOG_LOCAL6'
syslog_severity
Data type: Simplib::Syslog::CSeverity
The syslog severity at which to log; must be Ruby syslog compatible
Default value: 'LOG_NOTICE'
strip_128_bit_ciphers
Data type: Boolean
Deprecated: this option does not affect any supported OSes
Default value: true
tls_cipher_suite
Data type: Array[String[1]]
The TLS ciphers that should be used for the connection to LDAP
- This option was primarily provided for EL6 system support and may be deprecated in the future
Default value: simplib::lookup('simp_options::openssl::cipher_suite', { 'default_value' => ['DEFAULT','!MEDIUM'] })
pki
Data type: Variant[Enum['simp'],Boolean]
- If 'simp', include SIMP's pki module and use pki::copy to manage application certs in /etc/pki/simp_apps/nfs_home_server/x509
- If true, do not include SIMP's pki module, but still use pki::copy to manage certs in /etc/pki/simp_apps/nfs_home_server/x509
- If false, do not include SIMP's pki module and do not use pki::copy
to manage certs. You will need to appropriately assign a subset of:
- app_pki_dir
- app_pki_key
- app_pki_cert
- app_pki_ca
- app_pki_ca_dir
Default value: simplib::lookup('simp_options::pki', { 'default_value' => false })
app_pki_external_source
Data type: String
- If pki = 'simp' or true, this is the directory from which certs will be copied, via pki::copy. Defaults to /etc/pki/simp/x509.
- If pki = false, this variable has no effect.
Default value: simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' })
app_pki_dir
Data type: Stdlib::Absolutepath
This variable controls the basepath of $app_pki_key, $app_pki_cert, $app_pki_ca, $app_pki_ca_dir, and $app_pki_crl. It defaults to /etc/pki/simp_apps/nfs_home_server/x509.
Default value: '/etc/pki/simp_apps/nfs_home_server/x509'
app_pki_key
Data type: Stdlib::AbsolutePath
Path and name of the private SSL key file
Default value: "${app_pki_dir}/private/${facts['fqdn']}.pem"
app_pki_cert
Data type: Stdlib::AbsolutePath
Path and name of the public SSL certificate
Default value: "${app_pki_dir}/public/${facts['fqdn']}.pub"
app_pki_ca_dir
Data type: Stdlib::Absolutepath
Path to the CA.
Default value: "${app_pki_dir}/cacerts"
package_ensure
Data type: String
The ensure status of the rubygem-net-ldap package
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
simp_nfs::export::home
Sets up the export root at ${data_dir}/nfs/exports and then adds ${data_dir}/nfs/home and submounts it under ${data_dir}/nfs/exports.
- The export root is the root NFS share directory for the NFSv4 pseudo filesystem. Each directory below that NFS share should be a bind mount to a directory on the NFS server.
- The exported home directory should be mounted as $nfs_server:/home from your clients, where $nfs_server is the IP address of the NFS server.
Examples
NFS Server System Hieradata
---
nfs::is_server: true
simp::classes:
  - simp_nfs::export::home
NFS Client Home Mount
---
simp_nfs::mount::home::nfs_server: <nfs_server_ip>
simp::classes:
  - simp_nfs::mount::home
Parameters
The following parameters are available in the simp_nfs::export::home class:
data_dir
Data type: Stdlib::Absolutepath
The base directory under which the nfs/exports export root and the nfs/home directory are created
Default value: '/var'
trusted_nets
Data type: Simplib::Netlist
The networks that are allowed to mount this space
Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] })
sec
Data type: Array[Enum['none','sys','krb5','krb5i','krb5p']]
An Array of sec modes for the export.
Default value: ['sys']
create_home_dirs
Data type: Boolean
Automatically create user home directories from LDAP data
Default value: simplib::lookup('simp_options::ldap', { 'default_value' => false })
simp_nfs::mount::home
If this system is also the NFS server, you need to set nfs::client::is_server to true or set simp_nfs::mount::home::nfs_server to 127.0.0.1.
Parameters
The following parameters are available in the simp_nfs::mount::home class:
nfs_server
Data type: Simplib::IP
The NFS server to which you will be connecting
- If you are the server, please make sure that this is 127.0.0.1
remote_path
Data type: Stdlib::Absolutepath
The NFS share that you want to mount
Default value: '/home'
local_home
Data type: Stdlib::Absolutepath
The local base for home directories
- Most sites will want this to be /home, but some may opt for something like /exports/home
- Top level directories will not be automatically managed
Default value: '/home'
port
Data type: Optional[Simplib::Port]
The NFS port to which to connect
Default value: undef
sec
Data type: Enum['sys','krb5','krb5i','krb5p']
The sec mode for the mount
- Only valid with NFSv4
Default value: 'sys'
options
Data type: Optional[String]
The mount options string that should be used
- fstype and port will already be set for you
Default value: undef
at_boot
Data type: Boolean
Ensure that this mount is mounted at boot time
- Has no effect if $use_autofs is set
Default value: true
autodetect_remote
Data type: Boolean
Use inbuilt autodetection to determine whether the local system is the server from which we should be mounting directories
- Generally, you should set this to false if you have issues with the system mounting from 127.0.0.1 when your home directories are actually on another system
Default value: true
use_autofs
Data type: Boolean
Enable automounting with Autofs
Default value: true
Changelog
- Tue Jun 22 2021 Jeanne Greulich jeanne.greulich@onyxpoint.com - 1.1.0
  - Add NFS server certificate information to the create_home_directories script. 389ds has client authentication set to require, so the certificate information must be sent in the Net::LDAP call.
  - Change the cron job to a systemd timer and remove the script from /etc/cron.hourly. The script is now located in /usr/local/bin.
  - Add tests with a 389ds server
- Thu Jun 17 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 1.1.0
  - Removed support for Puppet 5
  - Ensured support for Puppet 7 in requirements and stdlib
- Wed Jun 16 2021 Jeanne Greulich jeanne.greulich@onyxpoint.com - 1.1.0
  - Fixed:
    - Bug where EL8 LDAP clients were unable to communicate with an EL7 LDAP server in /etc/cron.hourly/create_home_directories.rb when the servers were in FIPS mode. EL8 in FIPS mode could not talk to an LDAP server on EL7 because the ciphers did not match. The script was using the default policies, which only have TLS1_3 in them. EL7 uses an older version of openssl which does not have TLS1_3. Therefore, the ciphers and CA path had to be set in the script.
  - Added:
    - PKI parameters to simp_nfs::create_home_directories.
    - Management of PKI certificates in simp_nfs::create_home_directories.
- Wed Jan 13 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 1.1.0
  - Deprecated simp_nfs::create_home_dirs::strip_128_bit_ciphers. This option no longer affects any supported OSes.
- Fri Oct 16 2020 Liz Nemsick lnemsick.simp@gmail.com - 1.0.1
  - Fixed:
    - Removed hostname as a possible entry for the NFS server in the sample code in the README. Specifying the NFS server as a hostname is no longer supported due to limitations of firewalld.
    - Replaced deprecated 'classes' with 'simp::classes' in manifest documentation.
  - Updated:
    - In the README, removed EL6 from the autofs known issue discussion and added more details on how to work around the problem.
- Tue Mar 31 2020 Jeanne Greulich jeannegreulich@onyxpoint.com - 1.0.0
  - Added support for EL8
  - Removed support for EL6
  - Updated to use pupmod-simp-nfs release 7.0.0
  - Only accepts IP addresses for the NFS server because firewalld needs an IP address.
- Wed Jul 03 2019 Trevor Vaughan tvaughan@onyxpoint.com - 0.2.0
  - Documentation update
  - Fix acceptance tests
  - Remove pinning of autofs package
- Fri Jun 28 2019 Brandon Riden brandon.riden@onyxpoint.com - 0.2.0
  - Add Compliance Engine 2.0 compatible data and tests
- Tue Apr 09 2019 Joseph Sharkey shark.bruhaha@gmail.com - 0.1.1
  - Remove Elasticsearch and Grafana GPG Keys
  - Updated tests in support of puppet6, and removed puppet4 support
- Mon Mar 04 2019 Liz Nemsick lnemsick.simp@gmail.com - 0.1.1
  - Use simplib::nets2cidr in lieu of deprecated Puppet 3 nets2cidr
  - Updated URLs in the README.md
- Mon Nov 05 2018 Liz Nemsick lnemsick-simp@gmail.com - 0.1.0
  - Update badges in README.md
- Thu Sep 13 2018 Nick Miller nick.miller@onyxpoint.com - 0.1.0
  - Add support for Puppet 5 and OEL
  - Upped stdlib dep to support version 5
  - Add reference.md
  - Added $simp_nfs::create_home_dirs::package_ensure parameter
    - Changed the package from 'latest' to 'installed'
    - It will also respect simp_options::package_ensure
- Fri Sep 07 2018 Liz Nemsick lnemsick.simp@gmail.com - 0.1.0
  - Drop Hiera 4 support
- Thu Jun 14 2018 Nick Miller nick.miller@onyxpoint.com - 0.0.5
  - Update systemd fixtures and CI assets
- Wed Apr 18 2018 Trevor Vaughan tvaughan@onyxpoint.com - 0.0.5
  - Allow users to properly disable autofs
  - Added parameter, autodetect_remote, that allows users to disable the logic that determines if the system is an NFS server and mounts directories locally. This allows the mounting of home directories to another NFS server.
- Fri Sep 01 2017 Jeanne Greulich jeannegreulich@onyxpoint.com - 0.0.4
  - Documented known bug and workaround in CentOS 6.9 in the README file.
- Tue Apr 11 2017 Nick Markowski nmarkowski@keywcorp.com - 0.0.3
  - Updated create_home_directories to handle multiple URIs
  - Update puppet requirement in metadata.json
- Fri Apr 07 2017 Trevor Vaughan tvaughan@onyxpoint.com - 0.0.2
  - Added the ability to override ciphers in the create_home_directories script for EL6, since the cipher order does not happen from strongest to weakest and breaks secure LDAP connections
  - Added a check for create_home_directories to ensure that directories are not archived if the server doesn't respond for TLS reasons.
- Tue Jan 03 2017 Trevor Vaughan tvaughan@onyxpoint.com - 0.0.1
  - Initial release
Dependencies
- simp/nfs (>= 7.0.0 < 8.0.0)
- simp/simplib (>= 4.1.0 < 5.0.0)
- puppetlabs/stdlib (>= 6.6.0 < 8.0.0)
License
Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States.
The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.