Puppet Class: nfs::server::tcpwrappers

Defined in:
manifests/server/tcpwrappers.pp

Summary

Configure TCP wrappers for NFS server services

Overview



# File 'manifests/server/tcpwrappers.pp', line 6

class nfs::server::tcpwrappers
{
  # Private class: fail compilation if it is declared from outside this module.
  assert_private()

  # TCP wrappers was dropped in EL8, so nothing is declared when
  # $nfs::manage_tcpwrappers is false. In that case this class places no
  # source-address restriction on the NFS helper daemons; any such restriction
  # has to come from elsewhere (e.g. host firewall rules) -- NOTE(review):
  # confirm which control covers these services when this is disabled.
  if $nfs::manage_tcpwrappers {
    include 'tcpwrappers'

    # On EL7, the following NFS-server-related executables are dynamically
    # linked to libwrap:
    # * rpc.rquotad; man page says TCP wrappers service name 'rquotad'
    # * rpc.statd; man page says TCP wrappers under daemon name 'statd'
    # * rpc.mountd; man page says TCP wrappers under daemon name 'mountd'
    # * exportfs; not a daemon so not appropriate
    # * rpcbind
    #
    # stunnel also uses TCP wrappers with a service name that matches the
    # tunnel's service name. The tcpwrappers::allow is handled by the stunnel
    # module.

    # Options for the allow rules shared with nfs::client. These use the
    # module-wide $nfs::trusted_nets, not $nfs::server::trusted_nets, so
    # narrowing only the server-level list does not narrow access to rpcbind
    # or statd. Presumably this keeps the declaration identical to the one in
    # nfs::client, since ensure_resource() fails on a duplicate declaration
    # whose parameters differ -- verify against nfs::client.
    $_allow_options = { pattern => $nfs::trusted_nets }

    # Resource in common with nfs::client, which may be on this node.
    ensure_resource('tcpwrappers::allow', 'rpcbind', $_allow_options)

    # statd and mountd are only allowed when NFSv3 is enabled on the server;
    # otherwise rquotad is the only server-specific service allowed here.
    if $nfs::server::nfsd_vers3 {
      # Resource in common with nfs::client, which may be on this node.
      ensure_resource('tcpwrappers::allow', 'statd', $_allow_options)

      $_allow = [ 'mountd', 'rquotad' ]
    } else {
      $_allow = ['rquotad']
    }

    # Server-only services are restricted to the server-level trusted_nets,
    # which may differ from the module-wide list used for rpcbind/statd above.
    tcpwrappers::allow { $_allow:
      pattern => $nfs::server::trusted_nets
    }
  }
}