Table of Contents

• Description
  • This is a SIMP module
• Setup
  • What nfs affects
  • Setup requirements
  • Beginning with nfs
• Usage
  • Basic Usage
  • Usage with krb5
  • Usage with stunnel
  • Other security features
• Reference
• Limitations
• Development - Guide for contributing to the module
  • Acceptance Tests - Beaker env variables

Description

The is a module for managing the exporting and mounting of NFS devices. It provides all the infrastructure needed to share folders over the network.

The module is broken into two parts: the server and the client. It supports security with either krb5 or stunnel, but not both, as these security services conflict at a system level. It also manages firewall and TCP wrapper settings, when enabled.

This is a SIMP module

This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.

If you find any issues, they may be submitted to our bug tracker.

This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:

• When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
• If used independently, all SIMP-managed security subsystems are disabled by default and must be explicitly opted into by administrators. See the SIMP simp_options module for more detail.

Setup

What nfs affects

The nfs module installs NFS packages, configures services for the NFS server and/or client and manages most NFS configuration files.

Setup Requirements

The only requirement is to include the nfs module and its dependencies in your modulepath.

• If you are using any of the nfs module's optional dependencies, e.g. autofs, please also include those modules in the module path as well. The list of optional dependencies can be found in the nfs module's metadata.json file under simp/optional_dependencies.

Beginning with nfs

You can use the nfs module to manage NFS settings for a node that is a NFS client, a NFS server or both.

NFS client

Including one or more nfs::client::mount defines in a node's manifest will automatically include the nfs::client class, which, in turn, will ensure the appropriate packages are installed and appropriate services are configured and started.

NFS server

Including one or more nfs::server::export defines in a node's manifest and setting the hiera below will automatically include the nfs::server class, which, in turn, will ensure the appropriate packages are installed and appropriate services are configured.

nfs::is_server: true
nfs::is_client: false

NFS server and client

Including one or more nfs::server::export or nfs::client::mount defines in a node's manifest and setting the hiera below will automatically include the nfs::server and nfs::client classes. This will, in turn, ensure the appropriate packages are installed and appropriate services are configured for both roles.

nfs::is_server: true

Usage

Basic Usage

Exporting a filesystem

To export /srv/nfs_share, add the following to the NFS server's manifest:

  nfs::server::export { 'nfs4_root':
    client      => [ <trusted networks> ]
    export_path => '/srv/nfs_share',
    require     => File['/srv/nfs_share']
  }

  file { '/srv/nfs_share':
    ensure => 'directory',
    owner  => 'root',
    group  => 'root',
    mode   => '0644'
  }

Be sure to set the following in hiera, as well:

nfs::is_server: true

Mounting

Static mount

To mount /srv/nfs_share statically to /mnt/nfs on the NFS client using NFSv4, add the following to the NFS client's manifest:

$mount_dir = '/mnt/nfs'

nfs::client::mount { $mount_dir:
  nfs_server  => '<NFS server IP>',
  remote_path => '/srv/nfs_share',
  autofs      => false
}

# mount directory must exist if not using autofs
file { $mount_dir:
  ensure => 'directory',
  owner  => 'root',
  group  => 'root',
  mode   => '0644'
}

File[$mount_dir] -> Nfs::Client::Mount[$mount_dir]

Automatic direct mount

To automount /exports/data as /data using an direct mount, add the following to the NFS client's manifest:

nfs::client::mount { '/data':
  nfs_server  => '<NFS server IP>',
  remote_path => '/exports/data'
}

Automatic indirect mount

To automount /exports/apps as /apps using an indirect mount with key substitution, add the following to the NFS client's manifest:

nfs::client::mount { '/apps':
  nfs_server              => '<NFS server IP>',
  remote_path             => '/exports/apps',
  autofs_indirect_map_key => '*',
  autofs_add_key_subst    => true
}

Automatic mount of home directories for LDAP users

Please reference the SIMP documentation for details on how to implement this feature.

Usage with krb5

---

WARNING

This functionality requires some manual configuration and when keys change may require manual purging of the gssproxy cache.

---

This module, used with the SIMP krb5 module, can automatically use kerberos to secure the exported filesystem. The module can create and manage the entire kerberos configuration automatically, but check the krb5 module itself if you want more control.

Modify the examples provided above to include the following hieradata on all nodes:

simp_options::kerberos: true
nfs::secure_nfs: true

krb5::config::dns_lookup_kdc: false
krb5::kdc::auto_keytabs::global_services:
  - 'nfs'

On the node intended to be the KDC, include the following class:

include 'krb5::kdc'

On the NFS server and client nodes, add the following to each node's manifest:

# If your realm is not your domain name then change this
# to the string that is your realm
$myrealm = upcase($facts['domain'])

krb5::setting::realm { $myrealm:
  admin_server   => <KDC fqnd>,
  default_domain => $myrealm
}

SIMP does not have kerberos set up to work automatically with LDAP yet. You must add a principal for each user you want to give access to the krb5 protected directories. To do this log onto the KDC and run:

kadmin.local
# Note the prompt is now kadmin.local!
kadmin.local:  add_principal -pw <password> <username>
...
kadmin.local:  exit

When the user logs on after kerberos has been configured they must run:

kinit

It will ask them for their password. Once the have done this they should be able to access any shares from that realm.

Usage with stunnel

When use of kerberos is not viable, but you want to encrypt NFS traffic, you can configure the NFS server and client to use stunnel automatically on NFSv4 connections.

This module uses the SIMP stunnel module for stunnel management.

NFSv4 stunnel, one NFS server

In this scenario, we will consider a site with one NFS server.

Export with stunnel

To enable use of stunnel at the NFS server, set the following in hieradata:

nfs::is_server: true
nfs::stunnel: true

To export /srv/nfs_share, add the following to the NFS server's manifest:

nfs::server::export { 'nfs4_root':
  client      => [ <trusted networks> ]
  export_path => '/srv/nfs_share',
  # This MUST be set to true due to a NFS exports processing bug.
  # See description in nfs::server::export.
  insecure    => true,
  require     => File['/srv/nfs_share']
}

file { '/srv/nfs_share':
  ensure => 'directory',
  owner  => 'root',
  group  => 'root',
  mode   => '0644'
}

Mount with stunnel

To enable use of stunnel at the NFS client, set the following in hieradata:

nfs::stunnel: true

To mount /srv/nfs_share statically to /mnt/nfs on the NFS client, add the following to the NFS client's manifest:

$mount_dir = '/mnt/nfs'

nfs::client::mount { $mount_dir:
  nfs_server  => '<NFS server IP>',
  remote_path => '/srv/nfs_share',
  autofs      => false
}

# mount directory must exist if not using autofs
file { $mount_dir:
 ensure => 'directory',
 owner  => 'root',
 group  => 'root',
 mode   => '0644'
}

File[$mount_dir] -> Nfs::Client::Mount[$mount_dir]

In this simple case, the mount manifest looks exactly the same as in the unencrypted case. Only the hieradata has changed.

NFSv4 stunnel, multiple NFS servers

In this scenario, we will consider a site with two NFS servers. The example shown can be extrapolated to any number of NFS servers.

Server 1 export with stunnel

The first NFS server will be configured exactly as is done with the single server example above.

Server 1 hieradata:

nfs::is_server: true
nfs::stunnel: true

Server 1 manifest:

nfs::server::export { 'nfs4_root':
  client      => [ <trusted networks> ]
  export_path => '/srv/nfs_share',
  # This MUST be set to true due to a NFS exports processing bug
  insecure    => true,
  require     => File['/srv/nfs_share']
}

file { '/srv/nfs_share':
  ensure => 'directory',
  owner  => 'root',
  group  => 'root',
  mode   => '0644'
}

Server 2 export with stunnel

The second NFS server requires a little more configuration.

To enable use of stunnel at this NFS server and prevent port conflicts with Server 1 on any client that wants to mount from both servers over stunnel, set the following in hieradata:

nfs::is_server: true
nfs::stunnel: true

# The nfsd port must be unique among all NFS servers at the site.
# The stunnel nfsd port is configured here for consistency, but
# could be left at the default.
nfs::nfsd_port: 2050
nfs::stunnel_nfsd_port: 20500

To export /srv/nfs_share2, add the following to Server 2's manifest:

nfs::server::export { 'nfs4_root':
  client      => [ <trusted networks> ]
  export_path => '/srv/nfs_share2',
  # This MUST be set to true due to a NFS exports processing bug
  insecure    => true,
  require     => File['/srv/nfs_share2']
}

file { '/srv/nfs_share2':
  ensure => 'directory',
  owner  => 'root',
  group  => 'root',
  mode   => '0644'
}

Mounts to servers with stunnel

To enable use of stunnel at the NFS client, set the following in hieradata:

nfs::stunnel: true

To mount /srv/nfs_share from Server 1 statically to /mnt/nfs and /srv/nfs_share2 from Server 2 statically to /mnt/nfs2, add the following to the NFS client's manifest:

# this mount uses the defaults, because Server 1 uses nfs
# module defaults
$mount_dir = '/mnt/nfs'
nfs::client::mount { $mount_dir:
  nfs_server  => '<NFS Server 1 IP>',
  remote_path => '/srv/nfs_share',
  autofs      => false
}

# this mount sets ports to match those of Server 2
$mount_dir2 = '/mnt/nfs2'
nfs::client::mount { $mount_dir2:
  nfs_server        => '<NFS Server 2 IP>',
  remote_path       => '/srv/nfs_share2',
  autofs            => false,
  nfsd_port         => 2050,
  stunnel_nfsd_port => 20500
}

# mount directories must exist if not using autofs
file { [ $mount_dir, $mount_dir2 ]:
 ensure => 'directory',
 owner  => 'root',
 group  => 'root',
 mode   => '0644'
}

File[$mount_dir] -> Nfs::Client::Mount[$mount_dir]
File[$mount_dir2] -> Nfs::Client::Mount[$mount_dir2]

NFSv3 considerations

NFSv3 traffic cannot be encrypted with stunnel because of two key reasons:

• The NFS client sends the NFS server Network Status Manager (NSM) notifications via UDP, exclusively.

  • stunnel only handles TCP traffic.
  • Loss of these notification may affect NFS performance.

• In multi-NFS-server environments, there is no mechanism to configure rpcbind to use a non-standard port.

  • NFSv3 heavily relies upon rpcbind to determine the side-band channel ports in use on the NFS nodes. This includes the statd and lockd ports used in NSM and NLM, respectively.
  • A unique rpcbind port per server is required in order for a NFS client to be able tunnel its server-specific RPC requests to the appropriate server.

Despite this limitation, this module still fully supports unencrypted NFSv3 and allows the NFS server and client to use unencrypted NFSv3 concurrently with stunneled NFSv4.

• If a NFS server is configured to both allow NFSv3 and to use stunnel, it will accept unencrypted NFSv3 connections, unencrypted NFSv4 connections and stunneled NFSv4 connections.

  The hieradata for this configuration is:

  nfs::is_server: true
  nfs::nfsv3: true
  nfs::stunnel: true
  

• If a NFS client is configured to both allow NFSv3 and to use stunnel, it can use unencrypted NFSv3 mounts and stunneled NFSv4 mounts.

  The hieradata for this configuration is:

  nfs::nfsv3: true
  nfs::stunnel: true
  

Other security features

This module can be configured to automatically add firewall rules and allow NFS services in TCP wrappers using the SIMP iptables module and the SIMP tcpwrappers module, respectively.

To enable these features on the NFS server and NFS client nodes, add the following to their hieradata:

simp_options::firewall: true
simp_options::tcpwrappers: true

Reference

Please refer to the REFERENCE.md.

Limitations

This module does not yet manage the following:

• /etc/nfsmounts.conf

• gssproxy configuration

  • If you are using a custom keytab location, you must fix the cred_store entries in /etc/gssproxy/24-nfs-server.conf and /etc/gssproxy/99-nfs-client.conf.
  • If a node's keytab has changed content and the old keytab entries are no longer valid, you will have to manually clear the gssproxy credential cache using kdestroy -c <gssproxy cache>. Simply restarting the gssproxy service does not clear the cache and re-read the keytab!

• RDMA packages or its service

• idmapd configuration for the umich_ldap translation method

  • If you need to configure this, consider using nfs::idmapd::config::content to specify full contents of the /etc/idmapd.conf file.

This module does not address an intermittent systemd issue in which the rpc.statd NFSv3 daemon is not always stopped when the rpc-statd service is stopped. When this occurs,

• systemd no longer has a record of that daemon's PID and cannot fix the problem.

• The rpc-statd service cannot be subsequently started.

  • When the service tries to start another instance of rpc.statd, the new instance detects the running instance and then immediately exits with a failed exit code.

• You must manually kill the running rpc.statd daemon to recover.

SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux and compatible distributions, such as CentOS. Please see the metadata.json file for the most up-to-date list of supported operating systems, Puppet versions, and module dependencies.

Development

Please read our Contribution Guide.

Acceptance tests

This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:

bundle install
bundle exec rake beaker:suites

Please refer to the SIMP Beaker Helpers documentation for more information.

Reference

Table of Contents

Classes

Public Classes

• nfs: Provides the base configuration and services for an NFS server and/or client.
• nfs::idmapd::client: Manage the idmapd client configuration
• nfs::idmapd::config: Manage idmapd configuration
• nfs::lvm2: Class to counterract a packaging bug with nfs-utils.

Private Classes

• nfs::base::config: Manage configuration common to an NFS server and an NFS client
• nfs::base::service: Manage services common to an NFS server and an NFS client
• nfs::client: Manage configuration and services for a NFS client
• nfs::client::config: Manage NFS client-specific configuration
• nfs::client::service: Manage NFS client-specific services
• nfs::client::tcpwrappers: Configure TCP wrappers for NFS client services
• nfs::idmapd::server: Manage the idmapd server configuration and service
• nfs::install: Manage the required NFS packages
• nfs::selinux_hotfix: Provides hotfix for broken SElinux policy
• nfs::server: Manage configuration and services for a NFS server
• nfs::server::config: Manage NFS server-specific configuration
• nfs::server::firewall: NFS server firewall configuration
• nfs::server::firewall::nfsv3and4: NFS server firewall configuration for NFSv3 and NFSv4
• nfs::server::firewall::nfsv4: NFS server firewall configuration for NFSv4 only
• nfs::server::service: Manage NFS server-specific services
• nfs::server::stunnel: Configures a server for NFSv4 over stunnel
• nfs::server::tcpwrappers: Configure TCP wrappers for NFS server services

Defined types

Public Defined types

• nfs::client::mount: Set up a NFS client mount, optionally using autofs
• nfs::server::export: Create entries in /etc/exports for a filesystem to export

Private Defined types

• nfs::client::mount::connection: Manage cross-system connectivity parts of a mount
• nfs::client::stunnel: Connect to an NFSv4 server over stunnel

Data types

• Nfs::LegacyDaemonArgs: Legacy NFS daemon *ARGS environment variables set in /etc/sysconfig/nfs and automatically converted to the environment variables needed by th
• Nfs::MountEnsure: Ensure for non-autofs mounts
• Nfs::NfsConfHash: Hash representing nfs.conf configuration in which the key is the section name and the value is a Hash of key/value options for that section.
• Nfs::SecurityFlavor: NFS security flavor

Classes

nfs

Provides the base configuration and services for an NFS server and/or client.

Parameters

The following parameters are available in the nfs class:

• is_server
• is_client
• nfsv3
• gssd_avoid_dns
• gssd_limit_to_legacy_enctypes
• gssd_use_gss_proxy
• lockd_port
• lockd_udp_port
• nfsd_port
• sm_notify_outgoing_port
• statd_port
• statd_outgoing_port
• custom_nfs_conf_opts
• custom_daemon_args
• idmapd
• secure_nfs
• sunrpc_udp_slot_table_entries
• sunrpc_tcp_slot_table_entries
• ensure_latest_lvm2
• kerberos
• keytab_on_puppet
• firewall
• tcpwrappers
• stunnel
• stunnel_nfsd_port
• stunnel_socket_options
• stunnel_verify
• tcpwrappers
• trusted_nets

is_server

Data type: Boolean

Explicitly state that this system should be an NFS server

• Further configuration can be made via the nfs::server class

Default value: false

is_client

Data type: Boolean

Explicitly state that this system should be an NFS client

• Further configuration can be be made via the nfs::client class

Default value: true

nfsv3

Data type: Boolean

Allow use of NFSv3. When false, only NFSv4 will be allowed.

Default value: false

gssd_avoid_dns

Data type: Boolean

Use a reverse DNS lookup, even if the server name looks like a canonical name

• Sets the avoid-dns option in the gssd section of /etc/nfs.conf

Default value: true

gssd_limit_to_legacy_enctypes

Data type: Boolean

Restrict sessions to weak encryption types

• Sets the limit-to-legacy-enctypes option in the gssd section of /etc/nfs.conf

Default value: false

gssd_use_gss_proxy

Data type: Boolean

Use the gssproxy daemon to hold the credentials used in secure NFS and perform GSSAPI operations on behalf of NFS.

• Sets the use-gss-proxy option in the gssd section of /etc/nfs.conf This is not yet documented in the rpc.gssd man page for EL8, but is available in the example /etc/nsf.conf file packaged with nfs-utils.
• Sets GSS_USE_PROXY in /etc/sysconfig/nfs in EL7, because the use-gss-proxy option in /etc/nfs.conf is not yet used in EL7.

Default value: true

lockd_port

Data type: Simplib::Port

The TCP port upon which lockd should listen on both the NFS server and the NFS client (NFSv3)

• Sets the port option in the lockd section of /etc/nfs.conf
• Corresponds to the nlockmgr service TCP port reported by rpcinfo

Default value: 32803

lockd_udp_port

Data type: Simplib::Port

The UDP port upon which lockd should listen on both the NFS server and the NFS client (NFSv3)

• Sets the udp-port option in the lockd section of /etc/nfs.conf
• Corresponds to the nlockmgr service UDP port reported by rpcinfo

Default value: 32769

nfsd_port

Data type: Simplib::Port

The port upon which NFS daemon on the NFS server should listen

• Sets the port option in the nfsd section of /etc/nfs.conf
• Corresponds to the nfs and nfs_acl service ports reported by rpcinfo

Default value: 2049

sm_notify_outgoing_port

Data type: Simplib::Port

The port that sm-notify will use when notifying NFSv3 peers

• Sets the outgoing-port option in the sm-notify section of /etc/nfs.conf

Default value: 2021

statd_port

Data type: Simplib::Port

The port upon which statd should listen on both the NFS server and the NFS client (NFSv3)

• Sets the port option in the statd section of /etc/nfs.conf
• Corresponds to the status service port reported by rpcinfo

Default value: 662

statd_outgoing_port

Data type: Simplib::Port

The port that statd will use when communicating with NFSv3 peers

• Sets the outgoing-port option in the status section of /etc/nfs.conf

Default value: 2020

custom_nfs_conf_opts

Data type: Nfs::NfsConfHash

Hash that allows other configuration options to be set in /etc/nfs.conf

• Each key is a known section of /etc/nfs.conf, such as nfsd.
• Each value is a Hash of config parameter names and values.
• Configuration values are not validated.
• If a new section needs to be added to /etc/nfs.conf, you can use concat::fragment.

@example Set NFS server's grace and lease times in Hiera nfs::custom_nfs_conf_opts: nfsd: grace-time: 60 lease-time: 60

Default value: {}

custom_daemon_args

Data type: Nfs::LegacyDaemonArgs

Hash that allows other configuration options to be set as daemon arguments in /etc/sysconfig/nfs in EL7

• Necessary to address /etc/nfs.conf limitations - Not all configuration options in EL7 can be specified in /etc/nfs.conf

• Each key is the name of the shell variables processed by /usr/lib/systemd/scripts/nfs-utils_env.sh

  • nfs-utils_env.sh generates /run/sysconfig/nfs-utils which contains the NFS daemon command line shell variables used by NFS services
  • Unfortunately, not all shell variable names in /etc/sysconfig/nfs match the generated variable names in /run/sysconfig/nfs-utils. For example, STATDARG gets transformed into STATDARGS.

• Each value is the argument string which will be wrapped in double quotes in /etc/sysconfig/nfs.

@example Disable syslog messages from the NFSv3 rpc.statd daemon in Hiera nfs::custom_daemon_args: STATDARG: "--no-syslog"

Default value: {}

idmapd

Data type: Boolean

Whether to use idmapd for NFSv4 ID to name mapping

Default value: false

secure_nfs

Data type: Boolean

Whether to enable secure NFS mounts

Default value: false

sunrpc_udp_slot_table_entries

Data type: Integer[1]

Set the default UDP slot table entries in the kernel

• Most NFS performance guides seem to recommend this setting
• If you have a low memory system, you may want to reduce this

Default value: 128

sunrpc_tcp_slot_table_entries

Data type: Integer[1]

Set the default TCP slot table entries in the kernel

• Most NFS performance guides seem to recommend this setting
• If you have a low memory system, you may want to reduce this

Default value: 128

ensure_latest_lvm2

Data type: Boolean

See nfs::lvm2 for further description

Default value: true

kerberos

Data type: Boolean

Use the SIMP krb5 module for Kerberos support

• You may need to set variables in krb5::config via Hiera or your ENC if you do not like the defaults.

Default value: simplib::lookup('simp_options::kerberos', { 'default_value' => false })

keytab_on_puppet

Data type: Boolean

Whether the NFS server will pull its keytab directly from the Puppet server

• Only applicable if $kerberos is `true.
• If false, you will need to ensure the appropriate services are restarted and cached credentials are destroyed (e.g., gssproxy cache), when the keytab is changed.

Default value: simplib::lookup('simp_options::kerberos', { 'default_value' => true})

firewall

Data type: Boolean

Use the SIMP iptables module to manage firewall connections

Default value: simplib::lookup('simp_options::firewall', { 'default_value' => false})

tcpwrappers

Data type: Boolean

Use the SIMP tcpwrappers module to manage TCP wrappers

Default value: simplib::lookup('simp_options::tcpwrappers', { 'default_value' => false })

stunnel

Data type: Boolean

Wrap stunnel around critical NFSv4 connections

• This is intended for environments without a working Kerberos setup and may cause issues when used with Kerberos.

• Use of Kerberos is preferred.

• This will configure the NFS server and client mount to only use TCP communication

• Cannot be used for NFSv4.0 connections, because NFSv4.0 uses a side channel to each NFS client to recall delegation responsibilities.

• The following connections will not be secured, due to tunneling limitations in deployments using multiple NFS servers

  • Connections to the rbcbind service
  • Connections to the rpc-rquotad service

• Use of stunnel for an individual client mount can be controlled by the stunnel parameter in the nfs::client::mount define.

• Use of stunnel for just the NFS server on this host can be controlled by the stunnel parameter in the nfs::server class.

Default value: simplib::lookup('simp_options::stunnel', { 'default_value' => false })

stunnel_nfsd_port

Data type: Simplib::Port

Listening port on the NFS server for the tunneled connection to the NFS server daemon

• Decrypted traffic will be forwarded to $nfsd_port on the NFS server

Default value: 20490

stunnel_socket_options

Data type: Array[String]

Additional socket options to set for all stunnel connections

• Stunnel socket options for an individual client mount can be controlled by the stunnel_socket_options parameter in the nfs::client::mount define.
• Stunnel socket options for just the NFS server on this host can be controlled by the stunnel_socket_options parameter in the nfs::server class.

Default value: ['l:TCP_NODELAY=1','r:TCP_NODELAY=1']

stunnel_verify

Data type: Integer

The level at which to verify TLS connections

• Levels:

  • level 0 - Request and ignore peer certificate.
  • level 1 - Verify peer certificate if present.
  • level 2 - Verify peer certificate.
  • level 3 - Verify peer with locally installed certificate.
  • level 4 - Ignore CA chain and only verify peer certificate.

• Stunnel verify for an individual client mount can be controlled by the stunnel_verify parameter in the nfs::client::mount define.

• Stunnel verify for just the NFS server on this host can be controlled by the stunnel_verify parameter in the nfs::server class.

Default value: 2

tcpwrappers

Use the SIMP tcpwrappers module to manage TCP wrappers

Default value: simplib::lookup('simp_options::tcpwrappers', { 'default_value' => false })

trusted_nets

Data type: Simplib::Netlist

The systems that are allowed to connect to this service

• Set to 'any' or 'ALL' to allow the world

Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] })

nfs::idmapd::client

When using idmapd, an NFSv4 client uses nfsidmap, directly, instead of nfs-idmapd.service. nfsidmap is configured by /etc/idmapd.conf, but must be hooked into /sbin/request-key via /etc/request-key.conf.

Parameters

The following parameters are available in the nfs::idmapd::client class:

• timeout

timeout

Data type: Integer[0]

nfsidmap key expiration timeout in seconds

Default value: 600

nfs::idmapd::config

Manage idmapd configuration

• See also
  • idmapd.conf(5)

Parameters

The following parameters are available in the nfs::idmapd::config class:

• verbosity
• domain
• no_strip
• reformat_group
• local_realms
• nobody_user
• nobody_group
• trans_method
• gss_methods
• static_translation
• content

verbosity

Data type: Optional[Integer]

Default value: undef

domain

Data type: Optional[String[1]]

Default value: undef

no_strip

Data type: Optional[Enum['user','group','both','none']]

Default value: undef

reformat_group

Data type: Optional[Boolean]

Default value: undef

local_realms

Data type: Optional[Array[String[1],1]]

Default value: undef

nobody_user

Data type: String

Default value: 'nobody'

nobody_group

Data type: String

Default value: 'nobody'

trans_method

Data type: Array[Enum['nsswitch','static'],1]

[Translation] Method

• Method is a reserved word in Ruby
• umich_ldap is not yet supported

Default value: ['nsswitch']

gss_methods

Data type: Optional[Array[Enum['nsswitch','static'],1]]

Default value: undef

static_translation

Data type: Optional[Hash[String[1],String[1]]]

Will be translated into the [Static] section variables as presented in the man page

• For example: { 'foo' => 'bar' } will be foo = bar in the output file

Default value: undef

content

Data type: Optional[String]

Use this as the explicit content for the idmapd configuration file

• Overrides all other options

Default value: undef

nfs::lvm2

Unless lvm2 is ensured latest, nfs-utils cannot upgrade. The class will be removed once the bug is fixed upstream.

Parameters

The following parameters are available in the nfs::lvm2 class:

• ensure

ensure

Data type: String

The ensure status of the lvm2 package

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'latest' })

Defined types

nfs::client::mount

Set up a NFS client mount, optionally using autofs

Examples

Static mount

nfs::client::mount { '/mnt/apps1':
  nfs_server  => '10.0.1.2',
  remote_path => '/exports/apps1',
  autofs      => false
}

Direct automount

nfs::client::mount { '/mnt/apps2':
  nfs_server  => '10.0.1.3',
  remote_path => '/exports/apps2'
}

Indirect automount with map key substitution

nfs::client::mount { '/home':
  nfs_server              => '10.0.1.4',
  remote_path             => '/exports/home',
  autofs_indirect_map_key => '*',
  autofs_add_key_subst    => true
}

NFSv3 mount

nfs::client::mount { '/mnt/apps3':
  nfs_server  => '10.0.1.5',
  nfs_version => 3,
  remote_path => '/exports/apps3',
  autofs      => false
}

Parameters

The following parameters are available in the nfs::client::mount defined type:

• name
• nfs_server
• remote_path
• autodetect_remote
• nfs_version
• sec
• options
• ensure
• at_boot
• autofs
• autofs_indirect_map_key
• autofs_add_key_subst
• nfsd_port
• stunnel
• stunnel_nfsd_port
• stunnel_socket_options
• stunnel_verify
• stunnel_wantedby

name

The local mount path

• When not using autofs ($autofs is false), this will be a static mount and you must ensure the target directory exists. This define will NOT create the target directory for you.

• When using autofs ($autofs is true)

  • autofs will create the target directory for you (full path).

  • If $autofs_indirect_map_key is unset, a direct mount will be created for this path.

  • If $autofs_indirect_map_key is set, an indirect mount will be created:

    • $name will be the mount point
    • $autofs_indirect_map_key will be the map key

nfs_server

Data type: Simplib::Ip

The IP address of the NFS server to which you will be connecting

• If this host is also the NFS server, please set this to 127.0.0.1.

remote_path

Data type: Stdlib::Absolutepath

The NFS share that you want to mount

autodetect_remote

Data type: Boolean

Attempts to figure out if this host is also the NFS server and adjust the connection to the local IP address, 127.0.0.1, in lieu of the IP address specified in $nfs_server.

• When you know this host is also the NFS server, setting $nfs_server to 127.0.0.1 is best.
• Auto-detect logic only works with IPv4 addresses.

Default value: true

nfs_version

Data type: Integer[3,4]

The NFS major version that you want to use.

• Used to set the nfsvers mount option
• If you need to specify an explicit minor version of NFSv4, include 'minorversion=<#>' in $options.

Default value: 4

sec

Data type: Nfs::SecurityFlavor

The security flavor for the mount

• Used to set the sec mount option for NFSv4 mounts
• Ignored for NFSv3 mounts

Default value: 'sys'

options

Data type: String

String containing comma-separated list of additional mount options

• fstype will already be set for you
• If using stunnel with NFSv4, proto will be set to tcp for you

Default value: 'soft'

ensure

Data type: Nfs::MountEnsure

The mount state of the specified mount point

• mounted => Ensure that the mount point is actually mounted
• present => Just add the entry to the fstab and do not mount it
• unmounted => Add the entry to the fstab and ensure that it is not mounted
• Has no effect if $autofs is true

Default value: 'mounted'

at_boot

Data type: Boolean

Ensure that this mount is mounted at boot time

• Has no effect if $autofs is true

Default value: true

autofs

Data type: Boolean

Enable automounting with Autofs

Default value: true

autofs_indirect_map_key

Data type: Optional[String[1]]

Autofs indirect map key

• May be '*', the wildcard map key

Default value: undef

autofs_add_key_subst

Data type: Boolean

This enables map key substitution for a wildcard map key in an indirect map.

• Appends '/&' to the remote location.
• Only makes sense if $autofs_indirect_map_key is set to '*', the wildcard map key.

Default value: false

nfsd_port

Data type: Optional[Simplib::Port]

The NFS server daemon listening port

• Used to set the port mount option
• If left unset, the value will be taken from $nfs::nfsd
• When using stunnel, must be a different value for each distinct NFS server for which a stunneled mount connection is to be made.

Default value: undef

stunnel

Data type: Optional[Boolean]

Controls enabling stunnel to encrypt NFSv4 connection to the NFS server

• If left unset, the value will be taken from $nfs::client::stunnel

• May be set to false to ensure that stunnel will not be used for this connection

• May be set to true to force the use of stunnel on this connection

• Unused when $nfs_version is 3.

  • stunneled connections are not viable for NFSv3 because of the UDP-only NFS client NSM notifications and the inability to effectively configure the rpcbind port.
  • If you know the NFS version negotiated with the NFS server will fallback to NFSv3, you must set $nfs_version to 3 or $stunnel to false. The mount will fail otherwise.

• Will attempt to determine if the host is trying to connect to itself and use a direct, local connection in lieu of a stunnel in this case.

  • When you know this host is also the NFS server, setting this to false and $nfs_server to 127.0.0.1 is best.
  • Auto-detect logic only works with IPv4 addresses.

Default value: undef

stunnel_nfsd_port

Data type: Optional[Simplib::Port]

Listening port on the NFS server for the tunneled connection to the NFS server daemon

• Decrypted traffic will be forwarded to nfsd_port on the NFS server
• If left unset, the value will be taken from $nfs::stunnel_nfsd_port
• Unused when $stunnel is false

Default value: undef

stunnel_socket_options

Data type: Optional[Array[String]]

Additional stunnel socket options to be applied to the stunnel to the NFS server

• If left unset, the value will be taken from $nfs::client::stunnel_socket_options
• Unused when $stunnel is false

Default value: undef

stunnel_verify

Data type: Optional[Integer]

The level at which to verify TLS connections

• Levels:

  • level 0 - Request and ignore peer certificate.
  • level 1 - Verify peer certificate if present.
  • level 2 - Verify peer certificate.
  • level 3 - Verify peer with locally installed certificate.
  • level 4 - Ignore CA chain and only verify peer certificate.

• If left unset, the value will be taken from $nfs::client::stunnel_socket_verify

• Unused when $stunnel is false

Default value: undef

stunnel_wantedby

Data type: Optional[Array[String]]

The systemd targets that need stunnel to be active prior to being activated

• If left unset, the value will be taken from $nfs::client::stunnel_wantedby
• Unused when $stunnel is false

Default value: undef

nfs::server::export

Be careful! The name of these mounts must be unique, but the only unique combination is mountpoint + client. Therefore, you can actually have duplicate entries.

NFS will function fine with this but the last duplicate entry in the file will win!

• See also
  • exports(5)

Parameters

The following parameters are available in the nfs::server::export defined type:

• export_path
• clients
• comment
• insecure
• rw
• async
• no_wdelay
• nohide
• crossmnt
• subtree_check
• insecure_locks
• mountpoint
• fsid
• nordirplus
• refer
• replicas
• pnfs
• security_label
• sec
• no_root_squash
• all_squash
• anonuid
• anongid
• custom

export_path

Data type: Stdlib::Absolutepath

The path on the filesystem to export

clients

Data type: Array[String]

NFS export-compatible clients to which the export should be served.

• The entry will be repeated for each client
• Use ['*'] for client wildcard

comment

Data type: Optional[String]

A comment to be added to the set of entries

Default value: undef

insecure

Data type: Boolean

Do not require that requests originate on a Port less than 1024

• Due to a NFS kernel bug when processing exports, you must set this to true when allowing stunneled NFSv4 connections.

  • The export rule processor is supposed to select the most specific rule that matches. However, when rules overlap and one rule is has insecure enabled and another does not, the rule without insecure specified is selected, even when it is less specific.
  • See https://bugzilla.redhat.com/show_bug.cgi?id=1804912

Default value: false

rw

Data type: Boolean

Allow both reads and writes on this volume

Default value: false

async

Data type: Boolean

Allow the NFS server to reply to request before changes have been committed to stable storage

Default value: false

no_wdelay

Data type: Boolean

Disable write delays

• Has no effect if $async is set

Default value: false

nohide

Data type: Boolean

Disable hiding of subordinate filesystems

Default value: false

crossmnt

Data type: Boolean

Allow clients to access all filesystems mounted on a filesystem marked with crossmnt

Default value: false

subtree_check

Data type: Boolean

Enable subtree checking

Default value: false

insecure_locks

Data type: Boolean

Do not require authentication of locking requests

Default value: false

mountpoint

Data type: Optional[Variant[Stdlib::Absolutepath,Boolean]]

Require this path to be successfully mounted on disk

• If a Boolean, require the export path to be successfully mounted

Default value: undef

fsid

Data type: Optional[String]

A specific ID for the exported filesystem

Default value: undef

nordirplus

Data type: Boolean

Disable READDIRPLUS request handling on NFSv3 clients

Default value: false

refer

Data type: Optional[Array[Pattern['^/.+@.+$']]]

A list of alternate locations for the filesystem

• This should be in the form specified by the man page: path@host[+host]
• There will be minimal validation and they will be joined by :

Default value: undef

replicas

Data type: Optional[Array[Pattern['^/.+@.+$']]]

Alternative locations for the export point

• This should be in the form specified by the man page: path@host[+host]
• There will be minimal validation and they will be joined by :

Default value: undef

pnfs

Data type: Boolean

Enables use of pNFS extensions for NFSv4.1 or higher and the filesystem supports pNFS exports

Default value: false

security_label

Data type: Boolean

Allow clients using NFSv4.2 or higher to set and retrieve security labels (such as those used by SELinux)

Default value: true

sec

Data type: Array[Nfs::SecurityFlavor]

Security flavors, in order of preference

Default value: ['sys']

no_root_squash

Data type: Boolean

Disable root squashing

• This should only be done if you really know what you are doing!

Default value: false

all_squash

Data type: Boolean

Map all uids and gids to the anonymous user

Default value: false

anonuid

Data type: Simplib::Port

Explicity set the UID of the anonymous user

Default value: 65534

anongid

Data type: Simplib::Port

Explicity set the GID of the anonymous user

Default value: 65534

custom

Data type: Optional[String]

A custom set of options

• If set, all other options will be ignored
• $mountpoint and $client must still be set
• Do not include the parenthesis if you are writing a custom options string.

Default value: undef

Data types

Nfs::LegacyDaemonArgs

Legacy NFS daemon *ARGS environment variables set in /etc/sysconfig/nfs and automatically converted to the environment variables needed by the daemons in their service scripts by /usr/lib/systemd/scripts/nfs-utils_env.sh

Alias of

Struct[{
  Optional['GSSDARGS']      => String,
  Optional['RPCIDMAPDARGS'] => String,
  Optional['RPCMOUNTDARGS'] => String,
  Optional['RPCNFSDARGS']   => String,
  Optional['SMNOTIFYARGS']  => String,
  # This is converted to STATDARGS
  Optional['STATDARG']      => String
}]

Nfs::MountEnsure

Ensure for non-autofs mounts

Alias of Enum['mounted', 'present', 'unmounted']

Nfs::NfsConfHash

Hash representing nfs.conf configuration in which the key is the section name and the value is a Hash of key/value options for that section.

Alias of

Struct[{
  Optional['general']     => Hash[String,Variant[Boolean,Integer,Float,String]],
  Optional['exportfs']    => Hash[String,Variant[Boolean,Integer,Float,String]],
  Optional['gssd']        => Hash[String,Variant[Boolean,Integer,Float,String]],
  Optional['lockd']       => Hash[String,Variant[Boolean,Integer,Float,String]],
  Optional['mountd']      => Hash[String,Variant[Boolean,Integer,Float,String]],
  Optional['nfsd']        => Hash[String,Variant[Boolean,Integer,Float,String]],
  Optional['nfsdcltrack'] => Hash[String,Variant[Boolean,Integer,Float,String]],
  Optional['sm-notify']   => Hash[String,Variant[Boolean,Integer,Float,String]],
  Optional['statd']       => Hash[String,Variant[Boolean,Integer,Float,String]]
}]

Nfs::SecurityFlavor

NFS security flavor

Alias of Enum['none', 'sys', 'krb5', 'krb5i', 'krb5p']

• Fri Sep 13 2024 Steven Pritchard steve@sicura.us - 7.7.0

• [puppetsync] Update module dependencies to support simp-iptables 7.x

• Wed Aug 21 2024 Steven Pritchard steve@sicura.us - 7.6.1

• Fix unmask_rpc-gssd.service exec resource (#109)

• Mon Oct 23 2023 Steven Pritchard steve@sicura.us - 7.6.0

• [puppetsync] Add EL9 support

• Wed Oct 11 2023 Steven Pritchard steve@sicura.us - 7.5.0

• [puppetsync] Updates for Puppet 8
  • These updates may include the following:
    • Update Gemfile
    • Add support for Puppet 8
    • Drop support for Puppet 6
    • Update module dependencies

• Thu Sep 07 2023 Steven Pritchard steve@sicura.us - 7.4.0

• Add AlmaLinux 8 support

• Mon Jun 12 2023 Chris Tessmer chris.tessmer@onyxpoint.com - 7.3.0

• Add RockyLinux 8 support

• Fri Jun 03 2022 Chris Tessmer chris.tessmer@onyxpoint.com - 7.2.0

• Update from camptocamp/systemd to puppet/systemd

• Tue Jul 06 2021 Trevor Vaughan tvaughan@onyxpoint.com - 7.1.0

• Fixed
  • Added _netdev to the default mount options
  • Ensure that remote-fs.target is enabled

• Wed Jun 16 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 7.1.0

• Removed support for Puppet 5
• Ensured support for Puppet 7 in requirements and stdlib

• Mon Jan 11 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 7.0.2

• Fixed formatting in the metadata.json file.

• Thu Nov 12 2020 Trevor Vaughan tvaughan@onyxpoint.com - 7.0.1-0

• Update the required version of simp/svckill to the puppet 6 safe version.

• Fri Jan 10 2020 Liz Nemsick lnemsick.simp@gmail.com - 7.0.0-0

• Added EL8 support
• Dropped EL6 support
• Refactored the module. Notable feature/API changes:
  • Overall changes
    • Dropped stunnel support for NFSv3. This tunneling did not work because:
      • The NFS client sends the NFS server Network Status Manager (NSM) notifications via UDP, exclusively.
      • At multi-NFS-server sites, a unique rpcbind port per server is required in order for a NFS client to be able tunnel its server-specific RPC requests to the appropriate server.
    • nfs class
      • Reworked parameters to reflect configuration of /etc/nfs.conf and, for limited EL7-only configuration, /etc/sysconfig/nfs. See the class documentation for full details.
    • Remove $stunnel_systemd_deps and $sunnel_tcp_nodelay parameters throughout the module.
      • These parameters were not consistently used in the manifest code (i.e., declared but not used) and were confusing.
      • The corresponding $stunnel_socket_options and $stunnel_wantedby parameters in classes/defines now use defaults that were intended to be set by those parameters.
    • Now masks NFS services that are not needed, so they are not unnecessarily started when the nfs-server.service or nfs-client.target are restarted.
    • Moved simp-autofs, simp-krb5, simp-iptables, simp-stunnel, and simp-tcpwrappers to simp/optional_dependencies in the metadata.json.
  • nfs::client
    • Added support for pNFS: Set $blkmap to true to enable the pNFS service, nfs-blkmap.service.
    • Added $nfs::stunnel_socket_options and $stunnel_wantedby parameters which provide the defaults for all nfs::client::mount instances.
  • nfs::client::mount define
    • $nfs_server must now be specified as an IP address. This change was necessary for firewalld.
    • In $options, changed the default mount type to 'soft' instead of 'hard' Also removed deprecated 'intr' option, as it has no effect.
    • Reworked the remote autodetect logic to detect a local mount based on IP address instead of simply whether the node is also configured to be an NFS server.
    • Added support for direct autofs mounts and simplified specification of indirect mounts. When $autofs_indirect_map_key is not specified, a direct mount is specified by $name. When $autofs_indirect_map_key is specified, an indirect mount is specified with $name as the mount point and $autofs_indirect_map_key as the mount key.
    • Renamed $autofs_map_to_user to $autofs_add_key_subst to better reflect automount terminology. This parameter simply adds key substitution to the remote location, which although can be used for user home directories, is not restricted to that use case.
    • Renamed $port to $nfsd_port to be consistent with the name of that parameter throughout the entire module.
    • Renamed $v4_remote_port to $stunnel_nfsd_port for clarity and to be consistent with the name of that parameter throught the entire module.
    • Exposed client stunnel configuration that was scattered throughout the module to this API. User can now specify $stunnel_socket_options and $stunnel_verify for each mount. When unspecified, the defaults from the nfs class are used.
  • nfs::server
    • Exposed server stunnel configuration that was scattered throughout the module to this API. User can now specify $stunnel_accept_address, $stunnel_nfsd_acccept_port, $stunnel_socket_options, $stunnel_verify, and $stunnel_wantedby in this class. When unspecified, the defaults for all but $stunnel_accept_address and $stunnel_wantedby are pulled from the nfs class.
    • Added the following parameters: $nfsd_vers4, $nfsd_vers4_0, $nfsd_vers4_1, $nfsd_vers4_2, and $custom_rpcrquotad_opts.
    • Renamed $nfsv3 to $nfsd_vers3 to reflect its use in /etc/nfs.conf.
    • Moved nfs::rpcquotad_port to this class and renamed $rpcrquotadopts to $custom_rpcrquotad_opts for clarity.
    • Moved nfs::mountd_port to this class and removed $rpcmountdopts. Custom configuration for that daemon should now be made via $nfs::custom_nfs_conf_opts or $nfs::custom_daemon_args as appropriate.
    • Removed the obsolete $nfsd_module parameter.
  • nfs::server::export define
    • Added $replicas, $pnfs, and $security_label parameters to support additional export configuration parameters.
  • nf::idmapd
    • Refactored into 3 classes to support distinct NFS server and client configuration
    • Added $no_strip and $reformat_group to nfs::idmapd::config to support support additional /etc/idmapd.conf configuration parameters.
• Fixed bugs:
  • rpc.rquotad service configuration was erroneously written to /etc/sysconfig/nfs for EL7. It is now written to the correct file, /etc/sysconfig/rpc-rquotad.
  • idmapd
    • idmapd was erroneously only enabled when NFSv3 was allowed. idmapd is a NFSv4 service.
    • The idmapd client was not configured to use nfsidmap. An nfsidmap entry has now been added to /etc/request-key.conf.
  • Fixed bugs in which bidirectional communication for NFSv3 was not properly configured.
    • NFSv3 lockd ports on the NFS client were not explicitly configured and thus not allowed through the firewall. This would have affected file locking using NLM.
    • rpcbind, statd, and lockd service names were not allowed by TCP wrappers for the NFS client. This would have affected server to client NFSv3 NSM and NLM protocol messages over TCP.
  • Fixed bugs in mount options
    • Previously used the deprecated 'nfs4' fstype. This has been replaced with the 'nfs' fstype and use of the 'nfsvers' option to specify the version of NFS to use.
    • The 'proto' previously was not set to 'tcp' when stunnel is being used.
  • Fixed bug with a duplicate exec resource in nfs::client::mount when stunnel was enabled.
  • Fixed erronously server-only/client-only configuration that appeared to be able to be set independently for the NFS client and NFS server on the same node, but because of shared services, actually applied to the node as a whole.
    • Removed $nfs::client::firewall and $nfs::server::firewall. Use $nfs::firewall instead.
    • Removed $nfs::server::tcpwrappers. Use $nfs::tcpwrappers instead.
    • Removed $nfs::server::nfsv3, $nfs::server::lockd_arg, $nfs::server::statdarg, $nfs::server::statd_ha_callout, $nfs::server::rpcgssdargs, and $nfs::server::rpcsvcgssdargs. Use appropriate parameters in the nfs class instead.
• Updated the upper bound of simp-simplib to < 5.0.0

• Fri Aug 02 2019 Robert Vincent pillarsdotnet@gmail.com - 7.0.0-0

• Remove Puppet 4 support
• Add Puppet 6 support
• Add puppetlabs-stdlib 6 support
• Add puppetlabs-concat 6 support

• Fri Mar 22 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.2.2-0

• Use simplib::host_is_me in lieu of simplib's Puppet 3 host_is_me

• Mon Mar 04 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.2.1-0

• Expanded the upper limit of the concat and stdlib Puppet module versions
• Updated URLs in the README.md

• Thu Nov 01 2018 Jeanne Greulich jeanne,greulich@onyxpoint.com - 6.2.0-0

• Update static assets for puppet 5
• Update to onyxpoint OEL boxes in acceptance tests
• Update badges and contribution guide URL in README.md

• Sun Oct 21 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.2.0-0

• Added a nfs::client::mount::ensure parameter to allow users to set the state of the mountpoints

• Thu Jul 12 2018 Nick Miller nick.miller@onyxpoint.com - 6.2.0-0

• Added OEL and Puppet 5 support
• Change rpcbind service name on EL7 from rpcbind.socket to, rpcbind.service, but only on EL7.4+
• Changed all packages ensure parameter from 'latest' to 'installed'
  • They also respect simp_options::package_ensure
  • Added $nfs::install::tools_ensure and $nfs::lvm2::ensure

• Thu Jun 14 2018 Nick Miller nick.miller@onyxpoint.com - 6.1.1-0

• Update systemd fixtures and CI assets
• Add logging for exportfs failures
• Ensure that reexports happen after the NFS service has been started

• Mon Apr 16 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.1.1-0

• Added nfs::client::mount::autodetect_remote to override all autodetection of whether or not the remote host was the current NFS server so an NFS server can mount NFS directories from other servers.
• Added nfs::client::mount::stunnel to allow users to dictate the stunnel connection state for specific mounts.

• Wed Apr 04 2018 Nick Miller nick.miller@onyxpoint.com - 6.1.1-0

• On systemd systems, the stunnel service is now a dependency of the NFS servers and mounts managed by this module.

• Mon Feb 12 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.1.0-0

• Update upperbound on puppetlabs/concat version to < 5.0.0

• Wed Dec 13 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.1.0-0

• Changed all stunnel connections to use 'stunnel::instance' methods so that they are not interrupted by an issue with the global stunnel configuration and they can set the TCP_NODELAY option as suggested for small transaction, high bandwidth connections.
• Added parameters to allow users to tweak the stunnel socket options for all NFS stunnel connections.
• Added support for OEL and Puppet 5

• Fri Aug 18 2017 Liz Nemsick lnemsick.simp@gmail.com - 6.0.4-0

• Update concat version in metadata.json

• Mon Apr 24 2017 Nick Markowski nmarkowski@keywcorp.com - 6.0.3-0

• gssproxy ensured running when secure_nfs is true, el > 7.1
• Confine puppet version in metadata.json

• Tue Apr 11 2017 Nick Markowski nmarkowski@keywcorp.com - 6.0.3-0

• nfs_anon_write selboolean is only applied if selinux is on.

• Thu Mar 23 2017 Jeanne Greulich jeanne.greulich@onyxpoint.com - 6.0.2-0

• Fixed path for systemctl

• Fri Mar 10 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.1-0

• Fixed the metadata.json dependencies for simp-tcpwrappers

• Thu Dec 08 2016 Nick Markowski nmarkowski@keywcorp.com - 6.0.0-0

• Updated global catalysts and strong typed.
• Fix bug whereby the STATDARGS parameter in NFS sysconfig server configuration was not set.
• Fix bug whereby the LOCKD_ARG parameter in NFS sysconfig server configuration was improperly set.

• Thu Dec 01 2016 Nick Markowski nmarkowski@keywcorp.com - 5.0.1-0

• Removed pupmod-simp-sysctl in favor of augeas-sysctl

• Wed Nov 23 2016 Jeanne Greulich jgreulich.simp@onyxpoint.com - 5.0.0-0

• update requirement versions

• Tue Nov 15 2016 Liz Nemsick lnemsick.simp@gmail.com - 5.0.0-0

• Updated iptables dependency version

• Fri Sep 30 2016 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.0-0

• Updated to use the new 'simpcat' module that deconflicts with 'puppetlabs/concat'

• Thu Aug 25 2016 Nick Markowski nmarkowski@keywcorp.com - 4.5.2-0

• Defaulted export sec to sys.
• Updated documentation to reflect krb5 integration with manual changes.

• Fri Aug 12 2016 Nick Miller nick.miller@onyxpoint.com - 4.5.1-0

• Added a new README

• Mon Aug 01 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.5.0-0

• Added Kerberos Support

• Wed Jul 20 2016 Nick Markowski nmarkowski@keywcorp.com - 4.4.4-0

• Removed create_home_dirs functionality (and added it to the simp module).

• Mon May 16 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 4.4.3-0

• Sanitized cross-class variables for 'STRICT_VARIABLES=yes'

• Wed Mar 23 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.4.2-0

• Minor bug fix to ensure that $::nfs::stunnel variables are not called if the module is not using stunnel.

• Sat Mar 19 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.4.1-0

• Several bug fixes that ensure that the module will work without being bound to a Puppet master.

• Fri Mar 18 2016 Nick Markowski nmarkowski@keywcorp.com - 4.4.0-0

• Ensure that EL6.7+ uses SSSD over NSCD.

• Fri Mar 18 2016 Nick Markowski nmarkowski@keywcorp.com - 4.3.0-1

• Updated the augeas fixtures to reference the simp-master branch.

• Thu Mar 17 2016 Nick Markowski nmarkowski@keywcorp.com - 4.3.0-0

• Updated the exports template to convert clients 'all' or 'any' to '*'
• Added an lvm2 class to ensure nfs-utils can upgrade. This class should be removed once the bug is fixed upstream.

• Mon Mar 14 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-0

• Updated to Semantic Versioning
• Fixed the 'eval' variables in the templates

• Fri Dec 04 2015 Chris Tessmer chris.tessmer@onyxpoint.com - 4.1.0-15

• Replaced all 'lsb' facts with their (package-independent) 'operatingsystem' counterparts.
• Normalized common static module assets.
• Moved parameter validations to the top of each class.

• Mon Nov 09 2015 Chris Tessmer chris.tessmer@onypoint.com - 4.1.0-14

• migration to simplib and simpcat (lib/ only)

• Mon Nov 02 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-13

• Updated the dependency chain for the NFS client kernel module load ordering.

• Thu Feb 19 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-12

• Migrated to the new 'simp' environment.

• Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-11

• Changed puppet-server requirement to puppet

• Wed Oct 22 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-10

• Update to account for the stunnel module updates in 4.2.0-0

• Fri Sep 19 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-9

• Added some necessary fixes to nfs::server_names

• Fri Sep 19 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-8

• Updated the module to be compatible with both RHEL6 and RHEL7. The main issue was the translation of service names between the two systems.
• The anongid/anonuid options were changed to 65534 since the NFS server daemon no longer recognizes -1 and will hang if you use those options.

• Wed Aug 27 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-7

• Updated to use the new sysctl::value define.

• Mon Jul 21 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-6

• Updated to use /var/nfs/home for nfs::create_home_dirs in SIMP>=5

• Sun Jun 22 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-5

• Removed MD5 file checksums for FIPS compliance.

• Thu May 29 2014 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-4

• Set sysctl sunrpc table entries only if secure_nfs is enabled. Both values depend on the rpcgssd service.

• Mon May 05 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-3

• Updated referecnes to newly named global LDAP variables.
• Refactored /etc/sysconfig/nfs to be managed only once instead of by both server and client.

• Mon Mar 17 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-2

• Added a tcpwrappers::allow statement allowing ALL NFS connections if Stunnel is used. This may be a bug in Red Hat itself. I'm not positive.
• Updated the export_home comment section to include a section of Hiera Variables.
• Modified the home_client defaults to hard,intr instead of soft.
• Fixed the create_home_directories script so that it wouldn't attempt to archive the ARCHIVED directory multiple times. Also added date stamping to the ARCHIVED directories in case a user is archived multiple times.

• Tue Mar 04 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-1

• Refactored manifests to pass all lint tests for hiera and puppet 3.
• Added rspec tests for test coverage.

• Wed Feb 12 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-0

• Updated all boolean strings to native booleans.

• Wed Jan 15 2014 Adam Yohrling ayohrling@onyxpoint.com - 4.1.0-0

• Add a class 'nfs::server::create_home_dirs' which allows for the simple creation of NFS home directories on an NFS server from an LDAP database.
• Added the option to turn on nfs::server::create_home_dirs in stock::export_home.

• Mon Oct 07 2013 Nick Markowski nmarkowski@keywcorp.com - 4.0.0-2

• Updated template to reference instance variables with @

• Wed Oct 02 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-1

• Use 'versioncmp' for all version comparisons.

• Wed Jul 31 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-0

• Updated the documentation for nfs::server::conf
• Added support for the NFSD_V4_GRACE option
• Removed the options $secure_nfs_mods and $rpcmtab since they have been deprecated
• Added the ports '111' and $rquotad_port to the list of ports to be opened by iptables in the non-stunnel version. This is due to the fact that the 'quota' command has not been modified to use the single interface instance of NFSv4.

• Mon Jan 07 2013 Kendall Moore kmoore@keywcorp.com - 2.0.0-11

• Create a Cucumber test which sets up the base segments for NFS server and client services.

• Thu Dec 13 2012 Maintenance 2.0.0-10

• Updated to require pupmod-common >= 2.1.1-2 so that upgrading an old system works properly.

• Tue Jun 26 2012 Maintenance 2.0.0-9

• Ensure that nfs-utils is installed before we try to do things with services.

• Thu Jun 07 2012 Maintenance 2.0.0-8

• Ensure that Arrays in templates are flattened.
• Call facts as instance variables.
• Updated the sysctl calls to maintain proper ordering with the service statements.
• Fixed the domain setting in /etc/idmapd.conf and fixed the way stunnel works. This fixes both the 'nobody' issue and issues with mounts via stunnel occasionally failing.
• Moved mit-tests to /usr/share/simp...
• Updated pp files to better meet Puppet's recommended style guide.

• Fri Mar 02 2012 Maintenance 2.0.0-7

• Improved test stubs.

• Tue Dec 20 2011 Maintenance 2.0.0-6

• Updated the spec file to not require a separate file list.
• Scoped all of the top level variables.
• Changed all instances of 'ipaddress' to 'primary_ipaddress'
• Fixed several bugs that cropped up when trying to use stunnel with the stock home_client.pp as well as some bugs relating to when the server was trying to connect with itself. The stock classes should "just work" now.

• Wed Nov 02 2011 Maintenance 2.0.0-5

• Added a parameterized class to handle the configuration of idmapd. In RHEL5 this was not necessary as the defaults handled most cases. In RHEL6, the defaults do not suffice for the stock class.
• Added a variable $portmap_name to the nfs class to be able to differentiate between the RHEL5 and RHEL6 versions.
• Fixed the NFS stock home client to actually call the client stanza.
• Fixed the NFS client to enable the NFSv4 callback port.

• Mon Oct 10 2011 Maintenance 2.0.0-4

• Updated to put quotes around everything that need it in a comparison statement so that puppet > 2.5 doesn't explode with an undef error.

• Fri Aug 12 2011 Maintenance 2.0.0-3

• Added a new init script to properly set the sysctl values for sunrpc.tcp_slot_table_entries and sunrpc.udp_slot_table_entries prior to NFS starting to work around a deficiency in Red Hat.
• Ensure that the sysctl values that are set in nfs::server::conf notify all services that rely on those values.
• Updated to have a cleaner status command for nfslock.

• Wed May 25 2011 Maintenance - 2.0.0-2

• Ensure that anonuid and anongid are set to -1 by default.

• Wed Apr 13 2011 Maintenance - 2.0.0-1

• Removed the original stock classes and moved them to pupmod since they were for clustering.
• Added stock classes for setting up an NFS server and client for home directory mounts using autofs.
• Now properly nail up the NFS callback port for NFSv4
• Now set sunrpc_udp_slot_table_entries and sunrpc_tcp_slot_table_entries to 128 by default.
• Changed all instances of defined(Class['foo']) to defined('foo') per the directions from the Puppet mailing list.
• Exports should be joined with "\n"
• Updated to use concat_build and concat_fragment types

• Tue Jan 11 2011 Maintenance 2.0.0-0

• Refactored for SIMP-2.0.0-alpha release

• Mon Jan 10 2011 Maintenance - 1-7

• Exports entries should not be joined with a hard return!

• Fri Dec 10 2010 Maintenance - 1-6

• Moved nfs::stunnel::client to nfs::client::stunnel::connect
• Added support and default configurations for NFSv3 over stunnel
• Added nfs::stock::stunnel_server and nfs::stock::stunnel_client as nfs setup for basic clustering.

• Tue Oct 26 2010 Maintenance - 1-5

• Converting all spec files to check for directories prior to copy.

• Tue Oct 26 2010 Maintenance - 1.0-4

• No files directory in source caused an RPM build failure.

• Thu Sep 09 2010 Maintenance 1.0-3

• Replaced tcpwrappers::tcpwrappers_allow with tcpwrappers::allow.

• Mon Jul 19 2010 Maintenance 1.0-2

• Fix for NFSv4 over Stunnel clients.
• Fix for using custom NFS server export.

• Wed Jul 14 2010 Maintenance 1.0-1

• Fix for NFSv4 over Stunnel.

• Wed May 19 2010 Maintenance 1.0-0

• Refactor and doc update.
• Fixed an issue with starting nfslock resulting from the nfslock application always returning 0.
• Updated the rpcidmapd service to take into account the case where the sunrpc filesystem is not mounted
• Added support for NFSv3 over Stunnel.
• Added stunnel_server and stunnel_client classes in stock namespace that will set up a basic nfs over stunnel server/client to make clustering work.

• Thu Feb 18 2010 Maintenance 0.1-0

• Initial module creation. Supports NFS v2,3,4. Supports NFSv4 over Stunnel natively. Does not yet support automatic Kerberos use.