Bind rsyncd service to admin network only
For security reasons, the rsyncd service should listen on the admin network only. This change configures both the global rsyncd file and the xinetd file accordingly. It also contains some style cleanups. Change-Id: I76987935edbae602636b556d26b2fca83eff29d8 Closes-Bug: #1614101 Signed-off-by: Maksim Malchuk <mmalchuk@mirantis.com>
parent
5c6cbf7d47
commit
73ae62e18c
|
@ -4,11 +4,13 @@ Exec {path => '/usr/bin:/bin:/usr/sbin:/sbin'}
|
|||
|
||||
$fuel_settings = parseyaml($astute_settings_yaml)
|
||||
|
||||
class { "fuel::puppetsync": }
|
||||
class { 'fuel::puppetsync':
|
||||
bind_address => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
|
||||
}
|
||||
|
||||
fuel::systemd {['rsyncd']:
|
||||
start => true,
|
||||
start => true,
|
||||
template_path => 'fuel/systemd/restart_template.erb',
|
||||
config_name => 'restart.conf',
|
||||
require => Class["fuel::puppetsync"],
|
||||
config_name => 'restart.conf',
|
||||
require => Class['fuel::puppetsync'],
|
||||
}
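Review bot: `$::fuel_settings['ADMIN_NETWORK']['ipaddress']` is handed to `bind_address` with no check that it is set or is an IP address. If the key is missing from the astute settings, the value is presumably undef and Puppet would fall back to the class default, which this commit sets to `'0.0.0.0'`, so rsyncd would silently listen on every interface again. The same value is also interpolated unquoted into `server_args` in the xinetd template, so a malformed value would end up on the rsync command line. A guard before the class declaration would make this fail closed, for example `unless is_ip_address($::fuel_settings['ADMIN_NETWORK']['ipaddress']) { fail('ADMIN_NETWORK ipaddress is missing or invalid') }`. stdlib looks available, since `parseyaml` is already used above.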
|
||||
|
|
|
@ -2,7 +2,8 @@ class fuel::puppetsync (
|
|||
$puppet_folder = '/etc/puppet',
|
||||
$xinetd_config = '/etc/xinetd.d/rsync',
|
||||
$rsync_config = '/etc/rsyncd.conf',
|
||||
){
|
||||
$bind_address = '0.0.0.0',
|
||||
){
|
||||
|
||||
File {
|
||||
ensure => present,
|
||||
|
@ -11,11 +12,13 @@ class fuel::puppetsync (
|
|||
mode => '0644',
|
||||
}
|
||||
|
||||
# template uses $bind_address and $puppet_folder
|
||||
file { 'rsync_conf' :
|
||||
path => $rsync_config,
|
||||
content => template('fuel/rsyncd.conf.erb'),
|
||||
}
|
||||
|
||||
# template uses $bind_address
|
||||
file { 'rsync_xinetd' :
|
||||
path => $xinetd_config,
|
||||
content => template('fuel/rsyncd_xinetd.erb'),
|
||||
|
@ -25,8 +28,8 @@ class fuel::puppetsync (
|
|||
|
||||
if ! defined(Service['xinetd']) {
|
||||
service { 'xinetd':
|
||||
ensure => running,
|
||||
enable => true,
|
||||
ensure => running,
|
||||
enable => true,
|
||||
require => Package['xinetd'],
|
||||
}
|
||||
}
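Review bot: The new `$bind_address` parameter in the first hunk defaults to `'0.0.0.0'`, so any declaration of `fuel::puppetsync` that omits it keeps rsync reachable on all interfaces, which is the exposure this commit is meant to close. If compatibility allows, making the parameter mandatory (`$bind_address,` with no default) would force every caller to choose an address. Otherwise a header comment should state it, for example `# $bind_address: address rsyncd/xinetd listen on; the default '0.0.0.0' means all interfaces`. The class body continues outside these hunks, so it is not visible whether `rsync_conf` and `rsync_xinetd` notify their services; without that, a changed address would not take effect until the next restart.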
|
||||
|
|
|
@ -1,3 +1,5 @@
|
|||
address = <%= @bind_address %>
|
||||
|
||||
[puppet]
|
||||
path = <%= @puppet_folder %>
|
||||
read only = true
|
||||
|
@ -10,4 +12,5 @@ path = /var/www/nailgun/plugins
|
|||
read only = true
|
||||
uid = 0
|
||||
gid = 0
|
||||
use chroot = no
|
||||
use chroot = no
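Review bot: The new global `address = <%= @bind_address %>` line limits which interface rsyncd listens on, but not which clients may connect. The module lines visible in the second hunk run with `uid = 0`, `gid = 0` and `use chroot = no`, and no `hosts allow` or `auth users` line is visible, so any host that can reach the admin address appears to get unauthenticated access served by a root process. The module definitions start outside the hunks, so this may already be handled elsewhere. If it is not, a global `hosts allow = <ADMIN_NETWORK_CIDR placeholder>` next to `address` would restrict by source as well.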
|
||||
|
||||
|
|
|
@ -5,7 +5,8 @@ service rsync
|
|||
wait = no
|
||||
user = root
|
||||
server = /usr/bin/rsync
|
||||
server_args = --daemon --log-file=/var/log/rsync.log
|
||||
server_args = --address=<%= @bind_address %> --daemon --log-file=/var/log/rsync.log
|
||||
bind = <%= @bind_address %>
|
||||
cps = 512 10
|
||||
flags = IPv4
|
||||
per_source = UNLIMITED
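Review bot: The `--address=<%= @bind_address %>` added to `server_args` is probably a no-op under xinetd, which makes it unclear which of the two added lines actually enforces the restriction. With `wait = no`, xinetd owns the listening socket and rsync is started on an already-accepted connection, so the `bind = <%= @bind_address %>` line is what restricts the interface. A short comment above `bind` would keep a later cleanup from dropping the wrong line, for example `# xinetd owns the listening socket; 'bind' is what limits the interface`. Separately, the context line `flags = IPv4` means an IPv6 admin address would not work here, which is worth stating in the class documentation.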
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
require 'spec_helper'
|
||||
require 'shared-examples'
|
||||
require 'yaml'
|
||||
manifest = 'master/puppetsync.pp'
|
||||
|
||||
# HIERA: master
|
||||
|
@ -7,7 +8,15 @@ manifest = 'master/puppetsync.pp'
|
|||
|
||||
describe manifest do
|
||||
shared_examples 'catalog' do
|
||||
it { is_expected.to contain_class 'fuel::puppetsync' }
|
||||
let(:fuel_settings) do
|
||||
YAML.load facts[:astute_settings_yaml]
|
||||
end
|
||||
|
||||
it 'should contain class "fuel::puppetsync" with parameters' do
|
||||
is_expected.to contain_class('fuel::puppetsync').with(
|
||||
:bind_address => fuel_settings['ADMIN_NETWORK']['ipaddress'],
|
||||
)
|
||||
end
|
||||
|
||||
it 'should contain "rsyncd" fuel::systemd service with parameters' do
|
||||
parameters = {
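Review bot: The new example checks only that `bind_address` is passed to `fuel::puppetsync`, not that the address reaches the rendered files, which is where the restriction takes effect. An assertion on the file content would catch a template regression, for example `it { is_expected.to contain_file('rsync_xinetd').with_content(/bind\s*=\s*#{Regexp.escape(fuel_settings['ADMIN_NETWORK']['ipaddress'])}/) }`, with a matching one for `rsync_conf` and its `address =` line. The `fuel_settings` helper could also use `YAML.safe_load` instead of `YAML.load`, since the settings are plain data. The `shared_examples` block continues outside the hunk.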
|
||||
|
|