Bind rsyncd service to admin network only

For security reasons rsyncd service should listen on admin network only. This change configures both global rsyncd and xinetd files. Also, it contains some styling cleanups. Change-Id: I76987935edbae602636b556d26b2fca83eff29d8 Closes-Bug: #1614101 Signed-off-by: Maksim Malchuk <mmalchuk@mirantis.com>
2016-08-18 00:27:57 +03:00 · 2016-08-18 00:27:57 +03:00 · 73ae62e18c
parent 5c6cbf7d47
commit 73ae62e18c
5 changed files with 28 additions and 10 deletions
--- a/deployment/puppet/fuel/examples/puppetsync.pp
+++ b/deployment/puppet/fuel/examples/puppetsync.pp
@ -4,11 +4,13 @@ Exec  {path => '/usr/bin:/bin:/usr/sbin:/sbin'}

 $fuel_settings = parseyaml($astute_settings_yaml)

-class { "fuel::puppetsync": }
+class { 'fuel::puppetsync':
+  bind_address => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
+}

 fuel::systemd {['rsyncd']:
-  start => true,
+  start         => true,
  template_path => 'fuel/systemd/restart_template.erb',
-  config_name => 'restart.conf',
-  require => Class["fuel::puppetsync"],
+  config_name   => 'restart.conf',
+  require       => Class['fuel::puppetsync'],
 }
--- a/deployment/puppet/fuel/manifests/puppetsync.pp
+++ b/deployment/puppet/fuel/manifests/puppetsync.pp
@ -2,7 +2,8 @@ class fuel::puppetsync (
  $puppet_folder = '/etc/puppet',
  $xinetd_config = '/etc/xinetd.d/rsync',
  $rsync_config  = '/etc/rsyncd.conf',
-  ){
+  $bind_address  = '0.0.0.0',
+){

  File {
    ensure => present,
@ -11,11 +12,13 @@ class fuel::puppetsync (
    mode   => '0644',
  }

+  # template uses $bind_address and $puppet_folder
  file { 'rsync_conf' :
    path    => $rsync_config,
    content => template('fuel/rsyncd.conf.erb'),
  }

+  # template uses $bind_address
  file { 'rsync_xinetd' :
    path    => $xinetd_config,
    content => template('fuel/rsyncd_xinetd.erb'),
@ -25,8 +28,8 @@ class fuel::puppetsync (

  if ! defined(Service['xinetd']) {
    service { 'xinetd':
-      ensure => running,
-      enable => true,
+      ensure  => running,
+      enable  => true,
      require => Package['xinetd'],
    }
  }
--- a/deployment/puppet/fuel/templates/rsyncd.conf.erb
+++ b/deployment/puppet/fuel/templates/rsyncd.conf.erb
@ -1,3 +1,5 @@
+address         = <%= @bind_address %>
+
 [puppet]
 path            = <%= @puppet_folder %>
 read only       = true
@ -10,4 +12,5 @@ path            = /var/www/nailgun/plugins
 read only       = true
 uid             = 0
 gid             = 0
-use chroot      = no
+use chroot      = no
+
--- a/deployment/puppet/fuel/templates/rsyncd_xinetd.erb
+++ b/deployment/puppet/fuel/templates/rsyncd_xinetd.erb
@ -5,7 +5,8 @@ service rsync
    wait            = no
    user            = root
    server          = /usr/bin/rsync
-    server_args     = --daemon --log-file=/var/log/rsync.log
+    server_args     = --address=<%= @bind_address %> --daemon --log-file=/var/log/rsync.log
+    bind            = <%= @bind_address %>
    cps = 512 10
    flags = IPv4
    per_source = UNLIMITED
--- a/tests/noop/spec/hosts/master/puppetsync_spec.rb
+++ b/tests/noop/spec/hosts/master/puppetsync_spec.rb
@ -1,5 +1,6 @@
 require 'spec_helper'
 require 'shared-examples'
+require 'yaml'
 manifest = 'master/puppetsync.pp'

 # HIERA: master
@ -7,7 +8,15 @@ manifest = 'master/puppetsync.pp'

 describe manifest do
  shared_examples 'catalog' do
-    it { is_expected.to contain_class 'fuel::puppetsync' }
+    let(:fuel_settings) do
+      YAML.load facts[:astute_settings_yaml]
+    end
+
+    it 'should contain class "fuel::puppetsync" with parameters' do
+      is_expected.to contain_class('fuel::puppetsync').with(
+          :bind_address => fuel_settings['ADMIN_NETWORK']['ipaddress'],
+      )
+    end

    it 'should contain "rsyncd" fuel::systemd service with parameters' do
      parameters = {