Add Fedora 18+ and Kerberized NFS4 support

README.md

@@ -10,6 +10,10 @@ to clients.
 
 Optional nfs4-support.
 
+Management of daemons required for Kerberized nfs4
+servers and clients (Red Hat and Fedora only for now).
+
+
 Dependencies
 ----------------------
 
@@ -18,9 +22,12 @@ Clients need to support augeas.
 
 Check Modulesfile for module dependencies
 
-I have tested the module on lucid, precise, centos5 and centos6.
+${original_author} has tested the module on lucid, precise, centos5 and centos6.
 Chances are good it will work on rhel and sles aswell.
 
+18-Jun-2013: Added Fedora 18 support.
+
+
 Examples
 ----------------------
 
@@ -169,13 +176,18 @@ This will export /data/folder on the server and automagically mount it on client
 
 ### NFSv4 insanely overcomplicated reference example
 
-
 <pre>
 
   # and on individual nodes.
   node server {
     class { 'nfs::server':
-      nfs_v4              => true,
+      nfs_v4                 => true,
+      nfs_v4_kerberos_realm  => 'EXAMPLE.COM',
+      nfs_v4_kerberized      => true,
+      rpcgssd_opts	     => '-v',
+      rpcsvcgssd_opts        => '-v',
+      rpcidmapd_opts         => '-v',
+
       # Below are defaults
       nfs_v4_idmap_domain => $::domain,
       nfs_v4_export_root  => '/export',
@@ -215,6 +227,11 @@ This will export /data/folder on the server and automagically mount it on client
     class { 'nfs::server':
       nfs_v4              => true,
       nfs_v4_idmap_domain => $::domain
+      nfs_v4_kerberos_realm  => 'EXAMPLE.COM',
+      nfs_v4_kerberized      => true,
+      rpcgssd_opts	     => '-v',
+      rpcsvcgssd_opts        => '-v',
+      rpcidmapd_opts         => '-v',
       nfs_v4_mount_root   => '/srv',
     }
 
@@ -241,7 +258,10 @@ This will export /data/folder on the server and automagically mount it on client
 
 Author
 -----------------
-Harald Skoglund <haraldsk@redpill-linpro.com>
+Original by Harald Skoglund <haraldsk@redpill-linpro.com>
+
+Simon Fraser University Research Computing Group
+      (Kerberized NFS4 support; Fedora 18+ support)
 
 Webpage
 -----------------

manifests/client.pp

@@ -16,13 +16,33 @@
 #  Domain setting for idmapd, must be the same across server
 #  and clients.
 #
+# [nfs_v4_kerberized]
+#  (RHEL only) Toggles SECURE_NFS in /etc/sysconfig/nfs;
+#  enables and runs rpc.gssd and rpc.svgssd
+#
+# [nfs_v4_kerberos_realm]
+#  (RHEL only) For /etc/idmapd.conf's Local-Realms parameter.
 #  Default is to use $::domain fact.
 #
+# [rpcgssd_opts]
+#  (RHEL only) Passes options to rpc.gssd in /etc/sysconfig/nfs.
+#
+# [rpcsvcgssd_opts]
+#  (RHEL only) Passes options to rpc.svcgssd in /etc/sysconfig/nfs.
+#
+# [rpcidmapd_opts]
+#  (RHEL only) Passes options to rpc.idmapd in /etc/sysconfig/nfs.
+#
 # === Examples
 #
 #
 #  class { 'nfs::client':
 #    nfs_v4              => true,
+#    nfs_v4_kerberos_realm  => 'EXAMPLE.COM',
+#    nfs_v4_kerberized      => true,
+#    rpcgssd_opts	    => '-v',
+#    rpcsvcgssd_opts        => '-v',
+#    rpcidmapd_opts         => '-v',
 #    # Generally parameters below have sane defaults.
 #    nfs_v4_mount_root  => "/srv",
 #    nfs_v4_idmap_domain => $::domain,
@@ -39,14 +59,25 @@
 #
 
 class nfs::client (
-  $nfs_v4              = $nfs::params::nfs_v4,
-  $nfs_v4_mount_root   = $nfs::params::nfs_v4_mount_root,
-  $nfs_v4_idmap_domain = $nfs::params::nfs_v4_idmap_domain
+  $nfs_v4                 = $nfs::params::nfs_v4,
+  $nfs_v4_mount_root      = $nfs::params::nfs_v4_mount_root,
+  $nfs_v4_idmap_domain    = $nfs::params::nfs_v4_idmap_domain,
+  $nfs_v4_kerberized      = $nfs::params::nfs_v4_kerberized,
+  $nfs_v4_kerberos_realm  = $nfs::params::nfs_v4_kerberos_realm,  
+  $rpcgssd_opts           = $nfs::params::rpcgssd_opts,
+  $rpcsvcgssd_opts        = $nfs::params::rpcsvcgssd_opts,
+  $rpcidmapd_opts         = $nfs::params::rpcidmapd_opts,
+
 ) inherits nfs::params {
 
-  class{ "nfs::client::${osfamily}":
-    nfs_v4              => $nfs_v4,
-    nfs_v4_idmap_domain => $nfs_v4_idmap_domain,
+  class{ "nfs::client::${lsbdistid}":
+    nfs_v4                 => $nfs_v4,
+    nfs_v4_idmap_domain    => $nfs_v4_idmap_domain,
+    nfs_v4_kerberized      => $nfs_v4_kerberized,
+    nfs_v4_kerberos_realm  => $nfs_v4_kerberos_realm,
+    rpcgssd_opts           => $rpcgssd_opts,
+    rpcsvcgssd_opts        => $rpcsvcgssd_opts,
+    rpcidmapd_opts         => $rpcidmapd_opts,
   }
 
 }

manifests/client/fedora.pp

@@ -0,0 +1,20 @@
+# Shamefully stolen from https://github.com/frimik/puppet-nfs
+# refactored a bit
+
+class nfs::client::fedora (
+  $nfs_v4 = false,
+  $nfs_v4_idmap_domain = undef,
+  $nfs_v4_kerberized = false,
+  $nfs_v4_kerberos_realm = undef,
+  $rpcgssd_opts = undef,
+  $rpcsvcgssd_opts = undef,
+  $rpcidmapd_opts = undef,
+  $rpcmountd_opts = undef
+
+
+) inherits nfs::client::fedora::params {
+
+  include nfs::client::fedora::install, 
+    nfs::client::fedora::configure, 
+    nfs::client::fedora::service
+}

manifests/client/fedora/configure.pp

@@ -0,0 +1,41 @@
+# Shamefully stolen from https://github.com/frimik/puppet-nfs
+# refactored a bit
+
+class nfs::client::fedora::configure {
+
+  # Because rhel/fedora /etc/sysconfig/nfs doesn't want true/false
+  # it wants yes/no
+  if $nfs::client::fedora::nfs_v4_kerberized {
+     $nfs_v4_secure = 'yes'
+  } else {
+     $nfs_v4_secure = 'no'
+  }
+
+  concat { '/etc/idmapd.conf':
+    warn    => true,
+    mode    => '0644',
+    owner   => 'root',
+    group   => 'root',
+  }
+  concat { '/etc/sysconfig/nfs':
+    warn    => true,
+    mode    => '0644',
+    owner   => 'root',
+    group   => 'root',
+  }
+  concat::fragment { 'idmapd.conf.erb':
+    target  => '/etc/idmapd.conf',
+    order   => 01,
+    content => template('nfs/idmapd.conf.erb'),
+    notify  => Service['nfs-idmap'],
+  }
+
+  # yes, the old /etc/init.d/nfs is called nfs-server now
+  # no, there is no nfs-client on Fedora 17+
+  concat::fragment { 'rhel-sysconfig-nfs':
+    target  => '/etc/sysconfig/nfs',
+    order   => 02,
+    content => template('nfs/rhel-sysconfig-nfs.erb'),
+    notify  => Service['nfs-secure', 'nfs-idmap', 'nfs-server'],
+  }  
+}

manifests/client/fedora/install.pp

@@ -0,0 +1,22 @@
+# Shamefully stolen from https://github.com/frimik/puppet-nfs
+# refactored a bit
+
+class nfs::client::fedora::install {
+
+  Package {
+    before => Class['nfs::client::fedora::configure']
+  }
+  package { 'nfs-utils':
+    ensure => present,
+  }
+  package {'rpcbind':
+      ensure => present,
+  }
+
+  if $nfs::client::fedora::nfs_v4_kerberized {
+    package { ['krb5-libs', 'krb5-workstation', 'krb5-devel',]:
+      ensure => present,
+    }    
+  }
+}
+

manifests/client/fedora/params.pp

@@ -0,0 +1,8 @@
+# Shamefully stolen from https://github.com/frimik/puppet-nfs
+# refactored a bit
+
+class nfs::client::fedora::params {
+
+}
+
+

manifests/client/fedora/service.pp

@@ -0,0 +1,62 @@
+# Shamefully stolen from https://github.com/frimik/puppet-nfs
+# refactored a bit
+
+class nfs::client::fedora::service {
+
+  Service {
+    require => Class['nfs::client::fedora::configure']
+  }
+
+  if $nfs::client::fedora::nfs_v4 {
+    $nfs4_services_ensure = 'running'
+  } else {
+    $nfs4_services_ensure = 'stopped'
+  }
+
+  if $nfs::client::fedora::nfs_v4_kerberized {
+    $nfs4_kerberized_services_ensure = 'running'
+  } else {
+    $nfs4_kerberized_services_ensure = 'stopped'
+  }
+
+  if $nfs::client::fedora::nfs_v4_kerberized {
+    service { 'nfs-secure': 
+      provider  => 'systemd',
+      ensure    => $nfs4_kerberized_services_ensure,
+      enable    => $nfs::client::fedora::nfs_v4_kerberized,
+      hasstatus => true,
+   }
+  }
+
+  service { 'nfs-idmap':
+    provider  => 'systemd',
+    ensure    => $nfs4_services_ensure,
+    enable    => $nfs::client::fedora::nfs_v4,
+    hasstatus => true,
+  }
+
+
+  if !defined(Service['nfs-server']) {
+    service { 'nfs-server':
+      provider  => 'systemd',
+      name      => 'nfs-server',
+      ensure    => running,
+      enable    => true,
+      hasstatus => true,
+    }    
+  }
+
+  service {'nfs-lock':
+    ensure     => running,
+    enable     => true,
+    hasstatus  => true,
+    require    => Package["nfs-utils"]
+  }
+
+  service {"rpcbind":
+    ensure    => running,
+    enable    => true,
+    hasstatus => true,
+    require   => [Package["rpcbind"], Package["nfs-utils"]],
+  }
+}

manifests/client/rhel.pp

@@ -0,0 +1,20 @@
+# Shamefully stolen from https://github.com/frimik/puppet-nfs
+# refactored a bit
+
+class nfs::client::rhel (
+  $nfs_v4 = false,
+  $nfs_v4_idmap_domain = undef,
+  $nfs_v4_kerberized = false,
+  $nfs_v4_kerberos_realm = undef,
+  $rpcgssd_opts = undef,
+  $rpcsvcgssd_opts = undef,
+  $rpcidmapd_opts = undef,
+  $rpcmountd_opts = undef
+
+
+) inherits nfs::client::rhel::params {
+
+  include nfs::client::rhel::install, 
+    nfs::client::rhel::configure, 
+    nfs::client::rhel::service
+}

manifests/client/rhel/configure.pp

@@ -0,0 +1,38 @@
+# Shamefully stolen from https://github.com/frimik/puppet-nfs
+# refactored a bit
+
+class nfs::client::rhel::configure {
+
+  # Because RHEL /etc/sysconfig/nfs doesn't want true/false;
+  # it wants yes/no
+  if $nfs::client::rhel::nfs_v4_kerberized {
+     $nfs_v4_secure = 'yes'
+  } else {
+     $nfs_v4_secure = 'no'
+  }
+
+  concat { '/etc/idmapd.conf':
+    warn    => true,
+    mode    => '0644',
+    owner   => 'root',
+    group   => 'root',
+  }
+  concat { '/etc/sysconfig/nfs':
+    warn    => true,
+    mode    => '0644',
+    owner   => 'root',
+    group   => 'root',
+  }
+  concat::fragment { 'idmapd.conf.erb':
+    target  => '/etc/idmapd.conf',
+    order   => 01,
+    content => template('nfs/idmapd.conf.erb'),
+    notify  => Service['rpcidmapd'],
+  }
+  concat::fragment { 'rhel-sysconfig-nfs':
+    target  => '/etc/sysconfig/nfs',
+    order   => 02,
+    content => template('nfs/rhel-sysconfig-nfs.erb'),
+    notify  => Service['rpcgssd', 'rpcsvcgssd', 'rpcidmapd', 'nfs'],
+  }  
+}

manifests/client/rhel/install.pp

@@ -0,0 +1,30 @@
+# Shamefully stolen from https://github.com/frimik/puppet-nfs
+# refactored a bit
+
+class nfs::client::rhel::install {
+
+  Package {
+    before => Class['nfs::client::rhel::configure']
+  }
+  package { 'nfs-utils':
+    ensure => present,
+  }
+
+  if $nfs::client::rhel::osmajor == 6 {
+    package {'rpcbind':
+      ensure => present,
+    }
+  }
+  elsif $nfs::client::rhel::osmajor == 5 {
+    package { 'portmap':
+      ensure => present,
+    }
+  }
+
+  if $nfs::client::rhel::nfs_v4_kerberized {
+    package { ['krb5-libs', 'krb5-workstation', 'krb5-devel',]:
+      ensure => present,
+    }    
+  }
+}
+

manifests/client/rhel/params.pp

@@ -0,0 +1,13 @@
+# Shamefully stolen from https://github.com/frimik/puppet-nfs
+# refactored a bit
+
+class nfs::client::rhel::params {
+
+  if versioncmp($::operatingsystemrelease, "6.0") > 0 {
+    $osmajor = 6
+  } elsif versioncmp($::operatingsystemrelease, "5.0") > 0 {
+    $osmajor = 5
+  }
+}
+
+