Commit 3e299b1d authored by Hinrikus Wolf

Merge branch 'kerberized-nfs'

parents 4bbf52f0 927e1d14
#!/bin/bash
if [ ! -h /$1 ]; then
rm /$1
rmdir /$1
ln -s /net/$1 /$1
fi
options nfs nfs4_disable_idmapping=N
......@@ -7,8 +7,5 @@
- name: restart nfs-common
service: name=nfs-common state=restarted
- name: reload sysfs.conf
service: name=sysfsutils state=restarted
- name: reload sysctl
command: sysctl -p
......@@ -2,42 +2,30 @@
# file: roles/nfs-client/tasks/main.yml
- name: ensure nfs client utils are installed
apt: name=nfs-common state=latest
tags:
- nfs-client
- packages
- name: ensure CIFS utils are installed
apt: name=cifs-utils,smbclient state=latest
tags:
- nfs-client
- cifs-client
- packages
- name: ensure sysfs-utils are installed
apt: name=sysfsutils state=present
apt: name="{{ item }}" state=installed
with_items:
- nfs-common
- libgssrpc4
- librpcsecgss3
- autofs
tags:
- nfs-client
- packages
- name: ensure we use the idmapper
command: 'echo "N" > /sys/module/nfs/parameters/nfs4_disable_idmapping'
notify:
- restart nfs-common
tags:
- nfs-client
- sysfs
- config
- name: ensure we use the idmapper after a reboot
lineinfile: line="module/nfs/parameters/nfs4_disable_idmapping = N" dest=/etc/sysfs.conf create=yes
notify:
- reload sysfs.conf
- restart nfs-common
tags:
- nfs-client
- sysfs
- config
#- name: ensure we use the idmapper
# copy: content="N" dest=/sys/module/nfs/parameters/nfs4_disable_idmapping
# notify:
# - restart nfs-common
# - restart autofs
# tags:
# - nfs-client
# - config
#
#- name: ensure we use the idmapper after a reboot
# copy: src=modprobe-nfs.conf dest=/etc/modprobe.d/nfs.conf owner=root group=root mode=0644
# tags:
# - nfs-client
# - config
- name: ensure the kernel key storage quote used for idmapping is sufficiently high
sysctl: name=kernel.keys.root_maxkeys state=present value=1000 # default is 200, this quote was reached
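Review bot: On what appears to be the new side both idmapper tasks are commented out, so the `options nfs nfs4_disable_idmapping=N` file added in this commit is never copied to `/etc/modprobe.d/nfs.conf` and the parameter stays at the kernel default. If that is deliberate because the Kerberized NFSv4 mounts go through the idmapper anyway, say so in a comment above the commented block instead of leaving dead tasks and a dead file; otherwise re-enable the `copy: src=modprobe-nfs.conf dest=/etc/modprobe.d/nfs.conf …` task, which is the reboot-safe form. Nothing is lost by dropping the old `command: 'echo "N" > /sys/module/…'` task, since the command module runs no shell and would have passed the `>` to echo as an argument. Which lines are old and which are new is inferred from the removed `reload sysfs.conf` handler, and the `sysctl` task at the end continues outside this hunk.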
......@@ -59,13 +47,12 @@
- sysctl
- config
# makes life much easier to have an automounter and not /etc/fstab
- name: ensure automounter is installed
apt: name=autofs state=latest
- name: ensure there is a base directory for automount
file: state=directory path=/net owner=root group=root mode=0755
notify:
- restart autofs
tags:
- nfs-client
- autofs
- packages
- name: ensure automounter is configured
copy: src=auto.master dest=/etc/auto.master owner=root group=root mode=0644
......@@ -73,39 +60,33 @@
- restart autofs
tags:
- nfs-client
- autofs
- config
- name: ensure mounts from central storage are available
template: src=auto.nfs.j2 dest=/etc/auto.nfs owner=root group=root mode=0644
notify:
- nfs-client
- restart autofs
tags:
- autofs
- nfs-client
- config
- name: ensure automounter is enabled
service: name=autofs state=running enabled=yes
tags:
- nfs-client
- autofs
- service
- name: ensure linking of home
script: create_netdir.sh home
- name: ensure linking of netdirs
file: src="/net/{{ item.netdir }}" dest="/{{ item.dest }}" state=link force=yes
with_items: "{{ nfs_shares }}"
tags:
- nfs-client
- fsmpi
- autofs
- name: ensure linking of pub
script: create_netdir.sh pub
- name: configure default umask and other user related stuff
copy: src=login.defs dest=/etc/login.defs owner=root group=root mode=0644
tags:
- nfs-client
- fsmpi
- autofs
- umask
- config
- meta: flush_handlers
- include: umask.yml
- meta: flush_handlers
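Review bot: `notify: - nfs-client` on the auto.nfs template task names a handler that does not exist in the visible `roles/nfs-client/handlers/main.yml` (only `restart autofs`, `restart nfs-common` and `reload sysctl` are defined), and newer Ansible releases abort the play on an unknown handler; it reads like a tag that slipped into the wrong list, so drop it and keep `restart autofs`. The link task runs `file: src="/net/{{ item.netdir }}" dest="/{{ item.dest }}" state=link force=yes` for every entry of `nfs_shares`, so an entry with a missing `dest` renders the target as `/` and an entry whose `dest` is an existing regular file is silently unlinked by `force=yes`, whereas the `create_netdir.sh` it replaces only removed empty directories. Add a guard such as `when: item.dest | default('') != '' and item.netdir | default('') != ''` or an `assert` on both keys before this task.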
---
# file: roles/client/tasks/main.yml
- name: configure default umask and other user related stuff
copy: src=login.defs dest=/etc/login.defs owner=root group=root mode=0644
tags:
- umask
- config
- name: activate pam.d session modules to set default umask
lineinfile: dest=/etc/pam.d/common-session line="session optional pam_umask.so"
tags:
- umask
- pam
- config
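Review bot: The `lineinfile` on `/etc/pam.d/common-session` edits a file that Debian's `pam-auth-update` generates and rewrites on PAM package changes, so the `session optional pam_umask.so` line can silently disappear after a later upgrade; the durable form is a profile under `/usr/share/pam-configs/` applied with `pam-auth-update --package`. If the direct edit is kept, document the risk next to it, e.g. `# pam_umask applies UMASK from /etc/login.defs (verify on target release); pam-auth-update may drop this line`. Whether this file is new in the commit cannot be told from the rendering.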
{% for share in nfsshares %}
{{ share }}
{% endfor %}
{%- for share in nfs_shares %}
{{ share.netdir }} -{{ share.options }} {{ share.src }}
{% endfor -%}
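Review bot: The template writes `share.options` verbatim into the `/net` file map, and unlike a `-hosts` map autofs adds no `nosuid,nodev` of its own there (the auto.master comment in this commit states that default only for hosts maps), so every `nfs_shares` entry must carry `nosuid,nodev` and, for the Kerberized exports, `sec=krb5`/`sec=krb5p` in `options` or a share containing a setuid binary becomes a local privilege escalation on the client. An entry with an empty `options` renders as a bare `-`, which autofs will presumably treat as an empty option string; either make the field mandatory in the variable definition or render it as `{% if share.options %}-{{ share.options }}{% endif %}`. Consider a `# generated by ansible; options must include nosuid,nodev and sec=krb5` header line so the requirement survives in the deployed file.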
#
# Sample auto.master file
# This is an automounter map and it has the following format
# key [ -mount-options-separated-by-comma ] location
# For details of the format look at autofs(5).
#
#/misc /etc/auto.misc
#
# NOTE: mounts done from a hosts map will be mounted with the
# "nosuid" and "nodev" options unless the "suid" and "dev"
# options are explicitly given.
#
#/net -hosts
/net /etc/auto.nfs
#
# Include central master map if it can be found using
# nsswitch sources.
#
# Note that if there are entries for /net or /misc (as
# above) in the included master map any keys that are the
# same will not be seen as the first read key seen takes
# precedence.
#
+auto.master
options nfs nfs4_disable_idmapping=N
---
# file: roles/nfs-client/handlers/main.yml
- name: restart autofs
service: name=autofs state=restarted
- name: restart nfs-common
service: name=nfs-common state=restarted
- name: reload sysctl
command: sysctl -p
---
# file: roles/nfs-server/tasks/main.yml
- name: ensure nfs server utils are installed
apt: name="{{ item }}" state=installed
with_items:
- nfs-common
- nfs-kernel-server
- msktutils
- librpcsecgss3
- libgssrpc4
tags:
- nfs-server
- packages
- name: ensure default umask and other user related stuff
copy: src=login.defs dest=/etc/login.defs owner=root group=root mode=0644
tags:
- nfs-server
- umask
- config
- name: ensure exports configuration is in place
template: src=exports.j2 dest=/etc/exports owner=root group=root mode=0644
notify:
- restart nfs-server
tags:
- nfs-server
- config
- name: ensure nfs-common is configured
copy: src=nfs-common dest=/etc/default/nfs-common owner=root group=root mode=0644
notify:
- restart nfs-server
tags:
- nfs-server
- config
- name: ensure nfs-kernel-server is configured
copy: src=nfs-kernel-server dest=/etc/default/nfs-kernel-server owner=root group=root mode=0644
notify:
- restart nfs-server
tags:
- nfs-server
- config
- name: ensure nfs-server is enabled and running
service: name=nfs-server state=running enabled=yes
tags:
- nfs-server
- service
- name: ensure that there is a keytab available
file: path=/etc/krb5.keytab state=present
tags:
- nfs-server
- service-principal
- name: check that we have a valid service principal
shell: klist -k /etc/krb5.keytab | grep nfs/{{ ansible_fqdn }}
register: principal
failed_when: False
tags:
- nfs-server
- service-principal
- block:
- name: test if there is a nfs-user account
shell: samba-tool user list | grep nfs-user
register: nfsuser
failed_when: False
delegate_to: "{{ authservers[0] }}"
tags:
- nfs-server
- service-principal
- name: ensure there is a nfs-user account
command: samba-tool user create nfs-user --random-password
when: nfsuser.rc == 1
delegate_to: "{{ authservers[0] }}"
tags:
- nfs-server
- service-principal
- name: create service principal
command: "samba-tool spn add nfs/{{ ansible_fqdn }} nfs-user"
delegate_to: "{{ authservers[0] }}"
tags:
- nfs-server
- service-principal
- name: export keytab
command: "samba-tool domain exportkeytab /root/{{ ansible_fqdn }}.keytab --principal nfs/{{ ansible_fqdn }}"
creates: "/root/{{ ansible_fqdn }}.keytab"
delegate_to: "{{ authservers[0] }}"
tags:
- nfs-server
- service-principal
- name: copy keytab
synchronize:
src: "/root/{{ ansible_fqdn }}.keytab"
dest: "{{ ansible_fqdn }}:/root/{{ ansible_fqdn }}.keytab"
delegate_to: "{{ authservers[0] }}"
tags:
- nfs-server
- service-principal
- name: ensure pexpect is installed
apt: name=python-pexpect state=installed
tags:
- nfs-server
- service-principal
- name: merge keytabs
- expect:
command: ktutil
responses:
ktutil(.*):
- rkt /etc/krb5.keytab
- "rkt /root/{{ ansible_fqdn }}.keytab"
- wkt /etc/krb5.keytab
- exit
notify:
- restart nfs-server
tags:
- nfs-server
- service-principal
- name: remove keytab at kdc
file: path="/root/{{ ansible_fqdn }}.keytab" state=absent
delegate_to: "{{ authservers[0] }}"
tags:
- nfs-server
- service-principal
- name: remove keytab at host
file: path="/root/{{ ansible_fqdn }}.keytab" state=absent
tags:
- nfs-server
- service-principal
when: principal.rc == 1
- meta: flush_handlers
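Review bot: `- name: merge keytabs` followed by `- expect:` are two separate list items, so the first task has no module and Ansible rejects the play ("no action detected in task") before any keytab is merged; the `-` before `expect:` has to go and the module indented under the name. The keytab is created with `file: path=/etc/krb5.keytab state=present`, which is not a `file` state (`touch` is) and sets no mode, so the service key ends up with whatever the default umask gives; use `state=touch owner=root group=root mode=0600`. The two `remove keytab` tasks only run if every earlier task in the block succeeded, so a failing `ktutil` or `synchronize` leaves an exported copy of the NFS service key in `/root` on the KDC and on the host; moving the removals into an `always:` clause of the block fixes that. Note also that `samba-tool spn add` is not idempotent and will fail the block if the SPN already exists in the directory (e.g. after a host rebuild that lost only the local keytab), and that a task-level `creates:` on the export task should probably be under `args:`.

```yaml
- name: ensure that there is a keytab available
  file: path=/etc/krb5.keytab state=touch owner=root group=root mode=0600
  tags:
    - nfs-server
    - service-principal
# … unchanged: principal check, nfs-user / SPN creation, export and copy of the keytab, pexpect install …
- block:
    - name: merge keytabs
      expect:
        command: ktutil
        responses:
          ktutil(.*):
            - rkt /etc/krb5.keytab
            - "rkt /root/{{ ansible_fqdn }}.keytab"
            - wkt /etc/krb5.keytab
            - exit
      notify:
        - restart nfs-server
      tags:
        - nfs-server
        - service-principal
  always:
    - name: remove keytab at kdc
      file: path="/root/{{ ansible_fqdn }}.keytab" state=absent
      delegate_to: "{{ authservers[0] }}"
      tags:
        - nfs-server
        - service-principal
    - name: remove keytab at host
      file: path="/root/{{ ansible_fqdn }}.keytab" state=absent
      tags:
        - nfs-server
        - service-principal
  when: principal.rc == 1
```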
{%- for share in nfs_shares %}
{{ share.netdir }} -{{ share.options }} {{ share.src }}
{% endfor -%}