From e54b91f170ce559a4712d16f8caccf87eabe7fdc Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Mon, 21 Mar 2022 14:28:24 +0100 Subject: [PATCH] Add tasks that configure NFS ganesha. --- README.md | 8 ++-- defaults/main.yml | 42 ++++++++++++++++++ tasks/ganesha-nfs.yml | 73 ++++++++++++++++++++++++++++++++ tasks/main.yml | 3 +- templates/ganesha-export.conf.j2 | 40 +++++++++++++++++ templates/ganesha.conf.j2 | 26 ++++++++++++ 6 files changed, 188 insertions(+), 4 deletions(-) create mode 100644 tasks/ganesha-nfs.yml create mode 100644 templates/ganesha-export.conf.j2 create mode 100644 templates/ganesha.conf.j2 diff --git a/README.md b/README.md index 52d000c..fc2e781 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -Role Name +basic-system-setup ========= This role runs a set of tasks that perform some basic systems configurations @@ -6,7 +6,9 @@ This role runs a set of tasks that perform some basic systems configurations Role Variables -------------- -timezone: 'Europe/Rome' +```yaml +See the `defaults/main.yml` file +``` License ------- @@ -16,4 +18,4 @@ EUPL-1.2 Author Information ------------------ -An optional section for the role authors to include contact information, or a website (HTML is not allowed). +Andrea Dell'Amico diff --git a/defaults/main.yml b/defaults/main.yml index 1f4e86d..06d3285 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -43,6 +43,48 @@ autofs_packages_el: autofs_maps: [] # - { map_name: 'data', mountpoint_prefix: '/', path: 'data', nfs_server: 'nfs.example.com', remote_export: '/export', is_home: False } +nfs_server_enabled: False +nfs_server_ganesha_enabled: '{{ nfs_server }}' + +nfs_server_ganesha_el_repos: + - centos-release-nfs-ganesha28 + - centos-release-ceph-nautilus +nfs_server_ganesha_el_pkgs: + - nfs-utils + - nfs4-acl-tools + - nfs-ganesha + - nfs-ganesha-vfs + - librados2 + +nfs_server_ganesha_deb_pkgs: + - 'nfs-ganesha' + - 'nfs-ganesha-vfs' + - 'nfs-ganesha-xfs' + +#Protocols = 3,4,9P; +nfs_server_ganesha_server_protocols: '4' +nfs_server_ganesha_path_pseudo: False +nfs_server_ganesha_mdcache: False +nfs_server_ganesha_mdcache_hwmark: 100000 +nfs_server_ganesha_exports: [] +# name, id, path, pseudo_path, access_type (RW, RO), protocols (global), squash (true,false), disable_actl (true,false), sectype, fsal (VFS, XFS), clients +# (*) indicate an optional parameter +# - name: export_filename +# id: 1 +# path: /export +# pseudo: /nfs_export +# access_type(*): 'RW' +# protocols(*): '{{ nfs_server_ganesha_server_protocols }}' +# squash(*): 'root_squash' +# disable_acl(*): 'false' +# sectype(*): 'sys' +# nfs_commit(*): 'false' +# delegations(*): 'none' +# fsal: 'VFS' +# clients: +# - host1 +# - hostN + # tmpreaper tmpreaper_install: False tmpreaper_protect_extra: '' diff --git a/tasks/ganesha-nfs.yml b/tasks/ganesha-nfs.yml new file mode 100644 index 0000000..d397971 --- /dev/null +++ b/tasks/ganesha-nfs.yml 
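Review bot: `nfs_server_ganesha_enabled: '{{ nfs_server }}'` refers to `nfs_server`, which this hunk does not define; the switch added on the line just above it is `nfs_server_enabled`. Since tasks/main.yml gates the whole ganesha task file on this variable, an undefined `nfs_server` fails the role on every host, and if the name happens to resolve to something else in an inventory (a hostname string is truthy) the NFS server gets installed where it was not meant to be. The fix is `nfs_server_ganesha_enabled: '{{ nfs_server_enabled }}'`. Note also that the documented per-export defaults (`access_type(*): 'RW'`, `sectype(*): 'sys'`) make an export writable with unauthenticated AUTH_SYS identities by every host in `clients`, so an `'RO'` default would be the safer starting point, and `False` should be `false` (yamllint truthy).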
@@ -0,0 +1,73 @@
+---
+- name: Create the export directory trees
+ block:
+ - name: Create the directory of the nextcloud NFS export
+ ansible.builtin.file:
+ dest: '{{ san_nextcloud_data_directory_for_export }}'
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+
+ tags: [ 'san', 'nfs', 'storage', 'ganesha', 'ganesha_export' ]
+
+- name: Repositories and packages on EL
+ block:
+ - name: Install storage SIG repositories
+ ansible.builtin.yum:
+ name: '{{ nfs_server_ganesha_el_repos }}'
+ state: present
+
+ - name: Install the SAN NFS packages
+ ansible.builtin.yum:
+ name: '{{ san_nfs_packages }}'
+ state: present
+
+ - name: Install the files needed to produce a SELinux policy for ganesha
+ ansible.builtin.copy:
+ src: '{{ item }}'
+ dest: '/usr/local/lib/{{ item }}'
+ owner: root
+ group: root
+ mode: 0600
+ loop:
+ - ganesha_selinux.pp
+ - ganesha_selinux.te
+ register: ganesha_selinux_policy
+
+ - name: Generate the SELinux policy module
+ ansible.builtin.shell: semodule -i /usr/local/lib/ganesha_selinux.pp && touch /usr/local/lib/.ganesha_selinux
+ when: ganesha_selinux_policy is changed
+
+ when: ansible_distribution_file_variety == "RedHat"
+
+- name: Repositories and packages on Ubuntu/Debian
+ block:
+ - name: Install the nfs ganesha packages on deb systems
+ ansible.builtin.apt:
+ pkg: '{{ nfs_server_ganesha_deb_pkgs }}'
+ state: present
+ cache_valid_time: 1800
+
+ when: ansible_distribution_file_variety == "Debian"
+
+- name: Install and configure ganesha exports using the VFS backend
+ block:
+ - name: Install the ganesha configuration files
+ template: src={{ item }}.j2 dest=/etc/ganesha/{{ item }} owner=root group=root mode=0644
+ loop: '{{ san_ganesha_conf_files }}'
+ register: ganesha_conf_files
+
+ - name: Install the ganesha export files
+ template: src={{ item }}.j2 dest=/etc/ganesha/{{ item }} owner=root group=root mode=0644
+ loop: '{{ san_ganesha_export_files }}'
+ register: ganesha_conf_files
+
+ - name: Ensure that ganesha is
started and enabled + service: name=nfs-ganesha state=started enabled=yes + + - name: Reload ganesha after a reconfiguration + service: name=nfs-ganesha state=reloaded + when: ganesha_conf_files is changed + + tags: [ 'san', 'nfs', 'storage', 'ganesha', 'ganesha_conf' ] diff --git a/tasks/main.yml b/tasks/main.yml index 6aad689..d42b823 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -9,4 +9,5 @@ when: autofs_client_mountpoint - import_tasks: tmpreaper.yml - import_tasks: trusted_ca.yml - +- ansible.builtin.import_tasks: ganesha-nfs.yml + when: nfs_server_ganesha_enabled diff --git a/templates/ganesha-export.conf.j2 b/templates/ganesha-export.conf.j2 new file mode 100644 index 0000000..f4f4eab --- /dev/null +++ b/templates/ganesha-export.conf.j2 @@ -0,0 +1,40 @@ +EXPORT +{ + # Export Id (mandatory, each EXPORT must have a unique Export_Id) + Export_Id = {{ item.id }}; + + # Exported path (mandatory) + Path = {{ item.path }}; + + # Pseudo Path (required for NFS v4) + Pseudo = {{ item.pseudo }}; + + # Required for access (default is None) + # Could use CLIENT blocks instead + Access_Type = {{ item.access_type | default('RW') }}; + + ## Restrict the protocols that may use this export. This cannot allow + ## access that is denied in NFS_CORE_PARAM. + Protocols = {{ nfs_server_ganesha_server_protocols | default('4') }}; + + ## Whether to squash various users. + Squash = {{ item.squash | default('root_squash') }}; + + NFS_Commit = {{ item.nfs_commit | default('false') }}; + + Delegations= {{ item.delegations | default('None') }}; + + Disable_ACL = {{ item.disable_acl | default('false') }}; + ## Allowed security types for this export + Sectype = {{ item.sectype | default('sys') }}; + + # Exporting FSAL + FSAL { + Name = {{ item.fsal }}; + } + CLIENT + { + Clients = {% for nfs_client in item.clients %}{{ nfs_client }}{% if not loop.last %},{% endif %}{% endfor %}; + Access_Type = {{ item.access_type }}; + } +} 
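Review bot: The two template tasks in the last block cannot produce the files the rest of the change expects: they loop over `san_ganesha_conf_files` and `san_ganesha_export_files`, neither of which defaults/main.yml defines, and use `src={{ item }}.j2`, while the only export template added is `ganesha-export.conf.j2` (which reads `item.id`/`item.path` from an export entry) and `ganesha.conf.j2` includes `{{ export_file.name }}.conf` for each entry of `nfs_server_ganesha_exports`. The same undefined-variable problem applies to `san_nextcloud_data_directory_for_export` and `san_nfs_packages` in the earlier blocks, where `nfs_server_ganesha_el_pkgs` is what the defaults actually define. A second defect is that both template tasks `register: ganesha_conf_files`, so the export task's result overwrites the first and a change to ganesha.conf alone never triggers the reload task. Rewriting the last block to loop over `nfs_server_ganesha_exports` with distinct registers fixes both, and it is worth confirming that `state=reloaded` (a SIGHUP) is enough for NFS_CORE_PARAM changes such as Protocols, which presumably need a restart. The `ganesha_selinux.pp`/`.te` files copied by the EL block are not in the diffstat, so that task fails until they are added.
```yaml
- name: Install and configure ganesha exports using the VFS backend
  block:
    - name: Install the ganesha configuration file
      ansible.builtin.template:
        src: ganesha.conf.j2
        dest: /etc/ganesha/ganesha.conf
        owner: root
        group: root
        mode: '0644'
      register: ganesha_conf_file

    - name: Install the ganesha export files
      ansible.builtin.template:
        src: ganesha-export.conf.j2
        dest: '/etc/ganesha/{{ item.name }}.conf'
        owner: root
        group: root
        mode: '0644'
      loop: '{{ nfs_server_ganesha_exports }}'
      loop_control:
        label: '{{ item.name }}'
      register: ganesha_export_files

    # … unchanged: service started/enabled …

    - name: Reload ganesha after a reconfiguration
      ansible.builtin.service:
        name: nfs-ganesha
        state: reloaded
      when: ganesha_conf_file is changed or ganesha_export_files is changed

  # … unchanged: tags …
```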
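Review bot: `Access_Type = {{ item.access_type | default('RW') }};` at EXPORT level grants that access to every client, not only to those in the CLIENT block: as I read Ganesha's export semantics, and as the template's own comment ("default is None") hints, the EXPORT-level options are what a client matching no CLIENT block receives, so the `Clients` list restricts nothing. Keep the export-level line as `Access_Type = None;` and grant access only inside the CLIENT block. The CLIENT block's `Access_Type = {{ item.access_type }};` also lacks the `default('RW')` used at export level, so omitting the `access_type(*)` key that defaults/main.yml documents as optional makes the template fail; make it `Access_Type = {{ item.access_type | default('RW') }};`. Likewise `Protocols` reads the global variable and ignores the per-export `item.protocols(*)` the defaults document.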
diff --git a/templates/ganesha.conf.j2 b/templates/ganesha.conf.j2
new file mode 100644
index 0000000..861ec1b
--- /dev/null
+++ b/templates/ganesha.conf.j2
@@ -0,0 +1,26 @@
+## These are core parameters that affect Ganesha as a whole.
+NFS_CORE_PARAM {
+ {% if nfs_server_ganesha_path_pseudo %}
+ ## Allow NFSv3 to mount paths with the Pseudo path, the same as NFSv4,
+ ## instead of using the physical paths.
+ mount_path_pseudo = true;
+ {% endif %}
+
+ ## Configure the protocols that Ganesha will listen for. This is a hard
+ ## limit, as this list determines which sockets are opened. This list
+ ## can be restricted per export, but cannot be expanded.
+ #Protocols = 3,4,9P;
+ Protocols = {{ nfs_server_ganesha_server_protocols }};
+}
+
+{% if nfs_server_ganesha_mdcache %}
+## Configure settings for the object handle cache
+MDCACHE {
+ ## The point at which object cache entries will start being reused.
+ Entries_HWMark = {{ nfs_server_ganesha_mdcache_hwmark }};
+}
+{% endif %}
+
+{% for export_file in nfs_server_ganesha_exports %}
+%include "{{ export_file.name }}.conf"
+{% endfor %}
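Review bot: `%include "{{ export_file.name }}.conf"` is a relative path whose base directory depends on how Ganesha resolves includes, while the task file writes the export files under /etc/ganesha; an absolute `%include "/etc/ganesha/{{ export_file.name }}.conf"` removes that dependency. With the default `nfs_server_ganesha_exports: []` this renders a ganesha.conf with no EXPORT block at all, which is presumably intended but deserves a line such as `## No EXPORT blocks here: exports come from the included per-export files`. A change to `Protocols` alters which sockets Ganesha opens, so a plain service reload is unlikely to apply it; the reload-versus-restart decision belongs with the task that installs this file.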