glusterfs service: Add settings to disable rpcbind and the events daemon.

See also https://github.com/NixOS/nixpkgs/pull/22225#pullrequestreview-26459886
This commit is contained in:
Niklas Hambüchen 2017-05-07 00:32:41 +02:00
parent 5e2815dfb7
commit bd54b72676

View File

@ -41,6 +41,25 @@ in
default = "INFO"; default = "INFO";
}; };
useRpcbind = mkOption {
type = types.bool;
description = ''
Enable use of rpcbind. This is required for Gluster's NFS functionality.
You may want to turn it off to reduce the attack surface for DDoS reflection attacks.
See https://davelozier.com/glusterfs-and-rpcbind-portmap-ddos-reflection-attacks/
and https://bugzilla.redhat.com/show_bug.cgi?id=1426842 for details.
'';
default = true;
};
enableGlustereventsd = mkOption {
type = types.bool;
description = "Whether to enable the GlusterFS Events Daemon";
default = true;
};
extraFlags = mkOption { extraFlags = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
description = "Extra flags passed to the GlusterFS daemon"; description = "Extra flags passed to the GlusterFS daemon";
@ -89,7 +108,7 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.glusterfs ]; environment.systemPackages = [ pkgs.glusterfs ];
services.rpcbind.enable = true; services.rpcbind.enable = cfg.useRpcbind;
environment.etc = mkIf (cfg.tlsSettings != null) { environment.etc = mkIf (cfg.tlsSettings != null) {
"ssl/glusterfs.pem".source = cfg.tlsSettings.tlsPem; "ssl/glusterfs.pem".source = cfg.tlsSettings.tlsPem;
@ -104,8 +123,8 @@ in
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
requires = [ "rpcbind.service" ]; requires = lib.optional cfg.useRpcbind "rpcbind.service";
after = [ "rpcbind.service" "network.target" "local-fs.target" ]; after = [ "network.target" "local-fs.target" ] ++ lib.optional cfg.useRpcbind [ "rpcbind.service" ];
preStart = '' preStart = ''
install -m 0755 -d /var/log/glusterfs install -m 0755 -d /var/log/glusterfs
@ -133,7 +152,7 @@ in
}; };
}; };
systemd.services.glustereventsd = { systemd.services.glustereventsd = mkIf cfg.enableGlustereventsd {
inherit restartTriggers; inherit restartTriggers;
description = "Gluster Events Notifier"; description = "Gluster Events Notifier";