glusterfs service: Add settings to disable rpcbind and the events daemon.

See also https://github.com/NixOS/nixpkgs/pull/22225#pullrequestreview-26459886
2017-05-07 00:32:41 +02:00 · 2017-05-07 00:32:41 +02:00 · bd54b72676
commit bd54b72676
parent 5e2815dfb7
1 changed files with 23 additions and 4 deletions
--- a/nixos/modules/services/network-filesystems/glusterfs.nix
+++ b/nixos/modules/services/network-filesystems/glusterfs.nix
@ -41,6 +41,25 @@ in
        default = "INFO";
      };

+      useRpcbind = mkOption {
+        type = types.bool;
+        description = ''
+          Enable use of rpcbind. This is required for Gluster's NFS functionality.
+
+          You may want to turn it off to reduce the attack surface for DDoS reflection attacks.
+
+          See https://davelozier.com/glusterfs-and-rpcbind-portmap-ddos-reflection-attacks/
+          and https://bugzilla.redhat.com/show_bug.cgi?id=1426842 for details.
+        '';
+        default = true;
+      };
+
+      enableGlustereventsd = mkOption {
+        type = types.bool;
+        description = "Whether to enable the GlusterFS Events Daemon";
+        default = true;
+      };
+
      extraFlags = mkOption {
        type = types.listOf types.str;
        description = "Extra flags passed to the GlusterFS daemon";
@ -89,7 +108,7 @@ in
  config = mkIf cfg.enable {
    environment.systemPackages = [ pkgs.glusterfs ];

-    services.rpcbind.enable = true;
+    services.rpcbind.enable = cfg.useRpcbind;

    environment.etc = mkIf (cfg.tlsSettings != null) {
      "ssl/glusterfs.pem".source = cfg.tlsSettings.tlsPem;
@ -104,8 +123,8 @@ in

      wantedBy = [ "multi-user.target" ];

-      requires = [ "rpcbind.service" ];
-      after = [ "rpcbind.service" "network.target" "local-fs.target" ];
+      requires = lib.optional cfg.useRpcbind "rpcbind.service";
+      after = [ "network.target" "local-fs.target" ] ++ lib.optional cfg.useRpcbind [ "rpcbind.service" ];

      preStart = ''
        install -m 0755 -d /var/log/glusterfs
@ -133,7 +152,7 @@ in
      };
    };

-    systemd.services.glustereventsd = {
+    systemd.services.glustereventsd = mkIf cfg.enableGlustereventsd {
      inherit restartTriggers;

      description = "Gluster Events Notifier";