Version information
This version is compatible with:
- Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2016.4.x
- Puppet >= 4.10.0 < 7.0.0
- , , , ,
Start using this module
Add this module to your Puppetfile:
mod 'pseiler-vsftpd', '8.0.1'
Learn more about managing modules with a Puppetfile
vsftpd Module
Overview
This module installs, configures and manages the vsftpd FTP server. Original module by aneesh. Forked and improved by pseiler.
Description
A more Puppety way of managing the vsftpd daemon. Where possible, the configuration options have remained the same, with a couple of notable exceptions:
- Booleans are now used instead of YES/NO, e.g. local_enable=YES == local_enable => true, local_enable=NO == local_enable => false.
- Parameter values separated by a comma are now arrays. This also applies to parameters with surrounding curly brackets. These parameters are affected: cmds_allowed, cmds_denied, deny_file and hide_file. Examples below.
All configuration parameters that vsftpd.conf supports are also supported by this module. Please read the vsftpd manpage for more information about each parameter.
These additional parameters have a default and can be overwritten:
- package_name (String) - The name of the package from your package manager for your operating system
- service_name (String) - the service name. (e.g. systemd service, etc...)
- config_path (String) - The path where vsftpd.conf should be written to
- template (String) - path to the erb template used, if you want to provide your own
- manage_service (Boolean) - Control if the service should be started and enabled

The defaults can be found in the params.pp
Usage
Default configuration (a nearly empty configuration file with no parameters set is written; not recommended):
include vsftpd
Custom configuration:
class { 'vsftpd':
  anonymous_enable        => false,
  anon_mkdir_write_enable => false,
  anon_other_write_enable => false,
  local_enable            => true,
  download_enable         => true,
  write_enable            => true,
  local_umask             => '022',
  dirmessage_enable       => true,
  xferlog_enable          => true,
  connect_from_port_20    => true,
  xferlog_std_format      => true,
  chroot_local_user       => true,
  chroot_list_enable      => true,
  file_open_mode          => '0666',
  ftp_data_port           => 20,
  listen                  => true,
  listen_ipv6             => false,
  listen_port             => 21,
  pam_service_name        => 'vsftpd',
  tcp_wrappers            => true,
  allow_writeable_chroot  => true,
  pasv_enable             => true,
  pasv_min_port           => 1024,
  pasv_max_port           => 1048,
  pasv_address            => '127.0.0.1',
}
A few advanced Configuration parameter examples
anon_umask => '077',
anon_root => '/var/ftp/anonymous',
anon_max_rate => 0,
ftpd_banner => 'My custom banner',
banner_file => '/etc/vsftpd/my_banner.txt',
max_clients => 0,
max_per_ip => 0,
ftp_username => 'ftp',
guest_enable => false,
guest_username => 'ftp',
anon_world_readable_only => false,
ascii_download_enable => false,
ascii_upload_enable => false,
chown_uploads => true,
chown_username => 'linux',
chroot_list_file => '/etc/vsftpd/my_chroot_list',
secure_chroot_dir => '/usr/share/empty',
user_config_dir => '/etc/vsftpd/user_config',
userlist_deny => true,
userlist_enable => true,
userlist_file => '/etc/vsftpd/my_userlist',
delete_failed_uploads => false,
cmds_allowed => ['PASV','RETR','QUIT'],
cmds_denied => ['PASV','RETR','QUIT'],
deny_file => ['*.mp3','*.mov','.private'],
hide_file => ['*.mp3','.hidden','hide*','h?'],
syslog_enable => false,
dual_log_enable => false,
hide_ids => false,
use_localtime => false,
local_max_rate => 0,
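The YES/NO-to-boolean and comma-list-to-array rules from the Description can be applied mechanically when migrating an existing vsftpd.conf to this class. The following is an added example, not part of the module: the function names are hypothetical, and the rule that plain decimals become integers while values with a leading zero stay quoted strings is an assumption based on the examples above.

```python
import re

# The four parameters the README lists as arrays in the Puppet class.
ARRAY_PARAMS = {"cmds_allowed", "cmds_denied", "deny_file", "hide_file"}

def quote(text):
    """Single-quote a Puppet string, escaping backslashes and quotes."""
    return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"

def convert_value(key, raw):
    """Map one vsftpd.conf value to a Puppet literal per the README's rules."""
    value = raw.strip()
    if key in ARRAY_PARAMS:
        # deny_file/hide_file use {a,b,c}; drop the surrounding curly brackets.
        if value.startswith("{") and value.endswith("}"):
            value = value[1:-1]
        items = [v.strip() for v in value.split(",") if v.strip()]
        return "[" + ",".join(quote(v) for v in items) + "]"
    if value.upper() in ("YES", "NO"):
        return "true" if value.upper() == "YES" else "false"
    # Assumption: plain decimals become integers; values with a leading zero
    # (umasks, file modes) stay quoted strings, as in the README's examples.
    if re.fullmatch(r"0|[1-9][0-9]*", value):
        return value
    return quote(value)

def conf_to_puppet(conf_text):
    """Render vsftpd.conf text as a class { 'vsftpd': ... } declaration."""
    params = []
    for number, line in enumerate(conf_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, raw = line.partition("=")
        # vsftpd treats spaces around '=' as an error, so flag them here too.
        if not sep or not key or key != key.strip() or raw != raw.lstrip():
            raise ValueError(f"line {number}: not a key=value setting: {line!r}")
        params.append((key, convert_value(key, raw)))
    width = max((len(k) for k, _ in params), default=0)
    body = "".join(f"  {k.ljust(width)} => {v},\n" for k, v in params)
    return "class { 'vsftpd':\n" + body + "}\n"

# Constructed sample input, not taken from a real server.
SAMPLE_CONF = ("local_enable=YES\nanonymous_enable=NO\nlocal_umask=022\n"
               "pasv_min_port=1024\ncmds_allowed=PASV,RETR,QUIT\n"
               "hide_file={*.mp3,.hidden,hide*,h?}\n")

if __name__ == "__main__":
    print(conf_to_puppet(SAMPLE_CONF))
```

Review the generated declaration before applying it: a string option whose value happens to be `yes` or `no` would also be emitted as a boolean.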
SSL integration (not a rock-solid configuration)
rsa_cert_file => '/etc/ssl/private/vsftpd.pem',
rsa_private_key_file => '/etc/ssl/private/vsftpd.pem',
ca_certs_file => '/etc/ssl/private/ca.pem',
ssl_enable => true,
allow_anon_ssl => true,
force_local_data_ssl => true,
force_local_logins_ssl => true,
ssl_tlsv1 => true,
ssl_sslv2 => false,
ssl_sslv3 => false,
require_ssl_reuse => true,
ssl_ciphers => 'HIGH',
Changelog
8.0.1
- drop support for outdated Debian 7 and add Debian 10 instead
8.0.0
- reworked module to use puppet booleans instead of 'YES'/'NO'
- a lot of rspec tests added
  - tests if every parameter is written correctly into the configuration
  - tests for umasks
  - tests for parameters which depend on another
  - basic tests for all supported operating systems
  - test if the catalog compiling fails for an unsupported operating system
- umasks in the configuration file are now checked for validity
- allowed/denied ftp commands are now checked for valid FTP commands and are now an array
- deny_file/hide_file is now an array
- configuration file cleanup and generalizing
- more additional parameters can be used and overridden:
  - manage_service - control if the service should be running and enabled
  - package_name - the package name
  - config_path - the config file path
  - service_name - the service name
  - template - the erb template used to render the configuration file
- added support for Suse based operating systems
- Added support for the following/all remaining configuration parameters
Boolean parameters
async_abor_enable
allow_root_squashed_chroot
background
check_shell
chmod_enable
debug_ssl
deny_email_enable
dirlist_enable
force_dot_files
force_anon_data_ssl
force_anon_logins_ssl
implicit_ssl
lock_upload_files
log_ftp_protocol
ls_recurse_enable
mdtm_write
no_anon_password
no_log_lock
one_process_model
passwd_chroot_enable
pasv_addr_resolve
pasv_promiscuous
port_enable
port_promiscuous
require_cert
run_as_launching_user
secure_email_list_enable
session_support
setproctitle_enable
ssl_request_cert
strict_ssl_read_eof
strict_ssl_write_shutdown
text_userdb_names
tilde_user_enable
use_sendfile
validate_cert
virtual_use_local_privs
Numeric/Integer parameters
anon_max_rate
accept_timeout
address_space_limit
chown_upload_mode
data_connect_timeout
delay_failed_login
delay_successful_login
max_login_fails
trans_chunk_size
idle_session_timeout
data_connection_timeout
String parameters
banned_email_file
ca_certs_file
dsa_cert_file
dsa_private_key_file
email_password_file
listen_address
listen_address6
local_root
message_file
user_sub_token
vsftpd_log_file
nopriv_user
xferlog_file
7.0.3
- fixed breaking syntax mistake anon_root in config template (thanks pingram3030)
7.0.2
- made module compatible with PDK
7.0.1
- configuration changes now restart the vsftpd daemon if it's a RedHat based system
- changed project name, urls, etc. (upstream doesn't care about contributions)
7.0.0
- moved comments for configuration parameter into the if block of the config template
- Added support for the following configuration parameters
anon_mkdir_write_enable
anon_other_write_enable
download_enable
chroot_list_enable
file_open_mode
ftp_data_port
listen_port
anon_umask
anon_root
ftpd_banner
banner_file
max_clients
max_per_ip
ftp_username
guest_enable
guest_username
anon_world_readable_only
ascii_download_enable
ascii_upload_enable
chown_uploads
chown_username
chroot_list_file
secure_chroot_dir
user_config_dir
userlist_deny
userlist_enable
userlist_file
delete_failed_uploads
cmds_allowed
cmds_denied
deny_file
hide_file
syslog_enable
dual_log_enable
hide_ids
use_localtime
local_max_rate
Copyright 2018 Aneesh C
Copyright 2018-2020 Philipp Seiler

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.