Skip to content

TheSerapher/chef-vsftpd

Repository files navigation

Description Travis-CI

A vsftpd Chef cookbook to install and configure a standard vsftpd installation.

Requirements

Platform:

  • CentOS
  • RHEL
  • Debian
  • Ubuntu

Cookbooks:

openssl >= 4.2.0

Attributes

Attribute Description Default
node['vsftpd']['enabled'] Enable and start vsftpd after installation true
node['vsftpd']['etcdir'] Where to store additional configuration files /etc/vsftpd
node['vsftpd']['allowed'] Array of local users that are allowd to connect via FTP [ ]
node['vsftpd']['chroot'] Array of users that will not be chroot'ed [ ]
node['vsftpd']['config'] Configuration array with key/value pairs. See Manpage for details
SSL
node['vsftpd']['ssl']['']
node['vsftpd']['ssl']['enabled'] Whether to turn on SSL and create and/or use key and cert files. false
node['vsftpd']['ssl']['tlsv1_enabled'] If SSL is used, whether to use TLS. true when SSL is enabled
node['vsftpd']['ssl']['sslv2_enabled'] If SSL is enabled, whether to use SSLv2 or not. false
node['vsftpd']['ssl']['sslv3_enabled'] If SSL is enabled, whether to use SSLv3 or not. false
node['vsftpd']['ssl']['allow_anon'] Whether or not anonymous users are allowed to use SSL. true
node['vsftpd']['ssl']['force_local_data'] If SSL is enabled and this is set to true, all non-anonymous users must use encrypted connections for sending data. true
node['vsftpd']['ssl']['force_local_logins'] If SSL is enabled and this is set to true, all non-anonymous users must use SSL to send password. true
node['vsftpd']['ssl']['cert']['public_cert_file'] The path to the public certificate file that will be created if it doesn't exist. node['vsftpd']['etcdir'] + '/vsftpd.pem'
node['vsftpd']['ssl']['key']['private_key_file'] The path to the private key file used to sign the cert. Will be created without a password if it does not exist. If it exists, it will be used to sign the public cert using the passphrase specified in node['vsftpd']['ssl']['pass'] attribute if set. node['vsftpd']['etcdir'] + '/vsftpd.key'
node['vsftpd']['ssl']['cert']['common_name'] Value for the `CN` certificate field. 'www.example.com'
node['vsftpd']['ssl']['cert']['org'] Value for the 'O' certificate field. 'Example Company'
node['vsftpd']['ssl']['cert']['org_unit'] Value for the 'OU' certificate field. 'RND'
node['vsftpd']['ssl']['cert']['country'] Value for the 'C' SSL field. 'US'
node['vsftpd']['ssl']['cert']['expire_days'] Value representing the number of days from now through which the issued certificate cert will remain valid. The certificate will expire after this period. Defaults to no expiration. nil
node['vsftpd']['ssl']['key']['length'] Length of private key in bits. 4096
node['vsftpd']['ssl']['key']['user'] Owner of the public certificate and private key file if they are created by this cookbook. 'root'
node['vsftpd']['ssl']['key']['group'] Group owning the public certificate and private key file created by this cookbook. 'root'
node['vsftpd']['ssl']['key']['mode'] Security permissions (in *NIX chmod(1) format) for the public certificate and private key files. 00400
node['vsftpd']['ssl']['key']['pass'] The password for an existing key file (if using your own). This is incredibly insecure. Consider using an encrypted data bag or chef-vault instead of this attribute. nil

Recipes

vsftpd::default

Installs/configures vsftpd, includes some sub-tasks via include_recipe.

Known Issue

When using Ubuntu 12.04 or Debian Wheezy you will have issues with this cookbook and running chroot_local_users=YES in the configuration.

There are some workarounds to overcome this problem:

The basic gist of these articles:

  • revoke write permissions on the users home
  • setup a different chroot environment via passwd_chroot_enable=YES
  • install a patched version of the vsftpd 2.x branch and set allow_writeable_chroot=YES to ignore this error
  • use vsftpd 3.x and set allow_writeable_chroot=YES to ignore this error

Testing

The cookbook comes with some testing facilities allowing you to iterate quickly on cookbook changes.

Rake

You can execute the tests with Rake. The Rakefile provides the following tasks:

$ rake -T
rake chefspec    # Run ChefSpec examples
rake foodcritic  # Run Foodcritic lint checks
rake knife       # Run knife cookbook test
rake rubocop     # Run rubocop checks
rake test        # Run all tests

Bundler

If you prefer to let Bundler install all required gems (you should), run the tests this way:

$ # I like to install them in a parent folder so all cookbooks can use it
$ bundle install --path=../vendor/bundle
$ bundle exec rake test

Berkshelf

Berkshelf is used to set up the cookbook and its dependencies (as defined in Berksfile) prior to testing with Rake and Vagrant.

Kitchen

This cookbook is using test-kitchen to create machines. You can review the boxes by using:

$ bundle exec kitchen list

To run the full kitchen suite included in this cookbook simply execute:

$ bundle exec kitchen test

You can also verify/converge/test any specific machine from the previous list output:

$ bundle exec kitchen verify <instance>

License and Author

Author:: Sebastian Grewe (sebastian.grewe@gmail.com)

Copyright:: 2013, Sebastian Grewe

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.