# Configure a remctl server.
#
# The client installation is handled separately.
# Server-side package; the /etc/services edit further down declares a
# require on this resource.
package { 'remctl-server':
  ensure => installed,
}
# Install the xinetd configuration. Force a PATH setting since remctld
# scripts may be assuming they have a sane PATH but xinetd may not have
# any PATH set.
base::xinetd::config { 'remctl':
  description => 'Remote authenticated command server',
  server      => '/usr/sbin/remctld',
  # Connection-rate limit. In xinetd's own cps syntax '100 5' means at most
  # 100 connections per second, then a 5 second pause of the service.
  # Presumably the define passes the value through unchanged (confirm).
  cps         => '100 5',
  # Fixed search path for whatever remctld runs: absolute system
  # directories only, no relative entries.
  env         => 'PATH=/sbin:/bin:/usr/sbin:/usr/bin',
  # NOTE(review): no port is given here, so the listening port presumably
  # comes from the 'remctl' entry in /etc/services. Confirm in
  # base::xinetd::config.
}
# Switch RH boxes to 4373
# TODO: remove this after the migration is complete and all systems are
# on a modern enough branch to have picked up the change.
if $::operatingsystem == 'redhat' {
  # Puppet compares strings with == case-insensitively, so the lower-case
  # literal also matches a 'RedHat' fact value. Other Red Hat family values
  # of this fact would not match; confirm that is intended.
  base::filter { '/etc/services':
    # The pattern is unanchored and [ \t]* also accepts zero separators, so
    # it matches 'remctl...4444/tcp' anywhere in a line.
    # NOTE(review): how the pattern is interpreted depends on base::filter,
    # which is not shown here.
    regex   => 'remctl[ \t]*4444/tcp',
    value   => 'remctl 4373/tcp',
    # Edit only once the package is installed, and signal xinetd when the
    # services entry changes.
    require => Package['remctl-server'],
    notify  => Service['xinetd'],
  }
}
# Our default iptables rules for remctl opens connections to all of
# Stanford. Allow the legacy port as well for the time being, although
# we've mostly switched away from it now.
base::iptables::rule { 'remctl':
  description => 'Allow remctl connections from all Stanford subnets',
  protocol    => 'tcp',
  # NOTE(review): only 4373 is opened here, although the comment above this
  # resource speaks of allowing the legacy port as well. Confirm which of
  # the two is current and update the other.
  port        => 4373,
  # The allow-list mixes the three RFC 1918 private ranges (10/8,
  # 172.16/12, 192.168/16) with public blocks. This rule limits only who
  # can reach the port; nothing in this manifest configures which callers
  # may run which commands.
  source      => [
    '10.0.0.0/8',
    '68.65.160.0/20',
    '128.12.0.0/16',
    '134.79.0.0/16',
    '171.64.0.0/14',
    '172.16.0.0/12',
    '192.168.0.0/16',
    '204.63.224.0/21'
  ],
}
# Ignore standard remctl log messages. This doesn't ignore any of the
# remctl commands, just messages from starting or stopping the generic
# daemon and messages caused by port scans or common client errors.
file { '/etc/filter-syslog/remctl':
  # This file decides which remctl syslog lines are dropped from log review,
  # so a change to it can hide messages.
  # NOTE(review): no owner, group or mode is set on this resource.
  # Presumably a File default elsewhere supplies them; confirm the installed
  # file is writable by root only.
  source => 'puppet:///modules/base/remctl/etc/filter-syslog/remctl',
}