Description 
A vsftpd Chef cookbook to install and configure a standard vsftpd installation.
Requirements
Platform:
- CentOS
- RHEL
- Debian
- Ubuntu
Cookbooks:
openssl >= 4.2.0
Attributes
| Attribute | Description | Default |
node['vsftpd']['enabled'] |
Enable and start vsftpd after installation | true |
node['vsftpd']['etcdir'] |
Where to store additional configuration files | /etc/vsftpd |
node['vsftpd']['allowed'] |
Array of local users that are allowd to connect via FTP | [ ] |
node['vsftpd']['chroot'] |
Array of users that will not be chroot'ed | [ ] |
node['vsftpd']['config'] |
Configuration array with key/value pairs. | See Manpage for details |
node['vsftpd']['ssl'][''] |
|
|
node['vsftpd']['ssl']['enabled'] |
Whether to turn on SSL and create and/or use key and cert files. | false |
node['vsftpd']['ssl']['tlsv1_enabled'] |
If SSL is used, whether to use TLS. | true when SSL is enabled |
node['vsftpd']['ssl']['sslv2_enabled'] |
If SSL is enabled, whether to use SSLv2 or not. | false |
node['vsftpd']['ssl']['sslv3_enabled'] |
If SSL is enabled, whether to use SSLv3 or not. | false |
node['vsftpd']['ssl']['allow_anon'] |
Whether or not anonymous users are allowed to use SSL. | true |
node['vsftpd']['ssl']['force_local_data'] |
If SSL is enabled and this is set to true, all non-anonymous users must use encrypted connections for sending data. | true |
node['vsftpd']['ssl']['force_local_logins'] |
If SSL is enabled and this is set to true, all non-anonymous users must use SSL to send password. | true |
node['vsftpd']['ssl']['cert']['public_cert_file'] |
The path to the public certificate file that will be created if it doesn't exist. | node['vsftpd']['etcdir'] + '/vsftpd.pem' |
node['vsftpd']['ssl']['key']['private_key_file'] |
The path to the private key file used to sign the cert. Will be created without a password if it does not exist. If it exists, it will be used to sign the public cert using the passphrase specified in node['vsftpd']['ssl']['pass'] attribute if set. | node['vsftpd']['etcdir'] + '/vsftpd.key' |
node['vsftpd']['ssl']['cert']['common_name'] |
Value for the `CN` certificate field. | 'www.example.com' |
node['vsftpd']['ssl']['cert']['org'] |
Value for the 'O' certificate field. | 'Example Company' |
node['vsftpd']['ssl']['cert']['org_unit'] |
Value for the 'OU' certificate field. | 'RND' |
node['vsftpd']['ssl']['cert']['country'] |
Value for the 'C' SSL field. | 'US' |
node['vsftpd']['ssl']['cert']['expire_days'] |
Value representing the number of days from now through which the issued certificate cert will remain valid. The certificate will expire after this period. Defaults to no expiration. | nil |
node['vsftpd']['ssl']['key']['length'] |
Length of private key in bits. | 4096 |
node['vsftpd']['ssl']['key']['user'] |
Owner of the public certificate and private key file if they are created by this cookbook. | 'root' |
node['vsftpd']['ssl']['key']['group'] |
Group owning the public certificate and private key file created by this cookbook. | 'root' |
node['vsftpd']['ssl']['key']['mode'] |
Security permissions (in *NIX chmod(1) format) for the public certificate and private key files. | 00400 |
node['vsftpd']['ssl']['key']['pass'] |
The password for an existing key file (if using your own). This is incredibly insecure. Consider using an encrypted data bag or chef-vault instead of this attribute. | nil |
Recipes
vsftpd::default
Installs/configures vsftpd, includes some sub-tasks via include_recipe.
Known Issue
When using Ubuntu 12.04 or Debian Wheezy you will have issues with
this cookbook and running chroot_local_users=YES in the configuration.
There are some workarounds to overcome this problem:
The basic gist of these articles:
- revoke write permissions on the users home
- setup a different chroot environment via
passwd_chroot_enable=YES - install a patched version of the vsftpd 2.x branch and set
allow_writeable_chroot=YESto ignore this error - use vsftpd 3.x and set
allow_writeable_chroot=YESto ignore this error
Testing
The cookbook comes with some testing facilities allowing you to iterate quickly on cookbook changes.
Rake
You can execute the tests with Rake. The Rakefile
provides the following tasks:
$ rake -T
rake chefspec # Run ChefSpec examples
rake foodcritic # Run Foodcritic lint checks
rake knife # Run knife cookbook test
rake rubocop # Run rubocop checks
rake test # Run all testsBundler
If you prefer to let Bundler install all required gems (you should), run the tests this way:
$ # I like to install them in a parent folder so all cookbooks can use it
$ bundle install --path=../vendor/bundle
$ bundle exec rake testBerkshelf
Berkshelf is used to set up the cookbook and its
dependencies (as defined in Berksfile) prior to testing with Rake and Vagrant.
Kitchen
This cookbook is using test-kitchen to create machines. You can review the boxes by using:
$ bundle exec kitchen listTo run the full kitchen suite included in this cookbook simply execute:
$ bundle exec kitchen testYou can also verify/converge/test any specific machine from the previous list output:
$ bundle exec kitchen verify <instance>License and Author
Author:: Sebastian Grewe (sebastian.grewe@gmail.com)
Copyright:: 2013, Sebastian Grewe
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.