The fileserver.conf file configures custom static mount points for Puppet’s file server. If custom mount points are present,
file resources can access them with their
fileserver.conf isn’t necessary — Puppet automatically serves files from the files directory of modules, and most users find this sufficient. (More info on serving files from modules is available here.)
However, some use cases make custom mount points more attractive: for example, large files that shouldn’t be checked into version control along with your Puppet modules, or sensitive credentials that likewise shouldn’t go into version control.
The fileserver.conf file is located at $confdir/fileserver.conf by default. Its location is configurable with the
The location of the confdir varies; it depends on the OS, Puppet distribution, and user account. See the confdir documentation for details.
    # Files in the /path/to/files directory will be served
    # at puppet:///extra_files/.
    [extra_files]
        path /etc/puppetlabs/puppet/extra_files
        allow *
This fileserver.conf file would create a new mount point named
The allow * directive would leave access control to the main auth.conf file.
The fileserver.conf file consists of a collection of mount-point stanzas, and looks like a hybrid of
auth.conf. Each stanza should consist of:
- [mount_point_name], surrounded by square brackets. This will become the name used in puppet:/// URLs for files in this mount point.
- A path directive, pointing to an absolute path on disk. This is where the mount point’s files are stored.
- deny directives. In this version of Puppet, we recommend using only an allow * directive in
deny directives in a mount point stanza can be used to control which nodes may access the files in it. However, this feature predates the auth.conf file used in this version of Puppet, and we recommend against using it. If possible, you should keep all authorization rules centralized in auth.conf. To do this, put a single allow * rule in each custom mount point.
auth.conf will allow all agent nodes with valid certificates to access files, and will block access for any client that doesn’t have a certificate. For most use cases, this is good enough. However, if you are serving sensitive credentials via custom mount points, you may wish to add more restrictive rules to auth.conf. To do this, add a rule to auth.conf for each mount point. These rules should begin with:
path ~ ^/file_(metadata|content)s?/NAME_OF_MOUNT_POINT/
You can then configure auth.conf restrictions as per normal.
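The stanza format and the single allow * recommendation above can be checked mechanically. The following Python sketch is an added example, not part of the Puppet documentation or Puppet's own code: it parses a fileserver.conf, flags mount points whose access rules are not a single allow *, and builds the opening line of the matching auth.conf rule. The sample configuration, the credentials mount and all function names are constructed for illustration.

```python
import re
# Constructed sample fileserver.conf, not taken from a real server.
SAMPLE = """\
[extra_files]
    path /etc/puppetlabs/puppet/extra_files
    allow *
[credentials]
    path /etc/puppetlabs/puppet/credentials
    allow *.example.com
    deny test.example.com
"""

def parse_fileserver_conf(text):
    """Return {mount_name: [(directive, value), ...]} per stanza."""
    mounts, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = mounts.setdefault(header.group(1), [])
            continue
        if current is None:
            raise ValueError(f"line {lineno}: directive outside a stanza")
        directive, *rest = line.split(None, 1)
        current.append((directive, rest[0] if rest else ""))
    return mounts

def audit(mounts):
    """Return {mount_name: [findings]}; an empty list means the stanza follows the advice."""
    report = {}
    for name, directives in mounts.items():
        findings = []
        paths = [v for d, v in directives if d == "path"]
        acl = [(d, v) for d, v in directives if d in ("allow", "deny")]
        if len(paths) != 1 or not paths[0].startswith("/"):
            findings.append("needs exactly one absolute path directive")
        if acl != [("allow", "*")]:
            findings.append("ACL is not a single 'allow *'; move rules to auth.conf")
        report[name] = findings
    return report

def auth_conf_path(name):
    """Opening line of the auth.conf rule for a mount, in the form given above."""
    # re.escape keeps an unusual mount name from changing the regex.
    return f"path ~ ^/file_(metadata|content)s?/{re.escape(name)}/"

if __name__ == "__main__":
    print(audit(parse_fileserver_conf(SAMPLE)), auth_conf_path("credentials"))
```

A mount point that is flagged here still needs its restrictions written into auth.conf by hand; the sketch only produces the path line that such a rule begins with.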
For more information on how the old deny directives in fileserver.conf work, see the file serving documentation.