Nfsv4 configuration
From Linux NFS
(→Exporting directories) |
(→Exporting directories) |
||
Line 74: | Line 74: | ||
getfacl FOO | getfacl FOO | ||
- | etc. | + | etc. |
- | + | To mount a filesystem using krb5, provide the "-osec=krb5" option to mount. To export a filesystem using krb5, export it to the special client named "gss/krb5". Replace "krb5" by "krb5i" or "krb5p" for integrity or for privacy, respectively. The -osec= options should also work for NFSv3 exports and mounts. | |
- | + | ||
- | + | Exporting and mounting can be automated using /etc/fstab and /etc/exports; see the man pages fstab(5) and exports(5). | |
- | + | Tecnical note: NFSv4 no longer has a separate "mount" protocol. Instead of exporting a number of distinct exports, an NFSv4 client sees the NFSv4 server's exports as existing inside a single filesystem, called the nfsv4 "pseudofilesystem". | |
- | + | The linux implementation allows you to designate a real filesystem as the pseudofilesystem, identifying that export with the fsid=0 option; we no longer recommend this. Instead, on any recent linux distribution, just list exports in /etc/exports exactly as you would for NFSv2 or NFSv3. |
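Review bot: the last added paragraph says that designating a pseudofilesystem with fsid=0 is no longer recommended, but the /etc/exports example in the "Exporting directories" section of this same revision still sets fsid=0 on all three /export lines, so the page contradicts itself. Either drop fsid=0 from that example or say explicitly that it shows the older method. In the added "Tecnical note" paragraph, "Tecnical" should be "Technical", and "linux" should be capitalised as "Linux" in the final paragraph.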
Revision as of 22:43, 24 July 2011
from CITI documentation.
NFSv4 configuration
Base configuration
This section may be skipped on most recent distributions. If so, go here
You should have already built and installed the kernel and user utilities and set up krb5.
The following steps need only be done once. They may be skipped on most recent distributions.
Add the following lines to /etc/fstab to mount the rpc_pipefs and nfsd filesystems automatically:
rpc_pipefs /var/lib/nfs/rpc_pipefs rpc_pipefs defaults 0 0
nfsd /proc/fs/nfsd nfsd defaults 0 0
and create the mountpoint for rpc_pipefs, and mount both filesystems:
- mkdir /var/lib/nfs/rpc_pipefs
- mount rpc_pipefs
- mount nfsd
Modify the fstab line for the filesystem you plan to export on the server, adding the "acl" option to its mount options.
Create a directory to export on the server:
- mkdir /export
- chmod a+rwxt /export
The following steps need to be performed on every boot; this should really be done by init scripts. The necessary init scripts already exist in recent Fedora distributions. See also debian/nfs-common.init and debian/nfs-kernel-server.init in the patched nfs-utils tarball for example init scripts.
On your server, run rpc.mountd, rpc.svcgssd, rpc.idmapd, and rpc.nfsd:
rpc.mountd
rpc.idmapd
rpc.svcgssd -> this is obsolete as of nfs-utils version 1.0.8-1
rpc.nfsd 8
On the client, run rpc.gssd and rpc.idmapd:
rpc.gssd -m
rpc.idmapd
Exporting directories
Export your server directory (in this case, to anyone, using any authentication flavor), by adding the following lines to /etc/exports:
/export gss/krb5(rw,fsid=0,insecure,no_subtree_check)
/export gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
/export gss/krb5p(rw,fsid=0,insecure,no_subtree_check)
and then running
exportfs -r
(Note that if your server is connected to the internet the first line will give everyone in the world read and write access to /export and (with a little work) to anything on the same disk partition as /export! See the exports man page for more information.)
To access this export from a client:
Create a mountpoint on your client:
mkdir /mnt/nfs4/
and mount the server:
mount -t nfs4 yourserver:/export /mnt/nfs4/
or, to mount with kerberos,
mount -t nfs4 -o sec=krb5 yourserver:/export /mnt/nfs4/
Play around with the mounted filesystem:
cd /mnt/nfs4/
echo "Hello World!" >FOO
cat FOO
getfacl FOO
etc.
To mount a filesystem using krb5, provide the "-osec=krb5" option to mount. To export a filesystem using krb5, export it to the special client named "gss/krb5". Replace "krb5" by "krb5i" or "krb5p" for integrity or for privacy, respectively. The -osec= options should also work for NFSv3 exports and mounts.
Exporting and mounting can be automated using /etc/fstab and /etc/exports; see the man pages fstab(5) and exports(5).
Technical note: NFSv4 no longer has a separate "mount" protocol. Instead of exporting a number of distinct exports, an NFSv4 client sees the NFSv4 server's exports as existing inside a single filesystem, called the NFSv4 "pseudofilesystem".
The Linux implementation allows you to designate a real filesystem as the pseudofilesystem, identifying that export with the fsid=0 option; we no longer recommend this. Instead, on any recent Linux distribution, just list exports in /etc/exports exactly as you would for NFSv2 or NFSv3.
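An added example, not part of the original wiki page or of nfs-utils: a small shell/awk audit of an exports file for the points raised above (an export reachable without Kerberos, krb5 without integrity or privacy, the insecure option, and fsid=0). The function names, the finding labels and every sample line except the first are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the wiki page: audit an exports(5) file.
# Prints "<path> <client> <FINDING>" per issue, nothing when clean.
# Assumption: one export per line, no backslash continuations.
audit_exports() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
    {
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {                    # split "client(opt,opt,...)"
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            if (client == "") client = "*"  # bare "(opts)" matches any host
            flav = "sys"                    # flavor used when none is given
            if (client ~ /^gss\//) flav = substr(client, 5)
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] ~ /^sec=/)     flav = substr(o[j], 5)
                if (o[j] == "fsid=0")   print $1, client, "FSID0_PSEUDOROOT"
                if (o[j] == "insecure") print $1, client, "UNPRIVILEGED_PORTS"
            }
            s = ":" flav ":"                # colon-separated flavor list
            if (s !~ /:krb5[ip]?:/ || s ~ /:sys:/)
                print $1, client, (client == "*" ? "WORLD_AUTH_SYS" : "AUTH_SYS_ALLOWED")
            else if (s ~ /:krb5:/)
                print $1, client, "KRB5_NO_INTEGRITY"
        }
    }' "$1"
}

# Constructed sample: line 1 is the page example, the rest are made up.
sample_exports() {
    cat <<'EOF'
/export gss/krb5(rw,fsid=0,insecure,no_subtree_check)
/srv/pub *(rw,no_subtree_check)
/srv/home gss/krb5p(rw,no_subtree_check)
/srv/data 192.0.2.0/24(rw,sec=krb5i:sys)
EOF
}

# Stand-alone use: audit the file given as $1, if any.
if [ -n "${1:-}" ]; then audit_exports "$1"; fi
```

Run it as `sh audit.sh /etc/exports`; an export that draws no finding, such as the krb5p line in the sample, produces no output.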