FedFsNfsDomainRoot0.9

From Linux NFS

(Difference between revisions)
(Backwards compatibility)
(Explicit sec= setting on domain root is required due to mountd bug)
 
Line 53: Line 53:
Now make the domain root export and its subdirectories visible to clients by editing the server's /etc/exports file.  Add the following line to /etc/exports:
Now make the domain root export and its subdirectories visible to clients by editing the server's /etc/exports file.  Add the following line to /etc/exports:
-
   /.domainroot    *(ro,insecure)
+
   /.domainroot    *(ro,sec=sys,insecure)
NFS clients should not be allowed to write these directories, particularly because there is no mechanism in the NFS protocol that can create a junction.  Junctions must be created locally on the NFS server.  Of course, you can restrict access to it or add other export options here as needed.
NFS clients should not be allowed to write these directories, particularly because there is no mechanism in the NFS protocol that can create a junction.  Junctions must be created locally on the NFS server.  Of course, you can restrict access to it or add other export options here as needed.
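Review bot: the added `sec=sys` on the `/.domainroot` export line is explained only in the edit summary ("required due to mountd bug"); the paragraph that follows the line still discusses only write access. Suggest adding a sentence there stating that the security flavor must be set explicitly on the domain root export and why, so that an administrator adapting the line under "add other export options here as needed" does not drop `sec=` again. It would also help to say whether other flavors may be listed alongside `sys`, since the line now reads as if `sec=sys` were the only acceptable value.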

Latest revision as of 16:42, 21 March 2013


Project: fedfs-utils



Introduction

A FedFS domain root directory is the top-level directory of a FedFS domain. It is what is visible when a FedFS-enabled client mounts the top of a FedFS domain namespace. Typically a FedFS-enabled NFS client mounts the directory at /nfs4/fedfs-domain-name.

A FedFS domain root usually contains nothing but junctions that refer clients to file servers that hold more interesting content, like user directories. The domain root is simply a starting point for accessing the rest of a domain's name space.

This article describes an easy way to set up a FedFS domain root on a Linux NFS server.

Select one or more NFS servers to host the domain root export

The domain root directory typically sees little traffic, particularly since an individual domain root directory contains little data. However, clients depend on the domain root directory being available to access all other files in a FedFS domain. A server with high availability is recommended for this role.

The NFS server you choose for this role can host the domain root directory for more than one FedFS domain. It can export other filesystems as well.

Several servers can play host to the same domain root export, as long as there is a mechanism for keeping the content of the domain root export precisely in sync across all the NFS servers (for example, try rsync with the --xattrs option to sync junctions). The DNS SRV format which is used by clients to find FedFS domain root directories can list one or more servers as a FedFS domain's root directory server.

Once you have chosen an NFS server, set it up as a FedFS-enabled NFS server.

Create the domain root export and directories

FedFS-enabled clients use a well-known export pathname when contacting the NFS server that exports a FedFS domain root. That pathname is /.domainroot/fedfs-domain-name.

The easiest method for creating a domain root export is to create a directory called "/.domainroot" readable by everyone. Log into the NFS server that will host the domain root export and use the following commands:

 $ sudo mkdir /.domainroot
 $ sudo chmod 755 /.domainroot

While this directory does not typically contain much data, it is slightly more secure to create a new local file system on the NFS server and mount it on /.domainroot. This is entirely optional, however.

FedFS domain root directories are created under this directory. For example, if you want to create the domain root directory for the "example.net" FedFS domain, use the following commands:

 $ sudo mkdir -p /.domainroot/example.net
 $ sudo chmod 755 /.domainroot/example.net

You can create more than one domain root directory here.

Read about how to add content to your FedFS domain root directory in "Setting up junction resolution support on your Linux NFS Server" and "Managing junctions with the nfsref command".

Export the domain root directory

Now make the domain root export and its subdirectories visible to clients by editing the server's /etc/exports file. Add the following line to /etc/exports:

 /.domainroot    *(ro,sec=sys,insecure)

NFS clients should not be allowed to write to these directories, particularly because there is no mechanism in the NFS protocol that can create a junction. Junctions must be created locally on the NFS server. Of course, you can restrict access to the export or add other export options here as needed.

With mountd from nfs-utils 1.2.7 or later, junctions below this export automatically inherit the export options set for /.domainroot. Have a look at exports(8) for an explanation of what these export options mean.

If there is already an NFS service running on this host, update the kernel exports list with the following command:

 $ sudo exportfs -rv

Otherwise, if there is no NFS service running, start one:

 $ sudo systemctl enable nfs-server.service
 $ sudo systemctl start nfs-server.service
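A check that can be run before reloading the exports, written as an added example (it is not part of the original article or of fedfs-utils). It reports a /.domainroot entry that is writable or that lacks the explicit sec= option this section calls for; the function name, messages and exit codes are assumptions of the example.

```shell
#!/bin/sh
# Added example: audit the /.domainroot entry of an exports(5) file.
# Assumes each client field carries its own option list, as on this page;
# default-option fields ("-opts") and backslash continuations are not handled.
# Exit status: 0 = clean, 1 = a finding, 2 = no /.domainroot entry.
check_domainroot_export() {
    awk '
    $1 == "/.domainroot" {
        found = 1
        if (NF < 2) { print "FAIL: entry has no client list"; bad = 1 }
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^#/) break              # trailing comment
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            rw = 0; sec = 0
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "rw") rw = 1      # junctions are created locally
                if (o[j] ~ /^sec=/) sec = 1   # explicit flavor list present
            }
            if (rw)   { print "FAIL " client ": export is writable (rw)"; bad = 1 }
            if (!sec) { print "FAIL " client ": no explicit sec= option"; bad = 1 }
        }
    }
    END {
        if (!found) { print "FAIL: no /.domainroot entry"; exit 2 }
        exit (bad ? 1 : 0)
    }' "$1"
}

# Constructed sample: the pre-change line shown in the revision diff.
sample=$(mktemp)
printf '%s\n' '/.domainroot    *(ro,insecure)' > "$sample"
check_domainroot_export "$sample" || echo "exit status: $?"
rm -f "$sample"
```

On a server, call `check_domainroot_export /etc/exports` and run `exportfs -rv` only when it returns 0.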

Backwards compatibility

The standard export path for FedFS domain root directories is specified in RFC 6641. Preliminary versions of this document specified a different and incompatible export path for domain root directories. If your domain must support legacy FedFS clients (for example, clients still using fedfs-utils-0.8), you may want to provide both types of domain root directories.

See Setting up a FedFS domain root server in the fedfs-utils-0.8 Installation Guide for more details.
