Nfsv4 configuration

From Linux NFS

(Difference between revisions)
(Base configuration)
Line 10: Line 10:
The following steps need only be done once. It maybe skiped most recent distribution.
The following steps need only be done once. It maybe skiped most recent distribution.
-
#Add the following lines to /etc/fstab to mount the rpc_pipefs and nfsd filesystems automatically:
+
Add the following lines to /etc/fstab to mount the rpc_pipefs and nfsd filesystems automatically:
  rpc_pipefs /var/lib/nfs/rpc_pipefs rpc_pipefs defaults 0 0
  rpc_pipefs /var/lib/nfs/rpc_pipefs rpc_pipefs defaults 0 0
  nfsd /proc/fs/nfsd nfsd defaults 0 0
  nfsd /proc/fs/nfsd nfsd defaults 0 0
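Review bot: the sentence carried unchanged on both sides of this hunk, "It maybe skiped most recent distribution.", still has two typos and a missing preposition; since the edit touches the very next line, fix it in the same revision ("They may be skipped on most recent distributions."). Dropping the leading "#" from "Add the following lines to /etc/fstab ..." also turns a numbered step into a plain paragraph, so check that the later steps no longer depend on the numbering.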
Line 20: Line 20:
*mount nfsd
*mount nfsd
-
#Modify the fstab line for filesystem you plan to export on the server to add the "acl" option to the mount options.
+
Modify the fstab line for filesystem you plan to export on the server to add the "acl" option to the mount options.
-
#Create a directory to export on the server:
+
Create a directory to export on the server:
*mkdir /export
*mkdir /export
*chmod a+rwxt /export
*chmod a+rwxt /export
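Review bot: in "Modify the fstab line for filesystem you plan to export ...", now a standalone paragraph after the "#" removal, the article is missing ("for the filesystem") and there is no sample fstab line showing where the "acl" option goes; adding one would make the step actionable. The "*mkdir /export" and "*chmod a+rwxt /export" items under "Create a directory to export on the server:" keep their "*" list markers while the steps around them lose "#", so confirm the mixed markup still renders as intended.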
Line 28: Line 28:
The following steps need to be performed on every boot; this should really be done by init scripts. The necessary init scripts already exist in recent Fedora distributions. See also debian/nfs-common.init and debian/nfs-kernel-server.init in the patched nfs-utils tarball for example init scripts.
The following steps need to be performed on every boot; this should really be done by init scripts. The necessary init scripts already exist in recent Fedora distributions. See also debian/nfs-common.init and debian/nfs-kernel-server.init in the patched nfs-utils tarball for example init scripts.
-
#On your server, run rpc.mountd, rpc.svcgssd, rpc.idmapd, and rpc.nfsd:
+
On your server, run rpc.mountd, rpc.svcgssd, rpc.idmapd, and rpc.nfsd:
  rpc.mountd
  rpc.mountd
Line 38: Line 38:
  rpc.gssd -m
  rpc.gssd -m
  rpc.idmapd
  rpc.idmapd
-
 
== Exporting directories ==
== Exporting directories ==

Revision as of 15:30, 16 June 2005

from CITI documentation.

NFSv4 Configuration

Base configuration

This section may be skipped on most recent distributions. If so, go here

You should have already built and installed the kernel and user utilities and set up krb5.

The following steps need only be done once. They may be skipped on most recent distributions.

Add the following lines to /etc/fstab to mount the rpc_pipefs and nfsd filesystems automatically:

rpc_pipefs	/var/lib/nfs/rpc_pipefs	rpc_pipefs	defaults	0	0
nfsd	/proc/fs/nfsd	nfsd	defaults	0	0

and create the mountpoint for rpc_pipefs, and mount both filesystems:

  • mkdir /var/lib/nfs/rpc_pipefs
  • mount rpc_pipefs
  • mount nfsd

Modify the fstab line for the filesystem you plan to export on the server to add the "acl" option to the mount options.

Create a directory to export on the server:

  • mkdir /export
  • chmod a+rwxt /export

The following steps need to be performed on every boot; this should really be done by init scripts. The necessary init scripts already exist in recent Fedora distributions. See also debian/nfs-common.init and debian/nfs-kernel-server.init in the patched nfs-utils tarball for example init scripts.

On your server, run rpc.mountd, rpc.svcgssd, rpc.idmapd, and rpc.nfsd:

rpc.mountd
rpc.idmapd
rpc.svcgssd
rpc.nfsd 8

On the client, run rpc.gssd and rpc.idmapd:

rpc.gssd -m
rpc.idmapd

Exporting directories

Export your server directory (in this case, to anyone, using any authentication flavor) by adding the following lines to /etc/exports:

/export  *(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5p(rw,fsid=0,insecure,no_subtree_check)

and then running

exportfs -r

(Note that if your server is connected to the internet the first line will give everyone in the world read and write access to /export and (with a little work) to anything on the same disk partition as /export! See the exports man page for more information.)
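The risk described in the note above can be checked mechanically. The following is an added example, not part of the original documentation: a shell function that flags exports(5) entries granting read-write access to every host without a gss/ flavor. It goes slightly beyond the page by also catching the stray-space form "host (rw)"; the function names, finding label and sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): flag exports(5) entries that
# grant read-write access to every host without a gss/ security flavor.

audit_exports() {   # reads exports(5) text from files given as args, or stdin
    awk '
    /^[ \t]*(#|$)/ { next }                    # skip comments and blank lines
    {
        for (i = 2; i <= NF; i++) {            # $1 is the path, the rest are clients
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            rw = 0
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) if (o[j] == "rw") rw = 1
            # "*" matches every host; an empty client ("host (rw)" with a stray
            # space) applies the options to every host as well.
            world = (client == "*" || client == "")
            if (world && rw) {
                if (client == "") client = "(none)"
                print "WORLD_RW " $1 " client=" client
            }
        }
    }' "$@"
}

sample_exports() {  # constructed sample: lines from the page plus two extra cases
    cat <<'EOF'
# /etc/exports
/export  *(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5p(rw,fsid=0,insecure,no_subtree_check)
/srv/data 192.0.2.0/24(rw,no_subtree_check) *(ro)
/srv/tmp backup1 (rw)
EOF
}

sample_exports | audit_exports
```

Run it against the live file with `audit_exports /etc/exports` before `exportfs -r`; entries exported only to gss/krb5, gss/krb5i or gss/krb5p produce no finding.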

To access this export from a client:

Create a mountpoint on your client:

mkdir /mnt/nfs4/

and mount the server:

mount -t nfs4 yourserver:/ /mnt/nfs4/

or, to mount with Kerberos,

mount -t nfs4 -o sec=krb5 yourserver:/ /mnt/nfs4/

Play around with the mounted filesystem:

cd /mnt/nfs4/
echo "Hello World!" >FOO
cat FOO
getfacl FOO

etc.

Exporting and mounting can be automated using /etc/fstab and /etc/exports; see the man pages fstab(5) and exports(5). Note that exports behave quite differently under v4 and v3, so some additional explanation may be called for:

NFSv4 exports on Linux

NFSv4 no longer has a separate "mount" protocol. Instead of exporting a number of distinct exports, an NFSv4 client sees the NFSv4 server's exports as existing inside a single filesystem, called the NFSv4 "pseudofilesystem".

On the current Linux implementation, the pseudofilesystem is a single real filesystem, identified at export with the fsid=0 option.

In the example above, we exported only a single filesystem, which the client mounted as "/". You can provide clients with multiple filesystems to mount, producing NFSv3-like behavior, by creative use of mount --bind. For example, you could export /usr/local/bin to clients as /bin and /usr/local/etc as /etc as follows:

mkdir /export
mkdir /export/bin
mkdir /export/etc
mount --bind /usr/local/bin /export/bin
mount --bind /usr/local/etc /export/etc
exportfs -ofsid=0,insecure,no_subtree_check *:/export
exportfs -orw,nohide,insecure,no_subtree_check *:/export/bin
exportfs -orw,nohide,insecure,no_subtree_check *:/export/etc

Note that the paths returned by the "showmount" program are meaningful only to clients using NFS versions 2 and 3; in the above example, "showmount" will list the paths /export, /export/bin/, and /export/etc, but NFSv4 clients should mount yourserver:/, yourserver:/bin, or yourserver:/etc.

Mounting and exporting krb5

To mount a filesystem using krb5, provide the "-osec=krb5" option to mount. To export a filesystem using krb5, export it to the special client named "gss/krb5". Replace "krb5" by "krb5i" or "krb5p" for integrity or for privacy, respectively. The -osec= options should also work for NFSv3 exports and mounts.
