Alpine Linux - User contributions [en]

Setting up an NFS server

2024-07-05T20:48:49Z

Tmrlvi: idmapd is replaced by nfsidmap

= Installation =
Install package:
{{Cmd|apk add nfs-utils}}

= Make it autostart =
Export dirs in /etc/exports, then
{{Cmd|rc-update add nfs}}

If you need just to mount nfs share from fstab file at booting of the system

{{Cmd|rc-update add nfsmount}}

or
{{Cmd|rc-update add netmount}}

You can check your boot services:
{{Cmd|rc-status}}

= Start it up now =
{{Cmd|rc-service nfs start}}

or if you need to mount nfs share from fstab file now
{{Cmd|rc-service nfsmount start}}

or

{{Cmd|rc-service netmount start}}

= Adding Kerberos Authentication =

By default, NFS security only validates the IP of the client. You can add user level authentication with a Kerberos installation ([https://pkgs.alpinelinux.org/package/edge/main/armhf/krb5 MIT KRB5] or [https://pkgs.alpinelinux.org/package/edge/main/x86/heimdal Heimdal]). It is recommended to have the same Kerberos flavor across the network as both implementations are not completely mutually compatible.

== Server Configuration ==

Assuming you setup Kerberos in the in the network, create ticket to your NFS machine (examples are in MIT KRB5 syntax):

{{Cmd| kadmin: addprinc -randkey nfs/nfs1.example.com@EXAMPLE.COM}}

And add it to the machines krb5.keytab file:
{{Cmd| kadmin: ktadd nfs/nfs1.example.com@EXAMPLE.COM}}

Then, edit your /etc/exports, and add sec=krb5 (only authentication), sec=krb5i (also hmac signing) or sec=krb5p (also encryption). For example:
<pre>
/data 10.10.10.0/24(rw,nohide,no_subtree_check,sec=krb5p,no_root_squash)
</pre>
After editing /etc/exports, reload your setting
{{Cmd|exports -afv}}

User id mapping is managed by nfsidmap.

== Client Configuration ==

In order for the client to connect to NFS via kerberos, enable and start rpc.gssd.
{{Cmd|rc-update add rpc.gssd
rc-service rpc.gssd start}}

[[Category:Server]]

Setting up an NFS server

2024-07-05T19:16:13Z

Tmrlvi: Added export information

= Installation =
Install package:
{{Cmd|apk add nfs-utils}}

= Make it autostart =
Export dirs in /etc/exports, then
{{Cmd|rc-update add nfs}}

If you need just to mount nfs share from fstab file at booting of the system

{{Cmd|rc-update add nfsmount}}

or
{{Cmd|rc-update add netmount}}

You can check your boot services:
{{Cmd|rc-status}}

= Start it up now =
{{Cmd|rc-service nfs start}}

or if you need to mount nfs share from fstab file now
{{Cmd|rc-service nfsmount start}}

or

{{Cmd|rc-service netmount start}}

= Adding Kerberos Authentication =

By default, NFS security only validates the IP of the client. You can add user level authentication with a Kerberos installation ([https://pkgs.alpinelinux.org/package/edge/main/armhf/krb5 MIT KRB5] or [https://pkgs.alpinelinux.org/package/edge/main/x86/heimdal Heimdal]). It is recommended to have the same Kerberos flavor across the network as both implementations are not completely mutually compatible.

== Server Configuration ==

Assuming you setup Kerberos in the in the network, create ticket to your NFS machine (examples are in MIT KRB5 syntax):

{{Cmd| kadmin: addprinc -randkey nfs/nfs1.example.com@EXAMPLE.COM}}

And add it to the machines krb5.keytab file:
{{Cmd| kadmin: ktadd nfs/nfs1.example.com@EXAMPLE.COM}}

Then, edit your /etc/exports, and add sec=krb5 (only authentication), sec=krb5i (also hmac signing) or sec=krb5p (also encryption). For example:
<pre>
/data 10.10.10.0/24(rw,nohide,no_subtree_check,sec=krb5p,no_root_squash)
</pre>
After editing /etc/exports, reload your setting
{{Cmd|exports -afv}}

If you want to use Kerberos for the user permission on the filesystem, you should enable id mapping available in NFSv4 by editing the following line in /etc/conf.d/nfs:
<pre>
NFS_NEEDED_SERVICES="rpc.idmapd"
</pre>

By default, the domain user will be mapped directly to an existing local user (or nobody). To change this behavior, edit /etc/idmapd.conf and restart rpc.idmapd. Note that by default the realm it considers is the domain from the hostname, and the user is the username under that realm.

== Client Configuration ==

In order for the client to connect to NFS via kerberos, enable and start rpc.gssd.
{{Cmd|rc-update add rpc.gssd
rc-service rpc.gssd start}}

And for correct id mapping (when using NFSv4), enable and start the rpc.idmapd
{{Cmd|rc-update add rpc.idmapd
rc-service rpc.idmapd start}}

[[Category:Server]]

Talk:Setting up an NFS server

2024-07-05T19:12:27Z

Tmrlvi: Created page with "= NFSClient service = The [https://pkgs.alpinelinux.org/contents?branch=edge&name=nfs-utils-openrc&arch=aarch64&repo=main pacakge] that includes rpc.idmapd and rpc.gssd also contains a metaservice nfsclient. It starts rpc.idmapd but not rpc.gssd. I wonder if we should advice people to use this instead of starting rpc.idmapd directly. On the other hand, it does not seem to be mandatory for nfsmounts (I was able to mount without it)."

= NFSClient service =

The [https://pkgs.alpinelinux.org/contents?branch=edge&name=nfs-utils-openrc&arch=aarch64&repo=main pacakge] that includes rpc.idmapd and rpc.gssd also contains a metaservice nfsclient. It starts rpc.idmapd but not rpc.gssd.

I wonder if we should advice people to use this instead of starting rpc.idmapd directly. On the other hand, it does not seem to be mandatory for nfsmounts (I was able to mount without it).

Setting up an NFS server

2024-07-05T19:05:38Z

Tmrlvi: Added basic configuration for kerberos

= Installation =
Install package:
{{Cmd|apk add nfs-utils}}

= Make it autostart =
Export dirs in /etc/exports, then
{{Cmd|rc-update add nfs}}

If you need just to mount nfs share from fstab file at booting of the system

{{Cmd|rc-update add nfsmount}}

or
{{Cmd|rc-update add netmount}}

You can check your boot services:
{{Cmd|rc-status}}

= Start it up now =
{{Cmd|rc-service nfs start}}

or if you need to mount nfs share from fstab file now
{{Cmd|rc-service nfsmount start}}

or

{{Cmd|rc-service netmount start}}

= Adding Kerberos Authentication =

By default, NFS security only validates the IP of the client. You can add user level authentication with a Kerberos installation ([https://pkgs.alpinelinux.org/package/edge/main/armhf/krb5 MIT KRB5] or [https://pkgs.alpinelinux.org/package/edge/main/x86/heimdal Heimdal]). It is recommended to have the same Kerberos flavor across the network as both implementations are not completely mutually compatible.

== Server Configuration ==

Assuming you setup Kerberos in the in the network, create ticket to your NFS machine (examples are in MIT KRB5 syntax):

{{Cmd| kadmin: addprinc -randkey nfs/nfs1.example.com@EXAMPLE.COM}}

And add it to the machines krb5.keytab file:
{{Cmd| kadmin: ktadd nfs/nfs1.example.com@EXAMPLE.COM}}

If you want to use Kerberos for the user permission on the filesystem, you should enable id mapping available in NFSv4 by editing the following line in /etc/conf.d/nfs:
<pre>
NFS_NEEDED_SERVICES="rpc.idmapd"
</pre>

By default, the domain user will be mapped directly to an existing local user (or nobody). To change this behavior, edit /etc/idmapd.conf and restart rpc.idmapd. Note that by default the realm it considers is the domain from the hostname, and the user is the username under that realm.

== Client Configuration ==

In order for the client to connect to NFS via kerberos, enable and start rpc.gssd.
{{Cmd|rc-update add rpc.gssd
rc-service rpc.gssd start}}

And for correct id mapping (when using NFSv4), enable and start the rpc.idmapd
{{Cmd|rc-update add rpc.idmapd
rc-service rpc.idmapd start}}

[[Category:Server]]