Setting up an NFS server: Difference between revisions

From Alpine Linux
(Added export information)
m (bin name: exports -> exportfs)
 
(3 intermediate revisions by 2 users not shown)
Line 1: Line 1:
= Installation =
== Installation ==
Install package:
Install the following package for both NFS client and NFS server service.
{{Cmd|apk add nfs-utils}}


= Make it autostart =
{{Cmd|# apk add nfs-utils}}
Export dirs in /etc/exports, then
{{Cmd|rc-update add nfs}}


If you need just to mount nfs share from fstab file at booting of the system
== Configuration ==
Setting up NFS service on Alpine Linux is no different from other Linux distributions.


{{Cmd|rc-update add nfsmount}}
=== NFS Server ===


or
Setup export dirs in /etc/exports. For example:
{{Cmd|rc-update add netmount}}
{{Cat|/etc/exports|<nowiki>/data 10.10.10.0/24(rw,nohide,no_subtree_check,no_root_squash)   
</nowiki>}}


You can check your boot services:
After editing /etc/exports, reload your setting
{{Cmd|rc-status}}
{{Cmd|# exportfs -afv}}
 
To make NFS server service to autostart on boot:
 
{{Cmd|# rc-update add nfs}}
 
To start NFS server service now
 
{{Cmd|# rc-service nfs start}}
 
=== NFS Client ===
 
To mount NFS shares automatically, an entry needs to made to /etc/fstab. To mount nfs share from /etc/fstab file at booting of the system
 
{{Cmd|# rc-update add nfsmount}}


= Start it up now =
To mount the nfs shares from /etc/fstab file now:
{{Cmd|rc-service nfs start}}
{{Cmd|# rc-service nfsmount start}}


or if you need to mount nfs share from fstab file now
{{Cmd|# rc-update add netmount}}
{{Cmd|rc-service nfsmount start}}


or
You can check your boot services:
{{Cmd|# rc-status}}


{{Cmd|rc-service netmount start}}
{{Cmd|# rc-service netmount start}}


= Adding Kerberos Authentication =
== Kerberos Authentication ==


By default, NFS security only validates the IP of the client. You can add user level authentication with a Kerberos installation ([https://pkgs.alpinelinux.org/package/edge/main/armhf/krb5 MIT KRB5] or [https://pkgs.alpinelinux.org/package/edge/main/x86/heimdal Heimdal]). It is recommended to have the same Kerberos flavor across the network as both implementations are not completely mutually compatible.
By default, NFS security only validates the IP of the client. You can add user level authentication with a Kerberos installation ([https://pkgs.alpinelinux.org/package/edge/main/armhf/krb5 MIT KRB5] or [https://pkgs.alpinelinux.org/package/edge/main/x86/heimdal Heimdal]). It is recommended to have the same Kerberos flavor across the network as both implementations are not completely mutually compatible.


== Server Configuration ==
=== Server Configuration ===


Assuming you setup Kerberos in the in the network, create ticket to your NFS machine (examples are in MIT KRB5 syntax):
Assuming you setup Kerberos in the in the network, create ticket to your NFS machine (examples are in MIT KRB5 syntax):


{{Cmd| kadmin: addprinc -randkey nfs/nfs1.example.com@EXAMPLE.COM}}
{{Cmd|# kadmin: addprinc -randkey nfs/nfs1.example.com@EXAMPLE.COM}}


And add it to the machines krb5.keytab file:
And add it to the machines krb5.keytab file:
{{Cmd| kadmin: ktadd nfs/nfs1.example.com@EXAMPLE.COM}}
{{Cmd|# kadmin: ktadd nfs/nfs1.example.com@EXAMPLE.COM}}


Then, edit your /etc/exports, and add sec=krb5 (only authentication), sec=krb5i (also hmac signing) or sec=krb5p (also encryption). For example:
Then, edit your /etc/exports, and add sec=krb5 (only authentication), sec=krb5i (also hmac signing) or sec=krb5p (also encryption). For example:
<pre>
 
/data     10.10.10.0/24(rw,nohide,no_subtree_check,sec=krb5p,no_root_squash)
{{Cat|/etc/exports|<nowiki>/data 10.10.10.0/24(rw,nohide,no_subtree_check,sec=krb5p,no_root_squash)  
</pre>
</nowiki>}}
 
After editing /etc/exports, reload your setting
After editing /etc/exports, reload your setting
{{Cmd|exports -afv}}
{{Cmd|# exportfs -afv}}
 
If you want to use Kerberos for the user permission on the filesystem, you should enable id mapping available in NFSv4 by editing the following line in /etc/conf.d/nfs:
<pre>
NFS_NEEDED_SERVICES="rpc.idmapd"
</pre>


By default, the domain user will be mapped directly to an existing local user (or nobody). To change this behavior, edit /etc/idmapd.conf and restart rpc.idmapd. Note that by default the realm it considers is the domain from the hostname, and the user is the username under that realm.
User id mapping is managed by nfsidmap.


== Client Configuration ==
=== Client Configuration ===


In order for the client to connect to NFS via kerberos, enable and start rpc.gssd.
In order for the client to connect to NFS via kerberos, enable and start rpc.gssd.
{{Cmd|rc-update add rpc.gssd
{{Cmd|# rc-update add rpc.gssd}}
rc-service rpc.gssd start}}
{{Cmd|# rc-service rpc.gssd start}}


And for correct id mapping (when using NFSv4), enable and start the rpc.idmapd
== see Also ==
{{Cmd|rc-update add rpc.idmapd
* [https://wiki.archlinux.org/title/NFS NFS in Arch wiki]
rc-service rpc.idmapd start}}
* [https://wiki.gentoo.org/wiki/Nfs-utils NFS in Gentoo Wiki]


[[Category:Server]]
[[Category:Server]]

Latest revision as of 12:21, 26 September 2024

Installation

Install the following package for both NFS client and NFS server service.

# apk add nfs-utils

Configuration

Setting up NFS service on Alpine Linux is no different from other Linux distributions.

NFS Server

Setup export dirs in /etc/exports. For example:

Contents of /etc/exports

/data 10.10.10.0/24(rw,nohide,no_subtree_check,no_root_squash)

After editing /etc/exports, reload your setting

# exportfs -afv

To make NFS server service to autostart on boot:

# rc-update add nfs

To start NFS server service now

# rc-service nfs start

NFS Client

To mount NFS shares automatically, an entry needs to made to /etc/fstab. To mount nfs share from /etc/fstab file at booting of the system

# rc-update add nfsmount

To mount the nfs shares from /etc/fstab file now:

# rc-service nfsmount start

# rc-update add netmount

You can check your boot services:

# rc-status

# rc-service netmount start

Kerberos Authentication

By default, NFS security only validates the IP of the client. You can add user level authentication with a Kerberos installation (MIT KRB5 or Heimdal). It is recommended to have the same Kerberos flavor across the network as both implementations are not completely mutually compatible.

Server Configuration

Assuming you setup Kerberos in the in the network, create ticket to your NFS machine (examples are in MIT KRB5 syntax):

# kadmin: addprinc -randkey nfs/nfs1.example.com@EXAMPLE.COM

And add it to the machines krb5.keytab file:

# kadmin: ktadd nfs/nfs1.example.com@EXAMPLE.COM

Then, edit your /etc/exports, and add sec=krb5 (only authentication), sec=krb5i (also hmac signing) or sec=krb5p (also encryption). For example:

Contents of /etc/exports

/data 10.10.10.0/24(rw,nohide,no_subtree_check,sec=krb5p,no_root_squash)

After editing /etc/exports, reload your setting

# exportfs -afv

User id mapping is managed by nfsidmap.

Client Configuration

In order for the client to connect to NFS via kerberos, enable and start rpc.gssd.

# rc-update add rpc.gssd

# rc-service rpc.gssd start

see Also