Score:1

How to define a NFS root in a discrete directory tree?


I would like to set up an NFS server for multiple docker containers and I found documentation on the archlinux-wiki. I thought of this project as a useful example to get to know NFS configuration and its security details.

I am not sure what the following sentence means and how to do it.

A good security practice is to define a NFS root in a discrete directory tree which will keep users limited to that mount point.

Does that just mean to create a specific directory for the shared data and not have it across multiple users' home directories?

server OS: centos7 or 8

I am having trouble matching concrete steps in the example to the description: mkdir -p /srv/nfs/music /mnt/music creates two directories + /srv/nfs if it does not exist. So I can assume that /srv/nfs is the nfs root directory, right?
Score:1

I think I know what's going on here and why the Arch wiki is confusing.

Ancient versions of NFS from back in the 1990s (version 3 and previous) could simply export arbitrary directories which were located anywhere in the filesystem. This changed with NFSv4, which requires all exported directories to be subdirectories of a top-level "root" export which is defined by the system administrator and carries the export option fsid=0 to distinguish it as the root. There is no predefined root; the admin makes an explicit choice to define the root.

Thus if you define /srv/nfs as the root, all other NFSv4 exports must be subdirectories of that directory.

However, it is likely that the directory you want to export is not actually under /srv/nfs. For example you may want to export /var/lib/docker/volumes. To do this, instead of moving the files around which might break things that depend on them being in their original location, you can create a bind mount so that the files remain in their original place in the filesystem but are also visible under the bind-mounted path.

mkdir /srv/nfs/volumes
mount --bind /var/lib/docker/volumes /srv/nfs/volumes

Now the files are available in both places in the filesystem tree, and because of that, NFSv4 can export them.

The only bit I am still confused about is why the Arch wiki calls it a "good security practice" when it is just how NFSv4 works.
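As an added example (not from the answer or the Arch wiki), the following POSIX sh script checks an /etc/exports file against the NFSv4 rule explained above: exactly one export is marked fsid=0 (or its synonym fsid=root) and every other export lies under it. The two sample exports files are constructed here; /srv/nfs and the bind-mounted volumes directory follow the answer, the 192.0.2.0/24 client network is an assumption.

```shell
#!/bin/sh
# Added example (not from the page): check that an /etc/exports file follows the
# NFSv4 layout described above: exactly one export carries fsid=0 (or fsid=root),
# and every other export path lies under it. Returns 0 when consistent.
# Assumes the usual "path  host(options) ..." syntax, one export per line.
check_nfs4_exports() {
    file="$1" root="" status=0
    # Pass 1: locate the export marked as the NFSv4 root.
    while read -r path opts; do
        case "$path" in ''|'#'*) continue ;; esac
        case "$opts" in
            *"fsid=0,"*|*"fsid=0)"*|*"fsid=root,"*|*"fsid=root)"*)
                if [ -n "$root" ]; then
                    echo "more than one root export: $root and $path" >&2
                    return 1
                fi
                root="$path" ;;
        esac
    done < "$file"
    if [ -z "$root" ]; then
        echo "no export carries fsid=0: NFSv4 clients have nothing to mount" >&2
        return 1
    fi
    # Pass 2: every other export must be a subdirectory of that root.
    while read -r path opts; do
        case "$path" in ''|'#'*) continue ;; "$root"|"$root"/*) ;;
            *) echo "export $path is outside the NFSv4 root $root" >&2; status=1 ;;
        esac
    done < "$file"
    return "$status"
}
# Constructed samples: the first matches the answer's /srv/nfs layout with the
# bind-mounted volumes directory; the second exports the docker directory directly.
good_exports() { cat <<'EOF'
/srv/nfs          192.0.2.0/24(rw,sync,fsid=0,crossmnt,no_subtree_check)
/srv/nfs/volumes  192.0.2.0/24(rw,sync,no_subtree_check)
EOF
}
bad_exports() { cat <<'EOF'
/srv/nfs                 192.0.2.0/24(rw,sync,fsid=0,no_subtree_check)
/var/lib/docker/volumes  192.0.2.0/24(rw,sync,no_subtree_check)
EOF
}
# Stand-alone demo over both samples.
f=$(mktemp)
good_exports > "$f"; check_nfs4_exports "$f" && echo "good sample: consistent"
bad_exports  > "$f"; check_nfs4_exports "$f" || echo "bad sample: rejected"
rm -f "$f"
```

Running the check against the real file (check_nfs4_exports /etc/exports) before exportfs -r catches the case where a directory was added to /etc/exports without first bind-mounting it under the root.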


