
NFS


Each host using NFS should have a private key for the nfs/hostname.domain@DOMAIN principal in its keytab.

At the kadmin.local prompt:
addprinc -policy service -randkey nfs/<hostname>.domain
ktadd -k /path/to/file.keytab -norandkey nfs/<hostname>.domain

Copy the resulting file to the client at /etc/krb5.keytab. Restart the nfs-client service, and you should be able to mount NFS shares.

The Debian configuration file had a parsing bug at some point. If you have issues with NFS authentication try substituting y for yes in these options.

Listing 1: /etc/default/nfs-common (excerpt)
NEED_IDMAPD=yes
NEED_GSSD=yes

Exporting filesystems

For ZFS filesystems see Exporting ZFS over NFS

Create the root export tree

mkdir /export

Mount directories to be exported under this tree.

Listing 2: /etc/fstab (excerpt)
/path/to/storage /export/storage none bind,x-systemd.requires=zfs-mount.service        0 0
/path/to/zvideo  /export/zvideo  none bind,x-systemd.requires=zfs-mount.service        0 0
/path/to/mp3     /export/mp3     none bind,noauto,x-systemd.requires=zfs-mount.service 0 0

Update exported directories.

(I used to use krb5i here, but it's extremely detrimental to transfer speeds)

Listing 3: /etc/exports
/export         *(sec=krb5,rw,async,fsid=0,crossmnt,no_subtree_check,root_squash)
/export/storage *(sec=krb5,rw,async,no_subtree_check,root_squash)
/export/zvideo  *(sec=krb5,ro,async,no_subtree_check,root_squash)
# mp3fs requires an fsid, because it doesn't have a uuid or device number
#/export/mp3     *(sec=krb5,ro,async,fsid=23948,no_subtree_check,root_squash)
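A small audit of the exports(5) layout used in Listing 3, added here as an example and not part of the original notes: it parses each path/client pair and reports entries exported without Kerberos (sec=sys, or no sec= at all, which defaults to sys), entries using no_root_squash, and entries on plain krb5, which authenticates the client but gives neither integrity (krb5i) nor privacy (krb5p). The sample exports text is constructed for the example.

```python
"""Audit exports(5) entries for weak settings (added example, not from the notes)."""
import re

# Constructed sample in the style of Listing 3 above.
SAMPLE_EXPORTS = """\
/export         *(sec=krb5,rw,async,fsid=0,crossmnt,no_subtree_check,root_squash)
/export/storage *(sec=krb5,rw,async,no_subtree_check,root_squash)
/export/zvideo  *(sec=krb5:krb5i,ro,async,no_subtree_check,root_squash)
/export/scratch 192.168.2.0/24(rw,no_root_squash)
/export/public  *(sec=sys,ro)
"""

# client spec: "host" or "host(opt,opt,...)"; host may be *, a name or a CIDR
CLIENT_RE = re.compile(r"([^(]+)(?:\(([^)]*)\))?")


def parse_exports(text):
    """Return one record per (path, client) pair; a line may list several clients."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        # A path with no client spec is exported to every host (exportfs
        # warns about this), so treat it as the wildcard client.
        path, clients = fields[0], fields[1:] or ["*"]
        for spec in clients:
            m = CLIENT_RE.fullmatch(spec)
            client, opts = m.group(1), m.group(2) or ""
            entries.append({"path": path, "client": client,
                            "options": [o for o in opts.split(",") if o]})
    return entries


def audit(entries):
    """Return (severity, 'path client', message) tuples."""
    findings = []
    for e in entries:
        opts, where = e["options"], f"{e['path']} {e['client']}"
        # sec= is a colon-separated list of flavours; the default is sys
        sec = next((o[4:] for o in opts if o.startswith("sec=")), "sys")
        flavours = set(sec.split(":"))
        if flavours & {"sys", "none"}:
            findings.append(("high", where, f"sec={sec} accepts unauthenticated clients"))
        if "no_root_squash" in opts:
            findings.append(("high", where, "no_root_squash maps client root to server root"))
        if "krb5" in flavours and not flavours & {"krb5i", "krb5p"}:
            findings.append(("info", where, "krb5 authenticates only; no integrity or privacy"))
    return findings
```

Run `audit(parse_exports(open("/etc/exports").read()))` on a real server to get the same findings for its live configuration.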

Mounting filesystems

On workstation client machines

Listing 4: /etc/fstab (excerpt)
host.name:/export/storage /path/to/storage nfs4 _netdev,user,exec,rw,sec=krb5 0 0
host.name:/export/mp3 /mnt/mp3 nfs4 _netdev,user,exec,rw,sec=krb5 0 0

On mobile devices

A few things are different for mobile devices. Main differences:

  • noauto - don't automount, device may be on other networks
  • soft - error instead of waiting, may affect data integrity
  • retrans=10 - number of retries before error
  • x-systemd.requires=network-online.target - try to have systemd unmount before network is down, still not working correctly (systemd still gets stuck on unmount stop jobs during shutdown)

Listing 5: /etc/fstab (excerpt)
host.name:/export/storage       /path/to/storage nfs4 _netdev,user,exec,rw,sec=krb5,noauto,soft,retrans=10,x-systemd.requires=network-online.target 0   0
host.name:/export/zvideo        /path/to/zvideo nfs4 _netdev,user,exec,ro,sec=krb5,noauto,soft,retrans=10,x-systemd.requires=network-online.target 0    0

Mac OS (Common)

Disable .DS_Store file creation. May require a restart or re-login. See http://hints.macworld.com/article.php?story=2005070300463515

defaults write com.apple.desktopservices DSDontWriteNetworkStores true

Verify mounts are visible (assumes good kerberos setup):

showmount -e host.name

Listing 6: /etc/nfs.conf (excerpt)
# Use kerberos for auth
nfs.client.mount.options=sec=krb5

Add auto_nfs file to auto_master

Listing 7: /etc/auto_master (excerpt)
/- auto_nfs -nobrowse,nosuid

Follow the version-specific directions below:

Mac OS (High Sierra)

Based on https://tisgoud.nl/2019/10/automount-nfs-on-macos/.

If it does not exist, create auto_nfs and set its permissions to 644.

Listing 8: /etc/auto_nfs
/Users/username/storage -fstype=nfs,noowners,nolockd,resvport,hard,bg,intr,rw,tcp,nfc,rsize=8192,wsize=8192 nfs://host.name:/export/storage

Mac OS (Catalina)

Mounts under Catalina need to be on the Data volume to work properly. To get the mount points I want, I used /System/Volumes/Data/mnt to mount NFS exports under, then created a synthetic link (see man synthetic.conf) that points to it. It is also worth noting that some people had issues with mounts being mapped multiple times when placed under /System/Volumes/Data/Users/<username>/, so avoid that location.

Thunderbolt considerations

I did a little experimentation using IP over thunderbolt. Some notes:

  • Macs use a BSD style exports file. My exports looked like: /Volumes/macexportnfs -sec=krb5 -fsuuid=BEEFBEEF-BEEF-BEEF-BEEF-BEEFBEEFBEEF -network 192.168.2.0 -mask 255.255.255.0
  • UUID isn't strictly necessary, but I think it ensures an empty directory isn't exported in case the filesystem isn't available.
  • To export to multiple networks repeat the same line with different net/mask arguments.
  • Linux network manager wouldn't set a static IP for unknown reasons, so I settled on using my Mac host's internet sharing feature.
  • Sometimes performance can be abysmal (3s pings, 80k/sec transfers). I hooked up a Macbook Air for testing without issues. Then I went back to my Linux client (same cable + TB3-to-TB2 adapter) and speed was as expected.
  • I used a separate IP subnet for simple setup, but my Kerberos auth uses hostnames as part of the deal. So it's important on the client to add the server's IP/hostname to your hosts file.
  • If permissions are a problem you probably let the password or kerberos principal expire for one of the involved host or nfs principals.

Performance

Command      Size   Time   Throughput
plain dd     4.3GB  34.7s  122 MB/s
dd bs=10M    4.3GB  6.4s   704 MB/s
dd bs=100M   4.3GB  4.7s   962 MB/s


There were several mentions that auto_master may be reset during upgrades, so check there first if mounts stop working. When this happens, Mac OS will usually place a Relocated Items folder on the desktop.

Listing 9: /etc/auto_nfs
/System/Volumes/Data/path/to/storage -fstype=nfs,noowners,nolockd,resvport,hard,bg,intr,rw,tcp,nfc,rsize=65536,wsize=65536 nfs://host.name:/export/storage
/System/Volumes/Data/path/to/zvideo -fstype=nfs,noowners,nolockd,resvport,hard,bg,intr,ro,tcp,nfc,rsize=65536,wsize=65536 nfs://host.name:/export/zvideo

Listing 10: /etc/synthetic.conf
mnt     System/Volumes/Data/mnt

Mount the volume with automount. Note: synthetic links require a reboot to take effect.

automount -cv