[Systems] nfs on sunjammer

Bernie Innocenti bernie at codewiz.org
Mon Nov 30 14:04:00 EST 2009


On Mon, 2009-11-30 at 06:35 -0600, dfarning at sugarlabs.org wrote:
> Shares:
> I have created a /srv/nfs namespace on sunjammer so we have a central
> location to put NFS exports.  For a.sl.o we need two shares:
> /srv/nfs/activities/files and
> /srv/nfs/activities/staging

I did not know that you had already picked another location, so I've
picked /export for the NFS root, which was the standard on SunOS and
seems to be still very popular also on Linux.

Anyway, it doesn't matter much: if we stick to nfs4 on the clients, the
prefix on the server does not have to be specified. All we need to do on
the server is add a bind mount in fstab for each share.

VERY IMPORTANT: we must make absolutely sure we do not backup the nfs
shares on the clients. Our system-full-backup script should probably be
calling duplicity with --exclude-other-filesystems, but this is
dangerous for machines which happen to have multiple local filesystems
(like sunjammer).

The bottom line is that we need to manually tweak the list of paths to
exclude when we add nfs shares on a machine. And we should add a
mechanism to change the list in /etc/system-full-backup.conf rather
than customizing the backup script on every client.

So, the full procedure for adding an export on sunjammer is:

 * mkdir /export/<share>

 * edit /etc/fstab and add: 

   /<original-path> /export/<share>       none    bind	0 2

 * edit /etc/exports and add:

   /export/<share> <host>.crosslink(rw,nohide,async,no_root_squash,no_subtree_check)

 * edit /etc/hosts in case you need to add <host>.crosslink
   (maybe one day we'll create a DNS zone for these)

 * Perform the bind-mount manually the first time:

   mount /export/<share>

 * Update nfs exports:

   exportfs -av


SECURITY NOTES:

 - never use public IPs for NFS. It is easy to spoof.

 - no broad exports: only share filesystems with hosts that need them

 - do not export filesystems rw unless really needed

 - don't set no_root_squash, unless really needed

 - always set the nosuid option on the client
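
As an added illustration (not part of Bernie's or David's mail), here is a small shell audit that checks an exports(5) file against the security notes above and the exports line used in the procedure; it assumes one share per line and runs on a constructed sample, not sunjammer's real file:

```shell
#!/bin/sh
# Added example: audit an exports(5) file against the security notes.
# Flags rw exports, no_root_squash, broad client specs (wildcards,
# netmasks, or a missing client) and public IPv4 clients (non-RFC 1918).

# Constructed sample exports file; these are not sunjammer's real entries.
SAMPLE_EXPORTS='# activities for a.sl.o
/export/activities-files    aslo-web.crosslink(rw,nohide,async,no_root_squash,no_subtree_check)
/export/activities-staging  aslo-web.crosslink(ro,nohide,no_subtree_check)
/export/upload              *(rw)
/export/misc                203.0.113.7(ro)
/export/ok                  10.0.0.5(ro,root_squash)
'

# True when the IPv4 address is in an RFC 1918 private range.
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# audit_exports FILE: prints "<share> <client>: <issue>" per finding,
# returns 0 when the file is clean and 1 otherwise.
# Usage: audit_exports /etc/exports
audit_exports() {
  file=$1 findings=0
  set -f                               # a '*' client spec must not glob
  while IFS= read -r line; do
    line=${line%%#*}                   # drop comments
    set -- $line
    [ $# -ge 2 ] || continue
    share=$1; shift
    for spec in "$@"; do
      client=${spec%%"("*}
      opts=${spec#*"("}; opts=${opts%")"}
      [ "$opts" = "$spec" ] && opts=   # spec without an option list
      case "$client" in
        ""|*"*"*|*/*) echo "$share $client: broad export"; findings=$((findings+1)) ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*)
          is_private_ipv4 "$client" ||
            { echo "$share $client: public IP"; findings=$((findings+1)); } ;;
      esac
      case ",$opts," in *,rw,*) echo "$share $client: exported rw"; findings=$((findings+1)) ;; esac
      case ",$opts," in *,no_root_squash,*) echo "$share $client: no_root_squash"; findings=$((findings+1)) ;; esac
    done
  done < "$file"
  set +f
  [ "$findings" -eq 0 ]
}
```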


> Imports web node:
> Both shares need to be imported (RW) to each web-node.
> - on sunjammer /srv/www-sugar/activities/files
>                    /srv/www-sugar/activities/staging
> - on aslo-web /srv/activities/files
>                       /srv/activities/staging

Ok, I added these under the nfs4 hierarchy on sunjammer.

Do they have to be rw? (scary)


> Imports download.sl.o:
> The staging dir will need to be imported read only to the download
> server.
> - on sunjammer staging is imported as /srv/upload/activities.

Ok, this will be done when we have a separate download server?
(are we planning to?)


> Currently:
> -- each of the nfs shares on sunjammer is set up with a symlink as a
> placeholder.
> -- There are a few test nfs shares and mounts on aslo-root; these can
> all be deleted and replaced with proper mounts as stated above.

I did not touch the client-side.


> If you ping me, I'll try to be on IRC while you work on this.

I have to run, but I'll be at the fsf shortly.

-- 
   // Bernie Innocenti - http://codewiz.org/
 \X/  Sugar Labs       - http://sugarlabs.org/