NFS on OS X 10.4 and earlier

From OS X Scientific Computing

Jump to: navigation, search

Contents

Creating NFS networks

OS X, like other unix operating systems, can function as both an NFS server and NFS client. Canonical unix systems permit the system administrator to configure this by editing two ascii text files. The file /etc/fstab controls what remote disks (i.e., those served by another machine) will be mounted, and the file /etc/exports controls what files will be served via NFS to other computers, and can restrict access according to the system administrator's needs.

All of this is true of OS X as well, except that the information from these ascii text files must somehow be transfered into the netinfo database, a peculiarly OS X construct. Fortunately, this can be accomplished without too much pain.

Mounting remote filesystems with NFS

To mount a filesystem from a remote NFS server, you need to do the following.


Create a mountpoint of your choosing.

You can do this anywhere, but I find making a directory a the root level to be the most convenient. For example, let's say we want to mount two filesystems that are being exported from another computer called Simpson with the domain name simpson.springfield.org. We'll assume it has the OS X filesystem structure, but any unix filesystem will behave analogously. The first filesystem we will want to mount will be the remote /Users directory, and the second will be /Volumes/Homer, as the computer simpson.springfield.org has a second hard-drive creatively named Homer. Hence we will create two mountpoint directories as follows:

sudo mkdir -p /nfs_mountpoint/Simpson  /nfs_mountpoint/Homer

Next we need to create the file /etc/fstab

with the following two lines in it:

simpson.springfield.org:/Users  /nfs_mountpoint/Simpson nfs -i,-P,-b 0 0
simpson.springfield.org:/Volumes/Homer  /nfs_mountpoint/Homer nfs -i,-P,-b 0 0

The first field is the domain name (it is safest to give the whole thing), and the second, separated by a colon, is the filesystem that has been exported. The third field is the corresponding mount point you just made, the fourth tells the system that this is an nfs device that is being mounted, and the remaining arguments control access and mounting protocols. man fstab and man mount_nfsfor details. The disk is read/write accessible by default, but the user's numerical uid (eg: 503) must be the same on both the host an client machine. (Be aware that if joe on the server has uid 503 and sarah on the client has uid 503, sarah will have read-write access to joe's files!) (OS X, and at least some GNU/Linux systems, assigns uid numbers sequentially to each new user, starting with 501. Other systems assign large random numbers, which makes the appearance of this sort of security anomaly (or hole) statistically much more unlikely.)

Now read the information into the netinfo database. (10.4 and earlier)

On 10.5, you no longer have to do this, nor can you. niload is history!!

It is a good idea not to screw this up.

sudo niload -m -v fstab . < /etc/fstab

You can now mount the remote filesystems with the commands

sudo mount /nfs_mountpoint/Simpson
sudo mount /nfs_mountpoint/Homer

or to mount all at once, issue

sudo mount -a

Next time you reboot, the automounter and the NFS Startup Item will handle the mounting for you. I'll mention a couple of tweaks you might want to make in a moment, but first let's look at how to export a filesystem.

A shell script (and zsh function) to help

This is useful only for 10.4.X and earlier. On 10.5, you simply create the /etc/fstab file (just like with real unix machines).


nfs_niloader is a function that runs the following command

      sudo niload -m -v fstab . < /etc/fstab

that loads the information contained in the file /etc/fstab into the NetInfo database. This step is required before the filesystems listed in /etc/fstab can be mounted for the first time. The script then runs the command df -h to show the user what is already mounted, and prints the relevant column of the contents of the file /etc/fstab, and finally suggest to the user that the command sudo mount /filesystem be used to mount then new filesystem(s) contained in /etc/fstab. The main point of this function is to help with the hard-to-remember niload syntax.

Exporting your filesystems with NFS

The previous section assumed your computer was a client machine. Now let's assume it is a server. Any machine can be both, so we'll export our filesystem /Users to the machine called Simpson for this example.

To export a filesystem, you need to do the following:

1. Get a static IP address for each of your NFS server machines. Also, be sure to get a corresponding qualified domain name such as simpson.springfield.org that won't change.

2. Create a file called /etc/exports and put the following line into it:

/Users  -maproot=nobody simpson.springfield.org   

3. Reboot, or run the following commands with sudo:

On 10.5:

sudo /sbin/nfsd reload


On 10.4.X and below:

rm -f /var/db/mountdtab
mountd
nfsd   -t -u -n 6 


This is more or less equivalent to issuing exportfs -a on other unix systems.

This common set of tasks can be automated (10.4.X and below) using the following shell script:

A Shell Script (or zsh function) to help (10.4.X and below only)

exportfs is a function that emulates (crudely) the exportfs -a command on canonical unix systems. Mac OS X does not currently have an exportfs command. This makes a minimal attempt at filling the gap.

If exportfs finds something to export (either using /etc/exports or the exports NetInfo directory), then start the NFS daemons (which service NFS requests) and the mount server (which services NFS mount requests).

Parts of this come from Apple's NFS startup file, modified by W. G. Scott and many important improvements were then added by Gary Kerbaugh. Specifically, the script now checks for successful outcome of disk arbitration, which can take awhile for really big disks and RAID devices.

If NFS with automount is problematic...

Unfortunately, there might be glitches. For example, I found that mounting a disk severed from an old Sun computer gave me endless headaches until I turned off automount. To do so, do the following:

1. Edit the file /etc/hostconfig and change the line

AUTOMOUNT=-AUTOMATIC-   

to

AUTOMOUNT=-NO-   

2. I also turned off NFS locking

NFSLOCKS=-NO-   

I recommend that you try the default settings first, and if trouble is brewing, these are possible things to try.

3. If you turn off the automounter, and reboot, you will find you have to manually issue sudo mount -a before you have your disks mounted. Hence it is a good idea to stick mount -a (you don't need sudo as it is run by root at startup) into the file /System/Library/StartupItems/NFS/NFS around line numer 95, i.e., just before you get to the part that is supposed to start the automounter. I also changed the file /System/Library/StartupItems/NFS/StartupParameters.plist in the same directory to look like this:

     1 {
     2   Description     = "network file system";
     3   Provides        = ("NFS");
     4   Uses            = ("Disks");
     5   OrderPreference = "First";
     6 }

This makes mounting go smoother if it done early in the bootup sequence.

NFS Manager automates NFS exports and mounts

NFSIcon.png

Another way of handling this is to get ahold of NFS Manager, donation-ware that provides a convenient interface for setting up both NFS mounts and NFS exports. If you can live with automounter, which is on by default, this will get you going without complications within minutes. The documentation is superbly written.


Security

Kerberized NFS

In OS X, 10.5, NFS has the option to use Kerberos authentication.

Common Sense

You should only export filesystems to specific static IP addresses, not domains or to the whole world. Although spoofing an IP address to overcome this is not difficult, it still requires some effort.

TCP Wrappers and firewall

Use the hosts.allow file to set up rules for access

nfsd: your.favorite.machine:ALLOW
mountd: your.favorite.machine:ALLOW

Use IPFW to restrict NFS port access to friendly static IP addresses

Personal tools