[PLUG] Exporting via nfs

Mel Andres mel97215 at comcast.net
Sun Dec 20 00:21:10 UTC 2009 

Mike Connors wrote:
> Mel Andres wrote:
>   
>> We recently purchased a MacPro notebook. I have most of my music and 
>> video files on my linux debian machine in subfolders under mounts 
>> /share1 and /share2. I have both of these in /etc/exports, and nfsd is 
>> running. However, I am unable to mount_nfs them from the Mac. I very 
>> likely could have something incorrect with my exports file. I think I 
>> also have to tweak my Belkin router. 
>>     
> Do you get an error mssg on the Mac when you attempt to mount the nfs 
> share?
>
> How about any nfs mssgs in syslog on the Debian box?
>
> I found this write-up on easy GUI-based NFS share access from a Mac OSX 
> client using Avahi / Zeroconf / Bonjour.
>
> Most of the online materials I've found that discuss setting up an OSX 
> client for NFS shares go through the cumbersome process of configuring 
> via NetManager. The downside I discovered to this, particularly for 
> iBooks, is that the Finder will rather ungracefully hang when I'm out 
> somewhere else and it tries to access the shares defined for my local 
> home LAN. Plus, the NetManager settings are essentially hard-coded in a 
> way, so any time I make changes to my server setup, I have to replicate 
> them in my iBook's NetManager configuration. How tedious.
>
> I stumbled across a much more elegant setup a while back (incidentally, 
> when researching how SMB broadcasts its presence) -- use Avahi / 
> Zeroconf / Bonjour. Avahi is the Linux daemon; Zeroconf is the spec; and 
> Bonjour is what Apple calls its implementation (formerly "Rendezvous"). 
> Setting up Avahi on your Ubuntu NFS server to broadcast announce your 
> NFS shares can greatly simplify GUI access from your Macs, and also 
> potentially simplify how your /etc/exports file is organized. There are 
> a couple useful links here in one of my previous posts which you should 
> read.
>
> Once you get Avahi installed and running on your Ubuntu server machine, 
> open a terminal and cd over to /etc/avahi/services. There shouldn't be 
> much of anything here to begin with, so start off by typing in sudo vim 
> nfs.service (pick your editor of choice; I just like vim ). Any config 
> files for announcing services via Avahi *must* be in this directory (or 
> linked to from it) and *must* have the extension service. Now type in 
> something like this:
>
> Code:
> <?xml version="1.0" standalone='no'?>
> <!DOCTYPE service-group SYSTEM "avahi-service.dtd">
> <service-group>
> <name>Zephyrus Shared Music</name>
> <service>
> <type>_nfs._tcp</type>
> <port>2049</port>
> <txt-record>path=/data/shared/Music</txt-record>
> </service>
> </service-group>
> The black text should be identical on your end; change the blue as 
> needed to suit your own setup. Also note the underscores in the <type> 
> tag -- these are required. The port is the NFS port used when you've got 
> the [font=courier]insecure[font] option specified in your /etc/exports 
> file, so that might need changing. And obviously you'll need to specify 
> your own path to your NFS share. One caveat here is that, as best as I 
> can figure, you can only specify one share per service file. The Avahi 
> daemon for Linux is still a young project, and documentation is limited, 
> but I expect better docs and software to help configure daemon options 
> will appear in due time.
>
> Once you've got your service files in place, restart the Avahi daemon by 
> typing in sudo /etc/init.d/avahi-daemon restart. Then go to your Mac 
> machine, open a Finder window, and click the Network globe thingy in the 
> upper left. You should now have a "My Network" folder here, which will 
> contain whatever NFS shares you've specified. And the nice thing is that 
> this is a purely dynamic setup -- automount takes care of mounting 
> automagically via the special Network folder, and the the Finder won't 
> hang now when you go somewhere else and happen to accidentally try to 
> access a non-existent share, unlike the NetManager setups I've often 
> seen described online when researching how to do this.
>
> I mentioned earlier that this can simplify your /etc/exports file 
> somewhat. The trick here is the <path> tag. As you see further above, my 
> exports file just shoves out the whole /data directory. Meanwhile, my 
> Avahi service config file here only broadcasts one subdirectory, so 
> that's all the GUI user will see (you can also see these via Konqueror 
> by typing zeroconf:/ into the address bar). That's also all the GUI user 
> can access.
>
> But -- the whole /data share is still available for anyone to mount via 
> the CLI, so be forewarned that this simplified /etc/exports file 
> approach is not a good way to limit access to any sensitive data. You 
> will need to spend some time setting up proper file permissions to 
> ensure that no one who shouldn't can mess with your files. For instance, 
> one of the subdirectories I advertise via Avahi is a user's documents 
> folder, at /data/[username]'s Docs. Although anyone on my LAN can see 
> this directory in any zeroconf-enabled browser (like Konq or the 
> Finder), I've set up permissions so only certain users can actually open 
> the directory to see the contents -- anyone else just gets an error that 
> they don't have the required permissions. In this case, I did this by 
> typing in sudo chmod 750 /path/to/directory. This way, the owner (the 
> first digit) gets full read/write/execute permission, group members (the 
> second digit) get read-only and execute (needed on a directory so you 
> can open it), and anyone else (the last digit) can't do anything to it 
> (except root, of course). Another useful trick for directories shared 
> within a group is the setgid bit, which I've set on the above-shown 
> Music folder by typing in sudo chmod 2770 /path/to/directory. The 2 on 
> the front ensures that any files or directories created within this 
> directory are created with the same group ID as the directory itself 
> (after the 2 come the usual user, group, and other permissions). Note 
> also that any binaries executed with the setgid bit set will run with 
> the permissions of the file's group, so make sure to choose an 
> unprivileged group when setting up your shared groups. Wikipedia has a 
> very useful article on file system permissions, particularly the section 
> Notation of traditional Unix permissions, which I'd recommend reading.
>
>
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
>
>   
Thank you Mike. I am sure this will be helpful. It will take me some 
time to process all of it. I will report here as things develop.

  Mel

More information about the PLUG mailing list