You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository was archived by the owner on Oct 6, 2023. It is now read-only.
Copy file name to clipboardExpand all lines: README.md
+93-34Lines changed: 93 additions & 34 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -7,76 +7,136 @@ A lightweight, robust, flexible, and containerized NFS server.
7
7
This is the only containerized NFS server that offers **all** of the following features:
8
8
9
9
- NFS versions 3, 4, or both simultaneously
10
+
- optional Kerberos security
11
+
- optional name/ID mapping via [`idmapd`](http://man7.org/linux/man-pages/man8/idmapd.8.html)
10
12
- clean teardown of services upon `SIGTERM` or `SIGKILL` (no lingering `nfsd` processes on Docker host)
11
13
- flexible construction of `/etc/exports` via a Docker bind mount *or* environment variables
12
-
- lightweight image based on [Alpine Linux](https://alpinelinux.org/)
13
-
- ability to control server parameters via environment variables
14
+
- extensive server configuration via environment variables
14
15
15
16
## Requirements
16
17
17
-
1. The Docker **host** kernel will need both the `nfs` and `nfsd` kernel modules. Usually you can enable them both with `modprobe nfs nfsd`.
18
-
1. The container will need to run with `CAP_SYS_ADMIN` (or `--privileged`). This is necessary as the server needs to mount several filesystems inside the container to support its operation.
19
-
1. You will need to bind mount your exported filesystems into this container. e.g. `-v /some/path/on/host:/some/container/path`
18
+
1. The Docker **host** kernel will need the following kernel modules
19
+
-`nfs`
20
+
-`nfsd`
21
+
-`rpcsec_gss_krb5` (*only if Kerberos is used*)
22
+
23
+
Usually you can enable these modules with: `modprobe {nfs,nfsd,rpcsec_gss_krb5}`
24
+
1. The container will need to run with `CAP_SYS_ADMIN` (or `--privileged`). This is necessary as the server needs to mount several filesystems inside the container to support its operation, and performing mounts from inside a container is impossible without these capabilities.
25
+
1. The container will need local access to the files you'd like to serve via NFS. You can use Docker volumes, bind mounts, or files baked into a custom image. e.g.
The container requires you to supply it with your desired [NFS exports](https://linux.die.net/man/5/exports) upon startup. You have **two choices** for doing this:
35
+
You will need to provide your desired [NFS exports](https://linux.die.net/man/5/exports)(`/etc/exports`) upon container startup. You have **three choices** for doing this:
26
36
27
-
1.**Bind mount a full exports file into the container at `/etc/exports`**.
37
+
1.**Bind mount `/etc/exports`into the container**
28
38
29
-
docker run \
30
-
-v /host/path/to/exports.txt:/etc/exports:ro \
31
-
-v /host/files:/nfs \
32
-
--cap-add SYS_ADMIN \
33
-
-p 2049:2049 \
34
-
erichough/nfs4-server:latest`
39
+
docker run \
40
+
-v /host/path/to/exports.txt:/etc/exports:ro \
41
+
-v /host/files:/nfs \
42
+
--cap-add SYS_ADMIN \
43
+
-p 2049:2049 \
44
+
erichough/nfs-server:latest
35
45
36
-
1.**Supply each line of `/etc/exports` as an environment variable**.
46
+
1.**Provide each line of `/etc/exports` as an environment variable**.
37
47
38
48
The container will look for environment variables that start with `NFS_EXPORT_` and end with an integer. e.g. `NFS_EXPORT_0`, `NFS_EXPORT_1`, etc.
If you'd like to run [`idmapd`](http://man7.org/linux/man-pages/man8/idmapd.8.html) to map between NFSv4 IDs (e.g. `[email protected]`) and local users, simply provide [`idmapd.conf`](https://linux.die.net/man/5/idmapd.conf) and `/etc/passwd` to the container. This step is required for Kerberos.
Via optional environment variables, you can adjust the server settings to your needs.
81
+
You can enable Kerberos security by performing the following additional actions:
82
+
83
+
1. set the environment variable `NFS_ENABLE_KERBEROS` to a non-empty value (e.g. `NFS_ENABLE_KERBEROS=1`)
84
+
1. set the server's hostname via the `--hostname` flag
85
+
1. provide `/etc/krb5.keytab` which contains a principal of the form `nfs/<hostname>`, where `<hostname>` is the hostname you supplied in the previous step.
86
+
1. provide [`/etc/krb5.conf`](https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html)
87
+
1. provide [`/etc/idmapd.conf`](https://linux.die.net/man/5/idmapd.conf)
88
+
1. provide `/etc/passwd` that contains your NFS client users
The following optional environment variables allow you to adjust the server settings to your needs.
52
108
53
109
-**`NFS_VERSION`** (default is `4.2`)
54
110
55
111
Set to `3`, `4`, `4.1`, or `4.2` to fine tune the NFS protocol version. Enabling any version will also enable any lesser versions. e.g. `4.2` will enable versions 4.2, 4.1, 4, **and** 3.
56
112
57
-
-**`NFS_VERSION_DISABLE_V3`** (*not set by default*)
113
+
-**`NFS_DISABLE_VERSION_3`** (*not set by default*)
58
114
59
-
Set to a non-empty value (e.g. `NFS_VERSION_DISABLE_V3=1`) to disable NFS version 3 and run a version-4-only server. This setting is not compatible with `NFS_VERSION=3`.
115
+
Set to a non-empty value (e.g. `NFS_DISABLE_VERSION_3=1`) to disable NFS version 3 and run a version-4-only server. This setting is not compatible with `NFS_VERSION=3`.
60
116
61
-
-**`NFSD_PORT`** (default is `2049`)
117
+
-**`NFS_PORT`** (default is `2049`)
62
118
63
119
Set this to any valid port number (`1` - `65535` inclusive) to change `rpc.nfsd`'s listening port.
64
120
65
-
-**`NFSD_SERVER_THREADS`** (default is *CPU core count*)
121
+
-**`NFS_SERVER_THREAD_COUNT`** (default is *CPU core count*)
66
122
67
123
Set this to a positive integer to control how many server threads `rpc.nfsd` will use. A good minimum is one thread per CPU core, but 4 or 8 threads per core is probably better.
68
124
69
-
-**`NFS_MOUNTD_PORT`** (default is `32767`)
125
+
-**`NFS_PORT_MOUNTD`** (default is `32767`)
70
126
71
127
*Only needed for NFS 3*. Set this to any valid port number (`1` - `65535` inclusive) to change `rpc.mountd`'s listening port.
72
128
73
-
-**`NFS_STATD_IN_PORT`** (default is `32765`)
129
+
-**`NFS_PORT_STATD_IN`** (default is `32765`)
74
130
75
131
*Only needed for NFS 3*. Set this to any valid port number (`1` - `65535` inclusive) to change `rpc.statd`'s listening port.
76
132
77
-
-**`NFS_STATD_OUT_PORT`** (default is `32766`)
133
+
-**`NFS_PORT_STATD_OUT`** (default is `32766`)
78
134
79
135
*Only needed for NFS 3*. Set this to any valid port number (`1` - `65535` inclusive) to change `rpc.statd`'s outgoing connection port.
136
+
137
+
-**`NFS_ENABLE_KERBEROS`** (*not set by default*)
138
+
139
+
Set to a non-empty value (e.g. `NFS_ENABLE_KERBEROS=1`) to enable Kerberos on this server. See "Kerberos" section above for further details.
80
140
81
141
### Mounting filesystems from a client
82
142
@@ -92,9 +152,8 @@ Via optional environment variables, you can adjust the server settings to your n
92
152
93
153
## Remaining tasks
94
154
155
+
- switch back to Alpine Linux once [this bug](https://bugs.alpinelinux.org/issues/8470) in `nfs-utils` is fixed
95
156
- figure out why `rpc.nfsd` takes 5 minutes to startup/timeout unless `rpcbind` is running
0 commit comments