prevent nfs tunnelling through login node

sjpb · sjpb · commit 5fadd4eb4fac · 2025-02-27T16:09:20.000Z
diff --git a/docs/networks.md b/docs/networks.md
@@ -14,6 +14,15 @@ as an SSH proxy to access the other nodes, this can create problems in recoverin
 the cluster if the login node is unavailable and can make Ansible problems harder
 to debug.
 
+> [!WARNING]
+> If home directories are on a shared filesystem with no authentication (such
+> as the default NFS share) then the network(s) the fileserver is attached to
+> form a security boundary. If an untrusted user can access these networks they
+> could mount the home directories setting any desired uid/gid.
+>
+> Ensure there is no external access to these networks and that no untrusted
+> instances are attached to them.
+
 This page describes supported configurations and how to implement them using
 the OpenTofu variables. These will normally be set in
 `environments/site/tofu/terraform.tfvars` for the site base environment. If they
diff --git a/environments/.stackhpc/inventory/group_vars/all/nfs.yml b/environments/.stackhpc/inventory/group_vars/all/nfs.yml
@@ -0,0 +1,17 @@
+nfs_configurations:
+  - comment: Export /exports/home from Slurm control node as /home
+    nfs_enable:
+        server:  "{{ inventory_hostname in groups['control'] }}"
+        # Don't mount share on server where it is exported from...
+        # Could do something like `nfs_clients: "{{ 'nfs_servers' not in group_names }}"` instead.
+        clients: "{{ inventory_hostname in groups['cluster'] and inventory_hostname not in groups['control'] }}"
+    nfs_server: "{{ nfs_server_default }}"
+    nfs_export: "/exports/home" # assumes skeleton TF is being used
+    nfs_client_mnt_point: "/home"
+
+  # EXPERIMENTAL - not generally secure
+  - comment: Export /exports/cluster from Slurm control node
+    nfs_enable:
+        server: "{{ inventory_hostname in groups['control'] }}"
+        clients: false
+    nfs_export: "/exports/cluster"
diff --git a/environments/common/inventory/group_vars/all/nfs.yml b/environments/common/inventory/group_vars/all/nfs.yml
@@ -16,8 +16,6 @@ nfs_configurations:
     nfs_export: "/exports/home" # assumes skeleton TF is being used
     nfs_client_mnt_point: "/home"
 
-  - comment: Export /exports/cluster from Slurm control node
-    nfs_enable:
-        server: "{{ inventory_hostname in groups['control'] }}"
-        clients: false
-    nfs_export: "/exports/cluster"
+# Set 'secure' to prevent tunneling nfs mounts
+# Cannot set 'root_squash' due to home directory creation
+nfs_export_options: 'rw,secure,no_root_squash'
