Hey folks,
sshfs
I first set up sshfs. Unfortunately, it left the HOST FS corrupted (I think I needed
fsck or possibly just a reboot). I forgot the details. I did not lose data, but I was so horrified
I figured I would not touch it again and did not
try to troubleshoot.
tunneling NFS
I did get NFS tunneling to work. I read some guides and had to do some hacking. I think part
of the problem was a mismatch of guides & software versions.
I use gentoo. This was involved & I think most any difference in SW version or dist will
manifest itself as some permutation on the steps :-)
The ssh does use some cpu overhead, but it is not horrid.
Off hand, 25% of a core in a non-ancient core 2 system (Q6600)
seems reasonable from my observations.
Good luck,
Chip
Below is a NFS/SSH HOWTO I wrote Nov 2008 for my internal use w/a gentoo system:
----------------------------------------------------------------
----------------------------------------------------------------
I prolly did not need the no_root_squash, but I'm trying to make sure this works.
It is safer to remove the no_root_squash if possible.
I set up ssh so I could ssh from root on one machine to root on another without a password or phrase.
I assume the port forwarding needs to be done as root.
This was tested Oct 2008.
NFS thinks it is only mounting the local host.
SSH maps the local host ports between machines.
==============================================================
HOST 192.168.1.10:
1) /etc/exports
BACKGROUND
Export to the local host, NOT the remote. Yes, "insecure" is required. "localhost" in place of the local IP did not seem to work.
EDIT /etc/exports
/home/to_export 192.168.1.10(rw,no_root_squash,no_subtree_check,insecure)
/mnt/md10/md10_home/tcvm 192.168.1.10(rw,no_root_squash,no_subtree_check,insecure)
2) /etc/conf.d/nfs
BACKGROUND
We need to have the ports of mountd easily accessible.
Without this, mountd would use 2 ports. Not only did I need to run
pmap_dump to see the numbers, but I needed to use trial and error to find which of the 2.
Bind mountd via /etc/conf.d/nfs
I also bound statd just to reduce dynamic port numbers
EDIT: /etc/conf.d/nfs
OPTS_RPC_MOUNTD="-p 32767"
OPTS_RPC_STATD="-p 32765 -o 32766"
3) sysctl.conf
BACKGROUND
This is not essential to ssh or nfs, but I find it desirable to also bind the nlockmgr ports.
As far as I know, this will remove the last dynamic ports from the system.
EDIT: (bottom of) /etc/sysctl.conf
# TCP Port for lock manager
fs.nfs.nlm_tcpport = 32771
# UDP Port for lock manager
fs.nfs.nlm_udpport = 34090
--------------------------------------------------------------
CLIENT (arbitrary IP#)
1) ssh
BACKGROUND
ssh
-c blowfish cipher seems fast & secure
-f go into background
-L 4444:192.168.1.10:2049 forward client's 4444 to server 2049
2049 is static socket of nfs
-L 5555:192.168.1.10:32767 32767 is above binding of mountd
-l root 192.168.1.10 login as root on the server
/bin/sleep 600d sleep for 600d (stay alive during forwarding).
I think the forwarding itself may keep the ssh alive,
but I don't want to count on that. We can always kill.
4444 & 5555 are arbitrary as long as they are mirrored on the mount lines
COMMANDS
ssh -c blowfish-cbc -f -L 4444:192.168.1.10:2049 -l root 192.168.1.10 /bin/sleep 600d
ssh -c blowfish-cbc -f -L 5555:192.168.1.10:32767 -l root 192.168.1.10 /bin/sleep 600d
2) mount
BACKGROUND
mount
-t nfs ssh operates over nfs. I don't know if the ssh -L bind works for udp. Experimentally, "-t nfs" was required.
port= & mountport= must match our client port #
localhost: NFS thinks it is purely local.
COMMANDS
mount -t nfs -o tcp,port=4444,mountport=5555 localhost:/home/to_export /home/to_export__mnt
mount -t nfs -o tcp,port=4444,mountport=5555 localhost:/mnt/md10/md10_home/tcvm /home/tcvm
=====================================================================
FIREWALL
I think we need only open the ssh ports for this to work.
=====================================================================
/etc/hosts.deny & /etc/hosts.allow
Allows specification of services & clients. Obviously susceptible
to IP# spoofing, but still useful
SAMPLE
/etc/hosts.deny
portmap: ALL
/etc/hosts.allow
portmap: 192.168.1.10
The allow overrides the overall blacklist via all
This works with the function hosts_ctl(), which a program of mine uses.
=====================================================================
Last step on alan (client) when the mount command in the script did not work was
to run
/etc/init.d/nfs restart
even though nfs normally does not appear to need to be running.
I had set the nfs settings in /etc/sysctl.conf back to the original.
I guess the mods are only for the server.
Maybe it started the portmap which had not been running.
Now it is started at boot.
=====================================================================
REFERENCES:
There are a few good web pages, but no single one that is completely definitive.
http://www.linuxsecurity.com/content/view/117705/171/
http://nfs.sourceforge/nfs-howto/ar01s06.html
http://tldp.org/HOWTO/NFS-HOWTO/security.html
NFS4 & Kerberos
https://help.ubuntu.com/community/NFSv4Howto
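As an added example (not part of Chip's HOWTO), a small Python checker that ties the four pieces of the recipe together: the /etc/exports line, the pinned mountd port from /etc/conf.d/nfs, the ssh -L forwards and the mount options, so the port mirroring that the HOWTO found by trial and error is verified before mounting. The sample values are constructed from the HOWTO's own numbers; the problem messages and function names are mine.

```python
import re
import shlex
# Constructed sample input, copied from the values the HOWTO above uses.
SERVER = "192.168.1.10"
EXPORTS = "/home/to_export 192.168.1.10(rw,no_root_squash,no_subtree_check,insecure)"
MOUNTD_OPTS = 'OPTS_RPC_MOUNTD="-p 32767"'
SSH_CMDS = [
    "ssh -c blowfish-cbc -f -L 4444:192.168.1.10:2049 -l root 192.168.1.10 /bin/sleep 600d",
    "ssh -c blowfish-cbc -f -L 5555:192.168.1.10:32767 -l root 192.168.1.10 /bin/sleep 600d",
]
MOUNT_CMD = "mount -t nfs -o tcp,port=4444,mountport=5555 localhost:/home/to_export /mnt/x"

def parse_forwards(cmds):
    """Map local port -> (host, remote port) for every ssh -L [bind:]lport:host:rport."""
    fwd = {}
    for cmd in cmds:
        argv = shlex.split(cmd)
        for i, arg in enumerate(argv):
            if arg == "-L":
                lport, host, rport = argv[i + 1].split(":")[-3:]
                fwd[int(lport)] = (host, int(rport))
    return fwd

def parse_mount_opts(cmd):
    """Turn '-o tcp,port=4444,mountport=5555' into {'tcp': True, 'port': '4444', ...}."""
    argv = shlex.split(cmd)
    return dict(o.split("=", 1) if "=" in o else (o, True)
                for o in argv[argv.index("-o") + 1].split(","))

def parse_exports(line):
    """Return (path, granted client, set of flags) from one /etc/exports line."""
    path, rest = line.split(None, 1)
    client, flags = re.match(r"([^(]+)\(([^)]*)\)", rest).groups()
    return path, client, set(flags.split(","))

def check(exports_line, mountd_opts, ssh_cmds, mount_cmd):
    """List every way the exports, mountd pinning, ssh forwards and mount fail to fit together."""
    fwd, opts = parse_forwards(ssh_cmds), parse_mount_opts(mount_cmd)
    mountd_port = int(re.search(r"-p\s+(\d+)", mountd_opts).group(1))
    _, client, flags = parse_exports(exports_line)
    # sshd delivers the tunnelled connection from the server's own address, from a port above 1024
    checks = [
        (fwd.get(int(opts.get("port", 0))) == (SERVER, 2049), "port= is not forwarded to nfsd on 2049"),
        (fwd.get(int(opts.get("mountport", 0))) == (SERVER, mountd_port), "mountport= does not reach the pinned mountd port"),
        ("tcp" in opts, "ssh -L carries TCP only; the mount needs the tcp option"),
        (client == SERVER, "export must be granted to the server's own address"),
        ("insecure" in flags, "insecure is required for a source port above 1024"),
        ("no_root_squash" not in flags, "no_root_squash lets the tunnelled root client act as root"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Run against the HOWTO's own values it reports only the no_root_squash flag, which the HOWTO itself says is safer to drop.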