zenodotus280

SYSLOG 25-W06

FreeBSD NFSv4 permissions and [un]privileged LXCs; two different configurations and their resulting effects.


I rely heavily on a FreeBSD VM (codenamed AVALON) for my data, which I export via NFS. My containers, however, are Debian-based LXCs, often unprivileged. That means I get a mismatch where files appear owned by nobody:nobody and things break. This isn't a solved problem yet, and for now I'm running any container that needs NFS as privileged, which is sub-optimal.
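
The nobody:nobody symptom comes from the unprivileged container's user namespace: with the usual map, container ids 0..65535 land on host ids 100000..165535, so a host uid such as 1000 (the owner of files on an NFS mount made on the host and bind-mounted into the container) has no container counterpart and is shown as the kernel's overflow id, which Debian names nobody. The standard fix is to split the map so that the one id that matters passes straight through. The script below is an added example and is not part of the original post or its setup; it generates the three lxc.idmap entries for a plain LXC config file plus the /etc/subuid and /etc/subgid line root needs, and then applies both maps to show what host uid 1000 becomes inside the container before and after. The base of 100000 and the range of 65536 are assumptions (the common default); compare them with the host's /etc/subuid before using the output, and note that hypervisor front-ends that wrap LXC may spell the key differently.

```shell
#!/bin/sh
# Added example: build an lxc.idmap that passes one uid/gid straight through to
# the host while keeping every other container id shifted, and show what a host
# uid looks like from inside the container under the default map and the new one.
set -eu

BASE=100000   # first host id of the container's shifted range (assumption; see /etc/subuid)
RANGE=65536   # number of ids the container owns (assumption; the common default)

# default_idmap KIND -> the single-line map an unprivileged container normally gets
default_idmap() {
    printf 'lxc.idmap = %s 0 %d %d\n' "$1" "$BASE" "$RANGE"
}

# idmap_lines KIND ID -> three entries: ids below ID shifted, ID itself passed
# through unchanged, ids above ID shifted. The three ranges add up to RANGE.
idmap_lines() {
    kind=$1; id=$2
    if [ "$id" -le 0 ] || [ "$id" -ge "$RANGE" ]; then
        echo "idmap_lines: id $id must be within 1..$((RANGE - 1))" >&2
        return 1
    fi
    printf 'lxc.idmap = %s 0 %d %d\n' "$kind" "$BASE" "$id"
    printf 'lxc.idmap = %s %d %d 1\n' "$kind" "$id" "$id"
    printf 'lxc.idmap = %s %d %d %d\n' "$kind" $((id + 1)) $((BASE + id + 1)) $((RANGE - id - 1))
}

# subid_lines ID -> the extra line /etc/subuid and /etc/subgid each need so that
# root may map host id ID into a container (the BASE range is assumed present).
subid_lines() {
    printf 'root:%d:1\n' "$1"
}

# host_to_container MAP HOSTID -> the container id that host id HOSTID appears as
# under MAP (lxc.idmap lines as text), or "nobody" if it is unmapped, which is
# the nobody:nobody seen on NFS-backed files inside the container.
host_to_container() {
    printf '%s\n' "$1" | awk -v h="$2" '
        $1 == "lxc.idmap" {
            cstart = $4; hstart = $5; n = $6
            if (h >= hstart && h < hstart + n) { print cstart + (h - hstart); found = 1 }
        }
        END { if (!found) print "nobody" }'
}

ID=1000   # the uid/gid that owns the data on the NFS server (matches -mapall=1000:1000)

echo "# lines for the container config"
idmap_lines u "$ID"
idmap_lines g "$ID"
echo "# line to add to /etc/subuid and /etc/subgid on the host"
subid_lines "$ID"
echo "# host uid $ID seen from inside the container:"
echo "  default map:      $(host_to_container "$(default_idmap u)" "$ID")"
echo "  pass-through map: $(host_to_container "$(idmap_lines u "$ID")" "$ID")"
```

The pass-through only helps if the container process that touches the files actually runs as uid 1000; root inside the container is still host uid 100000 and gets the same nobody view as before, which is the point of leaving the rest of the map shifted.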

Using NFS to restrict access is effectively inferior to SMB, since someone simply needs to present themselves as my desktop's IP to gain access. A Live ISO on a USB drive would be sufficient, or simply changing the root password from a pre-boot environment. In either case, physical access to my desktop isn't part of my threat model (yet), so this is sufficient for now.

NFS Permissions for LXCs

Here are some reference exports/fstab pairs for a FreeBSD host and an Arch Linux client:

Restricted Access: inheriting settings

In /etc/exports:

V4: / -network 10.10.10.0 -mask 255.255.255.0
/AVALON/data/Shared -mapall=1000:1000
/AVALON/data/ISOs -mapall=1000:1000
/AVALON/data/Archive -mapall=1000:1000
/AVALON/data/Meta -mapall=1000:1000
/AVALON/data/Temp -mapall=1000:1000
/AVALON/data/Secret -mapall=1000:1000 -network 10.10.10.200 -mask 255.255.255.255
/AVALON/data

Note the 'orphaned' /AVALON/data at the bottom. I am expecting it to inherit the parameters from the "V4" line.

In /etc/fstab:

avalon.internal:/AVALON/data/Secret /mnt/AVALON/Secret nfs defaults 0 0

I could mount everything as long as I exported /AVALON/data as shown above:

❯ ls /mnt/test/
Archive/  Meta/  ISOs/  Secret/  Shared/  Temp/

If I remove /AVALON/data from /etc/exports, run service mountd onerestart on the host... and try to mount again on the client:

❯ ls /mnt/test/
ls: reading directory '/mnt/test/': Input/output error

But that's because my export might be invalid.

Restricted Access: fully enumerated

This may not be necessary, but I re-worked the exports on Avalon:

V4: /
/AVALON/data/Shared -mapall=1000:1000 -network 10.10.10.0 -mask 255.255.255.0
/AVALON/data/ISOs -mapall=1000:1000 -network 10.10.10.0 -mask 255.255.255.0
/AVALON/data/Archive -mapall=1000:1000 -network 10.10.10.0 -mask 255.255.255.0
/AVALON/data/Meta -mapall=1000:1000 -network 10.10.10.0 -mask 255.255.255.0
/AVALON/data/Temp -mapall=1000:1000 -network 10.10.10.0 -mask 255.255.255.0
/AVALON/data/Secret -mapall=1000:1000 -network 10.10.10.200 -mask 255.255.255.255

In /etc/fstab (no change):

avalon.internal:/AVALON/data/Secret /mnt/AVALON/Secret nfs defaults 0 0

sudo umount /mnt/AVALON && sudo mount -a
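
The two exports files above differ in something FreeBSD's exports(5) is explicit about: the V4: line only marks the root of the NFSv4 tree and exports nothing by itself, and a host set given on it is not inherited by the other lines; an export line with no host specification at all is exported to every host that can reach the server. So in the "inheriting settings" file, everything except Secret, including the bare /AVALON/data line, is reachable from any host, with every client user mapped to 1000:1000, while the "fully enumerated" file restricts each line to the LAN and Secret to the desktop. The script below is an added example, not part of the original post; it parses an exports file the way exports(5) describes the fields and flags lines that carry no host set, with the two files from the post embedded as constructed samples. The check is textual and does not replace mountd: after restarting mountd as the post does, showmount -e on the server prints Everyone next to any export without a host set, and mountd's complaints about lines it rejects go to syslog.

```shell
#!/bin/sh
# Added example: flag export lines that apply to every host. In FreeBSD's exports(5)
# a line with no host specification is exported to all hosts, and the host set on
# the V4: line is not inherited by the other lines.
set -eu

# world_exports FILE -> paths of export lines in FILE that carry no host set
world_exports() {
    awk '
        /^[[:space:]]*(#|$)/ { next }      # comments and blank lines
        /^V4:/ { next }                    # marks the NFSv4 root; exports nothing itself
        {
            hosts = 0; skip = 0; paths = ""
            for (i = 1; i <= NF; i++) {
                if (skip)              { skip = 0; continue }   # argument of -network/-mask
                if ($i == "-network")  { hosts = 1; skip = 1; continue }
                if ($i == "-mask")     { skip = 1; continue }
                if ($i ~ /^-network=/) { hosts = 1; continue }
                if ($i ~ /^-/)         { continue }             # -mapall, -ro, -sec=, ...
                if ($i ~ /^\//)        { paths = paths " " $i; continue }
                hosts = 1                                       # hostname, address or netgroup
            }
            if (!hosts && paths != "") print substr(paths, 2)
        }' "$1"
}

# v4_root_restricted FILE -> succeeds if the V4: line names a host set of its own
v4_root_restricted() {
    awk '/^V4:/ { for (i = 3; i <= NF; i++) if ($i ~ /^-network/ || $i !~ /^-/) found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# Constructed sample files: the two exports files from the post.
SAMPLE=$(mktemp); SAMPLE2=$(mktemp)
trap 'rm -f "$SAMPLE" "$SAMPLE2"' EXIT
cat > "$SAMPLE" <<'EOF'
V4: / -network 10.10.10.0 -mask 255.255.255.0
/AVALON/data/Shared -mapall=1000:1000
/AVALON/data/ISOs -mapall=1000:1000
/AVALON/data/Archive -mapall=1000:1000
/AVALON/data/Meta -mapall=1000:1000
/AVALON/data/Temp -mapall=1000:1000
/AVALON/data/Secret -mapall=1000:1000 -network 10.10.10.200 -mask 255.255.255.255
/AVALON/data
EOF
cat > "$SAMPLE2" <<'EOF'
V4: /
/AVALON/data/Shared -mapall=1000:1000 -network 10.10.10.0 -mask 255.255.255.0
/AVALON/data/ISOs -mapall=1000:1000 -network 10.10.10.0 -mask 255.255.255.0
/AVALON/data/Archive -mapall=1000:1000 -network 10.10.10.0 -mask 255.255.255.0
/AVALON/data/Meta -mapall=1000:1000 -network 10.10.10.0 -mask 255.255.255.0
/AVALON/data/Temp -mapall=1000:1000 -network 10.10.10.0 -mask 255.255.255.0
/AVALON/data/Secret -mapall=1000:1000 -network 10.10.10.200 -mask 255.255.255.255
EOF

# audit FILE LABEL -> report the host-less lines and whether V4: alone is restricted
audit() {
    echo "== $2"
    if v4_root_restricted "$1"; then
        echo "V4: root is host-restricted, but that does not carry over to the export lines."
    fi
    world=$(world_exports "$1")
    if [ -n "$world" ]; then
        echo "exported to ALL hosts:"; printf '  %s\n' $world
    else
        echo "every export line names its own host set"
    fi
}
audit "$SAMPLE"  "inheriting settings"
audit "$SAMPLE2" "fully enumerated"
```

Run it against the real /etc/exports on the server to get the same report for the live file; -mapall=1000:1000 means every client on an allowed network acts as uid 1000 regardless of who they are, so the host set is the only thing standing between a line and the whole network.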
