NFS with Owl

Owl currently does not officially support NFS - it does not include the corresponding userland tools such as a Sun RPC portmapper. However, recent Owl kernels are built with the required kernel modules enabled, which you may load and use at your own risk - provided that you install the userland tools from elsewhere (such as from CentOS).

NFS client

Non-Owl package: portmap-4.0-63 from CentOS 4.

/etc/sysconfig/portmap contents:

PMAP_ARGS=-l

To enable the portmap service at boot:

chkconfig portmap on

In /etc/fstab:

serverhostnamehere:/export     /mnt/export         nfs     noauto,ro,intr,rsize=8192 0 0

In /etc/rc.d/rc.local:

modprobe nfs

To mount the remote filesystem:

mount /mnt/export

Note that even though the -l option (that's lowercase letter L) tells portmapper to listen on localhost only, it may nevertheless be attacked from directly connected systems (such as those on the same Ethernet segment as the NFS client machine) via “properly” spoofed packets. Also, the kernel listens on some UDP ports (that it uses to talk to the NFS server). Thus, you may want to apply some iptables filtering, such as by network interface and/or using a default-deny policy.

NFS server

kernel-2.6.18-274.18.1.el5.028stab098.1.owl1 (from Owl-current, not 3.0-stable) or newer.

Non-Owl packages: portmap-4.0-63 and nfs-utils-1.0.6-93.EL4 from CentOS 4.

/etc/sysconfig/nfs contents:

#RPCMOUNTDOPTS="-d all"
#RPCNFSDCOUNT="8 -p 999"
RQUOTAD=no
MOUNTD_NFS_V2=no

In /etc/fstab:

nfsd            /proc/fs/nfsd           nfsd    noauto                  0 0

In /etc/exports:

/export clienthostnamehere(ro,all_squash,anonuid=999,anongid=999)

(The specified client host name should be in /etc/hosts.)

In /etc/rc.d/rc.local:

modprobe nfsd
mount /proc/fs/nfsd
service nfs start

(The order of these rc.local lines/actions is important!)

Don't forget to set up iptables rules to restrict access to the NFS service and RPC services ports - possibly by network interface if the machine has multiple NICs. While ports 2049 and 111 are fixed, ports of the individual RPC services may change, so you either need a default-deny policy at least on non-trusted interfaces or you need to pass additional options to force the use of fixed port numbers.
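
One way to express the default-deny approach for the NFS server, as an added example that is not part of the original page: a shell function that emits an iptables-restore ruleset accepting NFS/RPC traffic only from one client on one trusted interface. The function names, the interface eth1 and the address 192.0.2.10 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: default-deny INPUT policy for the NFS server, emitted in
# iptables-restore format. Interface and client address are caller-supplied
# assumptions; add your own management rules (e.g. for SSH) before loading.
# Usage, as root, after sourcing this file:
#   nfs_server_rules eth1 192.0.2.10 | iptables-restore

is_iface() {
    # Plain interface name only, so it cannot carry extra iptables options.
    case $1 in ''|[!A-Za-z]*|*[!A-Za-z0-9._-]*) return 1;; esac
}

is_ipv4() {
    # Digits and single dots only, then exactly four octets of 0..255.
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

nfs_server_rules() {
    is_iface "$1" || { echo "bad interface: $1" >&2; return 1; }
    is_ipv4 "$2" || { echo "bad client address: $2" >&2; return 1; }
    # Ports 111 and 2049 are fixed, but the other RPC services pick their
    # ports at start-up, so the client is matched by interface and source
    # address rather than by port; everything else hits the DROP policy.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $1 -s $2 -p tcp -j ACCEPT
-A INPUT -i $1 -s $2 -p udp -j ACCEPT
COMMIT
EOF
}
```

The same function can be used on the NFS client with the server's address as the second argument, so that portmap and the kernel's UDP ports are reachable only from the server on that interface.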