dockerized_nfs_server
dockerized_nfs_server copied to clipboard
ErezHorev
Added Host Security Options via ENV file
First of all, I think your Repo is great and it really helped me out, but I think you should increase the security configuration a bit. In your approach you allow connections form every IP Adress (/etc/export - /path/to/export *(rw,sync...)) I thought why don't you add permissions for predefined IPs only.
Therefore, I created a new .env file which can be added to the docker run command and provides the NFS options. In the run.sh script I separate the IPs and add the NFS_CONFIG_TEMPLATE for each IP.
/exports/a 10.0.0.1(rw,sync,insecure,no_subtree_check,no_root_squash) 10.0.0.2(rw,sync,insecure,no_subtree_check,no_root_squash)
/exports/b 10.0.0.1(rw,sync,insecure,no_subtree_check,no_root_squash) 10.0.0.2(rw,sync,insecure,no_subtree_check,no_root_squash)
Now only those IPs can mount the directories and everybody is happy
Hi wakonp, I'm really glad you found it useful and appreciate much your contribution. I know i didn't cover a lot of places and indeed this is one of them. It was waiting for a user like yourself:) Your idea sounds really good and would like to adopt. I'm currently on vacation though and away from my pc (using mobile) so have a hard time to review. In about 2 weeks from now i'll attend to it and respond again. Thanks again:)
Waah. I've just seen this PR now, after having implemented something similar on my own (https://github.com/qqilihq/dockerized_nfs_server). At first sight, @wakonp's solution looks nicer than mine.
Anyhow, I would really appreciate to this functionality merged! :)
Hi @wakonp , Please excuse my late response (got back from vacation and was very busy at work). Looks good, few remarks:
- Maybe consider unhiding the env file, instead of '.envNFS' maybe 'NFS.env'. we want users to be aware of it. (not 100% sure so you'll decide) what do you think?
- What will happen if no IPs are defined? we should then allow from any IP as it was until today. I currently have some trouble to test it.
- Also I think that by default we shouldn't limit to a specific ips (put the line on the env file under a comment with an example)
- Please add the relevant info and usage of the new env file on README file (like @qqilihq did +1).
Also @wakonp do you want to help this project by being a collaborator? I'll be happy to add you.
Hi @ErezHorev , Sry for my late response but now it was my turn for a vacation 😄.
Maybe consider unhiding the env file, instead of '.envNFS' maybe 'NFS.env'. we want users to be aware of it. (not 100% sure so you'll decide) what do you think?
Jeah you are right!
What will happen if no IPs are defined? we should then allow from any IP as it was until today. I currently have some trouble to test it.
for export in "${exports[@]}"; do
src=`echo "$export" | sed 's/^\///'` # trim the first '/' if given in export path
- src="$export_base$src"
+ src="$export_base$src" #add export_base
mkdir -p $src
chmod 777 $src
- echo "$src *(rw,sync,insecure,no_subtree_check,no_root_squash)" | tee -a /etc/exports
+ line="$src "
+ while IFS=',' read -ra HOSTS; do
+ for i in "${HOSTS[@]}"; do
+ line="$line $i$NFS_CONFIG_TEMPLATE"
+ done
+ done <<< $NFS_CONFIG_HOSTS
+ echo "$line" | tee -a /etc/exports
done
First of all the "root" of the NFS folder gets written into /etc/exports by this command (no matter if any HOST is defined in the "env" file):
echo "$src *(rw,sync,insecure,no_subtree_check,no_root_squash)" | tee -a /etc/exports
I was not able to test it yet, but if the $NFS_CONFIG_HOST is empty, the for loop does not get any "${HOSTS[@]}" and no lines are written.
Also I think that by default we shouldn't limit to a specific ips (put the line on the env file under a comment with an example)
You surely can do that. It should be a optional feature to define security.
Please add the relevant info and usage of the new env file on README file (like @qqilihq did +1).
I will try to edit it this week.
That would be awesome!!! I really want to help making this docker-nfs-server a great and easy-to-use docker container!