Account Management

Sharing Files Across Systems

Computer Science uses NFS (Network File System) to access files on file servers. It can also be used to access files on your own server or even desktop.

NOTE: This page assumes that the computers you are using (both the one accessing the files and the one sharing the files) are integrated with our Kerberos system. If not, please see Integrating your computer into Kerberos.

There are two ways to get to files on another computer:

What files you can access

As we will explain below, you can only access files of systems that allow it. They do that by adding lines to /etc/exports. In general, files on communis.lcsr's /common/home will be available to all systems within LCSR. If you want to make file systems from your computer available to other computers in your group, you'll need to add appropriate lines to /etc/exports. See the next section for how to do that.

Note that at the moment the Netapp only checks for new hosts every 24 hours. So it may take up to a day to be able to mount /common/home on a system that has just been added. Linux systems that export file systems also do some caching, but normally they work a few minutes after a system is added.

Quick start

Here's a summary of how to add a system to /etc/exports. This assumes you've integrated your computer into Kerberos.

If you want /home on your system to be available to other computers:

How it works

For this all to work, your system has to be part of the computer science Kerberos system. See for instructions on adding your system.

When your system is integrated with Kerberos, you login via Kerberos. The central Kerberos server issues a ticket to identify you. That ticket is presented to other systems to allow you to access files there. (I'm greatly simplifying the way it's actually done.)

If you follow our instructions, file access will use NFS version 4 with Kerberos authentication. Note that sec=krb5 uses Kerberos to authenticate, but it doesn't encrypt the actual data transfer. If you want to encrypt data transmission, you can use sec=krb5p. However, krb5p has to be enabled on both ends.

How to make your files available

If you want to make your files available to other systems, you need to "export" the file system. Obviously we don't want people to be able to see files without permission. So the export gives permission.

SECURITY NOTE: If you export a file system to another computer, anyone on that computer can see your file system. Whether they can see your files depends upon your permissions. Many Linux systems default to fairly open permissions. If you want only you to be able to see your files, do chmod 700 ~ (where ~ represents your home directory or some other directory you want to restrict). If you want only you and members of your group to be able to see them do chmod 750 ~ but make sure that the group is set properly. Over NFS only groups registered in our central group management system will work.

To do this, create a file /etc/exports. It should have a line like this:

/home -rw,sec=krb5,fsid=1,insecure @dcsresearch @dcsfac @research-user-maint

If there is more than one file system being exported, use different numbers in the fsid option. insecure is mis-named. It doesn't really affect security, but rather what port numbers can be used.

Following the options there are netgroups, each prefixed by @. Netgroups are groups of hosts, maintained by LCSR.

If you want to be able to access your files from shared systems such as aurora, you should include dcsresearch and probably also dcsfac. If you want them to be accessible from lab systems, also include research-user-maint.

You can also list specific hostnames. So you could list just the names of your own lab machines. Ask if you would like to create a netgroup listing all of the systems in your lab.

Every time you change /etc/exports, you must use the command exportfs -va.

WARNING: If this is the first time you've put something into /etc/exports, see the next section.

If you remove an export from /etc/exports, you'll also have to do exportfs -u host:/path.

exportfs with no arguments will show the list of current exports.
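
An added example, not part of the original page or LCSR's own tooling: a small Python audit of an exports file in the format shown above. It reports clients whose effective sec= setting is not Kerberos-only (exports(5) falls back to sec=sys when no sec= is given), clients using Kerberos without krb5p encryption, and fsid numbers reused across file systems. The /data and /scratch lines and the example.edu hostnames are constructed for illustration.

```python
# Constructed sample in this page's format: options after a dash, then
# netgroups (@name) or hostnames. /data, /scratch and the example.edu
# hosts are hypothetical, added to exercise the checks.
SAMPLE = """\
# /etc/exports
/home -rw,sec=krb5,fsid=1,insecure @dcsresearch @dcsfac @research-user-maint
/data -rw,sec=krb5p,fsid=1 lab1.example.edu lab2.example.edu(ro)
/scratch -rw,fsid=3 @dcsresearch
"""

def _opts(s):
    """'rw,sec=krb5' -> {'rw': '', 'sec': 'krb5'}"""
    return {k: v for k, _, v in (o.partition("=") for o in s.split(",") if o)}

def parse_exports(text):
    """Return (path, client, options) for every export/client pair.
    Line continuations and quoted paths are not handled."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *fields = line.split()
        defaults = {}
        for field in fields:
            if field.startswith("-"):      # defaults for the clients that follow
                defaults = _opts(field[1:])
                continue
            client, _, own = field.partition("(")
            # Simplification: per-client options are layered over the defaults.
            entries.append((path, client, {**defaults, **_opts(own.rstrip(")"))}))
    return entries

def audit(text):
    """Return sorted (path, client, issue) findings."""
    findings, fsid_owner = set(), {}
    for path, client, opts in parse_exports(text):
        flavors = opts.get("sec", "sys").split(":")   # exports(5): default is sys
        if not all(f.startswith("krb5") for f in flavors):
            findings.add((path, client, "not-kerberos-only"))
        elif any(f != "krb5p" for f in flavors):
            findings.add((path, client, "kerberos-without-encryption"))
        fsid = opts.get("fsid")
        if fsid is not None and fsid_owner.setdefault(fsid, path) != path:
            findings.add((path, client, "fsid-reused"))
    return sorted(findings)

if __name__ == "__main__":
    for path, client, issue in audit(SAMPLE):
        print(f"{path:10} {client:24} {issue}")
```

To check a real system, pass the contents of /etc/exports to audit() before running exportfs -va.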

Doing your first NFS export

Our instructions for setting up systems include all the necessary software. So all you should need is to create /etc/exports. Unfortunately some of the daemons to handle file sharing exit if there are no exports.

That means that the first time you put something other than a comment into /etc/exports you need to start some daemons manually. Or just reboot.

The following should be enough.

This restart isn't necessary every time you change /etc/exports; just the first time you put something there.

Remember that whenever you add something to /etc/exports, whether the first time or not, you must do exportfs -va. If you remove an export from /etc/exports you must do exportfs -u host:/path.

Firewall and security issues

On both CentOS 7 and Ubuntu, firewall software is installed by default. It's not turned on by default for Ubuntu. It may be for CentOS. If the firewall isn't on, you don't need this section. If you turned on the firewall, and you want to share files from your system, you'll need to open ports for NFS. Note that this isn't needed to access files on other systems, just to export them.

Here are commands for CentOS 7's firewalld. Some people don't use firewalld, but work directly with iptables. If you do that, the corresponding iptables changes should be clear from these commands.

# This is enough if you want other systems to be able to use the mount command:
firewall-cmd --permanent --zone=public --add-port=2049/tcp
# if you want other systems to be able to use /net to access your files, you also need these:
firewall-cmd --permanent --zone=public --add-port=111/tcp
firewall-cmd --permanent --zone=public --add-port=111/udp
firewall-cmd --permanent --zone=public --add-port=20048/udp
# in any case you need this:
firewall-cmd --reload

On Ubuntu, things are more complex. Remember, this section only applies if you've turned on the firewall. The normal firewall for Ubuntu is ufw. Some people don't use ufw, but work directly with iptables. If you do that, the corresponding iptables changes should be clear from these commands. ufw allow 2049/tcp will allow mounts with the mount command or /etc/fstab.

However, to allow /net on other systems to access your files, you have to include port 111 and the port used by mountd. On Ubuntu, mountd doesn't use a fixed port. In /etc/default/nfs-kernel-server, you'll find a line

It will need to be replaced by a line declaring a specific port number, e.g.
RPCMOUNTDOPTS="--port 20048"
and then service nfs-kernel-server restart. At that point you can do
ufw allow 111
ufw allow 20048