Account Management
Sharing Files Across Systems
Computer Science uses NFS (Network File System) to access files on
file servers. It can also be used to access files on your own server or
even desktop.
NOTE: This page assumes that the computers you are using (both the one
accessing the files and the one sharing the files) are integrated
with our Kerberos system. If not, please see
Integrating your computer into Kerberos.
There are two ways to get to files on another computer:
What files you can access
As we will explain below, you can only access files on systems
that allow it. They do that by adding lines to /etc/exports. In general,
files on communis.lcsr's /common/home will be available to all
systems within LCSR. If you want to make file systems from your
computer available to other computers in your group, you'll need
to add appropriate lines to /etc/exports. See the next section
for how to do that.
Note that at the moment the Netapp only checks for new hosts every 24
hours. So it may take up to a day to be able to mount
/common/home on a system that has just been added. Linux systems that export file systems also do some caching,
but normally they work a few minutes after a system is added.
Quick start
Here's a summary of how to add a system to /etc/exports. This assumes you've integrated your computer into
Kerberos.
If you want /home on your system to be available to other computers:
- Edit or create /etc/exports, and add a line
/home -rw,sec=krb5,fsid=NN,insecure system1.cs.rutgers.edu system2.cs.rutgers.edu
insecure is a misnomer. It allows NFS to use any port. There are no real
security implications to this.
NN should be a unique number. That is, if you export more than one file system, each should use a different number. Exports of the same file system
to different computers should use the same number.
If you have a group of computers there may be a netgroup for them. You
can export to a netgroup using @ and the netgroup name. E.g.
/home -rw,sec=krb5,fsid=NN,insecure @lcsrcf
would export to all LCSR systems.
- Run the command
exportfs -va
- If this is the first time you've done an export on this system, do
- Ubuntu 16 and higher:
systemctl restart nfs-kernel-server
- Centos 7:
systemctl restart nfs
- If you are on Centos 7, and this is the first time you've done an export on this system, do
firewall-cmd --permanent --zone=public --add-port=2049/tcp
firewall-cmd --permanent --zone=public --add-port=111/tcp
firewall-cmd --permanent --zone=public --add-port=111/udp
firewall-cmd --permanent --zone=public --add-port=20048/udp
firewall-cmd --reload
How it works
For this all to work, your system has to be part of the computer
science Kerberos system. See for instructions
on adding your system.
When your system is integrated with Kerberos, you login via Kerberos.
The central Kerberos server issues a ticket to identify you. That ticket
is presented to other systems to allow you to access files there. (I'm
greatly simplifying the way it's actually done.)
If you follow our instructions file access will use NFS version 4,
with Kerberos authentication. Note that sec=krb5 uses Kerberos to
authenticate, but it doesn't encrypt the actual data transfer. If you
want to encrypt data transmission, you can use sec=krb5p. However
krb5p has to be enabled on both ends.
How to make your files available
If you want to make your files available to other systems, you
need to "export" the file system. Obviously we don't want people to be
able to see files without permission. So the export gives permission.
SECURITY NOTE: If you export a file system to another computer, anyone
on that computer can see your file system. Whether they can see your
files depends upon your permissions. Many Linux systems default to
fairly open permissions. If you want only you to be able to see your
files, do chmod 700 ~ (where ~ represents your home directory or
some other directory you want to restrict). If you want only you and members of your group
to be able to see them, do chmod 750 ~ but make sure that the group
is set properly. Over NFS only groups registered in our central
group management system will work.
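A check for the exposure described in the security note, listing the directories directly under an exported path that users other than the owner can list or enter. This is an added example, not part of the original page; open_dirs, demo_tree and the directory names are made up for illustration, and it relies on GNU stat as shipped with Ubuntu and CentOS.

```shell
#!/bin/sh
# open_dirs EXPORT_ROOT (hypothetical helper): for each directory directly
# under an exported path, report who besides the owner can list or enter it.
# Directories restricted to the owner (chmod 700) produce no output.
open_dirs() {
  for d in "$1"/*; do
    [ -d "$d" ] && [ ! -L "$d" ] || continue   # real directories only
    mode=$(stat -c '%a' "$d")                  # octal mode, e.g. 755
    group=$(stat -c '%G' "$d")
    o=${mode#"${mode%?}"}                      # last digit: everyone else
    rest=${mode%?}
    g=${rest#"${rest%?}"}                      # digit before it: the group
    if [ $(( ${o:-0} & 5 )) -ne 0 ]; then      # read (4) or search (1) bit
      echo "other $mode $d"
    elif [ $(( ${g:-0} & 5 )) -ne 0 ]; then
      echo "group:$group $mode $d"             # check this is the group you meant
    fi
  done
  return 0
}

# Constructed sample tree (assumption: stands in for an exported /home).
demo_tree() {
  root=$(mktemp -d) || return 1
  mkdir "$root/alice" "$root/bob" "$root/carol"
  chmod 700 "$root/alice"    # only the owner
  chmod 750 "$root/bob"      # owner and group
  chmod 755 "$root/carol"    # anyone on a system the export lists
  echo "$root"
}

demo=$(demo_tree)
open_dirs "$demo"
rm -rf "$demo"
```

On a real server, run open_dirs /home (or whatever path is exported) and review every line marked other.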
To export a file system, create a file /etc/exports. It should have a line like this:
/home -rw,sec=krb5,fsid=1,insecure @dcsresearch @dcsfac @research-user-maint
If there is more than one file system being exported, use different numbers
in the fsid option. insecure is mis-named. It doesn't really affect security,
but rather what port numbers can be used.
Following the options there are netgroups, each prefixed by @. Netgroups
are groups of hosts, maintained by LCSR.
- dcsresearch is all research systems maintained by LCSR, both
servers and desktops.
- dcsfac are faculty systems. The difference between the two is that
faculty systems are only for faculty. Research systems can include students,
if they are sponsored by a faculty member.
- research-user-maint are research systems run by faculty or grad students
for faculty. That is, they aren't run by LCSR staff. While they are probably
less secure, remember that users on them are authenticated directly with the
Kerberos server, so it is probably safe to export to those systems.
If you want to be able to access your files from shared systems such
as aurora, you should include dcsresearch and probably also dcsfac. If you
want them to be accessible from lab systems, also include
research-user-maint.
You can also list specific hostnames. So you could list just
the names of your own lab machines. Ask help@cs.rutgers.edu if you
would like to create a netgroup listing all of the systems in your lab.
Every time you change /etc/exports you must use the command
exportfs -va
WARNING: If this is the first time you've put something into /etc/exports,
see the next section.
If you remove an export from /etc/exports, you'll also have to do
exportfs -u host:/path.
exportfs with no arguments will show the list of current exports.
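A lint for /etc/exports that checks the rules stated in the Quick start, in How it works and in this section: every export requires a Kerberos sec= flavor, each file system keeps one fsid, and no fsid is shared between file systems. This is an added example, not LCSR's own tooling; it assumes the line format shown on this page (one -options field after the path), and lint_exports, sample_exports and the sample paths /scratch, /data and /proj are made up for illustration.

```shell
#!/bin/sh
# lint_exports [FILE] (hypothetical helper): check exports lines written as
#   /path -opt,opt,... host-or-@netgroup ...
# Reads stdin when FILE is omitted. Prints one finding per line and
# returns 1 if anything was found, 0 otherwise.
lint_exports() {
  awk '
    BEGIN { bad = 0 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    $2 !~ /^-/ { printf "line %d: %s: no -options field (format not handled)\n", NR, $1; bad = 1; next }
    {
      path = $1; sec = ""; fsid = ""
      n = split(substr($2, 2), opt, ",")
      for (i = 1; i <= n; i++) {
        if (opt[i] ~ /^sec=/)  sec  = substr(opt[i], 5)
        if (opt[i] ~ /^fsid=/) fsid = substr(opt[i], 6)
      }
      # sec= may list several flavors separated by ":"; all must be Kerberos
      m = split(sec, flav, ":")
      if (m == 0) { printf "line %d: %s: no sec= option, Kerberos not required\n", NR, path; bad = 1 }
      for (i = 1; i <= m; i++)
        if (flav[i] !~ /^krb5[ip]?$/) { printf "line %d: %s: sec flavor %s is not Kerberos\n", NR, path, flav[i]; bad = 1 }
      if (fsid == "") { printf "line %d: %s: no fsid= option\n", NR, path; bad = 1; next }
      # one fsid per file system: not shared between paths, not changed per host
      if ((fsid in owner) && owner[fsid] != path) { printf "line %d: %s: fsid=%s already used for %s\n", NR, path, fsid, owner[fsid]; bad = 1 } else owner[fsid] = path
      if ((path in seen) && seen[path] != fsid) { printf "line %d: %s: fsid=%s but exported earlier with fsid=%s\n", NR, path, fsid, seen[path]; bad = 1 } else seen[path] = fsid
    }
    END { exit bad }
  ' "${1:--}"
}

# Constructed sample, not a real server file; netgroups and hosts as named on this page.
sample_exports() {
  cat <<'EOF'
# constructed sample
/home    -rw,sec=krb5,fsid=1,insecure @dcsresearch @dcsfac
/home    -rw,sec=krb5,fsid=1,insecure system1.cs.rutgers.edu
/scratch -rw,sec=krb5p,fsid=1,insecure @dcsresearch
/data    -rw,fsid=3,insecure system2.cs.rutgers.edu
/home    -rw,sec=krb5,fsid=4,insecure system2.cs.rutgers.edu
/proj    -rw,sec=sys:krb5,fsid=5,insecure @dcsfac
EOF
}

sample_exports | lint_exports || true
```

Run lint_exports /etc/exports before exportfs -va; per-host options in parentheses are outside what it parses.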
Doing your first NFS export
Our instructions for setting up systems include all the necessary
software. So all you should need is to create /etc/exports. Unfortunately
some of the daemons to handle file sharing exit if there are no exports.
That means that the first time you put something other than a comment
into /etc/exports you need to start some daemons manually. Or just reboot.
The following should be enough.
- Ubuntu 14:
service nfs-kernel-server restart
- Ubuntu 16 and later:
systemctl restart nfs-kernel-server
- Centos 7:
systemctl restart nfs
This restart isn't necessary every time you change /etc/exports; just
the first time you put something there.
Remember that whenever you add something to /etc/exports, whether
the first time or not, you must do exportfs -va. If you remove an
export from /etc/exports you must do exportfs -u host:/path.
Firewall and security issues
On both Centos 7 and Ubuntu, firewall software is installed by default.
It's not turned on by default for Ubuntu. It may be for Centos.
If the firewall isn't on, you don't need
this section. If you turned on the firewall, and you want to share files from
your system, you'll need to open ports for NFS. Note that this isn't needed to
access files on other systems, just to export them.
Here are commands for Centos 7's firewalld. Some people don't use firewalld,
but work directly with iptables. If you do that, the corresponding iptables
changes should be clear from these commands.
#This is enough if you want other systems to be able to use the mount command:
firewall-cmd --permanent --zone=public --add-port=2049/tcp
# if you want other systems to be able to use /net to access your files, you also need these:
firewall-cmd --permanent --zone=public --add-port=111/tcp
firewall-cmd --permanent --zone=public --add-port=111/udp
firewall-cmd --permanent --zone=public --add-port=20048/udp
# in any case you need this:
firewall-cmd --reload
On Ubuntu, things are more complex. Remember, this section only
applies if you've turned on the firewall. The normal firewall for
Ubuntu is ufw. Some people don't use ufw, but work directly with iptables. If you do that, the corresponding iptables
changes should be clear from these commands.
ufw allow 2049/tcp
will allow mounts with the mount command or /etc/fstab.
However to allow /net on other systems to access your files,
you have to include port 111 and the port used by mountd. On Ubuntu,
mountd doesn't use a fixed port. In /etc/default/nfs-kernel-server,
you'll find a line
RPCMOUNTDOPTS="--manage-gids"
It will need to be replaced by a line declaring a specific
port number, e.g.
RPCMOUNTDOPTS="--port 20048"
and then service nfs-kernel-server restart. At that point you can do
ufw allow 111
ufw allow 20048