How to define an NFS root in a discrete directory tree?

I would like to set up an NFS server for multiple docker containers and I found documentation on the archlinux-wiki. I thought of this project as a useful example to get to know NFS configuration and its security details.

I am not sure what the following sentence means and how to do it.

A good security practice is to define a NFS root in a discrete directory tree which will keep users limited to that mount point.

Does that just mean to create a specific directory for the shared data and not have it across multiple users' home directories?

server OS: centos7 or 8


Solution 1:

I think I know what's going on here and why the Arch wiki is confusing.

Ancient versions of NFS from back in the 1990s (version 3 and previous) could simply export arbitrary directories which were located anywhere in the filesystem. This changed with NFSv4, which requires all exported directories to be subdirectories of a top-level "root" export which is defined by the system administrator and carries the export option fsid=0 to distinguish it as the root. There is no predefined root; the admin makes an explicit choice to define the root.

Thus if you define /srv/nfs as the root, all other NFSv4 exports must be subdirectories of that directory.

However, it is likely that the directory you want to export is not actually under /srv/nfs. For example, you may want to export /var/lib/docker/volumes. To do this, instead of moving the files around, which might break things that depend on them being in their original location, you can create a bind mount so that the files remain in their original place in the filesystem but are also visible under the bind-mounted path.

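# Create the mount point under the NFS root (-p also creates /srv/nfs if missing)
mkdir -p /srv/nfs/volumes
# Bind-mount the Docker volumes directory onto it
mount --bind /var/lib/docker/volumes /srv/nfs/volumes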

Now the files are available in both places in the filesystem tree, and because of that, NFSv4 can export them.

The only bit I am still confused about is why the Arch wiki calls it a "good security practice" when it is just how NFSv4 works.
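
An added example, not part of the original answer: a small shell check that reads an exports(5)-style file and reports any export that falls outside the fsid=0 root the answer describes. The function name, finding labels, client range and sample file are constructed for illustration; it assumes one export per line with no quoted paths or line continuations.

```shell
#!/bin/sh
# Audit an exports(5)-style file against the layout described above:
# exactly one export carries fsid=0 (the NFSv4 root) and every other
# exported path sits beneath it. Prints one finding per line and
# prints nothing when the layout is consistent.
audit_exports() {
    awk '
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        {
            paths[++n] = $1
            # fsid=0 (or its synonym fsid=root) may sit in any client option list
            for (i = 2; i <= NF; i++)
                if ($i ~ /[(,]fsid=(0|root)[,)]/) { roots[++r] = $1; break }
        }
        END {
            if (r == 0) { print "NO_ROOT"; exit }
            if (r > 1) {
                for (i = 1; i <= r; i++) print "MULTIPLE_ROOTS " roots[i]
                exit
            }
            root = roots[1]
            sub(/\/+$/, "", root)             # normalise a trailing slash
            for (i = 1; i <= n; i++) {
                p = paths[i]
                if (p == roots[1]) continue
                # match on root + "/" so /srv/nfs-old is not taken for /srv/nfs/...
                if (index(p, root "/") != 1) print "OUTSIDE_ROOT " p
            }
        }
    ' "$1"
}

# Constructed sample: the answer's layout plus one stray export of the
# original directory that bypasses the bind mount. Client range is made up.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# NFSv4 root, then the bind-mounted Docker volumes beneath it
/srv/nfs                 192.168.1.0/24(rw,sync,fsid=0,no_subtree_check)
/srv/nfs/volumes         192.168.1.0/24(rw,sync,no_subtree_check)
/var/lib/docker/volumes  192.168.1.0/24(rw,sync,no_subtree_check)
EOF
audit_exports "$sample"
rm -f "$sample"
```

On a real server the function would be pointed at /etc/exports; an empty result means every export sits under the single declared root.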