aboutsummaryrefslogtreecommitdiff
path: root/scripts/hostclass/nfs_server/10-nfs
diff options
context:
space:
mode:
Diffstat (limited to 'scripts/hostclass/nfs_server/10-nfs')
-rw-r--r--scripts/hostclass/nfs_server/10-nfs50
1 files changed, 50 insertions, 0 deletions
diff --git a/scripts/hostclass/nfs_server/10-nfs b/scripts/hostclass/nfs_server/10-nfs
new file mode 100644
index 0000000..a775859
--- /dev/null
+++ b/scripts/hostclass/nfs_server/10-nfs
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+# Jails serving NFS need 'allow.nfsd' option.
+
+: ${nfsuserd_cache_size:='256'}
+: ${nfsuserd_num_servers:='4'}
+: ${nfsuserd_cache_timeout:='1'}
+: ${nfsd_srvmaxio:='1048576'}
+
+nfs_root=/share
+nfs_dataset="${state_dataset}/nfs"
+
+# Create ZFS dataset for NFS share.
+create_dataset -o "mountpoint=${nfs_root}" "${nfs_dataset}"
+
+# Allow NFSv4 ACLs to propagate.
+zfs set aclinherit=passthrough aclmode=passthrough "$nfs_dataset"
+
+# Create nfs service principal and keytab.
+add_principal -nokey -x "containerdn=${services_basedn}" "nfs/${fqdn}"
+ktadd -k "${keytab_dir}/host.keytab" "nfs/${fqdn}"
+
+if [ "$BOXCONF_VIRTUALIZATION_TYPE" != jail ]; then
+ set_sysctl \
+ vfs.nfsd.issue_delegations=1 \
+ vfs.nfsd.enable_locallocks=0
+fi
+
+sysrc -v \
+ nfs_server_managegids=YES \
+ nfsuserd_enable=YES \
+ nfsuserd_flags="-usermax ${nfsuserd_cache_size} -usertimeout ${nfsuserd_cache_timeout} ${nfsuserd_num_servers}" \
+ gssd_enable=YES \
+ nfs_server_enable=YES \
+ nfs_server_flags='-t' \
+ nfs_server_maxio="$nfsd_srvmaxio" \
+ nfsv4_server_only=YES \
+ mountd_enable=YES \
+ mountd_flags='-R -S'
+
+# Our krb5.conf assumes MIT Kerberos, but the gssd in base uses the base
+# Heimdal kerberos, which doesnt support %{euid} expansion. So we must
+# override the keytab path with an environment variable.
+sysrc -v gssd_env="KRB5_KTNAME=${keytab_dir}/host.keytab"
+
+install_template -m 0644 /etc/exports
+
+for service in gssd nfsuserd mountd nfsd; do
+ service "$service" status || service "$service" start
+done