blob: a775859bc5c1d237c3e366c2fc53f8e717f813ba (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
|
#!/bin/sh
# Jails serving NFS need 'allow.nfsd' option.
: ${nfsuserd_cache_size:='256'}
: ${nfsuserd_num_servers:='4'}
: ${nfsuserd_cache_timeout:='1'}
: ${nfsd_srvmaxio:='1048576'}
nfs_root=/share
nfs_dataset="${state_dataset}/nfs"
# Create ZFS dataset for NFS share.
create_dataset -o "mountpoint=${nfs_root}" "${nfs_dataset}"
# Allow NFSv4 ACLs to propagate.
zfs set aclinherit=passthrough aclmode=passthrough "$nfs_dataset"
# Create nfs service principal and keytab.
add_principal -nokey -x "containerdn=${services_basedn}" "nfs/${fqdn}"
ktadd -k "${keytab_dir}/host.keytab" "nfs/${fqdn}"
if [ "$BOXCONF_VIRTUALIZATION_TYPE" != jail ]; then
set_sysctl \
vfs.nfsd.issue_delegations=1 \
vfs.nfsd.enable_locallocks=0
fi
sysrc -v \
nfs_server_managegids=YES \
nfsuserd_enable=YES \
nfsuserd_flags="-usermax ${nfsuserd_cache_size} -usertimeout ${nfsuserd_cache_timeout} ${nfsuserd_num_servers}" \
gssd_enable=YES \
nfs_server_enable=YES \
nfs_server_flags='-t' \
nfs_server_maxio="$nfsd_srvmaxio" \
nfsv4_server_only=YES \
mountd_enable=YES \
mountd_flags='-R -S'
# Our krb5.conf assumes MIT Kerberos, but the gssd in base uses the base
# Heimdal kerberos, which doesnt support %{euid} expansion. So we must
# override the keytab path with an environment variable.
sysrc -v gssd_env="KRB5_KTNAME=${keytab_dir}/host.keytab"
install_template -m 0644 /etc/exports
for service in gssd nfsuserd mountd nfsd; do
service "$service" status || service "$service" start
done
|
