# nfs security?

## addeman

How secure is nfs, is it acceptable to share / on my server/router at home, setting the share for one internal ip only? I'm considering to do so to chroot into that environment and so use my p4 to compile for my _slow_ server, as distcc doesn't seem to do the trick  :Sad:  Is it preferable to go through and install afs instead?

regards addeman

----------

## adsmith

Basically, nfs just throws your data around willy-nilly.  Don't use it on an insecure network.  That is, make sure your firewall doesn't allow the outside world to access its port.

That said, if the computers on your LAN are trusted and your file permissions are set well, there's no real problem.

By the way, the "chroot through NFS" thing works fairly well in desperate situations.  Here are two scripts I use to do this:

on the FAST machine (tock), a file /usr/local/sbin/emerge-closet-on-tock-remote.sh:

```
#!/bin/bash
# Runs on the FAST machine: mount the slow machine's root over NFS,
# chroot into it and run the local helper script there.
cd /tmp
mount closet:/ /mnt/closet && echo /mnt/closet mounted.
echo -n "Waiting for mount:"
for i in $(seq 5); do sleep 1 && echo -n .; done
echo "!"
echo "Executing closet:/usr/local/sbin/emerge-closet-on-tock-local.sh $*"
# Quote "$@" so arguments containing spaces are passed through intact.
chroot /mnt/closet /usr/local/sbin/emerge-closet-on-tock-local.sh "$@" 2>&1
echo ""
echo -n "Waiting for unmount:"
for i in $(seq 5); do sleep 1 && echo -n .; done
echo "!"
umount /mnt/closet && echo /mnt/closet unmounted.
```

on the SLOW machine (closet), a file /usr/local/sbin/emerge-closet-on-tock-local.sh:

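```
#!/bin/bash
# Runs inside the chroot (the slow machine's root filesystem).
env-update ## added from below post
source /etc/profile ## added from below post
#source /etc/bashrc ## removed -- not standard for most people
# tmpfs is mounted by the machine doing the chroot, so temp files stay in its RAM.
mount -t tmpfs tmpfs /mnt/tmp
# Quote "$@" so emerge receives the arguments exactly as they were passed in.
FEATURES="-distcc" MAKEOPTS="-j3" PORTAGE_TMPDIR="/mnt/tmp" emerge "$@" 1>&2
rm -rf /mnt/tmp/*
umount /mnt/tmp
```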

This just passes all arguments to the final emerge process, so I can do something like this on tock (FAST):

```
/usr/local/sbin/emerge-closet-on-tock-remote.sh -uDv --newuse world
```

to upgrade closet (SLOW) remotely

the tmpfs stuff is so that the remote, slow machine uses the RAM of the fast machine for all its temp stuff, otherwise network traffic makes everything super-slow.

Last edited by adsmith on Fri Jan 28, 2005 6:38 pm; edited 1 time in total
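An added example (not from the thread or from any project): a small audit of /etc/exports entries for the concerns discussed above, namely sharing / and limiting the share to one internal IP. The sample file contents and function names are constructed; `no_root_squash` and `insecure` are standard exports(5) options, and a root chroot build over NFS like the one scripted above generally needs `no_root_squash`, which makes root on the client equivalent to root on the export.

```python
import ipaddress
import re

# Constructed sample /etc/exports (not taken from the thread).
SAMPLE_EXPORTS = """\
/        192.168.0.10(rw,sync,no_root_squash)   # root build client
/backup  192.168.0.0/24(ro,sync)
/mp3     *(rw,insecure)
/srv     (rw)
"""

CLIENT_RE = re.compile(r"^(?P<host>[^()]*)(?:\((?P<opts>[^)]*)\))?$")

def is_single_ip(host):
    """True only for one literal IP address (no wildcard, subnet or name)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_exports(text):
    """Return (path, client, finding) tuples for risky export entries."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        path, clients = fields[0], fields[1:] or ["*"]  # no client = everyone
        for spec in clients:
            m = CLIENT_RE.match(spec)
            if not m:
                findings.append((path, spec, "unparseable client spec"))
                continue
            host = m.group("host") or "*"
            opts = set((m.group("opts") or "").split(","))
            if not is_single_ip(host):
                findings.append((path, host, "not limited to a single IP"))
            if "no_root_squash" in opts:
                findings.append((path, host, "client root acts as root here"))
            if "insecure" in opts:
                findings.append((path, host, "unprivileged source ports accepted"))
            if path == "/" and "rw" in opts:
                findings.append((path, host, "entire root filesystem is read-write"))
    return findings

if __name__ == "__main__":
    for item in audit_exports(SAMPLE_EXPORTS):
        print(*item, sep="\t")
```

An entry that passes every check here is still only as trustworthy as the client at that IP, since classic NFS host restrictions rely on the source address.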

----------

## addeman

I just love these forums and the people using them  :Wink: 

Thank you very much, I'll try this _now_ , an emerge -e system is not too fun to do on a pII 233  :Wink: 

Again, thank you very much!

Best regards

addeman

----------

## addeman

Just a little question though... Shouldn't there be some env-update somewhere after the chroot command?

regards addeman

----------

## adsmith

Sure, I guess that would help.  The /etc/profile stuff is solved for me by sourcing /etc/bashrc, since that sources /etc/profile for me, along with some other stuff.  I guess I didn't worry about ld.conf, since my two machines were closely configured, but yes -- that would certainly be good to do!

----------

## addeman

Would something like this do the job? (It is from the alternative installation methods guide, for installing from existing linux...)

```
# env -i HOME=$HOME TERM=$TERM chroot /mnt/gentoo /bin/bash
# /usr/sbin/env-update
# source /etc/profile
```

regards addeman

----------

## adsmith

Yeah, that looks okay to me (though I wonder if env -i ... is overkill) 

In any case, there's only one way to find out  :Smile: 

shell scripts are all about experimentation..

----------

## addeman

I'm not too handy with shell-scripts, but I like experimenting  :Wink:  I'm actually doing it right now  :Wink: 

----------

## addeman

Well... There seems to be something wrong, I get the following error:

```
>>> Regenerating /etc/ld.so.cache...
 * Caching service dependencies...
Calculating dependencies ...done!
>>> emerge (1 of 9) sys-devel/gcc-config-1.3.8-r4 to /
>>> /tmp/sandboxpids.tmp fcntl file lock: No locks available
>>> pids file write: No locks available
bash-2.05b# nano /etc/exports 
bash-2.05b# 
```

What could cause this?

regards addeman

----------

## adsmith

I'm guessing /tmp isn't mounted properly, or it's looking in the wrong directory

Where is /tmp mounted, and what is your PORTAGE_TMPDIR set to?

----------

## addeman

The /tmp is as follows:

```
drwxrwxrwt   5 root root  168 Feb  4 07:03 tmp
```

and mount on the slow machine gives... when this was copied, the /mnt/tmp was not mounted, which it was during compilation tries.

```
/dev/ide/host0/bus0/target0/lun0/part3 on / type reiserfs (rw,noatime)
none on /dev type devfs (rw)
none on /proc type proc (rw)
none on /sys type sysfs (rw)
none on /dev/pts type devpts (rw)
/dev/ide/host0/bus0/target0/lun0/part1 on /boot type reiserfs (rw,noatime,notail)
/dev/ide/host0/bus0/target0/lun0/part4 on /backup type reiserfs (rw,noatime,notail)
/dev/ide/host0/bus0/target0/lun0/part6 on /mp3 type reiserfs (rw,noatime,notail)
none on /dev/shm type tmpfs (rw)
none on /proc/bus/usb type usbfs (rw)
nfsd on /proc/fs/nfs type nfsd (rw)
```

The error only occurs when trying to emerge from the chrooted env, an emerge started over ssh works without a hitch...

The PORTAGE_TMPDIR is set to /mnt/tmp , so I don't understand why portage goes looking in /tmp at all..

best regards

addeman

----------

## adsmith

hmm.. I'm really not sure why it wouldn't be looking in the right directory.

Silly question -- did you mkdir /mnt/tmp on the slow machine?

I presume you've gone through the chroot procedure by hand to look for problems?

Also, just as an experiment, maybe change the fast machine's /etc/make.conf to point to /mnt/tmp.  It really, really shouldn't make any difference at all, but I'm baffled.

----------

## addeman

Well, I went a little crazy and did the following:

```
rm -rf /tmp
ln -s /mnt/tmp /tmp
```

And now it works, so I guess I'll just include it in the scripts  :Wink: 

Edit: At least I thought it worked, it compiled the package (I compiled samba as a test), but at unmerging the previous installation I get this:

```
.
.
.
--- !empty dir /etc
--- !targe sym /usr/lib/libsmbclient.so.0
--- !targe sym /usr/lib/libsmbclient.so
--- !targe sym /usr/lib/cups/backend/smb
--- !targe sym /sbin/mount.smbfs
--- !targe sym /sbin/mount.cifs
>>> original instance of package unmerged safely.
Traceback (most recent call last):
  File "/usr/bin/emerge", line 3045, in ?
    mydepgraph.merge(mydepgraph.altlist())
  File "/usr/bin/emerge", line 1838, in merge
    retval=portage.doebuild(y,"merge",myroot,self.pkgsettings,edebug)
  File "/usr/lib/portage/pym/portage.py", line 2652, in doebuild
    return merge(mysettings["CATEGORY"],mysettings["PF"],mysettings["D"],mysettings["BUILDDIR"]+"/build-info",myroot,mysettings,myebuild=mysettings["EBUILD"])
  File "/usr/lib/portage/pym/portage.py", line 2785, in merge
    return mylink.merge(pkgloc,infloc,myroot,myebuild)
  File "/usr/lib/portage/pym/portage.py", line 6769, in merge
    return self.treewalk(mergeroot,myroot,inforoot,myebuild,cleanup=cleanup)
  File "/usr/lib/portage/pym/portage.py", line 6460, in treewalk
    mylock = portage_locks.lockfile(destroot+CONFIG_MEMORY_FILE)
  File "/usr/lib/portage/pym/portage_locks.py", line 93, in lockfile
    fcntl.lockf(myfd,fcntl.LOCK_EX|fcntl.LOCK_NB)
IOError: [Errno 37] No locks available
```

Well well, I'll try some other packages, see how it goes...

edit 2:

I think that the above error is caused by too little RAM, need to buy more  :Wink:  Or maybe mount a tmp-space from my "fast" computer...

Best regards

addeman

----------

## bsdvodsky

If you get:

```
>>> /tmp/sandboxpids.tmp fcntl file lock: No locks available
>>> pids file write: No locks available
```

Here's a solution! In short, use 'auto,rw,hard,intr,nolock' option at mount.
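An added example (not from the thread and not Portage code): a probe that takes the same non-blocking exclusive `fcntl.lockf` lock shown in the traceback above, so a directory on an NFS-backed chroot can be checked for "No locks available" (ENOLCK, errno 37 on Linux) before starting a build. The function names and the directories probed are assumptions.

```python
import errno
import fcntl
import os
import tempfile


def probe_fcntl_lock(directory):
    """Take and release an exclusive, non-blocking fcntl lock in `directory`.

    Returns "ok", or "no-locks" when the filesystem answers ENOLCK
    ("No locks available"). Any other error is re-raised.
    """
    fd, path = tempfile.mkstemp(prefix="lockprobe.", dir=directory)
    try:
        fcntl.lockf(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        fcntl.lockf(fd, fcntl.LOCK_UN)
        return "ok"
    except OSError as exc:
        if exc.errno == errno.ENOLCK:
            return "no-locks"
        raise
    finally:
        # Always remove the probe file, whether or not locking worked.
        os.close(fd)
        os.unlink(path)


def probe_many(directories):
    """Map each existing directory to its probe result."""
    return {d: probe_fcntl_lock(d) for d in directories if os.path.isdir(d)}


if __name__ == "__main__":
    # Assumed directories; run inside the chroot against the paths the build locks.
    for d, result in probe_many(["/tmp", "/var/tmp"]).items():
        print(f"{d}: {result}")
```

With `nolock`, locks taken on the mount are local to that client and do not exclude processes on the server or on other clients, so a probe that reports "ok" there says nothing about cross-machine exclusion.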

----------

