Tunneling NFS4 over SSH
Today we needed to mount a filesystem from a system that was almost completely isolated. Instead of transferring a huge amount of data over a tunneled SSH connection, I thought: why not try mounting NFS over an SSH tunnel?
Since NFSv4 runs over a single TCP connection to port 2049 (mount, locking and status are part of the protocol itself, so there are no separate portmapper, mountd or lockd ports to forward as with NFSv3), this would be the perfect opportunity to test that capability. In fact, it should not be hard at all.
Consider the following situation:
some-server (EL4) <-> mgmt-server (Solaris) <-> nfs-server (EL4)
So we connect to our server from the mgmt-server using:
ssh -R 3049:nfs-server:2049 some-server
If "AllowTcpForwarding yes" is set in the sshd_config on some-server, this creates a tunnel back from our server to our nfs-server over the SSH connection from the mgmt-server, so that connecting to port 3049 on some-server takes us to port 2049 on nfs-server. By default the listener on some-server is bound to the loopback address only (unless GatewayPorts is enabled in that sshd_config), which is exactly what we want here: nothing but local processes on some-server should be able to reach the tunnel. Note also that the connection to nfs-server is made by the ssh client running on the mgmt-server, so that is the client address the NFS server will see.
If you have a dedicated management server, you may want to make this permanent in the Host entry for some-server in your ~/.ssh/config as:
RemoteForward 3049 nfs-server:2049
On the nfs-server side, things become a bit more complicated. Configuring NFSv4 is a bit different from what I was used to. Look at the next example config:
The difference is that the export with "fsid=0" is considered the root of the exported directories: it forms a pseudo-filesystem, and clients address every other export by its path relative to that root. NFS no longer expects directories to be exported under the same location they have on the NFS server.
The downside is that you may have to bind-mount your real path into the tree that you export. In my case I would have to do:
mount -o bind /path/share /srv/nfs/share
And as a result, /srv/nfs/share will be exported as /share.
All nice and dandy.
Yes, now let's do the mount:
mount -t nfs4 -o port=3049,hard,intr localhost:/share /path
And this should work, at least if the permissions and the export itself are set correctly. Two things to check in /etc/exports: the NFS server sees the tunneled connection coming from mgmt-server, not from some-server, so mgmt-server is the client that must be allowed, and that connection originates from an unprivileged source port, so the export needs the "insecure" option or the default "secure" check will reject it (the SSH tunnel provides the transport security; "insecure" only relaxes the reserved-port check). If you do have problems, the kernel messages and the mountd and rpc.idmapd messages in /var/log/messages usually give a good indication of the cause. If you are unlucky, nothing is logged and it becomes guesswork.
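The whole procedure, from the SSH forward through the fsid=0 export and bind mount to the client-side mount, as one script that is run with the matching role on each of the three hosts. This is an added example and not the article's own configuration; it uses the host names, paths and port from the article (nfs-server, mgmt-server, some-server, /path/share, /srv/nfs, 3049), and everything else (the exports options, the helper names, the listener check) is this script's own assumption.

```shell
#!/bin/sh
# Added example: NFSv4 over an SSH reverse tunnel, one script with three roles.
#   on nfs-server:   ./nfs-tunnel.sh server   (bind mount, /etc/exports, exportfs)
#   on mgmt-server:  ./nfs-tunnel.sh tunnel   (ssh -R into some-server)
#   on some-server:  ./nfs-tunnel.sh client   (mount over the tunnel)
# Host names, paths and port follow the article; the rest is assumed.
set -eu

NFS_SERVER=nfs-server      # NFSv4 server
MGMT_SERVER=mgmt-server    # host that initiates the SSH session
SOME_SERVER=some-server    # isolated host that mounts the share
REAL_PATH=/path/share      # real directory on nfs-server
NFS_ROOT=/srv/nfs          # NFSv4 pseudo-root (fsid=0)
SHARE=share                # exported as /share below the root
LOCAL_PORT=3049            # tunnel listener on some-server's loopback
MOUNTPOINT=/path           # where some-server mounts the share

# Append one export entry to an exports file, unless that directory is
# already listed there (so the server role can be re-run safely).
# $1 = exports file, $2 = directory, $3 = client spec, $4 = options
add_export() {
    file=$1 dir=$2 client=$3 opts=$4
    if grep -q "^$dir[[:space:]]" "$file" 2>/dev/null; then
        return 0
    fi
    printf '%s %s(%s)\n' "$dir" "$client" "$opts" >> "$file"
}

# The two entries this setup needs. Two points are easy to get wrong:
#  - the TCP connection to port 2049 is opened by the ssh client on
#    mgmt-server, so mgmt-server (not some-server) is the client to allow;
#  - that connection uses an unprivileged source port, which the default
#    "secure" option rejects; "insecure" relaxes only that reserved-port
#    check, the SSH tunnel is what protects the traffic.
# $1 = exports file
write_exports() {
    file=$1
    add_export "$file" "$NFS_ROOT"        "$MGMT_SERVER" "ro,fsid=0,insecure,no_subtree_check"
    add_export "$file" "$NFS_ROOT/$SHARE" "$MGMT_SERVER" "rw,insecure,no_subtree_check"
}

# nfs-server: put the real path into the exported tree and export it.
server_setup() {
    mkdir -p "$NFS_ROOT/$SHARE"
    # bind mount only if it is not already in place (/proc/mounts: "src dst fstype ...")
    if ! grep -q " $NFS_ROOT/$SHARE " /proc/mounts; then
        mount -o bind "$REAL_PATH" "$NFS_ROOT/$SHARE"
    fi
    write_exports /etc/exports
    exportfs -ra    # re-read /etc/exports
    exportfs -v     # show what is exported, with the effective options
}

# mgmt-server: open the reverse tunnel. The listener on some-server is
# loopback-only unless GatewayPorts is set in its sshd_config.
# ExitOnForwardFailure (OpenSSH 4.4 and later) makes ssh exit instead of
# silently continuing when port 3049 is already taken on some-server.
tunnel_up() {
    exec ssh -o ExitOnForwardFailure=yes \
        -R "$LOCAL_PORT:$NFS_SERVER:2049" "$SOME_SERVER"
}

# True if something listens on local TCP port $1 (Linux netstat output).
tunnel_listening() {
    netstat -ltn 2>/dev/null | grep -q "[:.]$1[[:space:]]"
}

# some-server: check the tunnel is up, then mount through it.
client_mount() {
    if ! tunnel_listening "$LOCAL_PORT"; then
        echo "nothing listens on localhost:$LOCAL_PORT; is the ssh -R session up?" >&2
        return 1
    fi
    mount -t nfs4 -o "port=$LOCAL_PORT,hard,intr" "localhost:/$SHARE" "$MOUNTPOINT"
}

case "${1:-}" in
    server) server_setup ;;
    tunnel) tunnel_up ;;
    client) client_mount ;;
    "")     ;;
    *)      echo "usage: $0 server|tunnel|client" >&2 ;;
esac
```

One limitation worth knowing: NFSv4.0 delegations rely on a callback connection from the server back to the client, which the one-way tunnel does not carry, so the server will simply not hand out delegations; the mount itself is unaffected.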
Update: My original article indicated that this was not completely possible. The problem turned out to be the new NFSv4 export configuration, not the tunnel.