tablet/nfs-krb
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: tablet:debug
Branches Tags
tablet:master
tablet:v0.0.4
tablet:v0.0.3
tablet:debug
tablet:v0.0.2
tablet:v0.0.1
...
compare: tablet:master
Branches Tags
tablet:master
tablet:v0.0.4
tablet:v0.0.3
tablet:debug
tablet:v0.0.2
tablet:v0.0.1

4 Commits
debug ... master

Author SHA1 Message Date
☙◦ The Tablet ❀ GamerGirlandCo ◦❧
2ac4b483ea
tag alpine image as latest 2025-10-30 00:22:43 -04:00
☙◦ The Tablet ❀ GamerGirlandCo ◦❧
e12b8dc9a0
add readme.md 2025-10-30 00:17:49 -04:00
☙◦ The Tablet ❀ GamerGirlandCo ◦❧
6f0b01aeca
alpine: workarounds for use cases with custom exports files 2025-10-30 00:15:51 -04:00
☙◦ The Tablet ❀ GamerGirlandCo ◦❧
a75674f812
ensure debug tag isn't pushed to docker 2025-10-29 18:13:45 -04:00
3 changed files with 66 additions and 7 deletions
Show Stats Expand all files Collapse all files

45
README.md Normal file
View File

@ -0,0 +1,45 @@
# thealmightydrawingtablet/nfs-krb
it's an NFS server with kerberos integrated out of the box !
## why?
because nobody else has made one for some reason ¯\\\_(ツ)\_/¯
# usage
### sharing directory via env var
```bash
# works for both ubuntu and alpine images
docker run -d --privileged -v /path/on/host:/container/srv \
-e SHARED_DIRECTORY=/container/srv -e PERMITTED=10.0.0.0/8 \
-e NFS_KRB_PRINC=nfs/localhost.local -e NFS_KRB_REALM=LOCALHOST.LOCAL -e NFS_KRB_PWD='unguessable!'
```
### bring your own `/etc/exports`
```bash
# ubuntu
docker run -d --privileged -v /path/on/host:/container/srv -v ./exports:/etc/exports \
-e PERMITTED=10.0.0.0/8 \
-e NFS_KRB_PRINC=nfs/localhost.local -e NFS_KRB_REALM=LOCALHOST.LOCAL -e NFS_KRB_PWD='unguessable!'
# alpine
docker run -d --privileged -v /path/on/host:/container/srv/folder-1 -v /another/thing:/container/srv/folder-2 -v ./exports:/etc/exports.mnt \
-e PERMITTED=10.0.0.0/8 \
-e NFS_KRB_PRINC=nfs/localhost.local -e NFS_KRB_REALM=LOCALHOST.LOCAL -e NFS_KRB_PWD='unguessable!'
```
## recognized configuration environment variables
| Variable | Default | Required | Alpine | Ubuntu | Description |
| ------------------ | ------------------ | -------- | ------ | ------ | ------------------------------------------------------------------------------- |
| `NFS_KRB_REALM` | - | yes | ✅ | ✅ | Kerberos realm to authenticate with. |
| `NFS_KRB_PRINC` | - | yes | ✅ | ✅ | the service principal which will be added to the keytab. |
| `NFS_KRB_PWD` | - | yes | ✅ | ✅ | kerberos database master password, as well as the password for `NFS_KRB_PRINC`. |
| `RW_MODE` | `rw` | no | ✅ | ✅ | controls NFS export read/write mode and the per-share option string. |
| `SRV_TZ` | `America/New_York` | no | ✅ | ❌ | overrides the system timezone. |
| `SHARED_DIRECTORY` | - | no | ✅ | ✅ | determines whether to configure a singular export. |
| `PERMITTED` | `*` | no | ✅ | ✅ | provides the allowed client list for a single exported directory. |

4
build.sh
View File

@ -1,10 +1,10 @@
#!/bin/bash #!/bin/bash
IMAGE=${IMAGE:-"thealmightydrawingtablet/nfs-krb"} IMAGE=${IMAGE:-"thealmightydrawingtablet/nfs-krb"}
VERSION=$(git tag --sort=-committerdate | head -n 1) VERSION=$(git tag --sort=-committerdate | grep -vi debug | head -n 1)
docker build --progress=plain -t "${IMAGE}:ubuntu" -t "${IMAGE}:${VERSION}-ubuntu" -f ./Dockerfile.ubuntu . docker build --progress=plain -t "${IMAGE}:ubuntu" -t "${IMAGE}:${VERSION}-ubuntu" -f ./Dockerfile.ubuntu .
docker build --progress=plain -t "${IMAGE}:alpine" -t "${IMAGE}:${VERSION}-alpine" . docker build --progress=plain -t "${IMAGE}:alpine" -t "${IMAGE}:${VERSION}-alpine" -t "${IMAGE}:latest" .
if [ "$1" == "push" ]; then if [ "$1" == "push" ]; then
docker push --all-tags "${IMAGE}" docker push --all-tags "${IMAGE}"

24
entrypoint.sh
View File

@ -1,5 +1,5 @@
#!/bin/bash #!/bin/bash
set -xuo pipefail set -xo pipefail
trap "stop; exit 0;" SIGTERM SIGINT trap "stop; exit 0;" SIGTERM SIGINT
stop() stop()
@ -13,7 +13,7 @@ stop()
exit exit
} }
DEFALUT_TIMEZONE="America/New York" DEFALUT_TIMEZONE="America/New_York"
DEFAULT_PERMITTED="*" DEFAULT_PERMITTED="*"
RW_MODE="rw" RW_MODE="rw"
UID=${NFS_UID:-0} UID=${NFS_UID:-0}
@ -39,6 +39,23 @@ if [ -n "${SHARED_DIRECTORY}" ]; then
EOE EOE
chmod 777 "${SHARED_DIRECTORY}" chmod 777 "${SHARED_DIRECTORY}"
else
cp /etc/exports.mnt /etc/exports
grep -vi "^[[:space:]]*#" /etc/exports | while read -r line; do
if [ -n "${line}" ]; then
trimmed="${line##*([[:space:]])}"
# shellcheck disable=SC2001
rcdir="$(eval "declare -a str=($( echo "$trimmed" | sed 's/[][`~!@#$%^&*():;<>.,?|{}=+-]/\\&/g' )); echo \${str[0]}")"
cdir="${rcdir##*(\")}"
echo "${cdir}"
mkdir -p "/exports${cdir}"
mount --bind -o rw "${cdir}" "/exports${cdir}"
chmod 777 "/exports${cdir}"
fi
done
sed -i -r '/^[[:space:]]*#/!s/^("?)/\1\/exports/' /etc/exports
# root entry
echo -e "\n/exports *(rw,no_root_squash,insecure,no_subtree_check,nohide,fsid=0,sync,sec=krb5p:krb5i:krb5)" >> /etc/exports
fi fi
# setup logging # setup logging
@ -48,9 +65,6 @@ syslogd
exportfs -rvaf exportfs -rvaf
echo "${NFS_KRB_REALM}" > /etc/hostname
export OPTS_RPC_MOUNTD='--debug all -t 8 -N 3' export OPTS_RPC_MOUNTD='--debug all -t 8 -N 3'
cat >> /etc/conf.d/nfs <<EOC cat >> /etc/conf.d/nfs <<EOC
OPTS_RPC_MOUNTD="${OPTS_RPC_MOUNTD}" OPTS_RPC_MOUNTD="${OPTS_RPC_MOUNTD}"