
What I have:

  • Synology NAS (IP x.x.x.11)
    • Docker installed, and a docker user and group,
    • running many containers using the docker user,
    • all containers' storage inside /volume1/docker/,
    • NFS share for /volume1/docker/ (see footnote 1 below);
  • Linux PC (IP x.x.x.10)
    • Docker installed, no docker user and group yet,
    • mounted NFS share as /media/docker on the PC (see footnote 1 below),
    • this user only has read access,
    • sudo has write access, but I don't want to run everything as root!

What I want:

  • Run the containers using the PC's CPU,
  • Keep the containers' storage on the NAS,
  • only this PC (or possibly only a particular user on the PC?)
    shall have network access to the NFS share.

Questions:

  1. On the NAS, how do I prevent READ access to the share from anywhere except that PC?
  2. On the NAS, how do I grant WRITE access to the share, but only to this PC? (And only to a particular user??)
  3. Do I need to set up a docker user and group on the PC? I could just use the existing (non-root) user, uid=1001.
  4. On the PC, how do I configure /etc/fstab to give write access to that non-root user on the PC?

Footnote:

  1. On the NAS, sudo cat /etc/exports gives:
/volume1/docker 192.168.1.10(rw,async,no_wdelay,crossmnt,no_root_squash,insecure_locks,sec=sys,anonuid=1025,anongid=100)
  1. On the PC, cat /etc/fstab gives:
192.168.1.11:/volume1/docker /media/docker nfs rw,vers=4 0 0
  • Have you tried to export it twice, one with r/w for only the IP, second with r/o for all? Commented Sep 17, 2022 at 18:14
  • What I understand from your questions 1 and 2 is that you want to grant read AND write access to only the PC?
    – PierU
    Commented Sep 17, 2022 at 18:28
  • @RomeoNinov, r/o for all is incorrect, it should be disallowed for all except the server's docker user. Commented Sep 17, 2022 at 19:42
  • @PierU, yes correct! It's vital that the server's docker user can write; it's optional but desirable that nobody else can even read. Commented Sep 17, 2022 at 19:44
  • @TorbenGundtofte-Bruun, I just gave an idea of how to make the share r/w for someone/some IP and r/o for others. Commented Sep 17, 2022 at 19:48

1 Answer

In /etc/exports on the server (NAS), export the desired path:

/volume1/foo  192.168.1.10(async,rw,all_squash,anonuid=1038,anongid=65544)
# 192.168.1.10 is the only allowed client IP
# connections will be made as if with local user 1038, local group 65544

Then enter exportfs -r to refresh (activate the new settings).

/etc/fstab on the client (PC):

192.168.1.11:/volume1/foo /media/bar nfs nfsvers=3 0 0
# 192.168.1.11 is the server
# forcing NFS version 3 because Synology NAS does not support version 4!

Then enter mount -a to activate the new settings.

On the client, touch /media/bar/foo.txt should now work, and ls -l will show that the file is created with uid=1038 and gid=65544.

  • Unless I missed something, this does not answer this part of the question 2: "how do I grant WRITE access to the share, but only to this PC? And only to a particular user". The all_squash option will de facto give the write access to all users.
    – PierU
    Commented Oct 17, 2022 at 15:35
  • Thank you, good point! I would be happy if you could improve the answer (or post another). Commented Oct 17, 2022 at 15:48
  • As I wrote in a previous comment, I can't see obvious solutions apart from creating on the PC a user with the same uid/gid (at least the same uid) as on the NAS.
    – PierU
    Commented Oct 17, 2022 at 16:41
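
An added example, not part of the question, the answer or any comment: a small Python audit that parses the two /etc/exports lines quoted on this page and reports which identity-related options each one carries (no_root_squash, all_squash with rw, and the default sec=sys trust in the client's uid). The function names and finding codes are this example's own, hypothetical labels.

```python
import re

# Constructed sample: the two /etc/exports lines quoted on this page.
SAMPLE_EXPORTS = """\
/volume1/docker 192.168.1.10(rw,async,no_wdelay,crossmnt,no_root_squash,insecure_locks,sec=sys,anonuid=1025,anongid=100)
/volume1/foo  192.168.1.10(async,rw,all_squash,anonuid=1038,anongid=65544)
"""

# One client spec: "host(opt,opt=val)", bare "host", or "(opts)" meaning any host.
CLIENT_RE = re.compile(r"(?P<host>[^\s()]*)(?:\((?P<opts>[^)]*)\))?")


def parse_exports(text):
    """Yield (path, host, options) for each client on each export line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = CLIENT_RE.fullmatch(spec)
            if m is None:
                continue  # malformed spec, e.g. an unclosed parenthesis
            opts = {}
            for item in filter(None, (m["opts"] or "").split(",")):
                key, _, value = item.partition("=")
                opts[key] = value
            yield path, m["host"], opts


def audit(text):
    """Return (path, host, finding) tuples; the finding codes are hypothetical labels."""
    findings = []
    for path, host, opts in parse_exports(text):
        if host in ("", "*"):
            findings.append((path, host, "open-to-any-host"))
        if "no_root_squash" in opts:
            findings.append((path, host, "client-root-is-root-on-share"))
        if "all_squash" in opts:
            if "rw" in opts:  # every client user becomes anonuid and can write
                findings.append((path, host, "any-client-user-writes-as-anonuid"))
        elif opts.get("sec", "sys") == "sys":  # AUTH_SYS: server believes the client's uid
            findings.append((path, host, "uid-asserted-by-client"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORTS):
        print(*finding, sep="  ")
```
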
