This is a total rewrite since FreeBSD and ZFS have the ability to export nfs directly. You can always not use the sharenfs function in zfs (ie, sharenfs=off) and use the standard way of exporting. ZFS running nfs actually is not as pretty as the old way, but it is very efficient for maintenance.
The following assumes you have a zpool named storage and you will create a tree of nfs exportable directories under that.
For our needs, we want some exports that will go to our Linux Xen machines, which will have common data between them. For example, our xen configuration files should be available across all of our DOM0's. That allows us to migrate from one DOM0 to another. Additionally, we need some space to store installer images (iso's), and another one where we just put some stuff that is handy to have on DOM0's.
We also want to export to a couple of running virtuals to store large amounts of data. Since they have public interfaces, we need to set up our nfs server to allow only limited access, both by limiting through nfs and also with firewalls.
First, we need some directories to export. Since we want to configure space, etc…, we will do this by creating zfs entries.
zfs create -o atime=off -o dedup=off -o mountpoint=/media/nfs_root storage/nfs_root
zfs create -o quota=100G storage/nfs_root/dom0
mkdir -p /media/nfs_root/dom0/xen-configs
mkdir -p /media/nfs_root/dom0/xen-store
mkdir -p /media/nfs_root/dom0/xen-images
chmod 777 /media/nfs_root/dom0/xen*
zfs create storage/nfs_root/simon
zfs create storage/nfs_root/strax
Note that we created storage/nfs_root so we could set some options that will be inherited by subdirectories, in this case, the mount point, atime=off and dedup=off (that is the default anyway).
We then created storage/nfs_root/dom0 under it, and gave it a quota of 100G. The dom0 stuff should be fairly secure since their firewalls limit the access, so we just put the alldirs option in to allow the dom0's to mount subdirectories wherever they want.
Finally, we create two stores for some servers to put their stuff in, and we limit access to them to only the server itself.
NFS can be exported via ZFS, but that appears to be a little flaky still, so I went back to the old, tried and true (v1 was built by Sun Microsystems in 1984). On FreeBSD (and everything else I've worked on), this is done via the /etc/exports file. The following will export our stuff:
/media/nfs_root/dom0 -alldirs 10.81.210.37 10.81.210.32
/media/nfs_root/simon -maproot=root 192.168.150.68
/media/nfs_root/strax -maproot=root strax.example.com
service mountd reload
must be run any time the exports file is modified.
This allows servers at IP addresses 10.81.210.37 and 10.81.210.32 to access /media/nfs_root/dom0, and mount specific directories under it independently. We then set up simon and strax to mount the other two, limiting simon by IP address and strax by its DNS name. In this case, -maproot=root allows the client's root user to mark files/directories as the root user (vs nobody).
There are tons of other options. See https://www.freebsd.org/doc/handbook/network-nfs.html for a brief discussion and/or man 5 exports on any Unix system for details.
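The following Python script is an added example, not part of the original page: it parses exports(5) lines like the ones above and lists the settings worth reviewing before reloading mountd (no host restriction, root not mapped to nobody, -alldirs, hosts given by name rather than IP). The sample input is constructed from the three lines on this page plus a hypothetical /media/nfs_root/scratch line, and the function names are illustrative.

```python
import ipaddress
# Constructed sample: the three export lines from this page plus one
# hypothetical line with no host list, to show the export-to-everyone case.
SAMPLE_EXPORTS = """\
/media/nfs_root/dom0 -alldirs 10.81.210.37 10.81.210.32
/media/nfs_root/simon -maproot=root 192.168.150.68
/media/nfs_root/strax -maproot=root strax.example.com
/media/nfs_root/scratch -alldirs
"""

def parse_line(line):
    """Split one exports(5) line into (paths, options, hosts)."""
    paths, opts, hosts = [], {}, []
    tokens = iter(line.split("#", 1)[0].split())  # drop trailing comment
    for tok in tokens:
        if tok.startswith("/"):
            paths.append(tok)
        elif not tok.startswith("-"):
            hosts.append(tok)
        else:
            for opt in tok[1:].split(","):  # "-alldirs,quiet,ro" form
                name, _, value = opt.partition("=")
                if name in ("network", "mask") and not value:
                    value = next(tokens, "")  # "-network 10.0.0.0" form
                opts[name] = value
    return paths, opts, hosts

def is_ip_literal(host):
    try:
        ipaddress.ip_network(host, strict=False)
        return True
    except ValueError:
        return False

def audit_exports(text):
    """Return (path, note) pairs for export settings worth reviewing."""
    findings = []
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        paths, opts, hosts = parse_line(line)
        notes = [f"{h} is matched by name, not by IP literal"
                 for h in hosts if not is_ip_literal(h)]
        if not hosts and "network" not in opts:
            notes.append("no host list: exported to every client")
        mapped = (opts.get("maproot") or opts.get("mapall") or "").split(":")[0]
        if mapped in ("root", "0"):
            notes.append("client root keeps root on this export")
        if "alldirs" in opts:
            notes.append("any subdirectory can be mounted")
        findings += [(p, n) for p in paths for n in notes]
    return findings
```

Run audit_exports(open("/etc/exports").read()) on the server and compare each note against what the firewall actually permits for that client.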
You can now start nfs by
service nfsd onestart
which will start rpcbind and nfsd. If you have an error, you can shut it down with two commands:
service nfsd onestop
service rpcbind onestop
When you have no errors, you can set this up to be permanent by adding the following to /etc/rc.conf:
rpcbind_enable="YES"
nfs_server_enable="YES"
# the -h below binds mountd to a specific IP, so a machine with
# multiple IP's will only respond if this one is used for the
# request
mountd_flags="-r -h 192.168.0.1"
# uncomment the following lines if server side file locks are
# needed. Note you must replicate this on the clients
#rpc_lockd_enable="YES"
#rpc_statd_enable="YES"
nfs will now be enabled at boot time. Note the two commented lines beginning with rpc_. Enable these if you ever need server side locking on your nfs mounts. You must also enable them on each client. Locks will then be honored for all clients which access this mount.
Note the mountd_flags entry. mountd is what actually handles the mount request from clients. The -r flag allows individual files to be mounted, such as a swap file, or a virtual image. Additional flags may be specified. See man 8 mountd for more information. Two nice ones are the -h and -p flags which allow you to specify the IP and Port mountd will listen on.