Mac OS X as an NFS Server

Overview
This covers the steps necessary to export filesystems on Mac OS X via NFS. This was originally written in the 10.1 days, but is still applicable as of 10.4.2 (non-server versions).
Like setting up a client, configuring OS X to be a server involves updating NetInfo. For a server, there are several Unix daemons which need to run (one of which needs to be notified if it is already running).
The example filesystem to be exported in this document will be /external/path; obviously change this to something useful.
The steps are to add a new directory to NetInfo, called /exports, and add directories to that which are to be exported.


NetInfo Changes, via Graphical Interface

1. To accomplish this in Aqua, run NetInfo Manager (located in /Applications/Utilities) and authenticate as an administrator (the little lock at the bottom of the window).
   
   
   Authenticate lock



2. We need to create a new directory, so click on the left-most directory (called simply, /), and create a new directory (through the button, menu option, or shortcut Cmd-N).
   This will create a new directory called new_directory, which we need to rename.
   
   
   root in the directory browser
   
   
   
   Ways to create a directory



3. In the bottom-part of the window, double-click on new_directory in the Value(s) column, which will highlight new_directory and place the insertion point there. Simply type exports to rename it, then save changes (Cmd-S or Domain menu, and select Save) to update the browser portion of the window.
   
   
   Renaming the newly-created directory
   
   
   
   Now renamed, but not saved
   
   
   
   Now renamed and saved
   
   All exported filesystems will be listed under this new directory. Let's add one.



4. Click on exports in the browser, and create a new directory. The value of the name property for each subdirectory in exports specifies the local filesystem to be exported (in our example, /external/path).
   Double-click new_directory in Value(s), and enter /external/path (make sure there is no trailing slash on this). This specifies the local path to export to clients, but nothing about which clients should be allowed access, or what options to use. For that, we need to add two more properties.



5. Under the Directory menu is a command, New Property, which is what we will use to add the properties. Select this command twice, as we'll be specifying the clients who will be allowed access, and the export options.
   
   
   Two new properties added



6. Double-click the first new_property and rename it to opts; set the value of this property to ro to export this filesystem as read-only (see the manpage for exports for the options which can be used). Change the second new_property to clients, and set the value to a blank (delete what is currently there), which means export to all clients (see the note about default entry, below).
   
   
   Properties are now set



7. Save changes. All required information is now in NetInfo for the system to export filesystems via NFS. What's left is to notify or start the NFS server-related daemons.

You can repeat this procedure for any other directories you wish to export (but be sure to read the note about default entry, below, if you export several directories to empty clients properties).

NetInfo Changes, Command Line
Adding NFS export information to NetInfo from a command line involves running a few simple commands: one to create the entry, and two more to add the necessary options.

1. To create the new entry, run
   

   
   sudo nicl . -create /exports/\\/external\\/path
   

   
   Since NetInfo uses the / to separate path components, and we have / characters in the entry we want to create, those / have to be escaped. This is done with the backslash, \, and since we are running in a shell, we need to double them up. After the shell is done examining the command, the string \\/ becomes \/ which is what we need to pass to nicl. If we don't use any backslashes, nicl will end up creating an entry /exports/external which has a subdirectory path. This is definitely not what we want.
   Basically, double-backslash the forward slashes in the path to export (/external/path), but not the NetInfo path (/exports/). Note also the part /\\/ as the path we are exporting is /external/path which includes the leading /.
   If you added /exports/external\\/path then the path exported would be external/path which is a relative path, but relative to what?
   Make sure to not put in a trailing slash on the path.



2. Now we need to add the two properties which specify the allowed clients and any options we need. These properties are clients which we'll set to an empty string (which means all clients, but read the note on default entry, below); and opts, set to ro so the directory is mounted read-only (see the manpage for exports for the options which can be used). The commands to accomplish this are:
   

   
   sudo nicl . -append /exports/\\/external\\/path clients ""
   sudo nicl . -append /exports/\\/external\\/path opts ro
   

   
   

You can repeat this procedure for any other directories you wish to export (but be sure to read the note about default entry, below, if you export several directories to empty clients properties).

Starting Daemons or Notifying mountd
For serving NFS, Mac OS X has three daemons which need to be running: portmap which tells clients how to contact the NFS daemons, mountd which handles mounting of NFS filesystems, and nfsd which handles all the rest of serving NFS. See the respective man pages for more information on these.
The first thing to know is, if a machine has no exports listed, these daemons will not be started when the OS starts. portmap is started by /System/Library/StartupItems/Portmap/Portmap (prior to 10.4, and by launchd in 10.4 and later), and both mountd and nfsd are started by /System/Library/StartupItems/NFS/NFS. If you're curious, a look at these scripts will show where they check for exports before starting the respective daemons. The NFS script also starts the NFS client daemons, FYI.
The point of this information is, if this is the first time you add NFS exports, these daemons have to be started before anything works. If this is the case, you'll need to start the daemons (mentioned below). If they are already running, you merely need to notify mountd of export changes (also below).

Starting Daemons
If the daemons aren't running yet (ie, you just added your first exports), you can either start them up by hand, or simply reboot. To start them, run (don't start portmap if you're running on 10.4 or later):

cd /
sudo /usr/sbin/portmap
sudo /usr/sbin/mountd
sudo /sbin/nfsd -t -u -n 6

The order is important. The arguments given to nfsd are the default; if you've added your own to NetInfo's /config/nfsd, use those instead. Once they are started, you're ready to test them.

Notifying mountd
If the daemons are already running, modifying /exports requires a notification be sent to only mountd. This can be done simply by running:

sudo kill -1 `cat /var/run/mountd.pid`

Note those are backticks, not single quotes.

Testing The Exports
To see what mountd is offering, you can run:

showmount -e

This shows the exported filesystems on your machine. You can also run this against another machine as:

showmount -e nfsserver

The output from showmount should look like:

Exports list on localhost:
/external/path                      Everyone

This indicates the exports are setup properly and mountd is aware of them. The next test is to actually attempt to mount the filesystem. This is accomplished by running:

sudo mount localhost:/external/path /private/mnt

This mounts the exported filesystem into /private/mnt, so an ls of /private/mnt should show the same files as under /external/path.
Once this is verified, unmount it by running

sudo umount /private/mnt

The only testing left is to try mounting the filesystem on a different machine. If that doesn't work, you'll have to consult further documentation, as a full NFS troubleshooting discussion is beyond the scope of this document.

Notes About Being an NFS Server

• default entry
  One big issue is where you try to export more than one directory on the same filesystem to a blank clients property. The first one is picked up, labeled as the "default entry" for that filesystem, and any other directory on that same filesystem with a blank clients list will not in fact be exported. This is covered in the manpage for exports, but the wording is quite vague.
  The fix for this is to add the additional directories to the name property of the first one you add. For example, if you want to export /Users/user1 and /Users/user2 to everybody and both directories are on the same filesystem, you would set it up as follows,
  

  
  sudo nicl . -create /exports/\\/Users\\/user1
  sudo nicl . -append /exports/\\/Users\\/user1 name /Users/user2
  sudo nicl . -append /exports/\\/Users\\/user1 clients ""
  sudo nicl . -append /exports/\\/Users\\/user1 opts ro
  

  
  This then causes both /Users/user1 and /Users/user2 to be the default entry.



• Security Information
  One note about security. Be very careful with exports which use an empty clients property, as that means any machine can see the exported files. Whenever possible, only specify machines which need to access the exported filesystem. Also, whenever possible, export filesystems read-only (an opts value of ro).



• Viewing /exports from the command line
  If you want to look at what's currently in /exports from the command line, run
  

  
  nidump -r /exports .
  

  
  This will dump out the information recursively (what's in /exports, and all the information pertaining to it). It should look something like
  

  
  {
    "name" = ( "exports" );
    CHILDREN = (
      {
        "name" = ( "/external/path" );
        "clients" = ( "" );
        "opts" = ( "ro" );
      }
    )
  }