NFS is fine if you can lock it down at the network level, but otherwise it’s Not For Security.
Comment on Homelab upgrade - "Modern" alternatives to NFS, SSHFS?
possiblylinux127@lemmy.zip 2 months ago
What’s wrong with NFS? It is performant and simple.
vext01@lemmy.sdf.org 2 months ago
Appoxo@lemmy.dbzer0.com 2 months ago
NFS + Kerberos?
But everything I read about NFS amd so on: You deploy it on a dedicated storage LAN and not in your usual networking LAN.
vext01@lemmy.sdf.org 2 months ago
I tried it once. NFSv4 isn’t simple like NFSv3 is. Fewer systems support it too.
linuxguy@lemmy.gregw.us 2 months ago
Gotta agree. Even better if backed by zfs.
forbiddenlake@lemmy.world 2 months ago
By default, unencrypted, and unauthenticated, and permissions rely on IDs the client can fake.
May or may not be a problem in practice, one should think about their personal threat model.
Mine are read only and unauthenticated because they’re just media files, but I did add unneeded encryption via ktls because it wasn’t too hard to add (I already had a valid certificate to reuse)
possiblylinux127@lemmy.zip 2 months ago
NFS is good for hypervisor level storage. If someone compromises the host system you are in trouble.
486@lemmy.world 2 months ago
Not only the host. You have to trust every client to behave, as @forbiddenlake already mentioned, NFS relies on IDs that clients can easily fake to pretend they are someone else. Without rolling out all the Kerberos stuff, there really is no security when it comes to NFS.
possiblylinux127@lemmy.zip 2 months ago
You misunderstand. The hypervisor is the client. Stuff higher in the stack only sees raw storage. (By hypervisors I also mean docker and kubernetes) From a security perspective you just set an IP allow list