My Use case
To establish a seamless synchronization of project files between a MacBook (working station) and a Raspberry Pi (hosting server), allowing for automatic updates and accessibility of the project from both devices.
device/tool | version |
---|---|
DS420+ | DSM 7.2-64570 |
Raspberry PI | 400 |
The user begins working on the project using the IDE on the MacBook, editing and updating project files within the synchronized folder. As changes are made, they are automatically reflected in the synchronized folder and accessible on the Raspberry Pi in read-only mode.
1. Create folder on NAS
1.1 Set up NFS rules
To start with, create a shared folder: Control Panel -> Create -> Create Shared Folder
Follow all steps through the Shared Folder Creation Wizard panel. Once you are done, select your folder (in my case it is yuklia_projects), click on Edit, navigate to the NFS permissions tab, and create an NFS rule.
rule | value | note |
---|---|---|
Hostname or IP | raspberrypi_local_ip | 🔒 Limit access to trusted IPs only to reduce the attack surface. |
Privilege | Read only | Read-only, since I don’t need my files to be changed on the Raspberry Pi side. |
Squash | Map all users to guest | Assigns access privileges to all users of NFS client equivalent to the guest access privileges on your system. |
Security | AUTH_SYS | Use the NFS client’s UID (user identifier) and GID (group identifier) to check access permissions. |
2. SSH to raspberryPI
2.1 Connect to your PI
ssh username@raspberrypi_local_ip
2.2 Create mount point
sudo mkdir /mnt/nas_yuklia_projects
2.3 Mount folder
sudo mount -t nfs {SYNOLOGY_IP}:{MOUNT_POINT} /mnt/nas_yuklia_projects
MOUNT_POINT - open Control Panel -> Shared Folder -> Edit SharedFolder, navigate to the NFS permissions tab; at the bottom left you’ll see Mount path: /volume1/yuklia_projects (in my case)
SYNOLOGY_IP - local IP address of your Synology device
3. Validation
✅ Execute df -h to display the list of mount points; your mount point should be visible.
✅ Attempt to modify any files on the Raspberry Pi; you should encounter the warning:
Error writing lock file /mnt/nas_yuklia_projects/.test3.md.swp: Read-only file system
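A client-side check to go with the validation steps above, as an added example that is not part of the original guide. The write error comes from the read-only rule on the NAS, so the mount on the Pi can still be listed as rw; this function reads /proc/mounts-style lines and reports which restrictive options (ro, nosuid, nodev, noexec, NFSv4) are missing. The sample lines, the 192.0.2.10 address and the /mnt/hardened path are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit the client-side options of an NFS mount.
# Input uses the /proc/mounts format: device mountpoint fstype options dump pass

# Constructed sample lines (not captured from a real system).
SAMPLE_MOUNTS='192.0.2.10:/volume1/yuklia_projects /mnt/nas_yuklia_projects nfs rw,relatime,vers=3,proto=tcp,sec=sys 0 0
192.0.2.10:/volume1/yuklia_projects /mnt/hardened nfs4 ro,nosuid,nodev,noexec,relatime,vers=4.1,proto=tcp,sec=sys 0 0'

# audit_nfs_mount MOUNTPOINT [MOUNTS_TEXT]
# Prints one finding per line.
# Returns 0 if nothing is missing, 1 if there are findings,
# 2 if MOUNTPOINT is not an NFS mount.
audit_nfs_mount() {
  local target mounts dev mp fstype opts rest want found findings
  target=$1
  mounts=${2:-$(cat /proc/mounts)}   # default: the live mount table
  found=0
  findings=0
  while read -r dev mp fstype opts rest; do
    [ "$mp" = "$target" ] || continue
    case $fstype in nfs|nfs4) ;; *) continue ;; esac
    found=1
    # Defense in depth: enforce read-only and block setuid binaries,
    # device nodes and execution from the share on the client as well.
    for want in ro nosuid nodev noexec; do
      case ",$opts," in
        *",$want,"*) ;;
        *) echo "missing:$want"; findings=1 ;;
      esac
    done
    # vers=4, vers=4.1 and vers=4.2 all count as NFSv4.
    case ",$opts," in
      *",vers=4"*) ;;
      *) echo "version:not-nfsv4"; findings=1 ;;
    esac
  done <<EOF
$mounts
EOF
  [ "$found" -eq 1 ] || { echo "not-mounted"; return 2; }
  return "$findings"
}

# Demo run on the constructed sample; on the Pi, call it with only the mount point.
audit_nfs_mount /mnt/nas_yuklia_projects "$SAMPLE_MOUNTS" || true
```

Each reported option can be supplied at mount time with mount's -o flag, for example -o ro,nosuid,nodev,noexec,vers=4 if the NAS has NFSv4 enabled.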
4. Security Measures for NFS 🛡️
NFS (Network File System) is not inherently secure when used in its basic configuration. It was designed with a focus on ease of use and performance rather than security. However, there are ways to enhance the security of NFS:
1️⃣ Use NFS Versions with Security Features:
NFSv4 introduced significant security enhancements compared to older versions (NFSv2 and NFSv3). It includes features like strong authentication and encryption. It’s highly recommended to use NFSv4 or later versions for better security.
2️⃣ Kerberos Authentication:
Implement Kerberos-based authentication for NFSv4. Kerberos provides secure authentication, preventing unauthorized access to the NFS shares.
3️⃣ Firewall Configuration:
Use firewalls to control and restrict access to NFS services. Limit access only to trusted IP addresses or subnets to reduce the attack surface.
4️⃣ Network Segmentation:
Place NFS servers on a separate network segment, isolating them from potentially insecure parts of the network. This can help contain security breaches.
5️⃣ Access Controls:
Utilize NFS access controls effectively. Set appropriate permissions and access rules on the NFS server to limit access to authorized users and hosts.
6️⃣ Secure the Underlying Operating System:
Ensure that the operating system on both the NFS server and client is securely configured. Regularly apply security patches and updates to address any known vulnerabilities.
7️⃣ VPN or SSH Tunneling:
Use a VPN (Virtual Private Network) or SSH (Secure Shell) tunneling when accessing NFS over untrusted networks. This adds an additional layer of encryption and security.
Summary
In this guide, I show you how to seamlessly sync project files between a MacBook and a Raspberry Pi using Synology NAS and NFS. The step-by-step process ensures updates from the MacBook are automatically reflected on the Raspberry Pi, granting read-only access. Happy syncing!