I have 3 Squid proxy instances and I want to play with TLS decryption and inspection. There is a directory structure where the decryption pieces are kept: cert & key pair for decryption, index of certs generated, sub-dir for generated certs, etc. I want to store this dir, sub-dir and all the nitty-gritty bits on an NFS share where all 3 Squid instances can access them and share. This would alleviate having each proxy create a cert for every site I decrypt. It would be a "generate once, share always" kind of scenario, and at scale would reduce overhead on the proxies. I am doing something similar already for my file-based ACLs, where I modify the file with a new entry and can reconfigure Squid, and have the updated ACLs enacted in the service. The difference with the cert pieces is that Squid needs to write to the cert share, whereas the ACL share just needs to be read (I modify the files from my laptop, Squid just reads the files).
Setting ownership and access has gotten me a bit further in that I can see the files on the share and they can be read, but writing seems to be a sticky wicket. My NFS instance defaults to user and group "nobody" when a file is written. In the case of a generated cert used to decrypt a site, this seems to work if I set access to world readable. I would prefer not to do this, but I am not able to set ownership to squid:squid and have all new files created be owned by squid:squid. I thought setuid/setgid would take care of this, but that does not seem to work. That might be because the folder is shared over NFS and is not local. I dunno.
What is the right way to have an NFS shared dir and all its contents be readable/writeable by squid:squid, have all new files created in the dir or sub-dirs be owned by squid:squid, and not have to have everything world readable/writeable?
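Added example, not part of the original post and not Squid project code. It shows the three checks a practitioner would run before pointing several Squid instances at one ssl_db on NFS: what the setgid bit really does (it propagates the directory's group to new files and the bit itself to new subdirectories, but never changes the owning user, and setuid on a directory is ignored on Linux), that the owner seen on the share is decided by numeric uid/gid on the wire (or by idmapd name mapping on NFSv4), so the squid account must have the same numbers on every proxy and on the server, and that the server's squash options, not client-side permissions, decide whether writes land as "nobody". Assumptions: the account is named squid (on Debian-derived systems it is proxy), uid/gid 23 is a placeholder, and /srv/squid/ssl_db, 10.0.0.0/24 and the host names are hypothetical; the `host:uid:gid` lines are constructed sample data standing in for live `ssh` output.

```shell
#!/bin/sh
# Added example (not from the original post). "squid" account name, uid/gid 23,
# /srv/squid/ssl_db, 10.0.0.0/24 and the host names are placeholders.

# --- 1. What setgid actually does -----------------------------------------
# setgid on a directory: new files inherit the directory's GROUP, new
# subdirectories inherit the bit. The owning USER is never changed, and setuid
# on a directory is ignored on Linux. Demonstrated on a local temp dir.
setgid_demo() {
    d=$(mktemp -d) || return 1
    chmod 2770 "$d"                 # rwxrws--- : group-writable, setgid, no "other"
    mkdir "$d/certs" && : > "$d/index.txt"
    dgrp=$(ls -ldn "$d" | awk '{print $4}')           # numeric gid of the dir
    fgrp=$(ls -ldn "$d/index.txt" | awk '{print $4}') # numeric gid of a new file
    if [ -g "$d/certs" ] && [ "$dgrp" = "$fgrp" ]; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

# --- 2. Ownership on NFS is a NUMBER, not a name ---------------------------
# NFSv3 sends uid/gid numbers; NFSv4 sends user@domain that idmapd maps back to
# numbers, and an unmappable name shows up as nobody. Either way "squid" must be
# the same uid/gid on every proxy AND on the server. Collect live values with:
#   for h in proxy1 proxy2 proxy3 nfs; do
#     ssh "$h" 'echo "$(hostname):$(id -u squid):$(id -g squid)"'; done
# ids_consistent reads "host:uid:gid" lines on stdin, prints mismatches,
# and returns 1 if any host disagrees with the first line.
ids_consistent() {
    awk -F: 'NR==1 {ref=$2":"$3}
             ($2":"$3) != ref {print "MISMATCH " $1 " has " $2 ":" $3 " expected " ref; bad=1}
             END {exit bad}'
}
SAMPLE_OK='proxy1:23:23
proxy2:23:23
proxy3:23:23
nfs:23:23'
SAMPLE_BAD='proxy1:23:23
proxy2:23:23
proxy3:1001:1001
nfs:23:23'

# --- 3. Server export that forces squid:squid instead of nobody -------------
# all_squash maps EVERY client identity to anonuid/anongid on the server, so a
# cert written by any proxy lands as squid:squid without world-writable modes.
# Without all_squash you rely on matching uids plus, on NFSv4, an identical
# idmapd "Domain" on all hosts. Many NAS defaults are all_squash with the
# anonymous uid left at nobody, which matches the symptom in the question.
export_line() {   # $1=export path $2=client subnet $3=uid $4=gid
    printf '%s %s(rw,sync,no_subtree_check,all_squash,anonuid=%s,anongid=%s)\n' \
        "$1" "$2" "$3" "$4"
}
# Apply on the server: append the line to /etc/exports, then
#   exportfs -ra && exportfs -v
# On the proxies, mount the share and initialise the db once (first proxy only):
#   /usr/lib/squid/security_file_certgen -c -s /srv/squid/ssl_db -M 4MB
# and in squid.conf on every proxy:
#   sslcrtd_program /usr/lib/squid/security_file_certgen -s /srv/squid/ssl_db -M 4MB

main() {
    setgid_demo && echo "setgid: new files take the dir's group, owner unchanged"
    printf '%s\n' "$SAMPLE_BAD" | ids_consistent || echo "fix uid/gid before sharing the db"
    export_line /srv/squid/ssl_db 10.0.0.0/24 23 23
}
if [ "${1:-}" = run ]; then main; fi
```

Two caveats worth checking before relying on this: `ls -ln` on the share shows the numeric owner, which tells you whether the problem is a squash (server wrote a different uid) or an idmapd mapping failure (right number, name shows as nobody); and with several hosts writing the same index and certs directory, the helpers' coordination depends on NFS file locking actually working across hosts, so test concurrent cert generation from two proxies against the same db before putting it in production.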