NAS Share Management

Comprehensive guide for creating and managing Synology NAS shares via CLI for all infrastructure services.

Quick Reference

Create Share + NFS Export (Complete Workflow)

CRITICAL: Do NOT create the directory first. synoshare --add creates it automatically; if the directory already exists, synoshare fails with 0xE700.

ssh nas-01

# 1. Create DSM share (synoshare creates /volume1/<name> automatically)
sudo synoshare --add <name> "<description>" /volume1/<name> "" administrators "" 1 1

# 2. Create subdirectories AFTER share exists
sudo mkdir -p /volume1/<name>/{subdir1,subdir2}

# 3. Add NFS export
echo '/volume1/<name>    10.50.1.0/24(rw,async,no_wdelay,no_root_squash,insecure_locks,sec=sys,anonuid=1024,anongid=100)' | sudo tee -a /etc/exports

# 4. Reload NFS
sudo exportfs -ra

# 5. Verify
sudo synoshare --enum ALL | grep <name>
sudo exportfs -v | grep <name>

Test Mount from Client

ssh <client-host>
sudo mkdir -p /mnt/test
sudo mount -t nfs nas-01:/volume1/<name> /mnt/test
ls -la /mnt/test
sudo umount /mnt/test && sudo rmdir /mnt/test

Architecture

[Diagram: NAS Storage Architecture]

[Diagram: NAS Share Architecture]

Share Categories

| Category | Purpose | NFS Clients |
|---|---|---|
| Runtime | Live application data (metrics, logs, dashboards) | Application servers (k3s nodes) |
| Backups | Configuration exports, snapshots, archives | Backup clients, management hosts |
| Infrastructure | VM images, ISOs, system data | Hypervisors (kvm-01, kvm-02) |

synoshare CLI Reference

Syntax

synoshare --add <name> <desc> <path> <na> <rw> <ro> <browsable> <adv_privilege>

Arguments

| Argument | Position | Description |
|---|---|---|
| name | 1 | Share name (no spaces) |
| desc | 2 | Description (quote if spaces) |
| path | 3 | Filesystem path (e.g., /volume1/k3s) |
| na | 4 | No access users ("" for none) |
| rw | 5 | Read-write users (administrators) |
| ro | 6 | Read-only users ("" for none) |
| browsable | 7 | Show in network browser (1=yes, 0=no) |
| adv_privilege | 8 | Advanced permissions (1=enabled) |

Common Commands

# List all shares
sudo synoshare --enum ALL

# Get share details
sudo synoshare --get <sharename>

# Delete share (TRUE = delete data, FALSE = keep data)
sudo synoshare --del FALSE <sharename>

# Rename share
sudo synoshare --rename <old_name> <new_name>

NFS Export Configuration

Export Options

| Option | Description |
|---|---|
| rw | Read-write access |
| async | Async writes (better performance) |
| no_wdelay | Don’t delay writes |
| no_root_squash | Allow root access (needed for k3s) |
| all_squash | Map all users to anonymous (safer for backups) |
| insecure_locks | Allow insecure file locking |
| sec=sys | System authentication |
| anonuid=1024 | Anonymous user ID |
| anongid=100 | Anonymous group ID |

When to Use Each Squash Option

| Option | Use Case | Example |
|---|---|---|
| no_root_squash | Apps need root write access | k3s PVs, container storage |
| all_squash | Backup clients, read-heavy workloads | ISE backups, config exports |
| (default) | Standard user access | General file shares |
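
The squash guidance above can be checked mechanically. The following is an added example, not part of the original page: `audit_exports` is a hypothetical helper that reads an exports file and reports backup shares exported without all_squash and no_root_squash grants that cover a whole subnet instead of a single host. The sample file is constructed from option strings used on this page.

```shell
#!/bin/sh
# Added example, not from the original page. audit_exports is a hypothetical
# helper that checks an exports file against the squash table above.
# Prints one "line:path:client:finding" record per problem found.
audit_exports() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
    {
        path = $1
        is_backup = (tolower(path) ~ /backup/)
        for (i = 2; i <= NF; i++) {          # a line may list several clients
            n = index($i, "(")
            if (n == 0) continue
            client = substr($i, 1, n - 1)
            # Wrap options in commas so each one can be matched exactly.
            opts = "," substr($i, n + 1, length($i) - n - 1) ","
            if (is_backup && opts !~ /,all_squash,/)
                print NR ":" path ":" client ":backup share without all_squash"
            if (opts ~ /,no_root_squash,/ && client ~ /\//)
                print NR ":" path ":" client ":no_root_squash granted to a whole subnet"
        }
    }' "$1"
}

# Constructed sample modelled on the export lines used on this page.
demo_audit() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
/volume1/k3s    10.50.1.0/24(rw,async,no_wdelay,no_root_squash,insecure_locks,sec=sys,anonuid=1024,anongid=100)
/volume1/vault_backups    10.50.1.0/24(rw,async,no_wdelay,all_squash,insecure_locks,sec=sys,anonuid=1024,anongid=100)
/volume1/Backups    10.50.1.111(rw,async,no_wdelay,no_root_squash,insecure_locks,sec=sys,anonuid=1024,anongid=100)
EOF
    audit_exports "$sample"
    rm -f "$sample"
}
demo_audit
```

A finding is a prompt for review, not an error: the k3s export is flagged because root access is granted to every host in 10.50.1.0/24, which this page accepts for k3s PVs.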

Infrastructure Shares

Complete Share Inventory

| Share | Purpose | NFS Clients | Status |
|---|---|---|---|
| /volume1/k3s | k3s runtime PVs (Prometheus, Grafana, Loki) | 10.50.1.0/24 | Active |
| /volume1/k3s_backups | k3s etcd snapshots, manifests | 10.50.1.0/24 | Active |
| /volume1/ise_backups | ISE configuration exports | 10.50.1.0/24, 10.50.10.111 | Active |
| /volume1/wlc_backups | WLC configuration backups | 10.50.10.111 | Active |
| /volume1/firewall_backups | pfSense XML configs | 10.50.10.111 | Active |
| /volume1/switch_backups | IOS switch configs | 10.50.10.111 | Active |
| /volume1/kvm_backups | VM XML definitions | 10.50.10.111 | Active |
| /volume1/borg_backups | Workstation Borg repositories | 10.50.10.0/24 | Active |
| /volume1/VMs | VM disk images (qcow2) | 192.168.1.181 (kvm-01), 10.50.1.111 (kvm-02) | Active (kvm-02 pending Phase 0) |
| /volume1/ISOs | Installation media | 192.168.1.181 (kvm-01), 10.50.1.111 (kvm-02) | Active (kvm-02 pending Phase 0) |
| /volume1/vault_backups | Vault snapshots | 10.50.1.0/24 | Active |
| /volume1/keycloak_backups | Keycloak realm exports (manual) | 10.50.1.0/24 | Active |
| /volume1/Backups/keycloak | Keycloak (netapi upload path) | synology-api | Active |
| /volume1/bind_backups | BIND zone files | 10.50.1.0/24 | Active |
| /volume1/ipa_backups | FreeIPA backups | 10.50.1.0/24 | Active |

Phase 0: Add kvm-02 NFS Access (HA Prerequisite)

BLOCKER: kvm-02 (10.50.1.111) cannot access NAS shares until added to NFS exports.

Execution Log

| Step | Task | Date | Status |
|---|---|---|---|
| 0.1 | Check current exports | | [ ] |
| 0.2 | Add kvm-02 to /volume1/VMs | | [ ] |
| 0.3 | Add kvm-02 to /volume1/ISOs | | [ ] |
| 0.4 | Add kvm-02 to /volume1/Backups | | [ ] |
| 0.5 | Reload NFS exports | | [ ] |
| 0.6 | Test mount from kvm-02 | | [ ] |
| 0.7 | Configure /etc/fstab on kvm-02 | | [ ] |
| 0.8 | Create libvirt storage pools | | [ ] |

Architecture

Both hypervisors mount the same NAS shares for shared storage:

nas-01 (Synology)
├── /volume1/VMs      ──► kvm-01:/mnt/nas/vms
│                     ──► kvm-02:/mnt/nas/vms    (adding now)
├── /volume1/ISOs     ──► kvm-01:/mnt/nas/isos
│                     ──► kvm-02:/mnt/nas/isos   (adding now)
└── /volume1/Backups  ──► kvm-01:/mnt/nas/backups
                      ──► kvm-02:/mnt/nas/backups (adding now)

Benefits:

  • Shared storage - Both hypervisors access same VM images

  • Live migration ready - VMs can move between hosts without copying

  • Centralized backups - Single target for all VM backups

Current State

| Share | Current Clients | kvm-02 Access |
|---|---|---|
| /volume1/VMs | 192.168.1.181 (kvm-01 OOB) | DENIED |
| /volume1/ISOs | 192.168.1.181 (kvm-01 OOB) | DENIED |
| /volume1/Backups | Various | DENIED |

Step 1: Check Current Exports

Synology requires an interactive SSH session for sudo commands. The Vault SSH CA signs the key, but sudo still prompts for a password.

# 1. Load credentials and sign SSH key
ds d000 dev/vault && vault-ssh-sign

# 2. Copy NAS admin password to clipboard (45s timeout)
gopass show -c v3/domains/d000/storage/nas-01/admin

# 3. SSH interactively (paste password when sudo prompts)
ssh nas-01

# On nas-01: View current exports
sudo exportfs -v | grep -E "VMs|ISOs|Backups"

Example output (before adding kvm-02):

/volume1/Backups
/volume1/VMs  	192.168.1.181(rw,async,no_wdelay,hide,no_subtree_check,insecure_locks,anonuid=1024,anongid=100,sec=sys,insecure,root_squash,all_squash)
/volume1/ISOs 	192.168.1.181(rw,async,no_wdelay,hide,no_subtree_check,insecure_locks,anonuid=1024,anongid=100,sec=sys,insecure,root_squash,all_squash)

192.168.1.181 is kvm-01’s OOB IP (modem DHCP). We’re adding kvm-02’s proper IP: 10.50.1.111.

Step 2: Add kvm-02 to VMs Share

# On nas-01: Add kvm-02 (10.50.1.111) to /volume1/VMs
echo '/volume1/VMs    10.50.1.111(rw,async,no_wdelay,no_root_squash,insecure_locks,sec=sys,anonuid=1024,anongid=100)' | sudo tee -a /etc/exports

Step 3: Add kvm-02 to ISOs Share

# On nas-01: Add kvm-02 (10.50.1.111) to /volume1/ISOs
echo '/volume1/ISOs    10.50.1.111(rw,async,no_wdelay,no_root_squash,insecure_locks,sec=sys,anonuid=1024,anongid=100)' | sudo tee -a /etc/exports

Step 4: Add kvm-02 to Backups Share

# On nas-01: Add kvm-02 (10.50.1.111) to /volume1/Backups
echo '/volume1/Backups    10.50.1.111(rw,async,no_wdelay,no_root_squash,insecure_locks,sec=sys,anonuid=1024,anongid=100)' | sudo tee -a /etc/exports

Step 5: Reload NFS Exports

# On nas-01: Reload and verify
sudo exportfs -ra

# Capture result with command substitution
result=$(sudo exportfs -v | grep 10.50.1.111) && echo "$result" || echo "ERROR: kvm-02 not in exports"

Expected output:

/volume1/VMs      10.50.1.111(rw,async,wdelay,no_root_squash,insecure_locks,sec=sys,anonuid=1024,anongid=100)
/volume1/ISOs     10.50.1.111(rw,async,wdelay,no_root_squash,insecure_locks,sec=sys,anonuid=1024,anongid=100)
/volume1/Backups  10.50.1.111(rw,async,wdelay,no_root_squash,insecure_locks,sec=sys,anonuid=1024,anongid=100)

# Exit nas-01 when done
exit

Step 6: Test Mount from kvm-02

# From the workstation (the nas-01 session was closed at the end of Step 5): SSH to kvm-02
ssh kvm-02

# Check if exports are visible (should show 10.50.1.111)
showmount -e nas-01 | grep -E "vms|isos|backups"

Expected output:

/volume1/backups          10.50.1.111,192.168.1.181
/volume1/isos             10.50.1.111,192.168.1.181
/volume1/vms              10.50.1.111,192.168.1.181

# Test mount (use sudo for ls - regular user may lack perms)
sudo mkdir -p /mnt/test
sudo mount -t nfs nas-01:/volume1/vms /mnt/test
sudo ls -la /mnt/test
sudo umount /mnt/test
sudo rmdir /mnt/test

Step 7: Configure Permanent Mounts on kvm-02

# Create mount directories
sudo mkdir -p /mnt/nas/{vms,isos,backups}

# Add fstab entries
sudo tee -a /etc/fstab << 'EOF'

# NAS NFS Mounts (added 2026-03-01)
nas-01:/volume1/vms      /mnt/nas/vms     nfs  defaults,_netdev  0 0
nas-01:/volume1/isos     /mnt/nas/isos    nfs  defaults,_netdev  0 0
nas-01:/volume1/backups  /mnt/nas/backups nfs  defaults,_netdev  0 0
EOF

# Mount all and verify
sudo mount -a && df -h | grep nas

Expected output:

nas-01:/volume1/vms       21T  2.1T   19T  10% /mnt/nas/vms
nas-01:/volume1/isos      21T  2.1T   19T  10% /mnt/nas/isos
nas-01:/volume1/backups   21T  2.1T   19T  10% /mnt/nas/backups

# Reload systemd to pick up fstab changes
sudo systemctl daemon-reload

Step 8: Create libvirt Storage Pools

# Define nas-vms pool
sudo virsh pool-define-as nas-vms dir --target /mnt/nas/vms
sudo virsh pool-autostart nas-vms
sudo virsh pool-start nas-vms

# Define nas-isos pool
sudo virsh pool-define-as nas-isos dir --target /mnt/nas/isos
sudo virsh pool-autostart nas-isos
sudo virsh pool-start nas-isos

# Verify pools
sudo virsh pool-list --all

Expected output:

 Name       State    Autostart
--------------------------------
 default    active   yes
 nas-isos   active   yes
 nas-vms    active   yes

Validation Checklist

Run from workstation (not kvm-02):

# Load Vault SSH credentials first
ds d000 dev/vault && vault-ssh-sign

# kvm-02 checks (Vault SSH works)
echo "=== kvm-02 Mount Check ===" && \
ssh kvm-02 "df -h | grep nas" && \
echo -e "\n=== libvirt Pool Check ===" && \
ssh kvm-02 "sudo virsh pool-list --all | grep nas"

# NAS check (requires interactive session - sudo needs password)
# Copy password first: gopass show -c v3/domains/d000/storage/nas-01/admin
ssh nas-01
sudo exportfs -v | grep 10.50.1.111
exit

Rollback (if needed)

ssh nas-01

# Remove kvm-02 entries from exports
# (dots escaped and "(" anchored so only the 10.50.1.111 client matches)
sudo sed -i '/10\.50\.1\.111(/d' /etc/exports
sudo exportfs -ra

# Verify removed
sudo exportfs -v | grep 10.50.1.111  # Should return nothing

Create All Pending Shares

Vault Backups

sudo synoshare --add vault_backups "Vault snapshots and config" /volume1/vault_backups "" administrators "" 1 1
sudo mkdir -p /volume1/vault_backups/{snapshots,config,audit}
echo '/volume1/vault_backups    10.50.1.0/24(rw,async,no_wdelay,all_squash,insecure_locks,sec=sys,anonuid=1024,anongid=100)' | sudo tee -a /etc/exports

Keycloak Backups

sudo synoshare --add keycloak_backups "Keycloak realm exports" /volume1/keycloak_backups "" administrators "" 1 1
sudo mkdir -p /volume1/keycloak_backups/{realms,themes,providers}
echo '/volume1/keycloak_backups    10.50.1.0/24(rw,async,no_wdelay,all_squash,insecure_locks,sec=sys,anonuid=1024,anongid=100)' | sudo tee -a /etc/exports

BIND DNS Backups

sudo synoshare --add bind_backups "BIND zone files and config" /volume1/bind_backups "" administrators "" 1 1
sudo mkdir -p /volume1/bind_backups/{zones,config}
echo '/volume1/bind_backups    10.50.1.0/24(rw,async,no_wdelay,all_squash,insecure_locks,sec=sys,anonuid=1024,anongid=100)' | sudo tee -a /etc/exports

FreeIPA Backups

sudo synoshare --add ipa_backups "FreeIPA backups" /volume1/ipa_backups "" administrators "" 1 1
sudo mkdir -p /volume1/ipa_backups/{full,data,logs}
echo '/volume1/ipa_backups    10.50.1.0/24(rw,async,no_wdelay,all_squash,insecure_locks,sec=sys,anonuid=1024,anongid=100)' | sudo tee -a /etc/exports

Reload All Exports

sudo exportfs -ra
sudo exportfs -v

Troubleshooting

"Permission denied" on synoshare

# synoshare requires sudo
sudo synoshare --enum ALL

NFS Export Not Working

# Check exports syntax
sudo exportfs -ra 2>&1 | grep -i error

# Verify export is active
sudo exportfs -v | grep <sharename>

# Check from client
ssh <client> "showmount -e nas-01"

Mount Fails from NAS Itself

NFS exports often deny self-mounting. Test from the actual client:

# WRONG - on nas-01
sudo mount -t nfs nas-01:/volume1/k3s /mnt/test  # Will fail

# CORRECT - from k3s-master-01
ssh k3s-master-01
sudo mount -t nfs nas-01:/volume1/k3s /mnt/test  # Works

"Failed to resolve" Warnings

# Check for malformed entries
sudo cat /etc/exports | grep '\\'

# Fix backslash issues (e.g., \192.168.0.136)
sudo sed -i 's/\\192/192/g' /etc/exports
sudo exportfs -ra

Missing Newline in /etc/exports

If /etc/exports does not end with a newline when tee -a appends, the new entry is concatenated onto the last existing line:

# Check specific lines with awk (shows line numbers)
sudo awk 'NR==12,NR==18 {print NR": "$0}' /etc/exports

Example broken output (line 14 has two entries):

14: /volume1/backups 192.168.1.181(...)/volume1/vms 10.50.1.111(...)

# Fix concatenated lines with sed
sudo sed -i 's|anongid=100)/volume1/|anongid=100)\n/volume1/|g' /etc/exports

# Verify fix
sudo awk 'NR==12,NR==18 {print NR": "$0}' /etc/exports
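
The concatenation can be prevented at write time instead of repaired afterwards. The following is an added example, not part of the original page: `append_export` is a hypothetical helper that restores a missing trailing newline before appending and skips the write when the path already lists the client, so repeated runs do not create duplicate entries. It takes the file path as an argument so it can be tried on a copy of /etc/exports first.

```shell
#!/bin/sh
# Added example, not from the original page. append_export is a hypothetical
# helper; run it against a copy of /etc/exports and review before installing.

# append_export FILE PATH CLIENT OPTIONS -> prints "added" or "exists"
append_export() {
    file=$1; path=$2; client=$3; opts=$4
    case $path in /*) ;; *) echo "path must be absolute" >&2; return 2 ;; esac
    [ -n "$client" ] && [ -n "$opts" ] || { echo "client/options required" >&2; return 2; }
    [ -f "$file" ] || : > "$file"

    # Idempotency: skip if this path already lists this client.
    if awk -v p="$path" -v c="$client(" '
            $1 == p { for (i = 2; i <= NF; i++) if (index($i, c) == 1) found = 1 }
            END { exit !found }' "$file"; then
        echo "exists"
        return 0
    fi

    # $(...) strips a trailing newline, so non-empty output means the last
    # byte is NOT a newline and a plain append would join two entries.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    printf '%s\t%s(%s)\n' "$path" "$client" "$opts" >> "$file"
    echo "added"
}

# Demo on a constructed file whose last line has no trailing newline.
demo_append() {
    tmp=$(mktemp)
    printf '%s' '/volume1/backups 192.168.1.181(rw,all_squash)' > "$tmp"
    append_export "$tmp" /volume1/vms 10.50.1.111 'rw,async,no_root_squash,sec=sys'
    append_export "$tmp" /volume1/vms 10.50.1.111 'rw,async,no_root_squash,sec=sys'
    cat "$tmp"          # two separate lines, second entry written once
    rm -f "$tmp"
}
demo_append
```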

scp Fails with "No such file or directory"

CRITICAL: Synology DSM restricts scp writes. Even with 777 permissions, scp may fail.

scp: dest open "/volume1/bind_backups/file.tar.gz": No such file or directory

Workaround: Use cat pipe instead of scp:

# WRONG - scp blocked by DSM
scp /tmp/backup.tar.gz nas-01:/volume1/share/backup.tar.gz

# CORRECT - cat pipe works
cat /tmp/backup.tar.gz | ssh nas-01 "cat > /volume1/share/backup.tar.gz"

Verify write works via SSH first:

ssh nas-01 "touch /volume1/share/test.txt && rm /volume1/share/test.txt && echo 'Write works'"

Validation Checklist

After creating shares:

# 1. Share exists in DSM
sudo synoshare --enum ALL | grep <name>

# 2. NFS export active
sudo exportfs -v | grep <name>

# 3. Client can see export
ssh <client> "showmount -e nas-01 | grep <name>"

# 4. Mount works
ssh <client> "sudo mount -t nfs nas-01:/volume1/<name> /mnt/test && ls /mnt/test && sudo umount /mnt/test"