4 nfs server and client[2]

Upload: ramalingamdec

Post on 14-Jan-2016


  • Distributed File Systems
    Objectives: to understand Unix network file sharing
    Contents: Installing NFS; How To Get NFS Started; The /etc/exports File; Activating Modifications in the Exports File; NFS And DNS; Configuring The NFS Client; Other NFS Considerations
    Practical: to share and mount NFS file systems
    Summary

  • NFS/DFS: An Overview
    Unix distributed filesystems are used to centralise administration of disks and to provide transparent file sharing across a network.
    Three main systems:
    NFS: Network File System, developed by Sun Microsystems 1984
    AFS: Andrew Filesystem, developed by Carnegie-Mellon University
    Unix NFS packages usually include client and server components:
    a DFS server shares local files on the network
    a DFS client mounts shared files locally
    a Unix system can be a client, a server or both, depending on which commands are executed
    Can be fast in comparison to many other DFS: very little overhead, simple and stable protocols
    Based on RPC (the R family and S family)

  • General Overview of NFS
    Developed by Sun Microsystems 1984
    Independent of operating system, network, and transport protocols.
    Available on many platforms including: Linux, Windows, OS/2, MVS, VMS, AIX, HP-UX.
    Restrictions of NFS:
    stateless open architecture
    Unix filesystem semantics not guaranteed
    no access to remote special files (devices, etc.)
    restricted locking: file locking is implemented through a separate lock daemon
    Industry standard is currently nfsV3, the default in RedHat, SuSE, OpenBSD, FreeBSD, Slackware, Solaris, HP-UX, Gentoo
    Kernel NFS or UserSpace NFS

  • Three versions of NFS available
    Version 2:
    Supports files up to 4GB long (most common 2GByte)
    Requires an NFS server to successfully write data to its disks before the write request is considered successful
    Has a limit of 8KB per read or write request (1 TCP window)
    Version 3 is the industry standard:
    Supports extremely large file sizes of up to 2^64 - 1 bytes
    Supports files up to 8 Exabyte
    Supports the NFS server data updates as being successful when the data is written to the server's cache
    Negotiates the data limit per read or write request between the client and server to a mutually decided optimal value
    Version 4 is coming:
    File locking and mounting are integrated in the NFS daemon and operate on a single, well known TCP port, making network security easier
    Support for the bundling of requests from each client provides more efficient processing by the NFS server
    File locking is mandatory, whereas before it was optional

  • Important NFS Daemons
    portmap: the primary daemon upon which all the RPC rely. Manages connections for applications that use the RPC specification. Listens on TCP port 111 for the initial connection and negotiates a range of TCP ports, usually above port 1024, for further communication. You need to run portmap on both the NFS server and client.
    nfs (rpc.nfsd): starts the RPC processes needed to serve shared NFS file systems. Listens on TCP or UDP port 2049 (the port can vary). The nfs daemon needs to be run on the NFS server only.
    nfslock (rpc.mountd): used to allow NFS clients to lock files on the server via RPC processes. Negotiated UDP/TCP port. The nfslock daemon needs to be run on both the NFS server and client.
    netfs: allows RPC processes run on NFS clients to mount NFS filesystems on the server. The netfs daemon needs to be run on the NFS client only.

  • The NFS Protocol Stack
    Layers on both server and client: NFS (aka VFS) / MOUNT, RPC, XDR, then the transport, network, link & physical layers.
    RPC depends on PORTMAP, which is on both client and server.

  • Installing kernel NFS, Linux
    Check if NFS is installed with rpm
    Check if the RPC portmap package is installed with rpm
    If not, install them; always begin with portmap
    If you are not running SuSE, install: portmap, nfs-utils, nfs-server (should be implemented in the kernel)

    suse93:~ # rpm -qa | grep nfs
    nfs-utils-1.0.7-3
    yast2-nfs-client-2.11.7-3
    yast2-nfs-server-2.11.5-3
    # rpm -qa | grep portmap
    portmap-5beta-733
    # rpm -ivh http://ftp.sunet.se/pub/os/Linux/distributions/suse/suse/i386/9.3/suse/i586/portmap-5beta-733.i586.rpm
    # rpm -ivh http://ftp.sunet.se/pub/os/Linux/distributions/suse/suse/i386/9.3/suse/i586/nfs-utils-1.0.7-3.i586.rpm

  • How To Get kernel NFS server Started
    Activate the 3 necessary servers for NFS at boot: the NFS server daemon, NFS file locking and RPC portmap
    Start the PORTMAPPER and the NFS server, which starts all dependent services
    Whatever you do, always start PORTMAP first
    Check that the services for NFS are running with rpcinfo
    In some Unixes you need to start them separately:
    /etc/init.d/portmap start, or shortly portmap(d)
    /etc/init.d/nfs start, or shortly nfs(d)
    /etc/init.d/nfslock start, or shortly nfslock(d)

    # insserv portmap
    # insserv nfsserver
    # rcportmap start
    # rcnfsserver start
    # rpcinfo -p localhost
       program vers proto   port
        100000    2   tcp    111  portmapper
        100000    2   udp    111  portmapper
        100003    2   udp   2049  nfs
        100003    3   udp   2049  nfs
        100227    3   udp   2049  nfs_acl
        100003    2   tcp   2049  nfs
        100003    3   tcp   2049  nfs
        100227    3   tcp   2049  nfs_acl
        100024    1   udp   1034  status
        100021    1   udp   1034  nlockmgr
        100021    4   udp   1034  nlockmgr
        100024    1   tcp   1029  status
        100021    1   tcp   1029  nlockmgr
        100021    3   tcp   1029  nlockmgr
        100021    4   tcp   1029  nlockmgr
        100005    1   udp    835  mountd
        100005    1   tcp    838  mountd
        100005    2   udp    835  mountd
        100005    2   tcp    838  mountd
        100005    3   udp    835  mountd
        100005    3   tcp    838  mountd

  • How To Get NFS client Started
    Activate the 2 necessary servers for NFS at boot: NFS file locking (nfslock) and RPC portmap
    Start the PORTMAPPER and the NFS server with rc
    Check that the services for NFS are running with rpcinfo
    Note! There can be more services running, depending on your system setup
    In some Unixes you need to start them separately:
    /etc/init.d/netfs start, or shortly netfs(d)
    /etc/init.d/nfslock start, or shortly nfslock(d)
    Always start portmap first, then netfs and last nfslock

    # insserv portmap
    # rcportmap start
    # rpcinfo -p localhost
       program vers proto   port
        100000    2   tcp    111  portmapper
        100000    2   udp    111  portmapper
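The "check with rpcinfo" step of the two slides above can be scripted. This is an added example, not part of the course material: a shell function that reads `rpcinfo -p` output and reports which RPC services a server or a client still lacks (the required sets are taken from the slides; the sample outputs are constructed, modelled on the slide listings).

```shell
#!/bin/sh
# Added example, not part of the original course material.
# check_rpc_services ROLE reads "rpcinfo -p" output on stdin and prints
# one "missing: <service>" line per RPC service the role needs but that
# is not registered. ROLE is "server" or "client"; the required sets
# follow the slides (server: portmap, nfsd, mountd, lockd; client:
# portmap and lockd). Returns 1 if anything is missing.
check_rpc_services() {
    case $1 in
        server) need="portmapper nfs mountd nlockmgr" ;;
        client) need="portmapper nlockmgr" ;;
        *)      echo "usage: check_rpc_services server|client" >&2; return 2 ;;
    esac
    awk -v need="$need" '
        # data lines have 5 fields: program vers proto port service;
        # the header line has only 4, so it is skipped automatically
        NF == 5 { seen[$5] = 1 }
        END {
            n = split(need, want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) { print "missing: " want[i]; rc = 1 }
            exit rc
        }'
}

# Constructed sample of a healthy server, modelled on the slide output.
sample_rpcinfo_server() {
    cat <<'EOF'
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    4   tcp   1029  nlockmgr
    100024    1   tcp   1029  status
    100005    3   tcp    838  mountd
EOF
}

# Constructed sample of a host where only portmap has been started,
# the state behind the slide's "RPC: Program not registered" message.
sample_rpcinfo_portmap_only() {
    cat <<'EOF'
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
EOF
}

# Stand-alone run: a server check that passes and a client check that fails.
sample_rpcinfo_server | check_rpc_services server && echo "server: all required RPC services registered"
sample_rpcinfo_portmap_only | check_rpc_services client || echo "client: start nfslock before mounting"
```

On a live host replace the sample functions with `rpcinfo -p localhost` (or `rpcinfo -p <server>` from the client, as the slides do).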

  • NFS And DNS
    Check FORWARD resolution
    Check REVERSE resolution
    Both forward and reverse must match. If not, fix your DNS zonefiles (review netadmin chapter 3). Synchronized /etc/hosts files on server and client will also do.
    Some common error messages:
    Lookup: host resolution error
    Timeout: firewall port setup
    Not registered: portmap is not running

    # host 192.168.0.1
    1.0.168.192.in-addr.arpa domain name pointer a01.my-site.com.
    # host a01.my-site.com
    a01.my-site.com has address 192.168.0.1

    forward lookup doesn't exist
    RPC: Program not registered
    RPC: Timeout
    failed: server is down.

  • The NFS Server sharing directories
    The exportfs command is used to share directories on the network
    any directory can be exported
    subdirectories of an exported directory may not be exported unless they are on a different disk
    parents of an exported directory may not be exported unless they are on a different disk
    only local filesystems can be exported
    Some exportfs -o sharing options
    We share the home directory in -v verbose mode
    rw = Read Write (default)
    squash_uids, squash_gids = make the specified user and group ids be squashed to the user with identity nobody
    the directory is shared to host rosies only

    # exportfs -v -o rw,squash_uids=0-499,squash_gids=0-499 rosies:/home
    exporting rosies:/home

    ro              read only access
    rw              read and write access
    sync            write when requested
    wdelay          wait for sync
    hide            don't show subdirs that are exported by other exports
    no_all_squash   remote uids & gids become equal to those of the client
    root_squash     remote root uid becomes anonymous on the client
    no_root_squash  remote root equals the local root user
    squash_uids     remote uids & gids are treated as identity nobody

  • More on Shared Directories
    If someone is using the shared directory, you will not be able to unshare it.
    Check if someone is accessing RPC or using a share: the first red line shows that someone is using RPC against our server, the second red line shows that someone has accessed /home.
    Unshare a share in -v verbose mode
    Check what the server is sharing

    # exportfs -v -u rosies:/home
    unexporting rosies:/home
    # showmount -a localhost
    All mount points on server:
    *,192.168.1.0/24:/home
    *:/home
    *:/install/suse9.3
    rosies:*
    rosies:*,192.168.1.0/24
    # exportfs -v
    /home                               192.168.1.0/24(rw,wdelay,root_squash)
    /exports/network-install/SuSE/9.3   (ro,wdelay,root_squash)
    /install/suse9.3                    (ro,wdelay,root_squash)

  • The /etc/exports File, static shares
    Sample exports file
    Some options in the exports file (same as for exportfs; see the option list under "The NFS Server sharing directories")
    Squash changes the remote identity to a selectable local identity
    Linux uses another format in /etc/exports than BSD systems

    # cat /etc/exports
    /data/files      *(ro,sync)
    /home            192.168.0.0/24(rw,sync)
    /data/test       *.my-site.com(rw,sync)
    /data/database   192.168.0.203/32(rw,sync)
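The option lists above are easy to get wrong by hand, so here is an added example (not from the course material) that audits a Linux-format /etc/exports for the settings the slides single out as dangerous: no_root_squash, async, and a read-write export to any host. The sample file is constructed, modelled on the slide, with two deliberately risky entries added.

```shell
#!/bin/sh
# Added example, not part of the original course material: a small audit of a
# Linux-format /etc/exports ("<dir> <client>(options) [<client>(options) ...]")
# for the settings the slides flag as risky: no_root_squash (remote root is
# local root), async (acknowledged writes may be lost), and a read-write
# export to any host ("*").

# Write a constructed sample exports file, modelled on the slide, and print
# its path. The last two entries are the deliberately risky ones.
make_sample_exports() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# constructed sample /etc/exports
/data/files     *(ro,sync)
/home           192.168.0.0/24(rw,sync)
/data/test      *.my-site.com(rw,sync)
/data/database  192.168.0.203/32(rw,sync,no_root_squash)
/install        *(rw,async)
EOF
    echo "$f"
}

# audit_exports FILE prints one "WARN <dir> <client>: <reason>" line per finding.
# Runs in a subshell with globbing off so a "*" client spec is not expanded.
audit_exports() (
    set -f
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | while read -r dir clients; do
        for spec in $clients; do
            # split "client(opt,opt)" into the client and its option list
            case $spec in
                *\(*\)) host=${spec%%\(*}; opts=${spec#*\(}; opts=${opts%\)} ;;
                *)      host=$spec; opts="" ;;
            esac
            case ",$opts," in
                *,no_root_squash,*)
                    echo "WARN $dir $host: no_root_squash lets remote root act as local root" ;;
            esac
            case ",$opts," in
                *,async,*)
                    echo "WARN $dir $host: async acknowledges writes before they reach disk" ;;
            esac
            if [ "$host" = "*" ]; then
                case ",$opts," in
                    *,rw,*) echo "WARN $dir $host: read-write export to every host" ;;
                esac
            fi
        done
    done
)

# Stand-alone run against the constructed sample.
sample=$(make_sample_exports)
audit_exports "$sample"
rm -f "$sample"
```

Point `audit_exports` at the real /etc/exports to review a server; the checks cover only the options the slides discuss, not the whole exports(5) option set.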

  • The /etc/exports File, Squashing
    Sample exports file using map_static
    map_static file = /etc/squash.map
    Squash changes the remote identity to a selectable local identity

    # cat /etc/exports
    /data/files      *(ro,sync)
    /home            192.168.0.0/24(map_static=/etc/squash.map,rw,sync)
    /data/test       *.my-site.com(rw,sync)
    /data/database   192.168.0.203/32(rw,sync)

    # /etc/squash.map
    # remote      local    comment
    uid 0-100     -        # squash to user nobody
    gid 0-100     -        # squash to group nobody
    uid 1-200     1000     # map to uid 1000 - 1100
    gid 1-200     500      # map to gid 500 - 600
    uid 0-100     2001     # map individual user to uid 2001
    gid 0-100     2001     # map individual user to gid 2001

  • Activating Modifications in Exports File
    Re-reading all entries in the /etc/exports file: when no directories have been exported to NFS yet, the "exportfs -a" command is used
    After adding share(s) to the /etc/exports file: when adding a share you can use the "exportfs -r" command to export only the new entries
    Deleting, Moving Or Modifying A Share: in this case it is best to temporarily unexport the NFS directories using the "exportfs -ua" command, followed by the "exportfs -a" command
    Temporarily export /usr/src to hosts on net 192.168.0.0

    # exportfs -a
    # exportfs -r
    # exportfs -ua
    # exportfs -a
    # exportfs -o rw 192.168.0.0/24:/usr/src

  • Exercise - Sharing Directories
    Write down the commands to do the following:
    With one command, share /usr/share read-only for all clients in your net
    Permanently share /etc read-only for rosies and tokyo and read/write for seoul
    List the file containing the permanent shares
    Two commands showing what your host has shared
    Check who has mounted your shared directories
    Check who has mounted directories on rosies
    Check the server nfs status
    From the server, with one command check that the nfs-client has portmapper running

  • The nfsstat Command
    Server statistics: a large table arrives after the command is issued
    Client statistics
    Server number of file handles: usage information on the server's file handle cache, including the total number of lookups, and the number of hits and misses.
    The server has a limited number of file handles, which can be tuned

    # nfsstat -s
    # nfsstat -c
    # nfsstat -o fh
    Server file handle cache:
    lookup     anon       ncachedir  ncachedir  stale
    0          0          0          0          0
    Server nfs v3:
    null       getattr    setattr    lookup     access     readlink
    0       0% 15     31% 0       0% 0       0% 0       0% 0       0%
    read       write      create     mkdir      symlink    mknod
    0       0% 0       0% 0       0% 0       0% 0       0% 0       0%
    remove     rmdir      rename     link       readdir    readdirplus
    0       0% 0       0% 0       0% 0       0% 0       0% 0       0%
    fsstat     fsinfo     pathconf   commit
    17     35% 16     33% 0       0% 0       0%

  • Error Thresholds For The "nfsstat" Command

  • The NFS Client side
    Ensure portmap is running: clients need only portmap to be running
    Also check that the server is up
    If not, start portmap
    Show exported shares on a remote server
    Temporarily mount nfs shares on the client with default options
    umount temporarily mounted nfs shares on the client

    # rpcinfo -p localhost
    # rcportmap start
    # mkdir /mnt/nethome
    # mount -t nfs 192.168.0.10:/home /mnt/nethome
    # umount /mnt/nethome
    # showmount -e 192.168.0.10
    Export list for 192.168.0.10:
    /home                               *
    /exports/network-install/SuSE/9.3   *
    # rpcinfo -p 192.168.0.10

  • To see what is mounted on client side
    The df command shows disk usage
    The mount command is most detailed about mount options
    showmount shows all exported shares on a remote server plus all mounts from clients
    Client nfsstat will show statistics

    # df -F NFS
    Filesystem                     1k-blocks      Used Available Use% Mounted on
    192.168.0.10:/install/suse9.3   79366688  58235488  21131200  74% /mnt/a
    # showmount -a 192.168.1.60
    All mount points on 192.168.1.60:
    *,192.168.1.0/24:/home
    *:/home
    *:/install/suse9.3
    192.168.0.2:*
    # mount | grep nfs
    192.168.0.10:/install/suse9.3 on /mnt/a type nfs (rw,addr=192.168.0.10)
    # nfsstat -c
    Client rpc stats:
    calls      retrans    authrefrsh
    129        0          0

  • mount -o -t nfs
    NFS clients access network shared directories using the mount command
    NFS mount -o options:
    rw/ro              read-write (default) or read-only
    hard               retry the mount operation until the server responds (default), or
    soft               try the mount once and allow it to time out
    retrans & timeout  retransmission and timeout parameters for soft mounted operations
    bg                 after the first mount failure, retry the mount in the background
    intr               allow operations on filesystems to be interrupted with kill signals
    nfsvers=n          the version of NFS the mount command should attempt to use
    Use /etc/fstab to make NFS mounts permanent:
    a02:/tmp   /mnt/nethome   nfs   soft,intr,nfsvers=3   0 0
    Manually mounting /tmp from a02 as /mnt/nethome on the local host:

    # hostname
    a01
    # mount -o rw,soft -t nfs a02:/tmp /mnt/nethome

  • Mount nfs-shares at boot in client
    Make entries in /etc/fstab
    Some /etc/fstab mount options
    Mount all unmounted: if you made changes to fstab on a live system, you can mount all unmounted filesystems with mount -a

    # /etc/fstab
    # Directory                MountPoint   Type   Options          Dump FSCK
    192.168.0.10:/data/files   /mnt/nfs     nfs    soft,nfsvers=3   0    0

    auto            mount this when mount -a is used
    defaults        (rw suid dev exec auto nouser async)
    user            allow regular users to mount/umount
    sync            use synchronous I/O, most safe
    soft            skip the mount if the server is not responding
    hard            try until the server responds
    retry=minutes
    bg/fg           retry mounting in background or foreground

  • Possible NFS Mount options

  • Exercise - Using mount with NFS
    What command will mount /usr/share from mash4077 on the local mount point /usr/share?
    How do I check what filesystems are mounted locally?
    Make a static mount in a01 /mnt/nethome of exported a02:/tmp in /etc/fstab
    Manually mount exported a02:/usr/share as read only on a01
    How can I show what is nfs exported on the server?

  • NFS security
    NFS is inherently insecure
    NFS can be run in encrypted mode, which encrypts data over the network
    AFS is more appropriate for security conscious sites
    User IDs must be co-ordinated across all platforms: UIDs, not user names, are used to control file access (use LDAP or NIS), and mismatched user ids cause access and security problems
    Fortunately root access is denied by default: over NFS root is mapped to user nobody

    # mount | grep "/share"
    mail:/share on /share
    # id
    uid=318(hawkeye) gid=318(hawkeye)
    # touch /share/hawkeye
    # ssh mail ls -l /share/hawkeye
    -rwxr-xr-x 2 soonlee soonlee 0 Jan 11 11:21 /share/hawkeye
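The hawkeye/soonlee listing above is the UID mismatch the slide warns about, and it can be found before it bites by diffing the two passwd databases. This is an added example, not from the course material; the passwd fragments are constructed and the user names are taken from the slide.

```shell
#!/bin/sh
# Added example, not part of the original course material. The slide shows
# hawkeye (uid 318) creating a file that the server lists as owned by soonlee:
# NFS carries numeric ids, so two passwd databases that disagree silently
# hand one user's files to another. This compares a client's and a server's
# passwd files and reports every disagreement.

# Constructed passwd fragments (not real systems), modelled on the slide.
make_passwd_client() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
root:x:0:0:root:/root:/bin/sh
hawkeye:x:318:318:Hawkeye:/home/hawkeye:/bin/sh
radar:x:400:400:Radar:/home/radar:/bin/sh
honeycutt:x:501:501:BJ:/home/honeycutt:/bin/sh
EOF
    echo "$f"
}
make_passwd_server() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
root:x:0:0:root:/root:/bin/sh
soonlee:x:318:318:Soon-Lee:/home/soonlee:/bin/sh
radar:x:400:400:Radar:/home/radar:/bin/sh
hawkeye:x:502:502:Hawkeye:/home/hawkeye:/bin/sh
EOF
    echo "$f"
}

# uid_mismatches CLIENT_PASSWD SERVER_PASSWD prints one line per problem:
#  - a client UID that belongs to a different user on the server (the
#    slide's case: files appear owned by someone else),
#  - a client UID with no server account at all (ownership shows as a bare
#    number, and any later account created with that UID inherits the files),
#  - a user name present on both sides with different UIDs.
uid_mismatches() {
    awk -F: '
        # first pass (server file): index accounts by UID and by name
        NR == FNR { by_uid[$3] = $1; by_name[$1] = $3; next }
        # second pass (client file): check each client account against it
        {
            if (!($3 in by_uid))
                print "UID " $3 " (" $1 " on the client) is unassigned on the server"
            else if (by_uid[$3] != $1)
                print "UID " $3 " is " $1 " on the client but " by_uid[$3] " on the server"
            if (($1 in by_name) && by_name[$1] != $3)
                print "user " $1 " is UID " $3 " on the client but UID " by_name[$1] " on the server"
        }' "$2" "$1"
}

# Stand-alone run on the constructed data.
c=$(make_passwd_client); s=$(make_passwd_server)
uid_mismatches "$c" "$s"
rm -f "$c" "$s"
```

Against real hosts, feed it the client's /etc/passwd and a copy of the server's; the same check applies to group files with the group id column.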

  • NFS Hanging
    Run NFS on a reliable network

    Avoid having NFS servers that NFS mount each other's filesystems or directories

    Always use the sync option whenever possible

    Mission critical computers shouldn't rely on an NFS server to operate

    Don't have NFS shares in the search path

  • NFS Hanging continued
    File Locking: known issues exist, test your applications carefully

    Nesting Exports: NFS doesn't allow you to export directories that are subdirectories of directories that have already been exported, unless they are on different partitions.

    Limiting "root" Access: no_root_squash

    Restricting Access to the NFS server: you can add a user named "nfsuser" on the NFS client to let this user squash access for all other users on that client

    Use nfsV3 if possible

  • NFS Firewall considerations
    NFS uses many ports: RPC uses TCP port 111; the NFS server itself uses port 2049; MOUNTD listens on negotiated UDP/TCP ports; NLOCKMGR listens on negotiated UDP/TCP ports. Expect that almost any TCP/UDP port over 1023 can be allocated for NFS.
    NFS needs a STATEFUL firewall: a stateful firewall will be able to deal with traffic that originates from inside a network and block traffic from outside.
    SPI can demolish NFS: stateful packet inspection on cheaper routers/firewalls can misinterpret NFS traffic as DOS attacks and start dropping packets.
    NFSSHELL: this is a hacker tool, it can hack some NFS. Invented by Leendert van Doorn.
    Use VPN and IPSEC tunnels: with complex services like NFS, IPSEC or some kind of VPN should be considered if used in untrusted networks.

  • Common NFS error messages

  • NFS Automounter for clients or servers
    Automatically mount directories from the server when needed
    To activate automount manually and at boot
    Management of shares is centralized on the server; this increases security and reduces lockup problems compared with static shares
    The main configuration sits in /etc/auto.master. The simple format is: MOUNT-KEY MOUNT-OPTIONS LOCATION
    MOUNT-KEY is the local mountpoint, here /doc, /- (from root) and /home
    MOUNT-OPTIONS are the standard mount options previously described, here -ro
    LOCATION can be a direct share on a server (like server:/usr/doc), a direct map file (auto.direct) or an indirect map file like /etc/auto.home.
    The common configuration /etc/auto.misc is for floppy/cd/dvd.
    Centralized administration needs /etc/nsswitch.conf to be set

    /etc/auto.master:
    /doc     -ro    server:/usr/doc
    /-              /etc/auto.direct
    /home           /etc/auto.home
    # rcautofs start
    # insserv autofs
    /etc/nsswitch.conf:
    automount: files nis ldap

  • Direct And Indirect Map Files structure
    The file /etc/auto.master sets the mandatory automount config; map files always try to mount under the auto.master mount key
    Direct map file /etc/auto.direct: direct maps are used to define NFS filesystems that are mounted on different servers or that don't all start with the same prefix.
    Indirect map file /etc/auto.home: indirect maps define directories that can be mounted under the same mount point, like users' home directories.

    /etc/auto.direct:
    /data/sales      -rw        server:/disk1/data/sales
    /sql/database    -ro,soft   snail:/var/mysql/database
    /etc/auto.home:
    peter     server:/home/peter
    kalle     akvarius:/home/bob
    walker    iss:/home/bunny

  • Wildcards In Map Files
    The asterisk (*), which means all
    The ampersand (&), which instructs the automounter to substitute the value of the key for the & character
    Using the Ampersand Wildcard, /etc/auto.home:
    peter    server:/home/&
    The key is peter, so the ampersand wildcard is interpreted to mean peter too. This means you'll be mounting the server:/home/peter directory.
    Using the Asterisk Wildcard, /etc/auto.home:
    *        bigboy:/home/&
    In this example the key is *, meaning that the automounter will attempt a mount on any attempt to enter the /home directory. But what's the value of the ampersand? It is actually assigned the value of the key that triggered the access to the /etc/auto.home file. If the access was for /home/peter, then the ampersand is interpreted to mean peter, and server:/home/peter is mounted. If the access was for /home/kalle, then akvarius:/home/kalle would be mounted.
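The key lookup and the &-substitution described above can be traced without a running autofs. This is an added example, not from the course material: a shell function that resolves a key against an indirect map (assumed format "key [-options] location", as in the slides) exactly as explained, exact key first, then the * entry, with & replaced by the key. The sample map is constructed and combines the slide's two examples.

```shell
#!/bin/sh
# Added example, not part of the original course material: resolves a key
# (the directory name looked up under the mount point) against an indirect
# automount map the way the slide describes: an exact key wins, otherwise
# the "*" entry applies, and every "&" in the location is replaced by the key.
# Map lines are assumed to be "key [-options] location" with "#" comments.

# Constructed map combining the slide's two examples (exact "peter" entry
# plus a wildcard) and an entry with mount options.
make_sample_map() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# constructed /etc/auto.home
peter    -rw       server:/home/&
archive  -ro,soft  snail:/var/archive/&
*                  bigboy:/home/&
EOF
    echo "$f"
}

# resolve_automount MAPFILE KEY prints "[options ]location" for the entry
# that would be used, or prints nothing and returns 1 if no entry matches.
resolve_automount() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            opts = ""; loc = $NF
            if (NF >= 3 && $2 ~ /^-/) opts = $2
            if ($1 == key)                   { exact = loc; exact_opts = opts }
            else if ($1 == "*" && wild == "") { wild = loc;  wild_opts = opts }
        }
        END {
            if (exact != "")     { loc = exact; opts = exact_opts }
            else if (wild != "") { loc = wild;  opts = wild_opts }
            else exit 1
            gsub(/&/, key, loc)           # the ampersand stands for the key
            print (opts == "" ? "" : opts " ") loc
        }' "$1"
}

# Stand-alone run: the lookups discussed on the slide plus one with options.
m=$(make_sample_map)
for k in peter kalle archive; do
    printf '/home/%s -> %s\n' "$k" "$(resolve_automount "$m" "$k")"
done
rm -f "$m"
```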

  • Other DFS Systems
    RFS: Remote File Sharing
    developed by AT&T to address problems with NFS
    stateful system supporting Unix filesystem semantics
    uses the same SVR4 commands as NFS, just use rfs as the file type
    standard in SVR4 but not found in many other systems
    AFS: Andrew Filesystem
    developed as a research project at Carnegie-Mellon University
    now distributed by a third party (Transarc Corporation)
    available for most Unix platforms and PCs running DOS, OS/2, Windows
    uses its own set of commands
    remote systems are accessed through a common interface (the /afs directory)
    supports local data caching and enhanced security using Kerberos
    fast gaining popularity in the Unix community

  • Summary
    Unix supports file sharing across a network
    NFS is the most popular system and allows Unix to share files with other O/S
    Servers share directories across the network using the share command
    Permanent shared drives can be configured in /etc/fstab
    Clients use mount to access shared drives
    Use mount and exportfs to look at distributed files/catalogs

    This chapter looks at NFS, Sun's Network Filesystem. It focuses primarily on setting up NFS servers and clients, and especially on the differences between BSD and SVR4 UNIX in terms of setting up NFS. Lastly it looks at the disadvantages of NFS.

    NFS (the network filesystem) was developed by Sun Microsystems in 1984 and licensed to many vendors. It essentially allows a server to make available its filesystems/directories, typically application and home directories, to clients who mount from the server. The client then sees the data as if it were local, i.e. the mount should be transparent to the client. NFS thus saves applications being installed on several machines. Other, less popular network filesystems are AFS (the Andrew Filesystem) and RFS (remote file system). Sometimes NFS is referred to as VFS, Virtual Filesystems.

    NFS's openness and statelessness make maintaining Unix filesystem semantics less straightforward. Because other operating systems such as VMS or DOS can so easily be accessed via NFS, operations like creating Unix-like symbolic links cannot be supported if the remote system does not support them. Another example is that of deleting files while they are still open. A Unix program may do this to create a temporary file: the file is opened, then deleted. It is still accessible by the program, but it doesn't have a name in the filesystem; Unix doesn't free the disk blocks until the file has finally been closed. Supporting this in the NFS protocol would mean introducing state into the server; it can be supported on the client, however.

    A special file in Unix accesses a device. NFS provides no support for this over a network. (AT&T's RFS does.)

    File locking becomes difficult in a networked environment: we are trying to introduce state into a system that was designed to be stateless. A separate lock manager daemon does handle file locking, however. It is important to match the versions of NFS running on clients and server to help ensure the compatibility needed to get NFS to work predictably.

    NFS on the wiki: the wiki is nice, here one can read the essentials of NFS plus some pros and cons.
    http://wiki.linux-nfs.org/index.php/Main_Page

    nfsV4 is coming, but support in Linux is still under development; anyone can join in and test. It is not an easy story: it includes downloading several source trees, changing libraries, and patching and recompiling the Linux kernel for nfsv4 support.

    Howto: set up NFS from source code
    http://nfs.sourceforge.net/nfs-howto/intro.htm
    http://www.citi.umich.edu/projects/nfsv4/

    NFS Version 1 was a prototype only!

    NFS isn't a single program, but a suite of interrelated programs that work together to get the job done. Portmap MUST be running before NFSSERVER can start.

    In some NFS implementations nfslock & netfs are started automatically when nfsserver starts (NFSv3 on SuSE); in other Unixes it is necessary to start them all manually in order to get the server up.

    In terms of the protocol stack NFS is an application. XDR (eXternal Data Representation) is our presentation layer and RPCs (Remote Procedure Calls) are our session layer entity. On the client side, we mount from the server using the mount command. On the server side, mountd responds to the mount request and allows or disallows the mount. Data is represented in an operating-system-independent fashion, i.e. using XDR, therefore allowing many OSs to share data, including UNIX, DOS, OS/2, Netware, MVS, VMS and more. When the client wishes to communicate with the server it generates RPCs, and the server's NFSD (network file system daemons) answer the client's calls. Record locking is implemented using the lockd and statd daemons, which must be run on both the server and the client.

    Samba is usually the solution of choice when you want to share disk space between Linux and Windows machines. NFS is used when disks need to be shared between Linux servers. Directories on the NFS server are presented to the network as special NFS filesystems, and the remote NFS clients use the mount command to gain access to them.

    SuSE/RedHat Linux installs NFS by default, and by default it is also activated when the system boots up. You can determine whether you have NFS installed using the rpm command; the main NFS package is called "nfs-utils". You might also see nfs-client and nfs-server yast packages for configuration, or similar RedHat tools.

    You will also need to have the RPC portmap package installed. You can use the rpm command to determine whether it's installed on your system. This should be the default, but since many people lack knowledge of RPC and how to secure it, they avoid RPC.

    If NFS and portmap are not installed, they can be added fairly easily. Most RedHat and Fedora Linux software products are available in the RPM format. Downloading and installing RPMs isn't hard. If you need a refresher, the chapter on RPMs covers how to do this in detail.

    You will need to make sure that the nfs-utils and portmap software RPMs are installed. When searching for the RPMs, remember that the filename usually starts with the software package name followed by a version number, like this: nfs-utils-1.0.7-3 and portmap-5beta-733.

    You can also use the chkconfig command to configure NFS and RPC portmap to start at boot. You will also have to activate NFS file locking to reduce the risk of corrupted data.

    If your client or server is mounting NFS filesystems from /etc/fstab you can start rcnfs as well.

    You can also use the init scripts in the /etc/init.d directory to start/stop/restart NFS and RPC portmap after booting:
    # /etc/init.d/portmap start
    # /etc/init.d/nfsserver start

    If the services were already running you will get an [Error] or [Fail] message. You can also usually stop and reload the services, as well as check their status, directly from the init scripts.

    rpcinfo is nice but a bit too clunky and too detailed. Normally you might only check with nfsserver status.

    If you installed NFS from other sources than rpm or rpms, you need to add portmap and nfs to /etc/init.d/rc.local in RedHat or /etc/init.d/boot.local in SuSE.

    If you installed nfsv4 from sources, you might need to edit the /etc/init.d/nfsserver and /etc/init.d/portmap scripts to make the new sources work.

    You can also use the chkconfig command to configure RPC portmap to start at boot. You will also have to activate NFS file locking to reduce the risk of corrupted data.

    You can also use the init scripts in the /etc/init.d directory to start/stop/restart RPC portmap after booting:
    # /etc/init.d/portmap start

    If the services were already running you will get an [Error] or [Fail] message. You can also usually stop and reload the services, as well as check their status, directly from the init scripts.

    rpcinfo is nice but a bit too clunky and too detailed. Normally you might only check with rcportmap status.

    If you installed NFS from other sources than rpm or rpms, you need to add portmap to /etc/init.d/rc.local in RedHat or /etc/init.d/boot.local in SuSE.

    If you installed nfsv4 from sources, you might need to edit the /etc/init.d/portmap script to make the new sources work.

    The NFS client must have a matching pair of forward and reverse DNS entries on the DNS server used by the NFS server. In other words, a DNS lookup on the NFS server for the IP address of the NFS client must return a server name that maps back to the original IP address when a DNS lookup is done on that same server name.

    This is a security precaution added to the nfs package that lessens the likelihood of unauthorized servers gaining access to files on the NFS server. Failure to correctly register your server IPs in DNS can result in "fake hostname" errors.

    Note! Most RPC services need the forward and reverse lookups to match. This also goes for many other services. To secure RPC, first use the service's native mode of allowing only certain IP addresses, users or domains to have access; next, help the service with a firewall like iptables, ipchains, ipf, pf or tcp-wrappers.

    The exportfs command is a general purpose network sharing command which can be used for NFS (as here).

    rw and root_squash are the standard sharing options. Extend this with -o squash-options.

    If you receive this error: "exportfs: rosies has non-inet addr", it means there is trouble with DNS or the /etc/hosts file; name resolving does not work properly. Check your zonefiles and hosts file.

    When using NFS it is imperative that UIDs are consistent across all systems in the network; the squash tool helps a bit on the way. But later in this class we will learn LDAP, which opens the way to uniform UID/GID in enterprise environments.

    The exportfs switch -i can prevent disasters like unexporting all shares or the reverse: it ignores the /etc/exports file, so that only default options and options given on the command line are used.

    showmount -e is also a comfortable way to see what the server is exporting. showmount can also monitor remote servers: showmount -e server2

    NFS And Symbolic Links, limitations: you have to be careful with the use of symbolic links on exported NFS directories. If an absolute link points to a directory on the NFS server that hasn't been exported, then the NFS client won't be able to access it.

    NFS and mounted image files, workaround: this does currently not work, it is not possible to export mounted loopback filesystem images. The workaround is to export the image files and let the client do the loopback mount itself.
    At the server (with the ISO files):
    exportfs rosies:/shared
    At the client:
    mount -t nfs -o rw server.my-site.com:/shared /mnt/nethome
    mkdir /mnt/a ; mount -o loop /mnt/nethome/image.iso /mnt/a

    /etc/exports is the main NFS configuration file and consists of two columns. The first column lists the directories you want to make available to the network. The second column has two parts: the first part lists the networks or DNS domains that can get access to the directory, the second part lists NFS options in brackets.

    In the sample we have provided:
    read-only access to the /data/files directory for all networks
    read/write access to the /home directory from all servers on the 192.168.0.0/24 network, that is all addresses from 192.168.0.0 to 192.168.0.255
    read/write access to the /data/test directory from servers in the my-site.com DNS domain
    read/write access to the /data/database directory from a single server, 192.168.0.203

    More options:
    squash_uids=0-50    squash uid 0-50 to uid nobody
    squash_gids=0-50    squash gid 0-50 to gid nobody
    no_root_squash      opens the system too much!
    anonuid=500         squash to uid 500
    anongid=500         squash to gid 500
    map_static=/etc/nfs/shrike.map    the file declares what to squash to what:
    # remote        local
    uid 0-50        -        # squash these
    gid 0-50        -        # squash these
    uid 100-200     1000     # map 1000 to 1200
    gid 100-200     1000     # map 1000 to 1200
    uid 501         500
    gid 501         500

    In many cases UserID and GroupID can become a problem, especially if you have a large network and many clients. In order to make the NFS server a bit more uniform when it comes to UID and GID we use squash commands, often together with NIS and LDAP.

    Here we use a special static mapping file for squashing client uid & gid to server uid & gid.

    For central administration of squashing in an enterprise environment we can use NIS/NIS+ or LDAP, and then use map_nis and map_ldap. Both NIS and LDAP use central databases to keep users and their attributes. Later we will look at LDAP.

    The exports file is a complex file, there are many more options; check the manual pages (man exports) for more information.

    exportfs is used both to instruct rc.nfsd to re-read the /etc/exports file after changes and to make temporary shares from the command line or from within various applications. exportfs switches:
    -u    unexport
    -a    all entries in /etc/exports
    -r    resync/refresh exports
    -v    be verbose
    Add a temporary share: exportfs 192.168.0.10:/usr/src
    Remove a temporary share: exportfs -u 192.168.0.10:/usr/src

    The nfsstat command provides useful error statistics. The -s option provides NFS server stats, while the -c option provides them for clients.

    NFS configuration on the client requires you to start the client-side services (the portmapper), create a directory on which to mount the directories the NFS server exported via its /etc/exports file, and finally mount the NFS server's directory on that local directory, or mount point. Here is how to do it all.

    Use the rpcinfo command (rpcinfo -p) to make sure the portmap daemon is running, and start it if it isn't. NFS clients do not need the NFS server daemons running to mount remote directories, but they do need portmap running to communicate correctly with the NFS server.

    You mount NFS shares into the client's file tree with the mount command. Usually you mount locally attached devices, for example: mount /dev/cdrom /mnt/cdrom. For NFS you need to specify the filesystem type and the server: mount -o rw,soft -t nfs hostname:/path/to/share /local/mount/point. The kernel NFS client then locates the server's services through the portmapper. It is important to be able to monitor which foreign filesystems are attached to a client; several tools (mount, df, nfsstat -m) do essentially the same thing with minor differences.

    nfsstat exists on both client and server and is useful for analysing NFS server and client activity in your environment.

    The initial mount command mounts the resource from the server. The client-side mount contacts the server's rpcbind (portmapper) to ask which port the mount daemon (mountd) is listening on; think of the port number as an application's address. Once the client's mount reaches the server's mountd, the mount is either allowed or denied based on the rights the server specified in /etc/exports.

    If the mount is allowed, the server passes the client an identifier called a file handle, which the client kernel puts in its mount table. When the client later references the mounted structure it simply passes the file handle to the server to indicate what it is trying to access.

    To make mounts happen at boot time, edit /etc/fstab. Mounts made on the command line like the ones above are lost on a reboot.

    The /etc/fstab file
    /etc/fstab lists all the partitions that are auto-mounted when the system boots, so you need to edit it if an NFS directory is to be permanently available to users of the client. In this case we are mounting the /data/files directory as an nfs-type filesystem on the /mnt/nfs mount point. The NFS server is "bigserver", whose IP address is 192.168.0.10.

    Note: with mount -o <options> you can use almost all of these options from the command line as well. The client, or worse a server, can hang severely if you do not use soft and/or bg mounts for NFS filesystems. There are more options; look at the man pages for mount and nfs.

    NFS is very useful but there is a price: UIDs must be coordinated across all platforms, otherwise users may get access to data they should not. In the example, UID 318 was assigned to user hawkeye on one system, but the same UID on the remote system was assigned to user soonlee.

    NFS and portmap have had a number of known security deficiencies in the past and, as a result, using NFS over insecure networks is not recommended. NFS does not encrypt data, and it is possible for root users on NFS clients to gain root access to the server's filesystems.
    - Exercise caution with NFS.
    - Restrict its use to secure networks.
    - Export only the data that is really needed.
    - Consider read-only exports whenever data updates are not necessary.
    - Use the root_squash option in /etc/exports (the default) to reduce the risk of abuse of privileges by NFS client "root" users on the NFS server.

    Testing NFS (commands run on the client; the server is called "mail"):
    - useradd -u 555 hawkeye; passwd hawkeye
    - ssh mail exportfs 192.168.0.0:/tmp
    - ssh mail useradd -u 555 sonlee
    - id hawkeye   ->   uid=555(hawkeye) gid=501(hawkeye)
    - mkdir /mnt/nethome
    - mount -o rw -t nfs mail:/tmp /mnt/nethome
    - su hawkeye ; touch /mnt/nethome/hawkeye
    - ssh mail ls -l /tmp/hawkeye
    The file created by hawkeye on the client shows up on the server owned by sonlee, because both accounts share UID 555.

    Most NFS transactions use the UDP protocol, which does not keep track of the state of a connection. If the remote server fails, the NFS client will sometimes not be aware of the disruption in service. If this occurs, the NFS client waits indefinitely for the return of the server, which also forces programs relying on that client/server relationship to wait indefinitely.

    It is for this reason that the "soft" option is recommended in the NFS client's /etc/fstab: it makes NFS report an I/O error to the calling program after a long timeout instead of blocking forever. Be aware that an application which ignores that error can lose writes, so soft suits read-mostly data; for data that must not be lost, keep the hard mount and protect boot time with bg instead.
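    The client-side steps above (portmapper, mount point, mount options, /etc/fstab) end in one fstab line, so here is an added example, not from the original course material, that builds the line for the page's own case (bigserver:/data/files on /mnt/nfs) and checks an existing nfs line for the options a practitioner would want. The soft and bg options come from the text; nosuid and nodev are my additions, so that setuid binaries and device nodes living on the server are not trusted on the client. The option set is a suggestion, not the page's.

```shell
#!/bin/sh
# Added example, not from the page: build and check /etc/fstab entries for NFS mounts.

# nfs_fstab_line SERVER EXPORT MOUNTPOINT OPTIONS: print one fstab line.
nfs_fstab_line() {
    printf '%s:%s %s nfs %s 0 0\n' "$1" "$2" "$3" "$4"
}

# nfs_fstab_check LINE: report problems with one nfs fstab line, one per line
# of output. Returns the number of problems found (0 = acceptable).
nfs_fstab_check() {
    set -- $1                  # split into: source mountpoint type options dump pass
    src=$1 mnt=$2 type=$3 opts=",$4,"
    n=0
    case $type in
        nfs|nfs4) ;;
        *) echo "$mnt: not an NFS entry (type '$type')"; return 1 ;;
    esac
    case $src in
        *:*) ;;
        *) echo "$mnt: source '$src' is not server:/path"; n=$((n + 1)) ;;
    esac
    # soft: a dead server yields an I/O error after the timeout instead of
    # blocking the caller forever (read-mostly data; ignored errors lose writes)
    case $opts in *,soft,*) ;; *) echo "$mnt: hard mount, callers hang if the server disappears; add soft"; n=$((n + 1)) ;; esac
    # bg: retry in the background so an unreachable server does not stall boot
    case $opts in *,bg,*) ;; *) echo "$mnt: no bg, an unreachable server stalls boot; add bg"; n=$((n + 1)) ;; esac
    # nosuid/nodev: never honour setuid bits or device nodes that live on the server
    case $opts in *,nosuid,*) ;; *) echo "$mnt: missing nosuid, setuid binaries on the export run privileged here"; n=$((n + 1)) ;; esac
    case $opts in *,nodev,*) ;; *) echo "$mnt: missing nodev, device nodes on the export are usable here"; n=$((n + 1)) ;; esac
    return $n
}

# The page's example: bigserver's /data/files on /mnt/nfs, with the options above.
nfs_fstab_line bigserver /data/files /mnt/nfs rw,soft,bg,nosuid,nodev
```

    To review a real client, feed it every nfs line of the file: grep -E '[[:space:]]nfs4?[[:space:]]' /etc/fstab | while IFS= read -r l; do nfs_fstab_check "$l"; done. A bare "rw" entry draws four complaints; the line generated above draws none.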

    A hung NFS connection to a directory in your search path could cause your shell to pause at that point in the path until the NFS session is regained; NFS-mounted directories should therefore not be part of your search path.

    NFS allows multiple clients to mount the same directory, but NFS has a history of handling file locking poorly, though more recent versions are said to have rectified the problem. Test your network-based applications thoroughly before relying on NFS.

    By default NFS does not allow a "root" user on an NFS client to have "root" privileges on the NFS server: the root_squash export option maps requests from UID 0 to the anonymous user (anonuid/anongid, normally nobody). This protection is switched off with the no_root_squash export option in /etc/exports, so use it only for exports that a trusted client genuinely needs to administer.

    NFS does not provide restrictions on a per-user basis; access is granted to client hosts, and the server trusts the numeric UID the client presents. If a user named "nfsuser" exists on the NFS client, they have access to all the files of the user named "nfsuser" on the NFS server, and root on a client can "su" to any UID to reach that user's files regardless of root_squash. It is therefore best to use the /etc/exports file to limit access to certain trusted hosts or networks.
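    The UID coordination problem raised here and in the hawkeye/soonlee example earlier can be checked mechanically. The following is an added example, not part of the original material: it compares two passwd files and prints every UID that names one account on the client and a different account on the server. Both passwd files are constructed samples embedded in the script; the server name "bigserver" in the usage note is the page's.

```shell
#!/bin/sh
# Added example, not from the page: find UIDs that mean different accounts on
# the NFS client and the NFS server. Both passwd files below are constructed.

CLIENT_PASSWD='root:x:0:0:root:/root:/bin/bash
hawkeye:x:318:318:Hawkeye:/home/hawkeye:/bin/bash
nfsuser:x:1001:1001::/home/nfsuser:/bin/sh'

SERVER_PASSWD='root:x:0:0:root:/root:/bin/bash
soonlee:x:318:318:Soon Lee:/home/soonlee:/bin/bash
nfsuser:x:1001:1001::/home/nfsuser:/bin/sh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin'

# uid_collisions CLIENT_PASSWD SERVER_PASSWD: print "uid client_name server_name"
# for every UID that exists on both sides under different names. Because the
# NFS server trusts the numeric UID the client sends, each such line is a user
# on the client who can read and write another user's files on the server.
uid_collisions() {
    {
        printf '%s\n' "$1" | awk -F: 'NF >= 3 { print "C", $3, $1 }'
        printf '%s\n' "$2" | awk -F: 'NF >= 3 { print "S", $3, $1 }'
    } | awk '
        $1 == "C" { client[$2] = $3 }
        $1 == "S" { server[$2] = $3 }
        END {
            for (uid in client)
                if ((uid in server) && client[uid] != server[uid])
                    print uid, client[uid], server[uid]
        }' | sort -n
}

uid_collisions "$CLIENT_PASSWD" "$SERVER_PASSWD"
```

    Against live systems, run for example uid_collisions "$(cat /etc/passwd)" "$(ssh bigserver cat /etc/passwd)"; on the sample above the only hit is "318 hawkeye soonlee", exactly the case the text warns about. Matching names (root, nfsuser) and accounts that exist on one side only are not reported.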

    You may also want to use a firewall to protect access to the NFS server. The portmapper listens on TCP and UDP port 111 and nfsd itself on port 2049, but mountd, statd and lockd register on dynamically chosen ports that the client learns from the portmapper. There are ways to pin these ports, but that is beyond the scope of this book.

    You may also want to eliminate any wireless networks between your NFS server and client, and it is not wise to mount an NFS share across the Internet.

    Permanent mounting of filesystems has its disadvantages. The /etc/fstab file is unique to each Linux client and has to be edited individually on each, so NFS client management becomes harder. Also, the mount is permanent, tying up system resources even when the NFS server is not being accessed.

    The automounter (autofs) overcomes these shortcomings by letting you bypass /etc/fstab for NFS mounts and instead use an NFS-specific map file that can be distributed to multiple clients. The map also lets you specify how long an idle NFS mount is kept, after which it is unmounted automatically; the automounter nevertheless keeps telling the kernel that the mount point is served. When the kernel makes a file request under it, the automounter intercepts the request and mounts the remote directory on the mount point defined in the map file. The mount point directory is created dynamically when needed; after the timeout the remote directory is unmounted and the mount point removed.

    Centralized administration of filesystems and users can be achieved with NIS/NIS+ and LDAP; LDAP is the most popular today, but many sites still use NIS/NIS+. The filesystems mounted from servers are usually the users' /home and some filesystem holding applications. /etc/nsswitch.conf controls where the automounter maps come from. In the example above it reads "automount: files nis ldap", which tells the client to look first in /etc/auto.master, then ask the NIS server, and last the LDAP server. Both NIS and LDAP servers act as centralized databases that hold not only user entries but can also describe client hosts and the infrastructure they live in.

    The format of these map files is similar to that of /etc/auto.master, except that columns two and three are switched. Column one lists the directory keys that activate the automounter; a key is also the name of the mount point under the directory listed in /etc/auto.master. The second column gives the mount options to use, and the third column lists the NFS servers and the filesystems that map to the keys. When the NFS client accesses a file, autofs checks the keys in /etc/auto.master to see whether the path falls within the automounter's responsibility. If it does, the automounter looks in the subsidiary map file for the subdirectory mount-point key; if it finds one, it mounts the filesystem.

    Indirect map file example: in the previous example, /etc/auto.master redirected all references under /home to /etc/auto.home. This second file has entries for peter, kalle and walker; these directories are mount points for directories on the servers server, akvarius and iss.

    Direct map file example: the second entry in /etc/auto.master was created specifically to handle references to one-of-a-kind directory prefixes. In the example, /data/sales and /sql/database are mount points for directories on the servers server and snail.

    Sample autofs files (they live in /etc):

        # Sample auto.master file
        # This is an automounter map and it has the following format
        # key [ -mount-options-separated-by-comma ] location
        # For details of the format look at autofs(5).
        #/misc   /etc/auto.misc   --timeout=60
        #/misc   /etc/auto.misc
        #/net    /etc/auto.net
        /home    /etc/auto.home

        # File: /etc/auto.home
        *        lina:/home/&

        # snippet from /etc/nsswitch.conf
        automount: files nis

    Other distributed filesystems include AFS (the Andrew File System) and RFS (Remote File System). Industry pundits expected AFS to become the preferred distributed filesystem as the commercial world became more security conscious. This has changed over the last year, however: NFSv4 has gained many more features than AFS has and is developing into a fast and secure network file system.

    As you have seen, NFS can be a very powerful tool for providing clients with access to large amounts of data, such as a database stored on a centralized server. Many of the network-attached storage products currently on the market rely on NFS, a testament to its popularity, increasing stability and improving security.