NFS
Network File System
NFS (Network File System)
Network file systems allow us to share files between users on different systems, often with different operating systems
The Windows® operating systems use the CIFS (SMB) network file system, which is implemented by the Samba package on UNIX systems
Developed by Sun Microsystems
Uses the RPC (remote procedure call) service
Requires portmap
Directories shared through the /etc/exports file
Directories mounted through the mount command
NFS: Service Profile
Type: System-V managed service
Package: nfs-utils
Daemons: nfsd, lockd, rpciod, rpc.mountd, rpc.rquotad, rpc.statd
Scripts: nfs, nfslock
Ports: assigned by portmap (111)
Configuration: /etc/exports
Packaging for Unix/Linux
Different packaging approaches
Solaris: Pkg* (pkginfo, pkgadd, pkgmake)
Linux: rpm / rpmbuild
Uses digital signatures
Overall objectives and approaches are similar
Packages are created
NFS Server Components
portmap: maps calls from other machines to the correct RPC service
nfs: kernel module translates NFS requests into local file system requests
rpc.mountd: file client used to mount and unmount remote file systems
/etc/exports examples
/var/ftp/pub *.dit.ie(ro,sync) *.comp.dit.ie(rw,sync)
/root/presentations rbradley.dit.ie(rw,sync)
/data 147.252.230.230(sync)
Note that whitespace makes a difference:
[server]([options]) applies the options to that server
[server1] ([options]) applies the options to everything apart from the server
/etc/exports
Directories are exported with root squashing turned on; this ensures that requests from the root user on a client machine are denied root access to root-owned files on the server machine
Such requests are mapped onto a uid such as 65534
Can be prevented with the no_root_squash option, but this is not recommended
/etc/exports examples
More examples:
/usr/local 192.168.0.1(ro) 192.168.0.2(ro)
/home 192.168.0.1(rw) 192.168.0.2(rw,no_root_squash)
Also allow access to sets of computers:
/usr/local 192.168.0.0/255.255.255.0(ro)
/home 192.168.0.0/255.255.255.0(rw)
Controlling access
Most services (anything controlled by inetd, and also nfs) support access control with /etc/hosts.allow and /etc/hosts.deny
Format of the files is:
[service name]: [host or network/netmask], [host or network/netmask] ...
E.g.:
portmap: 192.168.0.1 , 192.168.0.2
mountd: 192.168.0.1 , 192.168.0.2
ALL: ALL
Controlling access
Any service using this approach follows this process:
Check hosts.allow: if the requesting host is listed in this file, allow the access and finish.
Then check hosts.deny: if the requesting host is listed in this file, deny the access and finish.
Otherwise, allow the access.
For nfs, to allow or deny access ALL of its services need to be included in the file: portmap, lockd, mountd, rquotad, statd
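The lookup order above, and the point that every NFS RPC service must be covered, as an added example (not part of the lecture): a small evaluator for hosts.allow / hosts.deny rules. It assumes clients are given as IP addresses or network/netmask patterns (no hostname lookups) and uses a constructed rule set in which only portmap and mountd are allowed.

```python
from ipaddress import ip_address, ip_network

# Constructed hosts.allow / hosts.deny in the format the slides show. In
# hosts_access(5) the wildcard keyword is the upper-case ALL.
HOSTS_ALLOW = """\
portmap: 192.168.0.1 , 192.168.0.2
mountd: 192.168.0.1 , 192.168.0.2
"""
HOSTS_DENY = "ALL: ALL\n"

# Every RPC service NFS relies on; the slides note all of them must be listed.
NFS_SERVICES = ("portmap", "lockd", "mountd", "rquotad", "statd")


def parse_rules(text):
    """Turn 'service: client , client' lines into (service, [patterns])."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            service, _, clients = line.partition(":")
            rules.append((service.strip(), [c.strip() for c in clients.split(",")]))
    return rules


def rule_matches(rule_service, patterns, service, client_ip):
    """Does this rule cover the service and the client? Supports ALL and net/mask."""
    if rule_service not in ("ALL", service):
        return False
    for pattern in patterns:
        if pattern == "ALL" or pattern == client_ip:
            return True
        if "/" in pattern and ip_address(client_ip) in ip_network(pattern, strict=False):
            return True
    return False


def decide(service, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts_access(5) order: hosts.allow match -> allow; hosts.deny match -> deny; else allow."""
    if any(rule_matches(s, p, service, client_ip) for s, p in parse_rules(allow_text)):
        return "allow"
    if any(rule_matches(s, p, service, client_ip) for s, p in parse_rules(deny_text)):
        return "deny"
    return "allow"


def nfs_access(client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Per-service verdict: one 'deny' here is enough to break mounting for the client."""
    return {svc: decide(svc, client_ip, allow_text, deny_text) for svc in NFS_SERVICES}
```

With the constructed files, 192.168.0.1 is allowed for portmap and mountd but denied for lockd, rquotad and statd, which is exactly the half-configured state that produces confusing mount failures.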
NFS Client
Client side NFS implemented as a kernel module
/etc/fstab is used to specify network mounts. NFS shares are mounted at boot time by /etc/rc.d/init.d/netfs
NFS Client
Shares can be mounted manually by root, or automatically at boot time.
The default /etc/fstab entries in UML (User Mode Linux):
Device       mountpoint  type  options   dump  fsckorder
/dev/ubd/0   /           ext2  defaults  1     1
/proc        /proc       proc  defaults
/dev/ubd/1   none        swap  sw
/etc/fstab nfs entry:
Device                mountpoint  type  options   dump  fsckorder
Server1:/var/ftp/pub  /mnt/pub    nfs   defaults  0     0
NFS Mount Options
Options include:
rsize=8192 and wsize=8192: will speed up transfers considerably
soft: processes return with an error on a failed I/O attempt
hard: will block a process that tries to access an unreachable share
nolock: disables file locking and allows interoperation with older NFS servers
nosuid: stops suid-enabled programmes executing from the mounted file system
noexec: stops all programmes executing from the mounted file system
ro: read-only file system
rw: read/write access
NFS autofs
autofs provides the ability to mount NFS shares on demand and to unmount them when they are idle
autofs uses the files /etc/auto.master and /etc/auto.misc for configuration
autofs is a kernel service, but must be enabled by configuring autofs to run in the appropriate run levels
NFS Services
exportfs -r: refreshes the server's share list after modifying /etc/exports
-v: displays a list of the shared directories and options on a server
-a: exports all shares listed in /etc/exports, or a share named as an argument
-u: unexports the share named as an argument, or all shares with no argument and a -a
-e host: shows the available shares on host
Trouble shooting nfs
Unable to see a mounted file system: cat /proc/mounts, mount -f
Permission denied on mount attempt:
Check that the fstab entry and the exports have the same access (i.e. ro, rw etc)
Check you haven't attempted to export both a parent and a child, i.e. /usr and /usr/local can't both be exported
Trouble shooting nfs II
RPC: Program not registered
On the server, use ps or rpcinfo -p to check that portmapper, nfs and mountd are running
On the client, use rpcinfo -p [server] to check that it can see the services
If the client gets "No remote programs registered", check hosts.allow and hosts.deny
Trouble shooting nfs III
Permissions aren't right:
/export/dir hostname(rw,no_root_squash)
/export/dir hostname (rw,no_root_squash)
These statements aren't the same. The white space in the second means that everybody apart from hostname will get the privileges in the ().
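The whitespace pitfall above, and the root-squash and "everybody" cases from the earlier /etc/exports slides, as an added example (not part of the lecture): a parser for /etc/exports lines that flags an options token with no client in front of it, any no_root_squash, and read-write exports to every host. The sample file is constructed from the lecture's entries plus the misspaced one.

```python
import re

# Constructed sample /etc/exports, modelled on the lecture's examples; the
# fourth entry carries the "host (options)" whitespace mistake from the slides.
SAMPLE_EXPORTS = """\
# anonymous FTP tree: read-only for the college, read-write for the department
/var/ftp/pub *.dit.ie(ro,sync) *.comp.dit.ie(rw,sync)
/home 192.168.0.1(rw) 192.168.0.2(rw,no_root_squash)
/export/dir hostname (rw,no_root_squash)
/usr/local 192.168.0.0/255.255.255.0(ro)
"""

# One client token: "client" or "client(opt,opt)"; no whitespace allowed inside.
CLIENT = re.compile(r"([^(]+)(?:\((.*)\))?")


def parse_exports(text):
    """Yield (path, client, options, detached) for every client token.

    A token beginning with "(" has no client in front of it, so exports(5)
    applies its options to "*" (every host): that is what a stray space
    between host and options produces, and such tokens are flagged detached.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *tokens = line.split()
        for tok in tokens:
            if tok.startswith("(") and tok.endswith(")"):
                yield path, "*", tok[1:-1].split(","), True
                continue
            match = CLIENT.fullmatch(tok)
            if match is None:
                raise ValueError(f"malformed client token {tok!r} for {path}")
            client, opts = match.groups()
            yield path, client, opts.split(",") if opts else [], False


def audit_exports(text):
    """Return (path, client, problem) for entries an admin should re-check."""
    findings = []
    for path, client, opts, detached in parse_exports(text):
        if detached:
            findings.append((path, client, "options detached by whitespace, so they apply to every host"))
        if "no_root_squash" in opts:
            findings.append((path, client, "root squashing disabled"))
        if client == "*" and "rw" in opts:
            findings.append((path, client, "read-write export to all hosts"))
    return findings
```

Run against the sample, the misspaced /export/dir line produces three findings on client "*" while the intended hostname gets nothing, which is the reverse of what the administrator meant.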
NFS optimisation
Issues:
NFS is sensitive to network traffic
NFS needs both read and write performance
NFS traffic is bursty
Detection: /usr/sbin/nfsstat -n -a
NFS optimisation
Lower the nice value
Switch to a journaling file system
Spread NFS exported file systems across multiple disks and disk controllers
Use RAID 0/1; RAID 5 isn't fast on writes
Reduce the number of write-intensive mounts
Automount is difficult to get away from
FTP
File Transfer Protocol
FTP Service Profile
System-V managed service
Package: vsftpd
Script: vsftpd
Ports: 21 (ftp), 20 (ftp-data)
Config files: /etc/vsftpd/vsftpd.conf, /etc/vsftpd.ftpusers, /etc/pam.d/vsftpd
Log file: /var/log/vsftpd.log
FTP (File Transfer Protocol)
Linux uses vsftpd, which is no longer managed by inetd by default; it can be configured to use xinetd.
/etc/vsftpd/vsftpd.conf is the main configuration file
Two levels of access: anonymous and existing system users. By default, anonymous users are based in /var/ftp
By default, anonymous users can download files, but not upload them
FTP (File Transfer Protocol)
rbradley@aisling:~$ ftp taranaki
Connected to taranaki.student.comp.dit.ie.
220 taranaki FTP server (SunOS 5.8) ready.
Name (taranaki:rbradley): rbradley
331 Password required for rbradley.
Password:
230 User rbradley logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
FTP – User access
In /etc/vsftpd/vsftpd.conf:
Control anonymous user access with anonymous_enable=YES/NO
Control anonymous user upload access with anon_upload_enable=YES/NO
Existing users on a system log in using their usual username and password
By default, users can download any file they can read and upload to any directory to which they have write access
FTP – User access
ftp> pwd
257 "/export/home/lecturer/rbradley" is current directory.
ftp> cd ..
250 CWD command successful.
ftp> pwd
257 "/export/home/lecturer" is current directory.
ftp> lcd ..
Local directory now /home/staff
ftp>
FTP – controlling user access
/etc/vsftpd/vsftpd.conf is the main configuration file
Two additional files are used to control access: /etc/vsftpd.ftpusers and /etc/vsftpd.user_list
FTP – controlling user access
Individual users can be denied access by placing their names in /etc/vsftpd.ftpusers
/etc/vsftpd.user_list is examined if userlist_enable=YES is set in /etc/vsftpd.conf
The list file can be used either to grant access (userlist_deny=NO) or to deny access (userlist_deny=YES)
A .message file will be displayed to anybody changing to a directory.
Can also use hosts.allow and hosts.deny
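The anonymous_enable, ftpusers and user_list rules from the last few slides, as an added example (not from the lecture and not vsftpd's own code): a function that decides whether a login name would be accepted. It follows the slides' description of the checks in order; the configuration fragments are constructed, and the fallback values for absent keys are assumed to be upstream vsftpd's defaults.

```python
# Constructed configuration fragments in the formats the slides describe.
VSFTPD_CONF = """\
anonymous_enable=NO
userlist_enable=YES
userlist_deny=NO
"""
FTPUSERS = "root\nbin\ndaemon\n"        # /etc/vsftpd.ftpusers: always denied
USER_LIST = "rbradley\nlecturer\n"       # /etc/vsftpd.user_list: meaning set by userlist_deny

# Assumed upstream vsftpd defaults, used when a key is absent from vsftpd.conf.
DEFAULTS = {"anonymous_enable": "YES", "userlist_enable": "NO", "userlist_deny": "YES"}


def parse_conf(text):
    """vsftpd.conf is one key=value per line, '#' comments, no spaces around '='."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip().upper()
    return conf


def listed_names(text):
    """One user name per line; blank lines and '#' comments are ignored."""
    return {l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")}


def ftp_login_allowed(user, conf_text=VSFTPD_CONF, ftpusers=FTPUSERS, user_list=USER_LIST):
    """Apply the slides' rules in order: anonymous switch, ftpusers, then user_list."""
    conf = parse_conf(conf_text)
    if user in ("anonymous", "ftp"):
        return conf["anonymous_enable"] == "YES"
    if user in listed_names(ftpusers):
        return False                      # named in vsftpd.ftpusers: denied outright
    if conf["userlist_enable"] == "YES":
        listed = user in listed_names(user_list)
        if conf["userlist_deny"] == "YES":
            return not listed             # the list is a deny list
        return listed                     # userlist_deny=NO: the list is an allow list
    return True                           # any other system account may log in
```

With the constructed files only rbradley and lecturer can log in; flipping userlist_deny to YES inverts the meaning of the same list, which is the easy-to-miss switch when auditing an FTP server.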
FTP – Controlling directory access
By default, ftp connects to the /usr/ftp/pub directory.
Users can be restricted to only their home directory:
chroot_list_enable=NO/YES
chroot_list_file=/usr/local/etc/vsftpd.chroot_list