NFS Network File System

Upload: griffin-flowers

Post on 05-Jan-2016

TRANSCRIPT

Page 1: NFS Network File System. NFS (Network File System) Network file systems allow us to share files between users on different systems, often with different

NFS

Network File System

Page 2

NFS (Network File System)

Network file systems allow us to share files between users on different systems, often with different operating systems

The Windows® operating systems use the CIFS (SMB) network file system, as implemented by the Samba package on UNIX systems

- Developed by Sun Microsystems
- Uses the RPC (remote procedure call) service
- Requires portmap
- Directories shared through the /etc/exports file
- Directories mounted through the mount command

Page 3

NFS: Service Profile

Type: System-V managed service
Package: nfs-utils
Daemons: nfsd, lockd, rpciod, rpc.mountd, rpc.rquotad, rpc.statd
Scripts: nfs, nfslock
Ports: assigned by portmap (111)
Configuration: /etc/exports

Page 4

Packaging for Unix/Linux

Different packaging approaches:
- Solaris: pkg* tools (pkginfo, pkgadd, pkgmake)
- Linux: rpm / rpmbuild

Uses digital signatures

Overall objectives and approaches are similar; packages are created

Page 5

NFS Server Components

portmap: maps calls from other machines to the correct RPC service

nfs: kernel module that translates NFS requests into local file system requests

rpc.mountd: used by clients to mount and unmount remote file systems

Page 6

/etc/exports examples

/var/ftp/pub *.dit.ie(ro,sync) *.comp.dit.ie(rw,sync)
/root/presentations rbradley.dit.ie(rw,sync)
/data 147.252.230.230(sync)

Note that whitespace makes a difference:
[server]([options]) applies the options to that server
[server1] ([options]) applies the options to everything apart from the server

Page 7

/etc/exports

Directories are exported with root squashing turned on; this ensures that requests from the root user on a client machine are denied root access to root-owned files on the server machine

Such requests are mapped onto a uid such as 65534

Root squashing can be turned off with the no_root_squash option, but this is not recommended

Page 8

/etc/exports examples

More examples:

/usr/local 192.168.0.1(ro) 192.168.0.2(ro)
/home 192.168.0.1(rw) 192.168.0.2(rw,no_root_squash)

Also allow access to sets of computers:

/usr/local 192.168.0.0/255.255.255.0(ro)
/home 192.168.0.0/255.255.255.0(rw)

Page 9

Controlling access

Most services (anything controlled by inetd, and also nfs) support access control with /etc/hosts.allow and /etc/hosts.deny

Format of the files is:
[service name]: [host or network/netmask], [host or network/netmask] …

E.g.:
portmap: 192.168.0.1 , 192.168.0.2
mountd: 192.168.0.1 , 192.168.0.2
ALL: ALL

Page 10

Controlling access

Any service using this approach will follow the process:
1. Check in hosts.allow: if the requesting host is in this file, allow the access and finish
2. Now check in hosts.deny: if the requesting host is in this file, deny the access and finish
3. Otherwise, allow access

For nfs, to allow/deny access ALL the services need to be included in the files: portmap, lockd, mountd, rquotad, statd
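The three-step allow/deny/default process above, and the point that NFS only works when every one of its RPC services admits the client, as an added example that is not part of the slides. It models only the subset of the hosts.allow/hosts.deny syntax the slides show (a daemon list, a colon, then literal IPv4 addresses, net/mask pairs or ALL); the file contents are constructed for the example.

```python
# Added example: evaluate the tcp_wrappers decision process described on the
# slides for a client address. Supports only the syntax shown on the slides:
# "daemon[, daemon]: client[, client]" with clients as an IPv4 address,
# "net/netmask" or ALL. The two file bodies below are constructed samples.
import ipaddress

HOSTS_ALLOW = """
portmap: 192.168.0.1 , 192.168.0.2
mountd: 192.168.0.1 , 192.168.0.2
lockd, rquotad, statd: 192.168.0.0/255.255.255.0
"""

HOSTS_DENY = """
ALL: ALL
"""

# The RPC services the slides say must all admit a client before NFS works.
NFS_DAEMONS = ("portmap", "lockd", "mountd", "rquotad", "statd")


def parse_rules(text):
    """Return a list of (daemons, clients) tuples from a hosts.allow/deny body."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line or ":" not in line:
            continue
        daemon_part, client_part = line.split(":", 1)
        daemons = [d.strip() for d in daemon_part.split(",") if d.strip()]
        clients = [c.strip() for c in client_part.split(",") if c.strip()]
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, addr):
    """True if an IPv4 address matches one client pattern (ALL, net/mask or literal)."""
    if pattern == "ALL":
        return True
    ip = ipaddress.IPv4Address(addr)
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        return ip in ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
    return ip == ipaddress.IPv4Address(pattern)


def rule_matches(rules, daemon, addr):
    """True if any rule names this daemon (or ALL) and matches the address."""
    return any(
        (daemon in daemons or "ALL" in daemons)
        and any(client_matches(c, addr) for c in clients)
        for daemons, clients in rules
    )


def access_allowed(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Step 1: hosts.allow; step 2: hosts.deny; step 3: default allow."""
    if rule_matches(parse_rules(allow_text), daemon, addr):
        return True
    if rule_matches(parse_rules(deny_text), daemon, addr):
        return False
    return True


def nfs_access(addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return the NFS-related services that would reject this client; an
    empty list means the client can use NFS from the wrappers' point of view."""
    return [d for d in NFS_DAEMONS
            if not access_allowed(d, addr, allow_text, deny_text)]


if __name__ == "__main__":
    for host in ("192.168.0.1", "192.168.0.9", "10.0.0.5"):
        blocked = nfs_access(host)
        print(host, "OK" if not blocked else "blocked by " + ", ".join(blocked))
```

With the sample files, 192.168.0.9 is inside the network that lockd, rquotad and statd accept but is not listed for portmap or mountd, so the catch-all deny rule rejects it for those two services and the mount would fail even though three of the five services admit it.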

Page 11

NFS Client

Client side NFS is implemented as a kernel module

/etc/fstab is used to specify network mounts. NFS shares are mounted at boot time by /etc/rc.d/init.d/netfs

Page 12

NFS Client

Shares can be mounted manually by root, or automatically at boot time.

The default /etc/fstab entries in UML:

Device      mountpoint  type  options   dump  fsckorder
/dev/ubd/0  /           ext2  defaults  1     1
/proc       /proc       proc  defaults
/dev/ubd/1  none        swap  sw

/etc/fstab nfs entry:

Device                mountpoint  type  options   dump  fsckorder
Server1:/var/ftp/pub  /mnt/pub    nfs   defaults  0     0

Page 13

NFS Mount Options

Options include:
- rsize=8192 and wsize=8192: will speed up transfers considerably
- soft: processes return with an error on a failed I/O attempt
- hard: will block a process that tries to access an unreachable share
- nolock: disables file locking and allows interoperation with older NFS servers
- nosuid: stops suid-enabled programmes executing from the mounted file system
- noexec: stops all programmes executing from the mounted file system
- ro: read-only file system
- rw: read/write access
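A checker for the fstab layout and mount options covered on the last two slides, added here as an example that is not part of the lecture material. It parses the six-column fstab format shown above, keeps the nfs lines, and reports what each option set means using the slides' own descriptions (soft versus hard, nosuid, noexec, nolock, rsize/wsize). The fstab text is a constructed sample.

```python
# Added example: review the nfs entries of an /etc/fstab in the layout the
# slides show. Findings follow the option descriptions on the slides; the
# sample file below is constructed for this example.

SAMPLE_FSTAB = """
# device              mountpoint  type  options                          dump fsckorder
/dev/ubd/0            /           ext2  defaults                         1    1
Server1:/var/ftp/pub  /mnt/pub    nfs   defaults                         0    0
Server1:/home         /home       nfs   rw,hard,intr,nosuid,noexec,rsize=8192,wsize=8192 0 0
Server1:/scratch      /mnt/scr    nfs   soft,nolock,rw                   0    0
"""


def parse_fstab(text):
    """Return a list of dicts (device, mountpoint, options) for the nfs lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # comments and blank lines
        fields = line.split()
        if len(fields) < 4 or fields[2] != "nfs":
            continue
        entries.append({
            "device": fields[0],
            "mountpoint": fields[1],
            "options": set(fields[3].split(",")),
        })
    return entries


def review_options(opts):
    """Describe one nfs option set in the terms the slides use."""
    findings = []
    if "ro" in opts:
        findings.append("access: ro")
    elif "rw" in opts:
        findings.append("access: rw")
    else:
        findings.append("access: rw (implied)")   # "defaults" means rw
    if "soft" in opts:
        findings.append("failure mode: soft (I/O errors if server unreachable)")
    else:
        findings.append("failure mode: hard (processes block until server returns)")
    if "nosuid" not in opts:
        findings.append("nosuid missing: suid programmes on the share can run")
    if "noexec" not in opts:
        findings.append("noexec missing: any programme on the share can run")
    if "nolock" in opts:
        findings.append("nolock: file locking disabled")
    for key in ("rsize", "wsize"):
        if not any(o.startswith(key + "=") for o in opts):
            findings.append(f"{key} not set (slides suggest {key}=8192)")
    return findings


def audit(text):
    """Map each nfs mountpoint in the fstab text to its findings."""
    return {e["mountpoint"]: review_options(e["options"])
            for e in parse_fstab(text)}


if __name__ == "__main__":
    for mountpoint, findings in audit(SAMPLE_FSTAB).items():
        print(mountpoint)
        for finding in findings:
            print("   ", finding)
```

The /mnt/pub line with plain "defaults" is the one to look at: it is read/write, hard-mounted, and lets suid and other programmes on the share execute, which is why the slides list nosuid and noexec among the options worth setting.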

Page 14

NFS autofs

autofs provides the ability to mount NFS shares on demand and to unmount them when they are idle

autofs uses the files /etc/auto.master and /etc/auto.misc for configuration

autofs is a kernel service, but must be enabled by configuring autofs to run in the appropriate run levels

Page 15

NFS Services

exportfs:
-r  refreshes the server's share list after modifying /etc/exports
-v  displays a list of the shared directories and options on a server
-a  exports all shares listed in /etc/exports, or a share named as an argument
-u  unexports the share named as an argument, or all shares with no argument and -a

showmount -e host shows the available shares on host

Page 16

Troubleshooting nfs

Unable to see a mounted file system:
  cat /proc/mounts
  mount -f

Permission denied on mount attempt:
- Check that the fstab entry and the exports have the same access (i.e. ro, rw etc.)
- Check you haven't attempted to export both a parent and a child, i.e. /usr and /usr/local can't both be exported

Page 17

Troubleshooting nfs II

RPC: Program not registered
- On the server, use ps or rpcinfo -p to check that portmapper, nfs and mountd are running
- On the client, use rpcinfo -p [server] to check that it can see the services
- If the client gets "No remote programs registered", check hosts.allow and hosts.deny

Page 18

Troubleshooting nfs III

Permissions aren't right:
/export/dir hostname(rw,no_root_squash)
/export/dir hostname (rw,no_root_squash)

These statements aren't the same. The white space in the second will mean that everybody apart from hostname will get the privileges in the ().

Page 19

NFS optimisation

Issues:
- NFS is sensitive to network traffic
- NFS needs both read and write performance
- NFS traffic is bursty

Detection: /usr/sbin/nfsstat -n -a

Page 20

NFS optimisation

- Lower the nice value
- Switch to a journaling file system
- Spread NFS exported file systems across multiple disks and disk controllers
- Use RAID 0/1; RAID 5 isn't fast on writes
- Reduce the number of write-intensive mounts
- Automount is difficult to get away from

Page 21

FTP

File Transfer Protocol

Page 22

FTP Service Profile

Type: System-V managed service
Package: vsftpd
Script: vsftpd
Ports: 21 (ftp), 20 (ftp-data)
Config files: /etc/vsftpd/vsftpd.conf, /etc/vsftpd.ftpusers, /etc/pam.d/vsftpd
Log file: /var/log/vsftpd.log

Page 23

FTP (File Transfer Protocol)

Linux uses vsftpd, which is no longer managed by inetd by default; it can be configured to use xinetd

/etc/vsftpd/vsftpd.conf is the main configuration file

Two levels of access:
- anonymous: by default, anonymous users are based in /var/ftp
- By default, anonymous users can download files, but not upload them

Page 24

FTP (File Transfer Protocol)

rbradley@aisling:~$ ftp taranaki
Connected to taranaki.student.comp.dit.ie.
220 taranaki FTP server (SunOS 5.8) ready.
Name (taranaki:rbradley): rbradley
331 Password required for rbradley.
Password:
230 User rbradley logged in.
Remote system type is UNIX.
Using binary mode to transfer files.

Page 25

FTP – User access

In /etc/vsftpd/vsftpd.conf:
- Control anonymous user access with anonymous_enable=YES/NO
- Control anonymous user upload access with anon_upload_enable=YES/NO

Existing users on a system log in using their usual username and password

By default, users can download any file they can read and upload to any directory to which they have write access

Page 26

FTP – User access

ftp> pwd
257 "/export/home/lecturer/rbradley" is current directory.
ftp> cd ..
250 CWD command successful.
ftp> pwd
257 "/export/home/lecturer" is current directory.
ftp> lcd ..
Local directory now /home/staff
ftp>

Page 27

FTP – controlling user access

/etc/vsftpd/vsftpd.conf is the main configuration file

Two additional files are used to control access:
/etc/vsftpd.ftpusers
/etc/vsftpd.user_list

Page 28

FTP – controlling user access

Individual users can be denied access by placing their names in /etc/vsftpd.ftpusers

/etc/vsftpd.user_list is examined if userlist_enable=YES is set in /etc/vsftpd.conf. The list file can be used either to grant access (userlist_deny=NO) or to deny access (userlist_deny=YES)

A .message file will be displayed to anybody changing to a directory

Can also use hosts.allow and hosts.deny

Page 29

FTP – Controlling directory access

By default, ftp connects to the /usr/ftp/pub directory

Users can be restricted to only their home directory:
chroot_list_enable=NO/YES
chroot_list_file=/usr/local/etc/vsftpd.chroot_list
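The vsftpd access rules from slides 25 to 29 (anonymous_enable, anon_upload_enable, ftpusers, user_list with userlist_deny, and the chroot list) as one login-decision function. This is an added example modelling the directives the slides name, not vsftpd's own code; it ignores every other vsftpd directive, and the config and list files below are constructed samples.

```python
# Added example (not vsftpd's code): answer "can this user log in, and what
# directory tree are they confined to?" from the directives the slides cover.
# Configuration and list-file bodies below are constructed for the example.

VSFTPD_CONF = """
anonymous_enable=NO
anon_upload_enable=NO
userlist_enable=YES
userlist_deny=NO
chroot_list_enable=YES
chroot_list_file=/usr/local/etc/vsftpd.chroot_list
"""

FTPUSERS = "root\nbin\ndaemon\n"      # /etc/vsftpd.ftpusers: names always denied
USER_LIST = "rbradley\nalice\n"       # /etc/vsftpd.user_list
CHROOT_LIST = "alice\n"               # contents of chroot_list_file


def parse_conf(text):
    """Return {directive: VALUE} from key=value lines (values upper-cased)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip().upper()
    return conf


def names(text):
    """One user name per line, comments and blank lines ignored."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.startswith("#")}


def login_decision(user, conf, ftpusers, user_list, chroot_list, home):
    """Return (allowed, reason, effective_root_directory)."""
    # Anonymous access: only if anonymous_enable=YES; uploads need anon_upload_enable=YES
    if user in ("anonymous", "ftp"):
        if conf.get("anonymous_enable", "YES") != "YES":
            return False, "anonymous_enable=NO", None
        upload = conf.get("anon_upload_enable", "NO") == "YES"
        reason = "anonymous (upload %s)" % ("enabled" if upload else "disabled")
        return True, reason, "/var/ftp"
    # ftpusers is an unconditional deny list
    if user in ftpusers:
        return False, "listed in /etc/vsftpd.ftpusers", None
    # user_list is consulted only with userlist_enable=YES; userlist_deny
    # decides whether it is a deny list (YES) or an allow list (NO)
    if conf.get("userlist_enable", "NO") == "YES":
        listed = user in user_list
        deny_mode = conf.get("userlist_deny", "YES") == "YES"
        if deny_mode and listed:
            return False, "listed in user_list with userlist_deny=YES", None
        if not deny_mode and not listed:
            return False, "not in user_list with userlist_deny=NO", None
    # chroot_list_enable=YES confines the users named in chroot_list_file to $HOME
    confined = conf.get("chroot_list_enable", "NO") == "YES" and user in chroot_list
    return True, "local user", home if confined else "/"


if __name__ == "__main__":
    conf = parse_conf(VSFTPD_CONF)
    lists = (names(FTPUSERS), names(USER_LIST), names(CHROOT_LIST))
    for user, home in (("root", "/root"), ("rbradley", "/export/home/lecturer/rbradley"),
                       ("alice", "/home/alice"), ("bob", "/home/bob"),
                       ("anonymous", "/var/ftp")):
        print(user, login_decision(user, conf, *lists, home))
```

With this configuration user_list is an allow list, so rbradley and alice can log in while bob cannot; only alice is in the chroot list, so rbradley can still "cd .." out of the home directory exactly as the session on slide 26 shows, whereas alice is held at /home/alice.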