NFS configuration in Linux and precautions

Source: Internet
Author: User
Tags nfsd
NFS configuration in Linux and precautions-Linux Enterprise Application-Linux server application information. For more information, see the following section. 1. What is Network FileSystem)
NFS is the abbreviation of Network FileSystem, which was first developed by Sun. Its biggest function is to allow different machines and operating systems to share individual files with each other through the network. Therefore, you can also simply regard it as a file server! This NFS Server allows your PC to mount the directories shared by remote NFS Hosts to local machines, the Directory of the remote host is like its own partition!
Although NFS has its own protocol and port number, NFS uses a Remote Procedure Call, RPC) Protocol to help NFS itself operate!

2. RPC
When we use some services for remote connection, some information, such as the IP address of the host, the port number of the service, and the PID of the corresponding service, etc, all need to be managed and matched! This is the task of Remote Procedure Call and RPC.
The NFS service does not provide the data transfer protocol, but NFS allows us to share files. The reason is that NFS uses some other related transmission protocols! These transmission protocols use the so-called RPC function ?? The Zookeeper is a program that uses RPC! NFS can also be regarded as an RPC server! At the same time, it should be noted that in some situations, not only the NFS Server needs to activate the RPC service, but also, to mount the NFS partition Client machine, you also need to activate the RPC synchronously! In this way, the Server and Client can correspond to the program port through the RPC protocol! NFS is mainly used to manage shared directories. As for data transmission, it is enough to directly run the RPC protocol!

3. RPC daemons activated by NFS
O rpc. nfsd: the main function of daemon is to manage whether the Client can log on to the host. It also includes the identification of the login user ID.
O rpc. mountd: This daemon is mainly used to manage the NFS file system! When the Client successfully passes the rpc. after nfsd logs on to the host, the File Permission (that is, the permissions of rwxrwxrwx and owner, and the permissions of the group) will be applied before the file provided by NFS server can be used) certification Program! He will read the NFS configuration file/etc/exports to compare the Client's permissions. After this level is passed, the Client will be able to get the permission to use the NFS file! (Note: This is also the place where we use the permission and security settings to manage the NFS shared directory)

4. NFS requires two suites:
Nfs-utils
The NFS daemons, rpc. nfsd and rpc. mountd, are provided with other related documents and instructions, and execution files! This is the main NFS suite.
Portmap
As mentioned above, our NFS can be regarded as an RPC server program. before activating any RPC server program, we need to map the port (mapping) this is actually the responsibility of the Service "portmap! That is to say, we need to activate portmap before activating any RPC server! So what is this portmap doing? Just like the name of this service, haha! It is the mapping of port! For example, when the Client tries to use the services provided by the RPC server, the Client needs to obtain a port that can be connected to use the services provided by the RPC server, the Client will first talk to portmap about "Hello! Can you tell me a port number so that I can contact RPC !』 At this time, portmap automatically informs the Client of the port mapping managed by itself so that it can connect to the server! So ?? Activate portmap before you renew NFS !』

5. NFS server Configuration:
A)./etc/exports
Shared directory host name 1 or IP1 (parameter 1, parameter 2) host name 2 or IP2 (parameter 3, parameter 4)
B). Parameters
Rw: erasable write permission
Ro: Read-Only permission
No_root_squash: the user who logs on to the NFS host and uses the shared directory. If it is root, the user has the root permission for the shared directory! This project is "extremely insecure" and is not recommended!
Root_squash: if the user who logs on to the NFS host to use the shared directory is root, the user's permissions will be compressed into anonymous users, generally, his UID and GID will become the nobody identity;
All_squash: regardless of the identity of the NFS user, his identity will be compressed into anonymous users, usually nobody!
Anonuid: The UID setting value for anonymous users mentioned in * _ squash. It is usually nobody, but you can set this UID value on your own! Of course, this UID must exist in your/etc/passwd!
Anongid: Same as anonuid, but changed to group ID.
Sync: synchronize data to memory and Hard Disk
Async: data will be saved in the memory first, rather than directly written to the hard disk.

6. Set the instance:
A)./tmp * (rw, no_root_squash) // * indicates that all IP addresses can access
B)./tmp * (rw)
/Home/public 192.168.0. * (rw) * (ro) // The following two rows have the same effect.
/Home/public 192.168.0.0/24 (rw) * (ro)
C)./home/test 192.168.0.100 (rw) // only set permissions for a certain Machine
D ). /home/linux * .linux.org (rw, all_squash, anonuid = 40, anongid = 40) // when * .linux.org logs on to this NFS host and writes files under/home/linux, the owner of the archive and all the groups will become the user with the ID 40 corresponding to the/etc/passwd.

7. Permission issues
Assume that the content in/etc/exports is
# Vi/etc/exports
/Tmp * (rw, no_root_squash)
/Home/public 192.168.0. * (rw) * (ro)
/Home/test 192.168.0.100 (rw)
/Home/linux * .linux.org (rw, all_squash, anonuid = 40, anongid = 40)
Assume that we log on to the NFS host (192.168.0.2) on the client of 192.168.0.100.
Scenario 1: The account 192.168.0.100 is named "test", and the account "test" is also available on the NFS host.
A). Because the/tmp permission of the NFS host is-rwxrwxrwt, I (test on 192.168.0.100) have the access permission under/tmp, and the owner who writes the file is test.
B ). in/home/public, because I have the read and write permissions, if the NFS host has the permission to write to the/home/public directory for test, it can be read and written, and the owner who writes the file is test. If the/home/public option of the NFS host does not enable the write permission for the user test, data cannot be written, even though it is rw in/etc/exports.
C). In/home/test, the permission is in the same status as/home/public, and the/home/test of the NFS host must be open to test.
D) In/home/linux, regardless of the user, the identity will be changed to the account with UID = 40.
Scenario 2: If the identity of 192.168.0.100 is test2, but the NFS host does not have the account test2
A). It can still be written under/tmp, but the owner of the written file becomes nobody.
B) whether the data can be written in/home/public and/home/test depends on the permission of/home/public, but the identity is changed to nobody.
C) The ID in/home/linux is still the account with UID = 40.
Case 3: The identity at 192.168.0.100 is root
A). It can be written in/tmp, but the default value of root_squash is changed due to the no_root_squash parameter. Therefore, the owner who writes files to/tmp is root.
B). The identity under/home/public is compressed into nobody. Because all the preset attributes have root_squash, the archive owner becomes nobody.
C)./home/test is the same as/home/public.
D). In/home/linux, the root identity is also compressed to the user whose UID is 40.

8. Start the service portmap and nfs
#/Etc/rc. d/init. d/portmap start (or: # service portmap start)
#/Etc/rc. d/init. d/nfs start (or: # service nfs start)
You can go to/var/log/messages to check whether the message is correctly activated.
9. exportfs usage
If you have modified/etc/exports, you do not need to restart the nfs service. You only need to use exportfs to re-scan/etc/exports and reload it.
Syntax: exportfs [-aruv]
-A: All mounting (or unmounting) settings in the/etc/exports file
-R: Remount the settings in/etc/exports, and update the content in/etc/exports and/var/lib/nfs/xtab synchronously.
-U: unmount a directory
-V: displays the shared directory on the screen during the export operation.
Example
# Exportfs-rv // re-export once
# Exportfs-au // Uninstall all

10. in/var/lib/nfs/xtab, you can view the sharing permissions for each directory (however, I did not find the sharing permissions, the content will only appear after someone mounts nfs), for example:
/Tmp node3 (ro, sync, wdelay, hide, secure, root_squash, no_all_squash, subtree_check, secure_locks, mapping = identity, anonuid =-2, anongid =-2)
Why does anonuid =-2? Haha! In fact, it refers to the value of 65536-2, that is, the UID of 65534! Check/etc/passwd and you will find out, wow! It turned out to be nobody.

11. showmount command
Syntax: showmount [-AE] hostname
-A: displays the status of the directories currently connected to the host and client.
-E: displays the shared directory in/etc/exports of the hostname.

12. view the activated portnumber.
# Netstat-utln
The port opened by nfs itself is the port 2049! This is the port NFS server mainly generated by NFS, which we mentioned earlier. It is a type of RPC server, and NFS provides multiple programs (such as rpc. mountd, rpc. rquotad, rpc. nfsd ...), therefore, you need to activate multiple ports! These ports are randomly generated. That is, the port number is not fixed! Each restart nfs will get a different port number! So how does the Client know the required program to connect to the port? Haha! That is the function of the port number generated by the portmap service of sunrpc (port 111! The Client will first connect to the sunrpc port to know the program needed to call the port! So ?? Daemon such as rpc. xxxx naturally does not need a fixed port number ??? Br/>
**************************************** *******
NFS client settings
# Mount-t nfs hostname (orIP):/directory/mountpoint.
Root can mount the directories shared by NFS to a safer directory to run programs with SUID permission files mounted to NFS.
# Mount-t nfs-o nosuid, ro hostname:/directory/mountponit

Possible problems:
1. The permission settings do not match
2. If you forget to activate portmap, an error is returned:
Mount: RPC: Port mapper failure-RPC: Unable to receive or
Mount: RPC: Program not registered
Then, start portmap and restart nfs.
# Service portmap start
# Service nfs restart
3. Get rid of the firewall
Reset the firewall, including iptables and TCP_Wrappers. Because portmap is activated, port 111 must be provided. Therefore, in iptables rules, add:
Iptables-a input-p TCP -- dport 111-j ACCEPT
Iptables-a input-p UDP -- dport 111-j ACCEPT
If not, check/etc/hosts. deny. If one row is:
ALL: deny
You must add the following in/etc/hosts. allow:
Portmap: ALL: allow
If our NFS is developed for the internal network and the external network is only developed for the Academic Network (140.0.0.0/8), you can:
Iptables-a input-I eth0-p TCP-s 192.168.0.0/24 -- dport 111-j ACCEPT
Iptables-a input-I eth0-p UDP-s 192.168.0.0/24 -- dport 111-j ACCEPT
Iptables-a input-I eth0-p TCP-s 140.0.0.0/8 -- dport 111-j ACCEPT
Iptables-a input-I eth0-p UDP-s 140.0.0.0/8 -- dport 111-j ACCEPT
You can also use TCP_Wrappers to specify the IP address and name of the NFS host in/etc/hosts. allow. For example
# Vi/. etc/hosts. allow
Portmap: 192.168.0.0/255.255.255.0: allow
Portmap: 140.113.23.23: allow
Portmap: .sdu.edu.cn: allow

RPC Server commands
Rpcinfo
# Rpcinfo-p hostname (orIP)

Notes:
It should be noted that when NFS uses this RPC to connect the client to the host, your host will become an "impossible task" if you want to shut down the host 』! I still don't know why, but if you still have clients online on your Server, it may take several hours for you to shut down successfully! Success! Real or false! Don't you believe it? Otherwise, try it on your own! ^_^! So ??? Too many? Before the NFS Server is shut down, you can "turn off portmap and nfs" first! If the two daemons cannot be correctly switched off, use netstat-utlp to find the PID and kill it first! In this way, a normal shutdown is successful! Please pay special attention to this!

In TurboLinux8.0 for AMD64 (kernel 2.4.21-4smp), the following error occurs when mounting NFS:
Portmap: server localhost not responding, timed out
Solution:
Mount-t nfs-o nolock node1:/public
The-o nolock parameter is added because:
Unfsd doesn't support NLM locking, and it's causing the lockd daemon to be started (which again requires the portmapper to be installed etc .)
Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.