1. What is NFS?
NFS is the abbreviation of Network File System, originally developed by Sun Microsystems. Its main purpose is to let machines running different operating systems share files with each other over the network, so you can simply think of an NFS server as a file server. The NFS server lets a client mount a directory shared by the remote host onto the local machine, after which the remote directory looks just like a local partition.
Although NFS has its own protocol and port number, it relies on the Remote Procedure Call (RPC) protocol in order to operate.
2. RPC
When we use a service over a remote connection, some information, such as the IP address of the host, the port number of the service and the PID of the daemon that answers it, has to be managed and matched up. That is the job of Remote Procedure Call (RPC).
NFS itself does not define how the data travels over the network; it can share files because it builds on other transport mechanisms, and those are driven through RPC. In other words, NFS is itself an RPC program, and the NFS server can be regarded as an RPC server. Note that it is not only the NFS server that must have the RPC service running: a client machine that wants to mount an NFS export also needs RPC. Only then can server and client locate each other's program ports through the RPC protocol. NFS is mainly responsible for managing the shared directories; the data transfer itself is carried over RPC.
3. RPC daemons started by NFS
A). rpc.nfsd: the NFS server daemon proper. It services the clients' file requests (reads, writes, attribute lookups) on the exported directories, using the user and group IDs presented with each request to decide what the request may touch.
B). rpc.mountd: handles the MOUNT requests with which a client attaches an export. When a client asks to mount a directory, rpc.mountd reads the NFS configuration file /etc/exports, checks whether the requesting host is allowed to mount that directory and with which options, and only then hands the client what it needs to use the export. The export options in /etc/exports are therefore what control the sharing permissions and security settings of a shared directory; on top of them the ordinary file permissions on the server (rwxrwxrwx, owner and group) still apply, so a client user can only do what those permissions allow.
4. NFS requires two packages:
A). nfs-utils: provides the NFS daemons rpc.nfsd and rpc.mountd, together with the related documentation, configuration files and executables. This is the main NFS package.
B). portmap (on current distributions the same role is played by rpcbind): as mentioned above, NFS can be regarded as an RPC server program, and before any RPC server program can be started its ports must be registered, or "mapped". That job belongs to the portmap service, so portmap must be started before any RPC server. What does portmap actually do? Just as its name says, it maps ports. When a client wants to use a service provided by an RPC server, it first has to find a port it can connect to, so it asks portmap: "Hello! Can you tell me which port number I should use to contact this RPC program?" Portmap answers from the port mapping it maintains, and the client can then connect to the server. So: start portmap first, then NFS.
5. NFS server configuration:
A). /etc/exports
Each line has the form:
shared_directory host1_or_IP1(option1,option2) host2_or_IP2(option3,option4)
There must be no space between a host and its opening parenthesis. A line such as "/home/test 192.168.0.100 (rw)" does not mean what it looks like: the space makes "192.168.0.100" a host with the default options (read-only), and "(rw)" becomes a second entry with an empty host, which matches every host, so the directory is exported read-write to the whole world.
B). Parameters
rw: read and write permission
ro: read-only permission
no_root_squash: if the user accessing the shared directory from the client is root, that user keeps root privileges on the shared directory. This setting is extremely insecure and is not recommended.
root_squash (the default): if the user accessing the shared directory from the client is root, the identity is squashed to the anonymous user; normally the UID and GID become those of nobody (UID/GID 65534, shown as nobody or nfsnobody in /etc/passwd).
all_squash: whatever the identity of the NFS user, it is squashed to the anonymous user, usually nobody.
anonuid: the UID used for the anonymous user mentioned under *_squash. It is normally nobody, but you can set the UID value yourself; the UID you choose should exist in /etc/passwd on the server so that file ownership is shown sensibly.
anongid: the same as anonuid, but for the group ID.
sync: a write is committed to the server's disk before the reply is sent to the client.
async: the server replies as soon as the data is in memory, before it has been written to disk. This is faster, but data is lost if the server crashes before the write completes.
6. Example settings:
A). /tmp *(rw,no_root_squash)            // * means every IP address may access it
B). /tmp *(rw)
    /home/public 192.168.0.*(rw) *(ro)   // the following two lines are meant to have the same effect;
    /home/public 192.168.0.0/24(rw) *(ro) // prefer the CIDR form, since * wildcards are matched against the client's host name, not its address
C). /home/test 192.168.0.100(rw)         // permissions set for a single machine only
D). /home/linux *.linux.org(rw,all_squash,anonuid=40,anongid=40)
    // When a client in *.linux.org writes a file under /home/linux, the owner and group of the file become UID 40 and GID 40, i.e. the user whose UID is 40 in /etc/passwd on the server.
7. Permission issues
Assume that /etc/exports contains:
# vi /etc/exports
/tmp *(rw,no_root_squash)
/home/public 192.168.0.*(rw) *(ro)
/home/test 192.168.0.100(rw)
/home/linux *.linux.org(rw,all_squash,anonuid=40,anongid=40)
and that we access the NFS host (192.168.0.2) from the client 192.168.0.100. With the usual AUTH_SYS authentication the client simply sends the numeric UID and GID of the user making the request, and the server applies its squash options to those numbers; account names only matter in so far as the same number means the same user on both machines.
Scenario 1: the account on 192.168.0.100 is "test", and the NFS host also has an account "test" with the same UID.
A). Because /tmp on the NFS host is drwxrwxrwt, I (test on 192.168.0.100) can write under /tmp, and the owner of the file I write is test.
B). Under /home/public I have rw in the export, so if /home/public on the NFS host is writable for test I can read and write, and the owner of the written file is test. If /home/public on the NFS host is not writable for the user test, the data cannot be written: the rw in /etc/exports does not help, because the Unix permissions on the server are checked as well.
C). /home/test is in the same situation as /home/public: /home/test on the NFS host must be open to test.
D). Under /home/linux, whoever the user is, the identity becomes the account with UID 40.
Scenario 2: the user on 192.168.0.100 is test2, but the NFS host has no account test2.
A). Writing under /tmp still works, but the file is owned by test2's numeric UID, which the server shows as a bare number because no account with that UID exists there. If the NFS host happens to have some other account with that same UID, the file belongs to that account, and test2 gains that account's access to the export; this is why UIDs must be kept consistent between NFS clients and servers. (An unmapped identity becomes nobody only when NFSv4 ID mapping by name is in use.)
B). Whether data can be written under /home/public and /home/test depends on the permissions of those directories on the NFS host for test2's numeric UID; since no account there has that UID, normally only the "other" permission bits apply.
C). Under /home/linux the identity is still the account with UID 40.
Scenario 3: the user on 192.168.0.100 is root.
A). Writing under /tmp works, and because the no_root_squash option overrides the default root_squash, the files written to /tmp are owned by root. This is exactly why no_root_squash is dangerous: root on any client that can reach the export is root on that part of the server's filesystem.
B). Under /home/public the identity is squashed to nobody, because root_squash is in effect by default, so the owner of the written file becomes nobody.
C). /home/test behaves the same as /home/public.
D). Under /home/linux, root is also squashed to the user whose UID is 40.
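The following script is an added example, not part of the original page: it audits an /etc/exports file for the dangerous settings discussed in sections 5 to 7 and computes the UID:GID a request ends up with under the squash options. It assumes nfs-utils semantics (root_squash is the default, all_squash overrides it, anonuid/anongid default to 65534, and a bare "(opts)" entry with no host matches every client) and that the insecure option disables the check that requests come from a source port below 1024 (the check behind the "illegal port" refusal mentioned at the end of this page). The sample exports file is constructed inline; on a real server pass "$(cat /etc/exports)" instead.

```sh
#!/bin/sh
# Added example: audit /etc/exports content and show the identity a request is squashed to.
# Assumptions are stated in the lead-in above; the sample below is constructed, not a real file.

# Constructed sample: the page's four exports plus the classic "host (opts)" typo.
SAMPLE_EXPORTS='/tmp *(rw,no_root_squash)
/home/public 192.168.0.0/24(rw) *(ro)
/home/test 192.168.0.100(rw)
/home/linux *.linux.org(rw,all_squash,anonuid=40,anongid=40)
/srv/data 192.168.0.5 (rw,insecure)'

# squash_identity OPTS UID GID: print the "uid:gid" the server applies to a request.
squash_identity() {
    opts=$1 uid=$2 gid=$3
    anonuid=65534 anongid=65534                       # nfs-utils defaults (nobody/nfsnobody)
    case ",$opts," in *,anonuid=*) anonuid=${opts#*anonuid=}; anonuid=${anonuid%%,*} ;; esac
    case ",$opts," in *,anongid=*) anongid=${opts#*anongid=}; anongid=${anongid%%,*} ;; esac
    case ",$opts," in
        *,all_squash,*) echo "$anonuid:$anongid"; return ;;   # everyone becomes anonymous
    esac
    if [ "$uid" -eq 0 ]; then
        case ",$opts," in
            *,no_root_squash,*) echo "0:0" ;;                  # remote root stays root
            *) echo "$anonuid:$anongid" ;;                     # root_squash is the default
        esac
        return
    fi
    echo "$uid:$gid"                                           # ordinary users keep their numbers
}

# audit_exports CONTENT: print one WARN line per risky entry.
audit_exports() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        set -f                      # split on whitespace without expanding * against the filesystem
        set -- $line
        set +f
        dir=$1; shift
        for spec in "$@"; do
            case "$spec" in
                '('*) echo "WARN $dir: entry $spec has no host (space before the parenthesis), so it applies to every client" ;;
            esac
            host=${spec%%\(*}
            [ -z "$host" ] && host='*'
            if [ "$host" = "$spec" ]; then
                opts=''             # no options given: defaults are ro,sync,root_squash,secure
            else
                opts=${spec#*\(}; opts=${opts%\)}
            fi
            case ",$opts," in *,no_root_squash,*) echo "WARN $dir $host: no_root_squash gives remote root full root access" ;; esac
            case ",$opts," in *,insecure,*) echo "WARN $dir $host: insecure accepts requests from unprivileged (>1023) source ports" ;; esac
            case "$host" in '*') case ",$opts," in *,rw,*) echo "WARN $dir: writable by every host" ;; esac ;; esac
        done
    done
}

audit_exports "$SAMPLE_EXPORTS"
for u in 0 1001; do
    echo "uid $u on /tmp         -> $(squash_identity 'rw,no_root_squash' "$u" "$u")"
    echo "uid $u on /home/public -> $(squash_identity 'rw' "$u" "$u")"
    echo "uid $u on /home/linux  -> $(squash_identity 'rw,all_squash,anonuid=40,anongid=40' "$u" "$u")"
done
```

Run against the constructed sample, the audit reports five findings: two for /tmp (no_root_squash, and rw for every host) and three for the /srv/data line, where the space before "(rw,insecure)" silently turns a single-host export into a world-writable one that also accepts unprivileged source ports.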
8. Start the portmap and NFS services
# /etc/rc.d/init.d/portmap start   (or: # service portmap start)
# /etc/rc.d/init.d/nfs start       (or: # service nfs start)
Check /var/log/messages to see whether the services started correctly.
9. Using exportfs
If you have modified /etc/exports you do not need to restart the NFS service; just use exportfs to re-read /etc/exports and apply it.
Syntax: exportfs [-aruv]
-a: export (or, together with -u, unexport) all directories listed in /etc/exports
-r: re-export everything in /etc/exports, bringing the kernel's export table and /var/lib/nfs/xtab into line with the file
-u: unexport a directory (or all of them, with -a)
-v: be verbose, showing each shared directory as it is exported
Examples
# exportfs -rv   // re-export everything once
# exportfs -au   // unexport everything
10. /var/lib/nfs/xtab shows the effective options of each exported directory (the entries only appear once a client has actually mounted something), for example:
/tmp
node3(ro,sync,wdelay,hide,secure,root_squash,no_all_squash,subtree_check,secure_locks,mapping=identity,anonuid=-2,anongid=-2)
Why anonuid=-2? It is the value -2 stored in a 16-bit unsigned field, i.e. 65536-2 = 65534. Look in /etc/passwd and you will find that UID 65534 is nobody.
11. The showmount command
Syntax: showmount [-ae] hostname
-a: show which directories of the host are currently mounted, and by which clients
-e: show the directories the host exports according to its /etc/exports
Note that anyone who can reach portmap and mountd can run showmount -e against your server, so the export list is not a secret; it is one of the first things an attacker or penetration tester checks.
12. Viewing the open port numbers
# netstat -utln
The port NFS itself opens is 2049. This is the port of the NFS server proper, which, as mentioned earlier, is an RPC server. NFS provides several programs (such as rpc.mountd, rpc.rquotad, rpc.nfsd, ...), so it has to open several ports, and these are assigned dynamically: the port numbers are not fixed, and every restart of NFS gets different ones. How, then, does the client know which port to connect to for the program it wants to call? That is the function of the portmap service of SunRPC (port 111): the client first connects to the SunRPC port to learn the port of the program it needs, so the rpc.xxxx daemons do not need fixed port numbers.
**********************************************
NFS client settings
# mount -t nfs hostname(or IP):/directory /mountpoint
Because the server exports files exactly as they are, a set-UID program placed on the export by anyone with write access would run with its owner's privileges on the client, and a device node on the export would give access to the client's devices. Root should therefore mount NFS shares with nosuid (and nodev), and read-only wherever writing is not needed, so that SUID programs on the mounted directory cannot be executed with elevated privileges:
# mount -t nfs -o nosuid,nodev,ro hostname:/directory /mountpoint
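An added example (not from the original page) of the check a client administrator would want after the advice above: read /proc/mounts-style lines and list every NFS mount that was made without nosuid or nodev, or that is still read-write. The mount table below is constructed; on a real client call nfs_mounts_missing nosuid "$(cat /proc/mounts)".

```sh
#!/bin/sh
# Added example: find NFS mounts on a client that lack the hardening options.
# The mount table is constructed for the example; the field layout is that of /proc/mounts:
#   source mountpoint fstype options dump pass

SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
192.168.0.2:/tmp /mnt/tmp nfs rw,relatime,vers=3,addr=192.168.0.2 0 0
192.168.0.2:/home/public /mnt/public nfs ro,nosuid,nodev,relatime,vers=3,addr=192.168.0.2 0 0
/dev/sda1 /boot ext3 rw,relatime 0 0'

# nfs_mounts_missing OPTION MOUNTS: print the mount point of every NFS mount lacking OPTION.
nfs_mounts_missing() {
    want=$1
    printf '%s\n' "$2" | while read -r src mnt fstype opts rest; do
        case "$fstype" in nfs|nfs4) ;; *) continue ;; esac      # only NFS mounts matter here
        case ",$opts," in *,"$want",*) ;; *) printf '%s\n' "$mnt" ;; esac
    done
}

# writable_nfs_mounts MOUNTS: NFS mounts that are read-write, i.e. candidates for ro.
writable_nfs_mounts() {
    nfs_mounts_missing ro "$1"
}

for opt in nosuid nodev; do
    for m in $(nfs_mounts_missing "$opt" "$SAMPLE_MOUNTS"); do
        echo "$m: mounted without $opt; fix with: mount -o remount,$opt $m"
    done
done
for m in $(writable_nfs_mounts "$SAMPLE_MOUNTS"); do
    echo "$m: mounted read-write; use ro if nothing on the client needs to write there"
done
```

On the constructed table only /mnt/tmp is reported, for all three checks: it was mounted with the page's first, plain mount command, while /mnt/public was mounted with nosuid,nodev,ro.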
Possible problems:
1. The permission settings do not match.
2. If you forgot to start portmap, mount reports an error such as:
mount: RPC: Port mapper failure - RPC: Unable to receive  or
mount: RPC: Program not registered
Start portmap and then restart NFS:
# service portmap start
# service nfs restart
3. A firewall in the way
Check the firewall, both iptables and TCP wrappers. Because portmap is running, port 111 must be reachable, so add to the iptables rules:
iptables -A INPUT -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -p udp --dport 111 -j ACCEPT
Port 111 is only the first step, though: after asking portmap, the client connects to the dynamically assigned ports of rpc.mountd and the other RPC daemons, and to 2049 for nfsd, so those must pass the firewall as well (see section 12).
If that is not enough, check /etc/hosts.deny. If it contains the line:
ALL: ALL: deny
you must add to /etc/hosts.allow:
portmap: ALL: allow
(better, list only the networks that need access, as shown below, rather than ALL).
If your NFS is meant for the internal network and, towards the outside, only for the academic network (140.0.0.0/8), you can do:
iptables -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 111 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s 192.168.0.0/24 --dport 111 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 140.0.0.0/8 --dport 111 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s 140.0.0.0/8 --dport 111 -j ACCEPT
You can also use TCP wrappers to name the IP addresses and host names allowed to talk to the NFS host in /etc/hosts.allow, for example:
# vi /etc/hosts.allow
portmap: 192.168.0.0/255.255.255.0: allow
portmap: 140.113.23.23: allow
portmap: .sdu.edu.cn: allow
RPC server commands
rpcinfo
# rpcinfo -p hostname(or IP)
This lists the RPC programs registered with portmap on that host, with their version, protocol and port. Like showmount -e, it works for anyone who can reach port 111, so it is as useful to an attacker mapping your RPC services as it is to you.
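An added example (not from the original page) tying together section 12, the firewall notes and rpcinfo: it parses the output of "rpcinfo -p" into the unique protocol/port pairs a firewall must currently allow, emits iptables rules restricted to one source network, and separates out the ports that will move on the next restart. The rpcinfo output below is constructed (the program numbers 100000 portmapper, 100003 nfs, 100005 mountd and 100021 nlockmgr are the standard assignments); on a real host call rpc_rules 192.168.0.0/24 "$(rpcinfo -p)".

```sh
#!/bin/sh
# Added example: derive firewall rules from "rpcinfo -p" output.
# The sample output is constructed to look like a typical NFSv3 server.

SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp  32768  mountd
    100005    1   tcp  32769  mountd
    100005    3   tcp  32769  mountd
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp  32770  nlockmgr
    100021    4   tcp  32771  nlockmgr'

# rpc_ports RPCINFO: unique "proto port service" triples, header line dropped.
rpc_ports() {
    printf '%s\n' "$1" | while read -r prog vers proto port svc; do
        case "$prog" in program|'') continue ;; esac
        printf '%s %s %s\n' "$proto" "$port" "$svc"
    done | sort -u
}

# rpc_rules SRC_NET RPCINFO: one iptables ACCEPT rule per triple, limited to SRC_NET.
rpc_rules() {
    net=$1
    rpc_ports "$2" | while read -r proto port svc; do
        printf 'iptables -A INPUT -p %s -s %s --dport %s -j ACCEPT   # %s\n' "$proto" "$net" "$port" "$svc"
    done
}

# dynamic_ports RPCINFO: everything except the fixed 111 (portmap) and 2049 (nfsd).
# These are handed out by portmap at daemon start, so rules built from them go stale.
dynamic_ports() {
    rpc_ports "$1" | while read -r proto port svc; do
        case "$port" in 111|2049) ;; *) printf '%s/%s\n' "$port" "$proto" ;; esac
    done
}

rpc_rules 192.168.0.0/24 "$SAMPLE_RPCINFO"
echo "ports that will move on restart: $(dynamic_ports "$SAMPLE_RPCINFO" | tr '\n' ' ')"
```

The rules are correct only until the RPC daemons are restarted, which is the point of the dynamic_ports list: four of the eight ports in the sample are of that kind. The durable fix is to pin them; nfs-utils lets you set fixed ports for mountd, statd and lockd (for example through MOUNTD_PORT, STATD_PORT, LOCKD_TCPPORT and LOCKD_UDPPORT in /etc/sysconfig/nfs on Red Hat-style systems), after which the generated rules stay valid.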
Notes:
Note that NFS clients stay attached to the server through RPC. If a client is still connected when you want to shut the server down, the shutdown can turn into a "mission impossible": I still do not know why, but if your server still has clients mounted it may take several hours to shut down. Really! Don't believe it? Try it yourself! ^_^ So it is recommended to stop portmap and NFS before shutting down the NFS server. If the two daemons will not stop, use netstat -utlp to find their PIDs and kill them first; then a normal shutdown succeeds. Please pay special attention to this!
On Turbolinux 8.0 for AMD64 (kernel 2.4.21-4smp), mounting NFS gave the error:
portmap: server localhost not responding, timed out
Solution:
mount -t nfs -o nolock node1:/public
The -o nolock option is added because:
unfsd doesn't support NLM locking, and it's causing the lockd daemon to be started (which again requires the portmapper to be installed etc.)
Bear in mind that with nolock file locks are kept only on the local client; processes on different clients can no longer coordinate writes to the same file through locks.
------------------------
When I mounted a directory of a machine on the LAN from a virtual machine, the message "mountd[5065]: refused mount request from 10.12.33.216 for /home/hammer (/home/hammer): illegal port 62423" appeared. Yet I could ping the machine, and other machines on the LAN could mount it. Later I learned that it was caused by the firewall. Adding insecure to the options in /etc/exports fixed it.