Linux NFS service explanation

1. What is NFS (Network FileSystem)

NFS is short for Network FileSystem, which was first developed by Sun. Its biggest function is to allow different machines running different operating systems to share files with each other over the network, so you can simply regard it as a file server! An NFS server allows your PC to mount the directories shared by a remote NFS host onto the local machine, and on the local machine the remote host's directory then looks just like one of its own partitions! Although NFS has its own protocol and port number, during message transmission NFS uses the Remote Procedure Call (RPC) protocol to help NFS itself operate!

2. RPC

When we use some service over a remote connection, some information, such as the host IP address, the service port number and the PID of the corresponding service, must be managed and matched! Managing these ports is the task of the Remote Procedure Call (RPC). RPC does not provide the data transfer protocol for the NFS service; the reason NFS can still share files is that NFS uses some other related transmission protocols, and those transmission protocols use this so-called RPC function! That is to say, NFS itself is an RPC program, so an NFS server can also be regarded as an RPC server! Note at the same time that in this situation it is not only the server running NFS that needs to activate the RPC service: the client machine that mounts the NFS partition also needs to activate RPC! In this way the server and the client can find the program's port through the RPC protocol! NFS is mainly used for management and sharing; as for the data transfer, it is enough to run it directly over the RPC protocol!

3. RPC daemons activated by NFS

o rpc.nfsd: the main function of this daemon is to manage whether the client can log on to the host; it also contains the identification of the login ID.

o rpc.mountd: the main function of this daemon is to manage the NFS file system! After the client has logged on to the host through rpc.nfsd, it still has to pass the file permission authentication (that is, the -rwxrwxrwx, owner and group permissions) before it can use the files provided by the NFS server. This program reads the NFS configuration file /etc/exports to compare the client's permissions, and once the client passes this comparison it obtains the permission to use the NFS files! (Note: this is also where the permission and security settings of the NFS shared directories are managed.)

4. NFS requires two suites

o nfs-utils: provides the rpc.nfsd and rpc.mountd NFS daemons and the other related files;
  it is a suite of command files and executable files! This is the main NFS suite.

o portmap: as we just mentioned, our NFS can actually be regarded as an RPC server program, but before any RPC server program can be activated, the port mapping has to be done first, and that is exactly the responsibility of the portmap service! That is, before activating any RPC server, we need to activate portmap! So what is this portmap for? Just like the name of the service, haha! It is the mapping of ports! For example: when a client tries to use a service provided by the RPC server, it needs to know which port to connect to, so the client will first say to portmap "hello! Can you tell me a port number so that I can contact the RPC program?" In this case portmap automatically tells the client the port it manages for that program, so that the client can connect to the server! So: "activate portmap first before activating NFS!"

5. NFS server: /etc/exports

a). Format of /etc/exports:

    shared_directory  hostname1_or_IP1(parameter1,parameter2)  hostname2_or_IP2(parameter3,parameter4)

b). Parameters:

    rw: read/write permission.
    ro: read-only permission.
    no_root_squash: if the user who logs on to the NFS host and uses the shared directory is root, he has root permission in the shared directory! This item is "extremely insecure" and is not recommended!
    root_squash: if the user who logs on to the NFS host and uses the shared directory is root, his permissions are compressed into those of the anonymous user; generally his UID and GID become the nobody identity.
    all_squash: no matter what the NFS user's identity is, it is compressed into the anonymous user, which is usually nobody!
    anonuid: the UID of the anonymous user mentioned under *_squash, usually nobody, but you can set the UID value on your own! Of course, this UID must exist in your /etc/passwd!
    anongid: the same as anonuid, but for the group ID.
    sync: data is written to memory and to the hard disk synchronously.
    async: data is kept in memory first rather than written directly to the hard disk.

6. Instances

a). /tmp *(rw,no_root_squash)
    // * indicates that all IP addresses can access it

b). /tmp *(rw)
    // the following two rows serve the same purpose:
    /home/public 192.168.0.*(rw) *(ro)
    /home/public 192.168.0.0/24(rw) *(ro)

c). /home/test 192.168.0.100(rw)
    // only set permissions for a certain machine

d). /home/linux *.linux.org(rw,all_squash,anonuid=40,anongid=40)
    // when a user who logs on from *.linux.org writes a file under /home/linux on this NFS host, the file's owner and group both become the account whose UID is 40 in /etc/passwd

7. Permission questions

Assume that the content of /etc/exports is:

    # vi /etc/exports
    /tmp *(rw,no_root_squash)
    /home/public 192.168.0.*(rw) *(ro)
    /home/test 192.168.0.100(rw)
    /home/linux *.linux.org(rw,all_squash,anonuid=40,anongid=40)

and assume that we log on to the NFS host (192.168.0.2) from the client 192.168.0.100.

Case 1: the account on 192.168.0.100 is "test", and the NFS host also has a "test" account.

a). Because the permission of /tmp on the NFS host is -rwxrwxrwt, I (test on 192.168.0.100) have write access under /tmp, and the owner of the file I write is test.
b). In /home/public, because I have the read/write permission, if the NFS host's /home/public directory is open for test to read and write, then I can write data and the owner of the file I write is test. If the NFS host's /home/public has not opened write permission for the user test, it cannot be written even though it is rw in /etc/exports.

c). In /home/test the situation is the same as /home/public: the NFS host's /home/test must have open permissions for test.

d). In /home/linux, no matter what kind of user, the identity is changed to the account with UID=40.

Case 2: the identity on 192.168.0.100 is test2, but the NFS host does not have the account test2.

a). It can still write under /tmp, but the owner of the written file becomes nobody.

b). Whether data can be written in /home/public and /home/test depends on the permissions of /home/public and /home/test, but the identity is changed to nobody.

c). The identity in /home/linux is still changed to the account with UID=40.

Case 3: the identity on 192.168.0.100 is root.

a). It can write in /tmp, and because of the no_root_squash parameter the default root_squash is overridden, so the owner of the file written to /tmp is root.

b). Under /home/public the identity is compressed into nobody, because the default attributes include root_squash, so the file owner becomes nobody.

c). /home/test is the same as /home/public.

d). In /home/linux, the root identity is also compressed to the user whose UID is 40.

8. Start the services portmap and nfs

    # /etc/rc.d/init.d/portmap start   (or: # service portmap start)
    # /etc/rc.d/init.d/nfs start       (or: # service nfs start)

You can look in /var/log/messages to check whether the services were activated correctly.
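The squash rules of sections 5 to 7 are easy to get wrong, so here is an added worked example (not code from the original article): a small shell script that reads the same four /etc/exports lines as constructed sample input, picks the option list that applies to a client, and works out which account ends up owning a file the client writes, reproducing the three cases above. Host entries are matched as shell patterns (so *, 192.168.0.* and *.linux.org work, but a CIDR entry such as 192.168.0.0/24 would not), the first matching entry on a line wins (an assumption of this toy reader), the "nobody" result for an account unknown to the server follows the article's case 2, and the directory's own Unix permissions, which the article also says must allow the write, are not modeled.

```shell
#!/bin/sh
# Added example, not part of the original article: read /etc/exports lines, find the
# option list that applies to a client, and derive the owner a written file ends up
# with under the article's squash rules (sections 5 to 7).
set -f   # disable pathname expansion so "*(rw)" in the exports text is never globbed

# Constructed sample input: the four lines used in sections 6 and 7 of the article,
# written in the real host(options) syntax (no space before the parenthesis).
SAMPLE_EXPORTS='/tmp *(rw,no_root_squash)
/home/public 192.168.0.*(rw) *(ro)
/home/test 192.168.0.100(rw)
/home/linux *.linux.org(rw,all_squash,anonuid=40,anongid=40)'

# export_options DIR CLIENT: print the option list of the first host entry of DIR that
# matches CLIENT (matched as a shell pattern), or nothing if DIR is not exported to it.
# Set EXPORTS_TEXT to the content of a real /etc/exports to use that instead.
export_options() {
    dir=$1; client=$2
    while read -r edir specs; do
        [ "$edir" = "$dir" ] || continue
        for spec in $specs; do
            host=${spec%%"("*}                  # part before "(" is the host pattern
            opts=${spec#*"("}; opts=${opts%")"} # part inside the parentheses
            case $client in
                $host) printf '%s\n' "$opts"; return 0 ;;
            esac
        done
    done <<EOF
${EXPORTS_TEXT:-$SAMPLE_EXPORTS}
EOF
    return 0
}

# nfs_effective_owner OPTS USER UID ON_SERVER: the account that owns a file written
# by USER (numeric UID) through an export with OPTS. all_squash maps everyone to the
# anonymous user, root is mapped there too unless no_root_squash is given, and an
# account the server does not know (ON_SERVER=no) shows up as nobody, as in case 2.
nfs_effective_owner() {
    opts=$1; user=$2; uid=$3; on_server=$4
    anon=nobody
    case ",$opts," in
        *,anonuid=*) anon=${opts#*anonuid=}; anon="uid=${anon%%,*}" ;;
    esac
    case ",$opts," in
        *,all_squash,*) printf '%s\n' "$anon" ;;
        *)
            if [ "$uid" -eq 0 ]; then
                case ",$opts," in
                    *,no_root_squash,*) printf 'root\n' ;;
                    *)                  printf '%s\n' "$anon" ;;
                esac
            elif [ "$on_server" = yes ]; then
                printf '%s\n' "$user"
            else
                printf 'nobody\n'
            fi ;;
    esac
}

# nfs_write_owner DIR CLIENT USER UID ON_SERVER: combine both steps for one client.
# Prints "no-export" when the client matches no entry, "read-only" when the entry
# lacks rw, and otherwise the owner the written file gets.
nfs_write_owner() {
    o=$(export_options "$1" "$2")
    if [ -z "$o" ]; then printf 'no-export\n'; return 0; fi
    case ",$o," in
        *,rw,*) nfs_effective_owner "$o" "$3" "$4" "$5" ;;
        *)      printf 'read-only\n' ;;
    esac
}

# Reproduce the three cases of section 7 for the client 192.168.0.100.
for who in "test 500 yes" "test2 501 no" "root 0 yes"; do
    set -- $who
    for d in /tmp /home/public /home/test; do
        printf '%-12s %-5s -> %s\n' "$d" "$1" "$(nfs_write_owner "$d" 192.168.0.100 "$1" "$2" "$3")"
    done
done
printf '%-12s %-5s -> %s\n' /home/linux test "$(nfs_write_owner /home/linux pc1.linux.org test 500 yes)"
```

Run it with EXPORTS_TEXT="$(cat /etc/exports)" to check a real file; any directory that comes back as "root" for a root client is an export carrying no_root_squash, which the article calls extremely insecure.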
9. exportfs usage

If you do not want to restart the nfs service after modifying /etc/exports, use exportfs to scan and reload /etc/exports once more.

Syntax: exportfs [-aruv]

    -a: export (or unexport) all the settings in /etc/exports
    -r: re-export the settings in /etc/exports, and synchronize the content of /etc/exports and /var/lib/nfs/xtab
    -u: unexport a directory
    -v: display the shared directories on the screen while exporting

Example:

    # exportfs -rv    // re-export everything once
    # exportfs -au    // unexport everything

10. /var/lib/nfs/xtab

In /var/lib/nfs/xtab you can view the sharing permissions of each directory (at first I could not find any content in it, but then I found it: the content only appears after someone mounts the NFS share). For example:

    /tmp node3(ro,sync,wdelay,hide,secure,root_squash,no_all_squash,subtree_check,secure_locks,mapping=identity,anonuid=-2,anongid=-2)

Why is anonuid=-2? Haha! In fact it refers to the value 65536-2, that is, UID 65534! Check /etc/passwd and you will find out, wow! It turns out to be nobody.

11. showmount command

Syntax: showmount [-ae] hostname

    -a: display the directories currently connected by this host and its clients
    -e: display the shared directories in the /etc/exports of hostname

12. View the activated port numbers

    # netstat -utln

The port opened by NFS itself is port 2049! This port is mainly generated by NFS. As we mentioned earlier, the NFS server is a type of RPC server, and NFS provides multiple programs (such as rpc.mountd, rpc.rquotad, rpc.nfsd...), so multiple ports need to be activated! And these ports are randomly generated, that is, the port number is not fixed: every restart of nfs will get a different port number! Then how does the client know which port to connect to in order to call the program it needs? Haha! That is the function of the portmap service of sunrpc (port 111)! The client connects to the sunrpc port to find out the port of the program it needs to call! So the rpc.xxxx daemons naturally do not need a fixed port number!
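Section 12 says only portmap (111) and nfsd (2049) sit on fixed ports while the other rpc.* daemons move on every restart. The following is an added example (not from the original article) that reads the output of rpcinfo -p, here a constructed sample in which the port numbers above 1024 are made up, and lists the proto/port pairs a firewall rule set for this server would have to cover right now, how many of them are the moving kind, and which registered RPC programs are not part of NFS at all. The service names in the fifth column are the ones rpcinfo prints; set RPCINFO_OUTPUT="$(rpcinfo -p hostname)" to run it against a real host.

```shell
#!/bin/sh
# Added example, not part of the original article: read `rpcinfo -p` output and list the
# proto/port pairs the NFS-related RPC programs are using, so a firewall rule set can be
# checked against what portmap is actually handing out (section 12).

# Constructed sample of `rpcinfo -p` output; the ports above 1024 are made up, exactly
# because they are the ones that come out different after every restart of nfs.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp  32768  mountd
    100005    1   tcp  32769  mountd
    100021    1   udp  32770  nlockmgr
    100024    1   udp  32771  status
    100011    1   udp    875  rquotad
    100007    2   udp  32772  ypbind'

# rpcinfo_lines: the text to parse; set RPCINFO_OUTPUT="$(rpcinfo -p host)" for a real host.
rpcinfo_lines() {
    printf '%s\n' "${RPCINFO_OUTPUT:-$SAMPLE_RPCINFO}"
}

# rpc_ports SERVICE: "proto port" pairs registered for SERVICE, one per line, sorted.
rpc_ports() {
    rpcinfo_lines | awk -v svc="$1" 'NR > 1 && $5 == svc { print $3, $4 }' | sort -u
}

# nfs_firewall_ports: every distinct "proto port" pair used by the programs an NFS
# server needs (portmapper, nfs, mountd, nlockmgr, status, rquotad), i.e. what a
# static iptables ACCEPT list would have to contain at this moment.
nfs_firewall_ports() {
    rpcinfo_lines | awk 'NR > 1 && ($5 == "portmapper" || $5 == "nfs" || $5 == "mountd" ||
                                    $5 == "nlockmgr" || $5 == "status" || $5 == "rquotad") \
                         { print $3, $4 }' | sort -u
}

# nfs_dynamic_port_count: how many of those pairs are neither 111 nor 2049, i.e. the
# ports that change at every restart and that a rule written for port 111 alone
# does not cover.
nfs_dynamic_port_count() {
    nfs_firewall_ports | awk '$2 != 111 && $2 != 2049' | wc -l | tr -d ' '
}

# rpc_unexpected_services: names of any other registered RPC programs, worth a look
# because portmap answers about them to anyone who can reach port 111.
rpc_unexpected_services() {
    rpcinfo_lines | awk 'NR > 1 && $5 != "portmapper" && $5 != "nfs" && $5 != "mountd" &&
                         $5 != "nlockmgr" && $5 != "status" && $5 != "rquotad" { print $5 }' |
        sort -u
}

echo "ports registered for mountd:"; rpc_ports mountd
echo "all NFS-related proto/port pairs:"; nfs_firewall_ports
echo "of which not fixed (111/2049): $(nfs_dynamic_port_count)"
echo "other RPC programs registered: $(rpc_unexpected_services)"
```

Because the dynamic ports differ after every restart, the list printed by nfs_firewall_ports is only valid until the next restart of nfs; this is why the article's firewall section restricts who may reach port 111 by source address rather than trying to enumerate the other ports.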
****************************************

NFS client setting

    # mount -t nfs hostname(or IP):/directory /mountpoint

This is easy to handle. For fear that you will accidentally execute a program with the SUID permission in a file system mounted from the NFS end, root can mount the directories shared by NFS in a safer way:

    # mount -t nfs -o nosuid,ro hostname:/directory /mountpoint

Problems when mounting:

1. The permission settings do not match.

2. If you forget to activate portmap, the following error occurs:

    mount: RPC: Port mapper failure - RPC: Unable to receive
    or
    mount: RPC: Program not registered

   Start portmap and restart nfs:

    # service portmap start
    # service nfs restart

3. The firewall. Get rid of the firewall and reset it, including iptables and TCP_Wrappers. Because portmap is activated, port 111 must be reachable, so add these iptables rules:

    iptables -A INPUT -p TCP --dport 111 -j ACCEPT
    iptables -A INPUT -p UDP --dport 111 -j ACCEPT

   Then there is the TCP_Wrappers problem. Check /etc/hosts.deny: if one row is ALL: deny, then the following must be added in /etc/hosts.allow:

    portmap: ALL: allow

   If our NFS is opened for the internal network, and to the outside only for the academic network (140.0.0.0/8), you can:

    iptables -A INPUT -i eth0 -p TCP -s 192.168.0.0/24 --dport 111 -j ACCEPT
    iptables -A INPUT -i eth0 -p UDP -s 192.168.0.0/24 --dport 111 -j ACCEPT
    iptables -A INPUT -i eth0 -p TCP -s 140.0.0.0/8 --dport 111 -j ACCEPT
    iptables -A INPUT -i eth0 -p UDP -s 140.0.0.0/8 --dport 111 -j ACCEPT

   You can also use TCP_Wrappers: in /etc/hosts.allow write the IP addresses and names of the hosts allowed to connect to the NFS host, for example:

    # vi /etc/hosts.allow
    portmap: 192.168.0.0/255.255.255.0: allow
    portmap: 140.113.23.23: allow
    portmap: .sdu.edu.cn: allow

rpcinfo

    # rpcinfo -p hostname(or IP)

Note: when NFS uses RPC to connect the client to the host, shutting down your host becomes an "impossible task"! I still don't know why, but if you still have clients online on your server, you may have to wait an hour before the server shutdown can succeed! Real or false? Don't you believe it? Try it on your own! ^_^! Therefore, we recommend that you "turn off portmap and NFS" before the NFS server is shut down! If the two daemons cannot be switched off correctly, use netstat -utlp to find out their PIDs and then kill them first! In this way a normal shutdown succeeds! Please pay special attention to this!

In TurboLinux 8.0 for AMD64 (kernel 2.4.21-4smp), when mounting NFS the following error occurs:

    portmap: server localhost not responding, timed out

Solution:

    mount -t nfs -o nolock node1:/public

That is, the -o nolock parameter is added. The reason is: unfsd doesn't support NLM locking, and it's causing the lockd daemon to be started (which again requires the portmapper to be installed etc.).