NFS Configuration and Installation

Source: Internet
Author: User

Installation
1 Environment Description:
* Network environment:
NFS server: 192.168.102.47
NFS client: 192.168.102.15
NFS client: 192.168.102.61
* Software versions:
nfs-common 5-20
nfs-kernel-server 1.0.9-5
portmap 1.0.9-5
2 Installation:
Server-side installation
Installing NFS on a Debian system is fairly straightforward. Execute the following command on the NFS server:
# aptitude install nfs-common nfs-kernel-server portmap
On the client you need to install:
# aptitude install nfs-common portmap
3 Starting and stopping the service
Start the service
# /etc/init.d/nfs-kernel-server start
Stop the service
# /etc/init.d/nfs-kernel-server stop
Restart the service
# /etc/init.d/nfs-kernel-server restart
*************************
Server-side configuration
1 Creating a shared directory
# mkdir /home/share
# chown nobody:nogroup /home/share
2 Create or modify the /etc/exports configuration file
The contents of this file are very simple. Each line consists of the exported path and a list of client names, with the access options immediately following each client name:
[Shared directory] [Host name or IP(parameter,parameter)]
The parameters are optional; NFS uses the default options when no parameters are specified. The default sharing option is sync,ro,root_squash,no_delay.
When the host name or IP address is empty, the share is served to any client.
There must be no space between a host and the opening parenthesis of its parameters: with a space, the parameters are read as a separate entry that applies to any client.
When you share the same directory with multiple clients but want different permissions for each client, you can write:
[Shared directory] [Host name 1 or IP1(parameter 1,parameter 2)] [Host name 2 or IP2(parameter 3,parameter 4)]
Here are some common parameters for NFS sharing:
ro: read-only access
rw: read-write access
sync: all data is written to the share when requested
async: NFS may reply to a request before the data has been written
secure: NFS traffic is sent via secure TCP/IP ports below 1024
insecure: NFS traffic is sent over ports above 1024
wdelay: if multiple users are writing to the NFS directory, group the writes (default)
no_wdelay: if multiple users are writing to the NFS directory, write immediately; this setting is not needed when using async
hide: do not share subdirectories of the NFS shared directory
nohide: share subdirectories of the NFS directory
subtree_check: if you share a subdirectory such as /usr/bin, force NFS to check the permissions of the parent directory (default)
no_subtree_check: the opposite of the above; do not check parent directory permissions
all_squash: map the UID and GID of shared files to the anonymous user; suitable for public directories
no_all_squash: preserve the UID and GID of shared files (default)
root_squash: all requests from root users are mapped to the same permissions as the anonymous user (default)
no_root_squash: the root user has full administrative access to the root directory
anonuid=xxx: specify the UID, from the server's /etc/passwd file, of the anonymous user for NFS
anongid=xxx: specify the GID, from the server's /etc/passwd file, of the anonymous user for NFS
The configuration file /etc/exports has the following contents:
$ cat /etc/exports
/home/share 192.168.102.15(rw,sync) *(ro)
Configuration note: this gives read-write access to 192.168.102.15, and all other machines have read-only access.
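An added example (not part of the original page): a small checker for /etc/exports lines that reports risky entries, including the case where whitespace separates a host from its option list so that the options end up applying to any client. The function names and sample lines are constructed for illustration.

```python
import re

# One client token: optional host pattern, optional "(opt,opt,...)" glued to it.
CLIENT_RE = re.compile(r"([^\s()]*)(?:\(([^)]*)\))?")
RISKY = {
    "no_root_squash": "client root keeps root privileges on the share",
    "insecure": "requests from unprivileged source ports are accepted",
}

def parse_exports_line(line):
    """Split one /etc/exports line into (path, [(host, options)]).
    Clients are whitespace-separated, so 'host (opts)' yields two clients:
    'host' with options None (defaults) and '' (any client) with opts."""
    fields = line.split("#", 1)[0].split()
    if not fields:
        return None
    clients = []
    for token in fields[1:]:
        m = CLIENT_RE.fullmatch(token)
        if m is None:
            raise ValueError(f"malformed client entry: {token!r}")
        host, opts = m.groups()
        clients.append((host, None if opts is None else opts.split(",")))
    return fields[0], clients or [("", None)]

def audit(line):
    """Return human-readable findings for one /etc/exports line."""
    parsed = parse_exports_line(line)
    if parsed is None:
        return []
    path, clients = parsed
    findings = []
    for i, (host, options) in enumerate(clients):
        opts = options or []
        if host in ("", "*") and "rw" in opts:
            findings.append(f"{path}: read-write for every client")
        if host == "" and i > 0 and clients[i - 1][1] is None:
            findings.append(f"{path}: space before '(' detaches options "
                            f"from {clients[i - 1][0]!r}")
        findings += [f"{path}: {host or '*'} has {o} ({RISKY[o]})"
                     for o in opts if o in RISKY]
    return findings

# Constructed sample lines: the second differs only by the stray spaces.
INTENDED = "/home/share 192.168.102.15(rw,sync) *(ro)"
SPACED = "/home/share 192.168.102.15 (rw,sync) * (ro)"

if __name__ == "__main__":
    for sample in (INTENDED, SPACED):
        print(sample, "->", audit(sample) or "no findings")
```
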
3 Restart the NFS service
# /etc/init.d/nfs-kernel-server restart
4 View the NFS shares from the client
# showmount -e 192.168.102.47
Export list for 192.168.102.47:
/home/share (everyone)
5 Using the mount command to mount the shared resource
Mount the shared resource on the client 192.168.102.15:
# mount 192.168.102.47:/home/share /mnt
# cd /mnt
# echo '12345' > 123
You can see that this client can write to the server's shared directory.
# umount /mnt
Mount the shared resource on the client 192.168.102.61:
# mount 192.168.102.47:/home/share /mnt
# cd /mnt
# ls
123
# touch 321
touch: cannot touch '321': Permission denied
# echo '123455' > 123
-bash: 123: Permission denied
You can see that this client has only read access to the server's shared directory, which is consistent with our permission settings on the server side.
Do we need to restart the NFS service every time we modify the configuration file? No: we can use the exportfs command to rescan the /etc/exports file so that the changes take effect immediately.
For example:
# exportfs -au    (unexport all shared directories)
# exportfs -rv    (re-export all directories and print details)
The exportfs command is provided by the nfs-kernel-server package. For a detailed description of the exportfs command, see:
man exportfs
How do we know which permissions are actually in effect once a resource is shared? We can view the /var/lib/nfs/etab file, which the exportfs command generates from /etc/exports.
# cat /var/lib/nfs/etab
/home/share 192.168.102.15(rw,sync,wdelay,hide,nocrossmnt,secure,root_squash,no_all_squash,subtree_check,secure_locks,acl,mapping=identity,anonuid=65534,anongid=65534)
/home/share *(ro,sync,wdelay,hide,nocrossmnt,secure,root_squash,no_all_squash,subtree_check,secure_locks,acl,mapping=identity,anonuid=65534,anongid=65534)
Now let's look at which ports the NFS-related services are listening on at the server:
tonybox:/home/share# lsof -i | grep rpc
portmap   1931 daemon 3u IPv4 4289 UDP *:sunrpc
portmap   1931 daemon 4u IPv4 4290 TCP *:sunrpc (LISTEN)
rpc.statd 3206 statd  3u IPv4 7081 UDP *:1029
rpc.statd 3206 statd  6u IPv4 7072 UDP *:838
rpc.statd 3206 statd  7u IPv4 7085 TCP *:1031 (LISTEN)
rpc.mount 3483 root   6u IPv4 7934 UDP *:691
rpc.mount 3483 root   7u IPv4 7937 TCP *:694 (LISTEN)
***************************
5. Security issues:
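5.1 iptables firewall
If the NFS server is behind a firewall, the firewall policy needs to include the following rules:
-A INPUT -p tcp -m state --state NEW -m multiport --dports 111,2049,4001,32764:32767 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m multiport --dports 111,2049,4001,32764:32767 -j ACCEPT
These rules only help if the RPC helper daemons are pinned to the listed ports; in the lsof output above, rpc.statd and rpc.mountd are listening on dynamically assigned ports that the rules do not cover.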
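An added example (not part of the original page): a check that compares the sockets reported by `lsof -i` with the port list in the two rules above and returns every RPC listener the rules would not let through. The sample input is constructed from the lsof listing shown earlier on this page, and the function names are illustrative.

```python
# Constructed sample: the lsof listing shown earlier on this page.
LSOF_SAMPLE = """\
portmap   1931 daemon 3u IPv4 4289 UDP *:sunrpc
portmap   1931 daemon 4u IPv4 4290 TCP *:sunrpc (LISTEN)
rpc.statd 3206 statd  3u IPv4 7081 UDP *:1029
rpc.statd 3206 statd  6u IPv4 7072 UDP *:838
rpc.statd 3206 statd  7u IPv4 7085 TCP *:1031 (LISTEN)
rpc.mount 3483 root   6u IPv4 7934 UDP *:691
rpc.mount 3483 root   7u IPv4 7937 TCP *:694 (LISTEN)
"""
ALLOWED_SPEC = "111,2049,4001,32764:32767"    # port list used in both rules
SERVICE_PORTS = {"sunrpc": 111, "nfs": 2049}  # service names lsof may print

def parse_port_spec(spec):
    """Expand a multiport list such as '111,32764:32767' into port ranges."""
    ranges = []
    for item in spec.split(","):
        low, _, high = item.partition(":")
        ranges.append((int(low), int(high or low)))
    return ranges

def listeners(lsof_text):
    """Yield (command, proto, port) for each socket line of `lsof -i`."""
    for line in lsof_text.splitlines():
        fields = line.split()
        idx = next((i for i, f in enumerate(fields) if f in ("TCP", "UDP")), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        name = fields[idx + 1].rsplit(":", 1)[-1]
        port = SERVICE_PORTS.get(name, int(name) if name.isdigit() else None)
        if port is not None:
            yield fields[0], fields[idx].lower(), port

def uncovered(lsof_text, spec):
    """Return listeners whose port is outside every allowed range."""
    ranges = parse_port_spec(spec)
    return sorted({l for l in listeners(lsof_text)
                   if not any(lo <= l[2] <= hi for lo, hi in ranges)})

if __name__ == "__main__":
    for cmd, proto, port in uncovered(LSOF_SAMPLE, ALLOWED_SPEC):
        print(f"{cmd} listens on {proto}/{port}, not covered by the rules")
```
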
5.2 Using /etc/hosts.allow and /etc/hosts.deny to control client access
/etc/hosts.allow and /etc/hosts.deny are the configuration files of the tcpd server, which controls external IP access to services on the local machine. Both configuration files are formatted as follows:
# service process name : host list : optional command to run when the rule matches
server_name:hosts-list[:command]
/etc/hosts.allow controls which IP addresses may access this machine, and /etc/hosts.deny controls which IP addresses are denied access. If the two files have conflicting configurations, /etc/hosts.deny takes precedence. The following is an example of /etc/hosts.allow:
ALL:127.0.0.1 # allow the local machine to access all of its own service processes
smbd:192.168.0.0/255.255.255.0 # allow IPs in the 192.168.0. network segment to access the smbd service
The ALL keyword matches everything, EXCEPT matches everything except the listed items, and PARANOID matches hosts whose IP address and domain name do not match (domain name spoofing).
For example, the /etc/hosts.deny file on the server is set as follows:
# cat /etc/hosts.deny
portmap:192.168.102.15
Then mount the shared directory on the client 192.168.102.15:
# mount 192.168.102.47:/home/share /mnt
mount to NFS server '192.168.102.47' failed.
We find that the shared directory can no longer be mounted.
**********************
6. Resource use
In addition to mounting a shared resource manually with the mount command, you can use other methods to mount shared resources automatically:
6.1 Automatic mount at startup
Modify the client's /etc/fstab file to include a line similar to the following:
192.168.102.47:/home/share /mnt nfs rsize=8192,wsize=8192,timeo=14,intr
Restart the client so that the system mounts the shared resource automatically at startup.
6.2 Using AutoFS to mount resources
AutoFS uses the automount daemon to manage your mount points, which are mounted dynamically only when the file system is accessed. AutoFS consults the master configuration file /etc/auto.master to determine which mount points are defined. It then starts an automount process with the parameters that apply to each mount point. Each line in the master configuration defines a mount point, and a separate configuration file defines the file systems to mount under that mount point.
Install AutoFS
# aptitude install autofs
Modify the /etc/auto.master file and add the following:
/mnt /etc/auto.nfs
Create the /etc/auto.nfs file with the following contents:

nfs -rw,soft,intr,rsize=8192,wsize=8192 192.168.102.47:/home/share

This way, every time you enter the /mnt/nfs directory, the system tries to mount the server's shared resource on that directory. Note that the nfs directory is created dynamically by automount and should not actually exist on the client machine.

tonybox2:/# cd /mnt
tonybox2:/mnt# ls
tonybox2:/mnt# cd nfs
tonybox2:/mnt/nfs# ls
123
tonybox2:/mnt/nfs# ls -l
total 4
-rw-r--r-- 1 nobody nogroup 6 2006-08-22 07:50 123
tonybox2:/mnt/nfs#
