NFSv4 provides seamless network access

Source: Internet
Author: User

October 23, 2006

Network File System (NFS) has been part of the free operating system landscape since the mid-1980s and is a staple of proprietary UNIX systems. NFS is worth understanding because seamless file access between UNIX networks is critical to such systems. In this article we look at how NFSv4, the latest NFS release, solves many key problems, in particular the security issues that dogged versions 2 and 3.

We easily take the file system for granted. We work on computers that give us access to printers, cameras, databases, remote sensors, telescopes, compilers, and mobile phones. These devices have almost nothing in common; many of them only became practical once the Internet was in wide use (cameras and mobile phones that double as small computers, for example). Yet they all need some kind of file system to store and access data safely.

We rarely ask how data, the application programs that use it, and the interfaces that present it are actually stored on a computer. Many users (not unreasonably) treat the file system as a wall between themselves and the raw bits and bytes. The protocol stack that connects to the file system is a black box to most users, and to most programmers as well. Interconnecting all these devices amounts to letting file systems communicate with one another.

Network File System

In many respects communication is more than long-distance transmission of information, and network protocols alone do not make general communication possible. After all, every computer system must translate datagrams into something the operating system at the other end can understand. TCP is an efficient transport protocol, but it is not optimized to support fast file access or remote control of application software.

Distributed computing versus network computing

Traditional network protocols contribute little to distributing computation across computers (across networks, really); only a poor programmer relies on transport protocols and fiber-optic cables for parallel computing. Instead we usually rely on a connection-oriented model in which the link-layer protocols take over once connection setup, including a fairly complex handshake between the NICs, is complete. Parallel computing and distributed file systems then no longer see IP addresses or Ethernet. For now we can set performance issues aside. Security, however, is another matter.

How files are accessed across computer systems remains something of a mystery. Today it should make no difference whether the files being accessed sit on one computer or on several reasonably distributed computers. File system semantics and file system data structures have become two entirely separate subjects. The semantics of a distributed file system in the style of Plan 9 or the Andrew File System (AFS) hide both the way files are organized and the mapping from the file system to hardware and network. NFS does not need to hide how files and directories are stored on the remote file system, but it does not expose the actual hardware that stores those file systems, directories, and files.

NFS: a solution to a UNIX problem

To access a distributed file system, you run a few commands that mount directories from a computer on the network into your own system. Sun Microsystems faced this challenge many years ago when it began promoting Remote Procedure Call (RPC) technology and NFS.

Sun had to solve a fundamental problem: how to connect several UNIX machines into a seamless distributed working environment without rewriting UNIX file system semantics, and without adding too many data structures specific to a distributed file system. Of course, it was impossible to make a network of UNIX workstations look like one large system; while preserving the integrity of each system, users had to be able to work on directories of other computers without unacceptable delays or restrictions on their workflow.

Of course, NFS does more than provide access to text files; it can also be used to distribute runnable applications. That requires some security mechanism on the network to prevent malicious takeover of executable programs. But how is all this implemented?

NFS is an RPC standard

NFS is traditionally defined as an RPC application. It requires NFS servers to support TCP, and NFS clients to use TCP or another transport that avoids network congestion. The Internet Engineering Task Force (IETF) published RPC as a Request for Comments (RFC), RFC 1831. The other standard crucial to any NFS implementation is the data format NFS uses, published as the External Data Representation (XDR) document, RFC 1832.

Other RFCs cover the security and encryption algorithms needed to exchange authentication information during an NFS session. Here we look at the basic NFS mechanism. A related protocol, the Mount protocol, is described in Appendix I of RFC 1813.

These RFCs tell us which protocols make NFS work, but not how NFS came to work the way it does today. That NFS is defined as an IETF standard shows its importance. For a long time the latest NFS release was version 3, and development did not move beyond what those RFCs describe, so NFS was long regarded as a research object and a proprietary UNIX variant in the hands of the many engineers at Sun Microsystems. Sun has shipped many NFS versions since 1985, which kept it at the forefront of network file systems for years. Sun transferred control of NFS to the IETF in 1998, and much of the NFS version 4 (NFSv4) work has been carried out under IETF auspices.

The current RPC and NFS versions therefore reflect the wishes of companies and interest groups outside Sun, although many Sun engineers are still deeply involved in NFS development.

NFS version 3

NFS version 3 (NFSv3) is stateless, whereas NFSv4 is stateful. That fact causes little controversy: the TCP/IP world on which NFS is built has always been stateless at this level, and that is exactly one of the reasons some traffic-analysis and security software companies do so well.

NFSv3 relies on several auxiliary protocols to mount directories on remote computers seamlessly without leaning too heavily on the underlying file system mechanism, and the attempt is not always successful. For example, the Mount protocol obtains the initial file handle, and the Network Lock Manager protocol handles file locking. Both operations require state, but NFSv3 keeps none, so complex interactions are needed at a protocol layer that offers no such data-flow mechanism. Add the fact that files and directories created under Microsoft Windows differ significantly from those created under UNIX, and the process becomes more complex still.

NFSv3 has to use several ports to coordinate its auxiliary protocols, which complicates the port and protocol layers and the security issues that come with them. That model has now been abandoned: every operation the auxiliary protocols used to perform on their own ports is carried out through a single well-known port in NFSv4.
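The port sprawl described above is easy to see on a real server with rpcinfo -p. The following script, an added example that is not part of the original article or of nfs-utils, parses that output and works out which ports a firewall must pass for NFSv3 clients versus NFSv4 clients, and which of them are dynamic (assigned by rpcbind and liable to move after a reboot). The rpcinfo capture embedded in it is constructed; the mountd, nlockmgr and status port numbers are invented.

```python
"""Work out which ports an NFS deployment actually exposes from `rpcinfo -p` output.

Added example for this article; it is not code from the article or from nfs-utils.
SAMPLE_RPCINFO is a constructed capture: the mountd, nlockmgr and status ports are
the kind of dynamic ports rpcbind hands out and are not from a real host.
"""
import re

SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100005    1   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    1   udp  32769  nlockmgr
    100021    4   tcp  32803  nlockmgr
    100024    1   udp  50412  status
    100024    1   tcp  51233  status
"""

NFS_PROGRAM = 100003          # ONC RPC program number of NFS itself
WELL_KNOWN = {111, 2049}      # rpcbind/portmapper and NFS
# Helper protocols that only exist to prop up NFSv3 (mount, locking, crash recovery).
V3_SIDE_SERVICES = {"portmapper", "mountd", "nlockmgr", "status", "nfs_acl"}

LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")


def parse_rpcinfo(text):
    """Return (program, version, proto, port, service) tuples; the header line is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            prog, vers, proto, port, service = m.groups()
            entries.append((int(prog), int(vers), proto, int(port), service))
    return entries


def required_ports(entries, nfs_version):
    """(proto, port) pairs a firewall must pass for clients speaking the given NFS version."""
    needed = set()
    for prog, vers, proto, port, service in entries:
        if nfs_version == 4:
            # NFSv4 folds mount, lock and status traffic into the NFS port itself.
            if prog == NFS_PROGRAM and vers == 4:
                needed.add((proto, port))
        elif (prog == NFS_PROGRAM and vers == 3) or service in V3_SIDE_SERVICES:
            needed.add((proto, port))
    return needed


def dynamic_ports(entries):
    """Side services on ports other than 111/2049: rpcbind may pick different ones after a reboot."""
    return sorted({(svc, proto, port) for _, _, proto, port, svc in entries
                   if svc in V3_SIDE_SERVICES and port not in WELL_KNOWN})


if __name__ == "__main__":
    entries = parse_rpcinfo(SAMPLE_RPCINFO)
    for version in (3, 4):
        ports = sorted(required_ports(entries, version))
        print(f"NFSv{version}: {len(ports)} firewall rule(s): {ports}")
    for svc, proto, port in dynamic_ports(entries):
        print(f"  dynamic: {svc} {proto}/{port} (pin it in the daemon config or it will move)")
```

Run against the constructed capture, NFSv3 needs nine rules, six of them for ports that are not stable across reboots, while NFSv4 needs exactly one: TCP 2049. Feed it real rpcinfo -p output to get the rule set for your own server.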

NFSv3 was also ready for Unicode-enabled file system operations, a purely theoretical advantage until the 1990s. In short, NFS maps UNIX file system semantics very well and has stimulated competition among distributed file system implementations such as AFS and Samba. Despite NFS's weak Windows support, the Samba file server solved the problem of sharing files between UNIX and Windows systems.

NFS version 4

As noted, NFSv4 is stateful. Several fundamental changes make this possible. The auxiliary protocols mentioned earlier, which had to be called as separate user-space services, have been dropped; instead, each file open, and a considerable number of what used to be separate RPC calls, are turned into file system operations at the kernel level.

All NFS versions define their units of work as RPC client and server operations. In NFSv3 each request needs a considerable number of RPC calls and port opens before it produces a result. Version 4 introduces so-called compound operations to simplify this: a single compound carries many file system object operations. The direct effect is that far fewer RPC calls and far less data cross the network, although each individual RPC call now carries more payload. By one estimate, NFSv3 needs five times as many client-server round trips as an NFSv4 compound RPC to do the same work.

RPC is no longer as central: it is now mostly a wrapper around the many operations encapsulated in the NFSv4 stack. This change also makes the protocol stack less dependent on the underlying file system semantics, without ignoring the file system operations of other operating systems; Windows sharing, for example, requires stateful open calls. Statefulness not only helps traffic analysis but also makes it easier to track file system operations within the file system's own semantics. A stateful open call lets the client cache file data and state that would otherwise have to be kept on the server. Windows clients are common in the real world, and an NFS server can share data with Windows seamlessly and transparently, so time spent on NFS configuration is time well spent.

Using NFS

Setting up NFS is much like setting up Samba. On the server side you define the file systems or directories to export (share); on the client side you mount those shared directories into the local system. Once a remote client has mounted an NFS share, the directory is accessed exactly like any other local file system. Server setup is quite simple: create or edit the /etc/exports file and start the NFS daemons. For a safer NFS service, also edit /etc/hosts.allow and /etc/hosts.deny. The NFS client only needs to run the mount command. See the Linux manual pages for further information and options.

NFS server

Entries in /etc/exports have a simple format. To share a file system, edit /etc/exports and list the file system, the clients, and their options as follows. Note that there must be no whitespace between a client and its option list: an option list preceded by a space is treated as a separate entry with an empty client name, which applies to every host.

directory (or file system) client1(option1,option2) client2(option1,option2)

Common options

Several common options customize the NFS export. They include:

  • secure: This option is the default. It requires that NFS requests originate from a TCP/IP port below 1024. Specify insecure to disable it.
  • rw: Allows NFS clients read/write access. The default is read-only (ro).
  • async: Improves performance by letting the server reply to a request before the data has been committed to stable storage. If the server crashes or is restarted before the data is written, that data is lost. The default is sync.
  • no_wdelay: Disables write delay. NFS ignores this option if async is set.
  • nohide: When one file system is mounted on top of an exported directory, the mounted file system is normally hidden from clients and the mount point looks empty. nohide disables this behaviour; hide (the default) restores it.
  • no_subtree_check: Disables subtree checking. When only a subdirectory of a file system is exported, the server checks that each file accessed lies within the exported subtree; that is a security check you do not normally want to skip. The default at the time of writing was to perform the check. Newer nfs-utils releases default to no_subtree_check and exportfs warns when neither option is given, so state your choice explicitly.
  • no_auth_nlm: Also written insecure_locks. Tells the NFS daemon not to authenticate lock requests. Avoid this option if you care about security. The default is auth_nlm, also written secure_locks.
  • mp (mountpoint=path): Makes NFS export the directory only if it is a mount point (or if the given path has been mounted), so an empty underlying directory is never exported by accident.
  • fsid=num: Usually used for NFS failover. If you want to implement NFS failover, consult the NFS documentation.

User mapping

User mapping in NFS lets you assign a pseudo or real user and group ID to the user operating on an NFS volume. That NFS user then has the permissions of the mapped user and group. Using a common anonymous user and group for NFS volumes provides a degree of security and flexibility without a large management burden.

When a file system is mounted over NFS, access by the root user is normally restricted: requests from root are mapped to the anonymous user, which by default has only the (usually read-only) permissions of that account. This "squashing" matters most for root; other users keep their numeric UID and GID, so the same numbers must mean the same people on client and server. Sometimes, though, users genuinely need to access files on the remote file system as root or as some other defined user, and NFS allows the normal squash behaviour to be disabled or tuned through user ID (UID) and group ID (GID) options.

The user mapping options are:

    • root_squash: Maps requests from UID/GID 0 to the anonymous user, so root on the client has no special rights on the export. This is the default.
    • no_root_squash: Lets root on the client act as root on the export. Use it only for trusted hosts, since anyone who is root on such a client is root on the shared data.
    • all_squash: Useful for publicly accessible NFS volumes. Maps all UIDs and GIDs to the anonymous user. The default is no_all_squash.
    • anonuid and anongid: Set the anonymous UID and GID to a specific user and group account instead of the default 65534.

Listing 1 shows an example /etc/exports.

Listing 1. Example /etc/exports

    /opt/files 192.168.0.*
    /opt/files 192.168.0.120
    /opt/files 192.168.0.125(rw,all_squash,anonuid=210,anongid=100)
    /opt/files *(ro,insecure,all_squash)

The first entry exports /opt/files to every host on the 192.168.0 network. The second exports /opt/files to a single host, 192.168.0.120. The third names host 192.168.0.125 and grants it read/write access, with every access mapped to user ID 210 and group ID 100. The last entry is for a public directory: read-only, reachable from any host and any source port (insecure), and accessed only as the anonymous account.
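The options above are easy to get subtly wrong, and the squash rules are easier to reason about when you can ask "what does this client's UID become on the server?". The script below is an added example, not code from the article or from nfs-utils: it parses /etc/exports in the client(options) syntax the article uses, flags the entries a security reviewer would question (an option list separated from its host by a space, world-writable exports, insecure, no_root_squash, unauthenticated locks, and exports that still accept AUTH_SYS), and computes the effective identity under root_squash, no_root_squash, all_squash and anonuid/anongid. The embedded exports file is constructed: it repeats Listing 1 and adds two entries, one of them (/srv/build) deliberately carrying the space-before-options mistake and the other (/home) a hardened sec=krb5p export.

```python
"""Parse /etc/exports, flag risky entries, and show what a client's UID/GID becomes on the server.

Added example for this article, not code from the article or from nfs-utils. The
parsing follows the exports(5) syntax the article uses (client(options) with no
whitespace in between); per-line default options of the form "-rw" are skipped.
SAMPLE_EXPORTS is a constructed file that repeats the article's listing and adds
two entries, one deliberately containing the space-before-options mistake.
"""
from collections import namedtuple

Export = namedtuple("Export", "path client options")

SAMPLE_EXPORTS = """\
# constructed sample for the lint below
/opt/files 192.168.0.*
/opt/files 192.168.0.120
/opt/files 192.168.0.125(rw,all_squash,anonuid=210,anongid=100)
/opt/files *(ro,insecure,all_squash)
/srv/build build01.example.net (rw,no_root_squash)
/home 192.168.0.0/24(rw,sec=krb5p)
"""

ANON_ID = 65534  # exports(5) default uid/gid for squashed access

MESSAGES = {
    "space-before-options": "option list is separated from the client by a space, so it became "
                            "an entry of its own that applies to every host",
    "world-rw": "read/write access for every host",
    "insecure-ports": "requests accepted from unprivileged (>=1024) source ports",
    "no_root_squash": "root on the client is root on this export",
    "insecure-locks": "lock requests are not authenticated",
    "auth-sys": "AUTH_SYS accepted: identity is whatever UID/GID the client asserts",
}


def parse_exports(text):
    """Return one Export per (path, client) pair, in file order."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            if spec.startswith("-"):
                continue  # per-line defaults such as "-rw" are not modelled here
            client, _, rest = spec.partition("(")
            exports.append(Export(path, client, rest.rstrip(")")))
    return exports


def parse_options(options):
    """'rw,sec=krb5p' -> {'rw': None, 'sec': 'krb5p'}."""
    opts = {}
    for item in filter(None, options.split(",")):
        key, _, value = item.partition("=")
        opts[key] = value or None
    return opts


def effective_identity(options, uid, gid):
    """UID/GID the server applies to a request from (uid, gid) under these export options."""
    opts = parse_options(options)
    anon_uid = int(opts.get("anonuid") or ANON_ID)
    anon_gid = int(opts.get("anongid") or ANON_ID)
    if "all_squash" in opts:
        return anon_uid, anon_gid
    if "no_root_squash" in opts:
        return uid, gid
    # root_squash is the default: uid 0 and gid 0 are each mapped to the anonymous ids
    return (anon_uid if uid == 0 else uid, anon_gid if gid == 0 else gid)


def lint(exports):
    """Return (path, client, code) findings; codes index MESSAGES."""
    findings = []
    for path, client, options in exports:
        opts = parse_options(options)

        def flag(code):
            findings.append((path, client, code))

        if client == "":
            flag("space-before-options")
        if client in ("", "*") and "rw" in opts:
            flag("world-rw")
        if "insecure" in opts:
            flag("insecure-ports")
        if "no_root_squash" in opts:
            flag("no_root_squash")
        if "insecure_locks" in opts or "no_auth_nlm" in opts:
            flag("insecure-locks")
        if "sys" in (opts.get("sec") or "sys").split(":"):
            flag("auth-sys")
    return findings


if __name__ == "__main__":
    exports = parse_exports(SAMPLE_EXPORTS)
    for path, client, code in lint(exports):
        print(f"{path} {client or '<everyone>'}: {MESSAGES[code]}")
    print("root from 192.168.0.120 on /opt/files ->", effective_identity("", 0, 0))
    print("uid 1000 from 192.168.0.125 on /opt/files ->",
          effective_identity("rw,all_squash,anonuid=210,anongid=100", 1000, 1000))
```

The /srv/build line is the one to study: because of the space, build01.example.net receives the defaults (read-only, root squashed) and the (rw,no_root_squash) list becomes an entry with an empty client, which is every host on the network. The lint reports that entry as world read/write with root unsquashed, which is what the server will actually do. The hardened /home entry is the only one without an AUTH_SYS finding.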

NFS client

Notes

Once a remote file system is mounted via NFS, it becomes part of any whole-system backup run on the client. Unless the newly mounted directory is excluded from the backup, this can have serious consequences.

To use NFS as a client, the client machine must run the rpc.statd and portmap daemons. A simple ps -ef command shows whether both are running. If they are (as they should be), use the following general form to mount a directory exported by the server:

mount server:directory local_mount_point

Generally you must mount the file system as root. On the remote computer, run the following (assuming the NFS server's IP address is 192.168.0.100):

mount 192.168.0.100:/opt/files /mnt

The distribution you are using may require you to specify the file system type when mounting. If so, run:

mount -t nfs 192.168.0.100:/opt/files /mnt

If the server is configured correctly, the remote file system mounts without trouble. Now cd to /mnt and run ls to see the files. To mount it permanently, edit /etc/fstab and add an entry like the following:

192.168.0.100:/opt/files /mnt nfs rw 0 0

Note: For more information about /etc/fstab, see the fstab manual page. For an export that is not meant to carry trusted executables, add nosuid and nodev to the option field so that set-UID binaries and device nodes placed on the server cannot be used to gain privilege on the client.

Criticism of NFS

Criticism drives progress

Criticism of NFS security is at the root of many of NFSv4's improvements. The designers of the new version adopted a number of proven mechanisms to consolidate security in NFS client-server interaction; in effect, they decided on an entirely new security model.

To understand this security model you should be familiar with the so-called Generic Security Services Application Programming Interface (GSS-API), version 2, update 1. The GSS-API is fully described in RFC 2743, unfortunately one of the hardest RFCs to understand.

Experience with NFSv4 shows that separating a network file system from the operating system is very hard, and separating the operating system's security from the network protocol is harder still. Both are needed, because NFS has to handle a great many user operations without burdening the network protocol interaction with too much special content.

The connection between NFS client and server is protected by so-called "robust" RPC security. NFSv4 uses the Open Network Computing Remote Procedure Call (ONC RPC) standard defined in RFC 1831. Rather than rely on the simple authentication flavour called AUTH_SYS (numeric UID and GID asserted by the client and sent in the clear), the security model was strengthened: RPCSEC_GSS, a security flavour built on the GSS-API, is defined and implemented as a mandatory part of NFSv4. The most important security mechanisms NFSv4 offers are Kerberos version 5 and LIPKEY.

Although Kerberos has many limitations when used across the Internet, LIPKEY has a pleasing property: it works much like Secure Sockets Layer (SSL), prompting the user for a username and password, while avoiding SSL's dependency on TCP, which NFSv4 does not share. Even where RPCSEC_GSS is not required, NFSv4 can be set to negotiate security. Earlier NFS versions lacked this ability, so quality of protection, data integrity, authentication requirements, and encryption type could not be negotiated.

NFSv3 security has been widely criticized. Although an NFSv3 server runs over TCP and can in principle be exposed on the Internet, it requires several open ports, which brings a number of well-known security problems. By making port 2049 mandatory for NFS, NFSv4 can be used across firewalls without worrying about which ports the other protocols (such as the Mount protocol) happen to be listening on. Discarding the Mount protocol and the rest of the old model brings the following benefits:

    • Mandatory strong authentication: NFSv4 requires a strong authentication mechanism. Kerberos is the common choice, and the Low Infrastructure Public Key mechanism (LIPKEY) must also be supported. NFSv3 in practice relies on standard UNIX authentication (AUTH_SYS, which carries no cryptographic proof of identity), a serious security problem on large networks.
    • Required support for Windows NT-style access control lists (ACLs): Although NFSv3 could optionally use stronger authentication flavours, it never promoted Windows NT-style ACLs. POSIX-style ACLs have existed for some time but were never widely adopted. NFSv4 mandates a Windows NT-style ACL scheme.
    • Negotiated authentication types and mechanisms: NFSv4 makes it possible to negotiate the authentication type and mechanism. In NFSv3 the security flavour had to be chosen by hand, and the system administrator then had to coordinate the security protocols across the systems involved.

Is NFS still unrivalled?

NFSv4 is starting to replace NFSv3 on many UNIX and Linux systems. As a network file system, NFSv4 has several competitors. Given that Common Internet File System (CIFS)/Server Message Block (SMB) is proprietary on Windows yet also available on Linux, both can be considered strong competitors to NFSv4. AFS never had much commercial impact; it concentrates on those elements of a distributed file system that simplify data migration and replication.

Production-quality NFS has existed in Linux since kernel 2.2, but one serious mistake in Linux kernel development was adopting NFSv3 too late; it took a long time for Linux to support NFSv3 fully. That problem was corrected quickly when NFSv4 appeared. Now not only Solaris, AIX, and FreeBSD but also Linux provide comprehensive NFSv4 support.

NFS is now considered a very mature technology with real strengths: good security, good availability, and the fact that many users find it easy to reach the network and its facilities with a single secure login, even when files and applications live on other operating systems or computers. Compared with distributed file systems this may look like a disadvantage, since a distributed system hides its structure from users, but remember that many applications use files from several operating systems and computers. NFS makes it easier to work across operating systems without worrying too much about file system semantics and performance characteristics.

References

Learning

    • For more information, see the original article on the developerWorks global site.

    • The main NFSv4 portal links to all NFSv4 technical documents and RFCs.
    • Distributed file systems take a little effort to understand; Wikipedia is a good starting point.
    • RFC 1832 describes the XDR standard.
    • RFC 1831 describes the RPC standard.
    • RFC 1813, Appendix I: the Mount protocol (now obsolete).
    • RFC 2743 describes the GSS-API.

Obtain products and technologies

    • OpenAFS is an open-source version of AFS, another distributed file system.

    • Samba can be regarded as a file system that implements some NFS-like functionality.
