CT 320: Network and System Administration
Network file system (NFS)
Colorado State University Computer Science Department
Chris Wilcox
Fall 2012
Original slides from Dr. James Walden at Northern Kentucky University.
Topics
• NFS Versions
• Using NFS
• NFS Services
• Server and Client Configuration
• Automounter
• Security
• Performance
CT320: Fall Semester 2012
NFS Versions
• v2 (1984): UDP, 32-bit.
• v3 (1992): TCP, 64-bit.
• v4 (2000): Distributed, cross-platform, security.
Using NFS
Client
• Start portmap
• …
• …
• …
• Mount filesystems.
Server
• Start portmap
• Start nfs services.
• Configure exports.
• Export filesystems.
NFS Services
• portmap — RPC service for Linux
  • portmap
• nfs — NFS file server processes.
  • rpc.mountd
  • rpc.rquotad
  • nfsd
• nfslock — Optional file locking service.
  • rpc.statd
NFSv2/3 Processes
• rpc.mountd — Handles client mount requests.
• rpc.nfsd — NFS server processes.
• rpc.lockd — Process for optional nfslock service.
• rpc.statd — Handles server crashes for nfslock.
• rpc.rquotad — Quotas for remote users.
rpcinfo
> rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100021    1   udp  32774  nlockmgr
    100021    1   tcp  34437  nlockmgr
    100011    1   udp    819  rquotad
    100011    2   udp    819  rquotad
    100011    1   tcp    822  rquotad
    100011    2   tcp    822  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    2   udp    836  mountd
    100005    2   tcp    839  mountd
    100005    3   udp    836  mountd
    100005    3   tcp    839  mountd
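The listing above is worth reading as an inventory: an NFSv2/v3 server exposes mountd, nlockmgr and rquotad on ports that portmap assigns at start-up, so a firewall rule that only allows 2049 will break v2/v3 mounts, while an NFSv4-only server needs just 2049 (and 111 if portmap is still used). The following Python script is an added example, not part of the lecture slides; it parses rpcinfo -p output into rows, lists every (protocol, port) pair a host firewall would have to cover, and reports whether any v2/v3-only programs are still registered. The sample text is constructed from the rows on the slide; all helper names (parse_rpcinfo, listening_ports, nfs_versions_offered, v4_only_candidate) are this example's own.

```python
"""Parse `rpcinfo -p` output and summarize which RPC programs are reachable.

Added example, not part of the lecture slides. The sample below is constructed
to match the slide's table; every port except 111 and 2049 is assigned
dynamically by portmap and changes between reboots, which is exactly why
firewalling NFSv2/v3 is awkward.
"""
import re
from collections import defaultdict

# Constructed sample: the same rows as the slide's `rpcinfo -p` listing.
SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100021    1   udp  32774  nlockmgr
    100021    1   tcp  34437  nlockmgr
    100011    1   udp    819  rquotad
    100011    2   udp    819  rquotad
    100011    1   tcp    822  rquotad
    100011    2   tcp    822  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    2   udp    836  mountd
    100005    2   tcp    839  mountd
    100005    3   udp    836  mountd
    100005    3   tcp    839  mountd
"""

# One data row: program number, version, proto, port, service name.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")

# RPC programs that only NFSv2/v3 clients need; NFSv4 carries mount, locking
# and status inside the NFS protocol itself on port 2049.
V2V3_ONLY = {"mountd", "nlockmgr", "rquotad", "status"}
NFS_PROGRAM = 100003


def parse_rpcinfo(text):
    """Return a list of (program, version, proto, port, name) tuples."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:  # the header line and blank lines do not match
            prog, vers, proto, port, name = m.groups()
            rows.append((int(prog), int(vers), proto, int(port), name))
    return rows


def listening_ports(rows):
    """Map (proto, port) -> set of service names registered on it.

    This is the full list a host firewall must permit for the listed
    services to keep working for NFSv2/v3 clients."""
    ports = defaultdict(set)
    for _, _, proto, port, name in rows:
        ports[(proto, port)].add(name)
    return dict(ports)


def nfs_versions_offered(rows):
    """Protocol versions the NFS program itself advertises."""
    return sorted({vers for prog, vers, *_ in rows if prog == NFS_PROGRAM})


def v4_only_candidate(rows):
    """True when no v2/v3-only program is registered, i.e. the host could be
    restricted to tcp/2049 (plus 111 for portmap) without breaking anything."""
    names = {name for *_, name in rows}
    return not (names & V2V3_ONLY)


if __name__ == "__main__":
    rows = parse_rpcinfo(SAMPLE_RPCINFO)
    print("NFS versions offered:", nfs_versions_offered(rows))
    for (proto, port), names in sorted(listening_ports(rows).items()):
        print(f"{proto}/{port:<5} {', '.join(sorted(names))}")
    print("could be firewalled to 2049 only:", v4_only_candidate(rows))
```

On a live host, feed the script the real output (for example rpcinfo -p piped into it) instead of the constructed sample; the interesting result is the set of dynamic ports, because those are the ones an iptables rule written for "port 2049" silently misses.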
NFSv4 Processes
• nfsd — NFSv4 server processes. Handles mounts.
• rpc.idmapd — Maps between NFSv4 names (user@domain) and local UIDs and GIDs. Uses /etc/idmapd.conf.
• rpc.svcgssd — Server-side transport Kerberos authentication.
• rpc.gssd — Client-side transport Kerberos authentication.
Server Configuration
• Configure /etc/exports
  • List filesystems to be exported.
  • Specify export options (ro, rw, etc.)
  • Specify hosts/networks to export to.
• Export filesystems.
  exportfs
• Start NFS server (if not already started)
  service portmap start
  service nfs start
/etc/exports
• Format: directory hosts(options)
• Options
  • ro, rw: Read-only, read-write.
  • async: Server replies before the write reaches disk.
  • sync: Write to disk before replying (default).
  • all_squash: Map all users to the anonymous UID/GID.
  • root_squash: Map root to the anonymous UID (default).
  • no_root_squash: Don't map root (insecure).
  • anonuid, anongid: Set the anonymous UID and GID.
• Examples:
  • /home *.example.com(rw,sync)
  • /backups 192.168.1.0/24(ro,all_squash)
  • /ex/limited foo.example.com
Client Configuration
• Manual mounting
  • mount -t <nfs-type> -o <options> server:/remote/export /local/directory
• Mounting via /etc/fstab
  • server:/remote/export /local/directory <nfs-type> <options> 0 0
• NFS type is either nfs or nfs4.
Mount Options
• hard or soft — Error handling
  • hard: NFS requests wait uninterruptibly until the server is back.
  • soft: NFS requests time out and report failure.
• intr — NFS requests can be interrupted if the server is unreachable.
• nfsvers=2,3 — NFS protocol version (not 4).
• noexec — Prevents execution of binaries.
• nosuid — Disables setuid for security.
• rsize,wsize=# — NFS data block size (default 8192).
• sec=mode — NFS security type.
  • sys uses local UIDs and GIDs.
  • krb5 uses Kerberos 5 authentication.
  • krb5i uses Kerberos 5 authentication + integrity checking.
  • krb5p uses Kerberos 5 authentication + integrity checking + encryption.
• tcp, udp — Specifies the protocol to use for the mount.
Automounter
• Manages NFS mounts
  • Automounter maps vs /etc/fstab.
• Mounts filesystems only when needed:
  • Makes administering many filesystems easier.
  • Improves startup speed.
  • Provides uniform namespaces.
  • Ex: mounts /home/home7 as /home on login.
• /etc/auto.master points to maps
  • /home /etc/auto.home
• Maps describe mounts
  • * -fstype=nfs4,soft,intr,nosuid server:/home
Security
• Limit which hosts have access to the filesystem.
  • Specify hosts in /etc/exports.
  • Use iptables to limit which hosts can use NFS.
• Use read-only mounts unless writes are needed.
• Disable suid and execution unless needed.
• Map root to nobody.
• Map all users to a specific user by default.
• Block NFS at network firewalls.
• Use NFSv4 with Kerberos.
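Most of this checklist, together with the /etc/exports options and the nosuid/noexec/sec= mount options from the earlier slides, can be checked mechanically from the two configuration files. The Python script below is an added example and not part of the lecture slides: it parses /etc/exports and the NFS lines of /etc/fstab and reports clauses that export to every host, keep no_root_squash, export writable to the world, or mount without nosuid, noexec or a Kerberos security flavour. The two configuration texts are constructed samples built from the examples on the /etc/exports slide plus two deliberately weak lines; the function names (parse_exports, audit_exports, parse_fstab_nfs, audit_fstab) are this example's own. One caveat it encodes, from exports(5) rather than the slides: a clause written as "host (options)" with a space before the parenthesis applies those options to all hosts, so the script treats a bare "(options)" token as a wildcard export.

```python
"""Audit /etc/exports and /etc/fstab NFS entries against the security checklist.

Added example, not part of the lecture slides. Findings map onto the slide's
own advice: name the hosts, prefer ro, keep root_squash, set nosuid/noexec,
use NFSv4 with Kerberos. Both configuration texts below are constructed.
"""
import re

# Constructed sample: the three examples from the /etc/exports slide plus two
# deliberately weak lines (a world-writable export, and the "host (opts)" trap).
SAMPLE_EXPORTS = """\
# server exports
/home        *.example.com(rw,sync)
/backups     192.168.1.0/24(ro,all_squash)
/ex/limited  foo.example.com
/scratch     *(rw,no_root_squash)
/srv/data    trusted.example.com (rw)
"""

# Constructed sample: one hardened NFSv4 mount and one default-ish NFSv3 mount.
SAMPLE_FSTAB = """\
server:/home      /home      nfs4  sec=krb5p,soft,intr,nosuid,noexec  0 0
server:/backups   /backups   nfs   ro,nfsvers=3                        0 0
"""

# A client clause is "host" or "host(opt,opt)"; a bare "(opts)" has no host.
CLAUSE_RE = re.compile(r"([^()]*)(?:\((.*)\))?")


def parse_exports(text):
    """Return (directory, host, options) for every client clause in /etc/exports."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        directory, *clients = line.split()
        for clause in clients:
            m = CLAUSE_RE.fullmatch(clause)
            if not m:
                continue
            host, opts = m.group(1), m.group(2)
            # exports(5): options separated from the host by whitespace apply
            # to every host, so "host (rw)" is really "host" plus "*(rw)".
            host = host or "*"
            options = set(opts.split(",")) if opts else set()
            entries.append((directory, host, options))
    return entries


def audit_exports(entries):
    """Return (directory, host, message) findings; defaults are ro and root_squash."""
    findings = []
    for directory, host, options in entries:
        writable = "rw" in options
        if host == "*":
            findings.append((directory, host, "exported to every host; name hosts or networks"))
        if "no_root_squash" in options:
            findings.append((directory, host, "no_root_squash: remote root is root on the export"))
        if writable and host == "*":
            findings.append((directory, host, "writable by any host; use ro unless writes are needed"))
    return findings


def parse_fstab_nfs(text):
    """Return (source, mountpoint, fstype, options) for nfs/nfs4 entries in /etc/fstab."""
    mounts = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[2] in ("nfs", "nfs4"):
            mounts.append((fields[0], fields[1], fields[2], set(fields[3].split(","))))
    return mounts


def audit_fstab(mounts):
    """Return (mountpoint, message) findings for missing nosuid/noexec and sec=sys."""
    findings = []
    for _source, mountpoint, _fstype, options in mounts:
        for want in ("nosuid", "noexec"):
            if want not in options:
                findings.append((mountpoint, f"{want} not set"))
        # sec=sys is the default when no sec= option is given.
        sec = next((o for o in options if o.startswith("sec=")), "sec=sys")
        if sec == "sec=sys":
            findings.append((mountpoint, "sec=sys trusts client UIDs/GIDs; prefer NFSv4 with krb5, krb5i or krb5p"))
    return findings


if __name__ == "__main__":
    for directory, host, msg in audit_exports(parse_exports(SAMPLE_EXPORTS)):
        print(f"exports: {directory} {host}: {msg}")
    for mountpoint, msg in audit_fstab(parse_fstab_nfs(SAMPLE_FSTAB)):
        print(f"fstab: {mountpoint}: {msg}")
```

Run against the real files by reading them into the two parse functions; the /scratch and /srv/data lines in the sample show the two findings that matter most, a wildcard host and the whitespace trap, while the /backups mount shows what a v3 mount looks like before nosuid, noexec and a Kerberos flavour are added.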