NFS (Network File System) Server Installation and Configuration, and Security/Firewall Steps to Control Access
Network File System (NFS) is a distributed file system protocol originally developed by Sun Microsystems in 1984, allowing a user on a client computer to access files over a network in a manner similar to how local storage is accessed. NFS, like many other protocols, builds on the Open Network Computing Remote Procedure Call (ONC RPC) system. The Network File System is an open standard defined in RFCs, allowing anyone to implement the protocol. [Wiki]
We will install one NFS server on CentOS and do some basic setup here. For the beginner, an NFS share is something like a network partition, similar to a local partition such as /usr/local, which can be mounted on your local system as long as you have network access to the server where the partition physically resides. An NFS server is very useful for clustered solutions or shared space.
Example Image Used: CentOS, kernel 2.6.18-308.11.1.el5
Scenario:
- Grant read-only access to the /opt/local directory to all networks
- Grant read/write access to the /var/common-log directory to all networks
Install Steps
- Install rpcbind (portmap on older releases) and the NFS-related packages:
$ yum install rpcbind nfs-utils nfs-utils-lib
(on older releases install portmap instead of rpcbind)
- Once installed, configure nfs, nfslock and rpcbind to run as daemons:
$ chkconfig --level 35 rpcbind on
$ chkconfig --level 35 nfs on
$ chkconfig --level 35 nfslock on
- rpcbind (portmap in older versions of Linux): the primary daemon upon which all the others rely. rpcbind manages connections for applications that use the RPC specification. By default, rpcbind listens on TCP port 111, where the initial connection is made; this connection is then used to negotiate a range of TCP ports, usually above port 1024, for the subsequent data transfers. You need to run rpcbind on both the NFS server and the client.
- nfs: starts the RPC processes needed to serve shared NFS file systems. The nfs daemon needs to run on the NFS server only.
- nfslock: allows NFS clients to lock files on the server via RPC processes. The nfslock daemon needs to run on both the NFS server and the client.
then start the rpcbind, nfslock and nfs daemons:
$ service rpcbind start
$ service nfslock start
$ service nfs start
(on older releases start portmap instead of rpcbind)
- Test whether NFS is running correctly with the rpcinfo command. You should get a listing of running RPC programs that must include mountd, portmapper, nfs, and nlockmgr:
$ rpcinfo -p localhost
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  40481  status
    100024    1   tcp  49796  status
    100011    1   udp    875  rquotad
    100011    2   udp    875  rquotad
    100011    1   tcp    875  rquotad
    100011    2   tcp    875  rquotad
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    2   tcp   2049  nfs_acl
    100227    3   tcp   2049  nfs_acl
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100227    2   udp   2049  nfs_acl
    100227    3   udp   2049  nfs_acl
    100021    1   udp  32769  nlockmgr
    100021    3   udp  32769  nlockmgr
    100021    4   udp  32769  nlockmgr
    100021    1   tcp  32803  nlockmgr
    100021    3   tcp  32803  nlockmgr
    100021    4   tcp  32803  nlockmgr
    100005    1   udp    892  mountd
    100005    1   tcp    892  mountd
    100005    2   udp    892  mountd
    100005    2   tcp    892  mountd
    100005    3   udp    892  mountd
    100005    3   tcp    892  mountd
Config Steps
- Create the directories to be published with the correct permissions:
$ mkdir -p /opt/local
$ chown nfsnobody:nfsnobody /opt/local
$ mkdir -p /var/common-log
$ chown nfsnobody:nfsnobody /var/common-log
it should end up like this:
$ ls -l /opt
...
drwxr-xr-x. 2 nfsnobody nfsnobody 4096 Feb 20 12:55 local
$ ls -l /var
...
drwxr-xr-x. 7 nfsnobody nfsnobody 4096 Feb 17 14:44 common-log
- The /etc/exports file is the main NFS configuration file, and it consists of two columns. The first column lists the directories you want to make available to the network. The second column has two parts: the first part lists the networks or DNS domains that can access the directory, and the second part lists the NFS options in brackets.
Edit /etc/exports and append the desired shares (add the following lines, or your own target directories):
$ vi /etc/exports
/opt/local *(ro,sync,all_squash)
/var/common-log *(rw,sync,all_squash)
where:
- /opt/local: directory to share with read-only access to all networks
- /var/common-log: directory to share with read/write access to all networks
- *: allow access from all networks
- ro: read-only access
- rw: read/write access
- sync: synchronous access (a request is acknowledged only after the change has been committed to stable storage)
- root_squash: prevents root users connected remotely from having root privileges and assigns them the user ID of the user nfsnobody. This effectively "squashes" the power of the remote root user to the lowest local user, preventing unauthorized alteration of files on the remote server. Alternatively, the no_root_squash option turns off root squashing. To squash every remote user, including root, use the all_squash option. To specify the user and group IDs to use for remote users from a particular host, use the anonuid and anongid options, respectively. In this case, a special user account can be created for remote NFS users to share, and specified with anonuid=<uid>,anongid=<gid>, where <uid> is that account's user ID number and <gid> is its group ID number.
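Before handing these exports to the network it is worth a mechanical review. The following is an added example, not part of the original post: a POSIX sh audit of an /etc/exports file that flags the wildcard client and read/write-to-anyone settings used above (and also no_root_squash and insecure, which this tutorial does not use), run over a constructed copy of the tutorial's exports and over a version limited to an assumed client LAN 192.168.1.0/24.

```shell
# Added example (not from the original post): review an /etc/exports file
# the way a defender would before opening the firewall for it. Flags, per
# exported path and client spec: a client of "*" (or none), i.e. any host
# that can reach nfsd; rw granted to such a wildcard; no_root_squash (remote
# root keeps uid 0); insecure (requests from unprivileged source ports).
# Prints one line per finding; returns 0 only when nothing was flagged.
audit_exports() {
    file=$1; findings=0
    set -f                                   # "*" in the file must not glob
    while read -r line; do
        line=${line%%#*}                     # strip comments
        [ -z "$line" ] && continue
        set -- $line                         # $1 = path, rest = client(options)
        path=$1; shift
        [ $# -eq 0 ] && set -- '*'           # no client spec at all = everyone
        for spec in "$@"; do
            client=${spec%%"("*}; opts=""
            [ "$spec" != "$client" ] && opts=${spec#*"("} && opts=${opts%")"}
            [ -z "$client" ] && client='*'
            if [ "$client" = '*' ]; then
                echo "$path: exported to any host ($spec)"; findings=$((findings+1))
                case ",$opts," in *,rw,*)
                    echo "$path: read/write for any host"; findings=$((findings+1));;
                esac
            fi
            case ",$opts," in *,no_root_squash,*)
                echo "$path: no_root_squash for $client"; findings=$((findings+1));;
            esac
            case ",$opts," in *,insecure,*)
                echo "$path: insecure source ports allowed for $client"; findings=$((findings+1));;
            esac
        done
    done < "$file"
    set +f
    [ "$findings" -eq 0 ]
}

# Constructed samples: the exports this tutorial ends up with, and the same
# shares restricted to an assumed client LAN 192.168.1.0/24.
WEAK_EXPORTS=$(mktemp); HARDENED_EXPORTS=$(mktemp)
cat > "$WEAK_EXPORTS" <<'EOF'
/opt/local      *(ro,sync,all_squash)
/var/common-log *(rw,sync,all_squash)
EOF
cat > "$HARDENED_EXPORTS" <<'EOF'
/opt/local      192.168.1.0/24(ro,sync,all_squash)
/var/common-log 192.168.1.0/24(rw,sync,all_squash)
EOF
audit_exports "$WEAK_EXPORTS" || echo "weak exports: review before enabling"
audit_exports "$HARDENED_EXPORTS" && echo "hardened exports: no findings"
```

On a server, run `audit_exports /etc/exports` after each edit and before `exportfs -ra`; a non-zero exit means at least one share is reachable by every host that can reach port 2049.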
Security and NFS-Client Access Steps
- Security issues. To allow remote access, some firewall rules and other NFS settings must be changed. You need to open the following ports:
- TCP/UDP 111 - RPC 4.0 portmapper
- TCP/UDP 2049 - NFSD (nfs server)
- The other RPC services (lockd, mountd, rquotad, statd) pick their ports dynamically by default; pin them to static TCP/UDP ports in /etc/sysconfig/nfs so the firewall rules can reference them.
Edit /etc/sysconfig/nfs and set:
$ vi /etc/sysconfig/nfs
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
RQUOTAD_PORT=875
STATD_PORT=662
STATD_OUTGOING_PORT=2020
then restart the nfs daemons:
$ service rpcbind restart
$ service nfs restart
(on older releases restart portmap instead of rpcbind)
update the iptables rules by editing /etc/sysconfig/iptables and appending the following rules:
$ vi /etc/sysconfig/iptables
-A INPUT -s 0.0.0.0/0 -m state --state NEW -p udp --dport 111 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -m state --state NEW -p tcp --dport 111 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -m state --state NEW -p tcp --dport 2049 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -m state --state NEW -p tcp --dport 32803 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -m state --state NEW -p udp --dport 32769 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -m state --state NEW -p tcp --dport 892 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -m state --state NEW -p udp --dport 892 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -m state --state NEW -p tcp --dport 875 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -m state --state NEW -p udp --dport 875 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -m state --state NEW -p tcp --dport 662 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -m state --state NEW -p udp --dport 662 -j ACCEPT
restart the iptables daemon:
$ sudo service iptables restart
- Mount the NFS shared directories. Install the client NFS packages first.
on an Ubuntu/Debian client:
$ apt-get install nfs-common
on a CentOS client:
$ yum install nfs-utils nfs-utils-lib
query the list of all shared directories:
$ showmount -e SERVERADDRESS
mount the server's /opt/local on the client's /nfs-server:
$ mkdir -p /nfs-server
$ mount SERVERADDRESS:/opt/local /nfs-server
$ df -h
mount the server's /var/common-log on the client's /nfs-common:
$ sudo mkdir -p /nfs-common
$ sudo mount SERVERADDRESS:/var/common-log /nfs-common
$ df -h
- Mount the NFS shares automatically after reboot on the client. Edit /etc/fstab and append the following lines:
$ vi /etc/fstab
#Directory                        Mount Point  Type  Options  Dump  FSCK
SERVER_IP_ADDRESS:/opt/local      /nfs-server  nfs   hard     0     0
SERVER_IP_ADDRESS:/var/common-log /nfs-common  nfs   hard     0     0
to test the correctness of /etc/fstab before restarting, you can try to manually mount /nfs-server and /nfs-common:
$ mount /nfs-server
$ mount /nfs-common
This doc should help you to do the following by now:
- A running NFS server with various LAN shared directories
- An active set of firewall rules allowing access to the NFS ports
- A permanently mounted NFS share on a CentOS / Ubuntu client
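The iptables rules in the security section accept from any source (-s 0.0.0.0/0) because the scenario grants access to all networks. As an added example that is not part of the original post, this POSIX sh function reads the pinned ports from an /etc/sysconfig/nfs-style file and emits the same rule set with the source restricted to one client subnet; the 192.168.1.0/24 LAN and the sample file contents are assumptions, and it also opens udp 2049, which rpcinfo -p lists for nfs alongside tcp.

```shell
# Added example (not from the original post): generate the iptables rules for
# the ports this tutorial opens, but with the source limited to one client
# LAN instead of -s 0.0.0.0/0, reading the pinned ports from an
# /etc/sysconfig/nfs-style file. Usage: nfs_iptables_rules <CIDR> <file>
nfs_iptables_rules() {
    cidr=$1; cfg=$2
    rule() { echo "-A INPUT -s $cidr -m state --state NEW -p $1 --dport $2 -j ACCEPT"; }
    # rpcbind (111) and nfsd (2049) sit on fixed ports; rpcinfo -p shows
    # both of them on tcp and udp, so open both transports.
    for proto in tcp udp; do rule $proto 111; rule $proto 2049; done
    while read -r line; do
        line=${line%%#*}                 # skip comments and commented-out defaults
        case "$line" in *=*) ;; *) continue ;; esac
        key=${line%%=*}; val=${line#*=}
        val=${val#\"}; val=${val%\"}      # tolerate KEY="value"
        # STATD_OUTGOING_PORT is a source port for statd's own calls: no INPUT rule
        case "$key" in
            LOCKD_TCPPORT) rule tcp "$val" ;;
            LOCKD_UDPPORT) rule udp "$val" ;;
            MOUNTD_PORT|RQUOTAD_PORT|STATD_PORT) rule tcp "$val"; rule udp "$val" ;;
        esac
    done < "$cfg"
}

# Constructed sample with the values set in the tutorial plus one line left
# at its commented-out default, as shipped in /etc/sysconfig/nfs.
NFS_SYSCONFIG=$(mktemp)
cat > "$NFS_SYSCONFIG" <<'EOF'
#RPCNFSDCOUNT=8
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
RQUOTAD_PORT=875
STATD_PORT=662
STATD_OUTGOING_PORT=2020
EOF
# Assumed client LAN; paste the output into /etc/sysconfig/iptables.
nfs_iptables_rules 192.168.1.0/24 "$NFS_SYSCONFIG"
```

On the server itself, `nfs_iptables_rules 192.168.1.0/24 /etc/sysconfig/nfs` produces the rules for whatever ports are actually pinned there, so the firewall and the NFS configuration cannot drift apart.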