
Monday, November 15, 2010


How to setup file sharing with NFS in Linux?


NFS is an excellent way of sharing files between Linux and other UNIX systems. While Samba is a great choice due to the compatibility with Windows, if you're in a Windows-less environment, NFS may be a better choice.

NFS allows for machines to mount without authentication, at boot, which is great if you have a cluster of systems or if you want to use a centralized home directory system (using an NFS-mounted directory for home directories to keep your configurations and files identical on multiple systems).

NFS is also very easy to set up. To begin, you need to install the NFS package, so on Fedora or Red Hat Enterprise Linux and other similar systems, install the nfs-utils package:
#yum install nfs-utils
Next, you will need to edit /etc/exports, which is where we define what filesystems can be remotely accessed. A sample /etc/exports may look like this:
/srv site1.domain.com(rw) site2.domain.com(ro)
/home 192.168.1.0/255.255.255.0(rw)
What this /etc/exports does is export the /srv directory on the server to the site1.domain.com computer as read/write and to site2.domain.com as read-only. It also exports /home as read/write to any computer in the 192.168.1.0 network (192.168.1.0 being the network address and 255.255.255.0 being the netmask).

There are other options you can supply on a per-host or per-network basis, including the no_root_squash option, which lets root on a client machine write files to the server as root; by default, NFS maps any requests from root on the client to the 'nobody' user on the server.

Next, check /etc/hosts.allow and /etc/hosts.deny. NFS will check these files for access controls to the server. This is particularly necessary if you are using wildcards or broad network specifications in /etc/exports; using hosts.allow and hosts.deny you can fine-tune which clients do and don't have access. For instance, you may add in /etc/hosts.deny:
portmap:ALL
and then in /etc/hosts.allow:
portmap:192.168.1.1, 192.168.1.2, 192.168.1.3
This would only allow the hosts specified in /etc/hosts.allow to connect to the portmap service. You can get more fine-grained and also add entries for lockd, rquotad, mountd, and statd, which are the other NFS-related services.
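
The /etc/exports risks mentioned above (no_root_squash, wildcards and broad network specifications) can be checked mechanically. This is an added example, not part of the original article; the function name audit_exports, the finding labels and the /backup and /pub sample lines are constructed for illustration. It also flags the well-known exports pitfall of a space before the option list, which applies the options to every host.

```shell
#!/bin/sh
# Added example (not from the original article): flag risky /etc/exports entries.
# Reads exports(5) text on stdin; prints "path client finding" per issue.
audit_exports() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {                     # split "client(opt,opt)"
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1, length($i) - p - 1)
            }
            # "host (rw)": a detached option list applies to every host
            if (client == "") client = "*"
            rw = 0; nrs = 0
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "rw") rw = 1
                if (o[j] == "no_root_squash") nrs = 1
            }
            if (nrs) print path, client, "no_root_squash"
            kind = ""
            if (index(client, "/")) kind = "rw-to-network"
            if (index(client, "*") || index(client, "?")) kind = "rw-to-wildcard"
            if (rw && kind != "") print path, client, kind
        }
    }'
}

# Constructed sample: the two entries from the article plus two risky ones.
sample_exports() {
    cat <<'EOF'
/srv site1.domain.com(rw) site2.domain.com(ro)
/home 192.168.1.0/255.255.255.0(rw)
/backup admin.domain.com(rw,no_root_squash)
/pub site1.domain.com (rw)
EOF
}

sample_exports | audit_exports
```

On a server, run it as `audit_exports < /etc/exports` and review each reported line against the clients that actually need that access.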

Finally, to start NFS sharing, on the server you need to start a few services:
#service portmap start
#service nfs start
#service nfslock start
#service rpcbind start
#service rpcidmapd start
On newer systems, portmap is probably deprecated in favour of portreserve; in that case you would use service portreserve start instead.
To see what filesystems are exported, use the exportfs command; if you've made changes to /etc/exports, use exportfs -ra to force NFS to re-read the configuration. To make sure that NFS is running, use the rpcinfo command; if it returns a list of services and addresses being listened to, you know it is running.

Finally, if you are running iptables on the server as a firewall, you will need to change what ports the NFS services listen to. By default, these are random unused ports, with portreserve/portmap letting requesting services know what ports to connect to. This is a major difference between NFSv3, where this is true, and NFSv4, which solely uses TCP port 2049, so this largely depends on which version of NFS you plan to use or enforce. On Fedora or Red Hat Enterprise Linux, this can be done by editing /etc/sysconfig/nfs. By default, it's all commented, so the following is what we want to uncomment and define:
RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
STATD_OUTGOING_PORT=2020
This will force static ports for the above services. The next step is to open the firewall on these ports, which can be done by editing /etc/sysconfig/iptables (again keeping in mind this is on a RHEL system):
# the following are for NFS
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 32803 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 32769 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 662 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 662 -j ACCEPT
After these changes are made, restart the firewall and the NFS services:
#for i in iptables portmap nfs; do service $i restart; done
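
An added example, not part of the original article: a shell check that every port pinned in /etc/sysconfig/nfs has a matching ACCEPT rule, and that no port variable is still commented out (and therefore random). The function name check_nfs_ports and the sample files are constructed; the fixed ports 111 and 2049 are not covered here.

```shell
#!/bin/sh
# Added example (not from the original article): cross-check the static ports in
# an /etc/sysconfig/nfs-style file against iptables ACCEPT rules.
# Prints "VAR proto/port ok|MISSING" or "VAR unset"; returns 1 on any gap.
check_nfs_ports() {
    conf=$1; rules=$2; rc=0
    # variable:protocols, mirroring the firewall rules listed in the article
    for spec in RQUOTAD_PORT:tcp,udp LOCKD_TCPPORT:tcp LOCKD_UDPPORT:udp \
                MOUNTD_PORT:tcp,udp STATD_PORT:tcp,udp; do
        var=${spec%%:*}
        protos=$(echo "${spec#*:}" | tr ',' ' ')
        # Only an uncommented assignment pins the port; otherwise it is random.
        port=$(sed -n "s/^$var=\"\{0,1\}\([0-9][0-9]*\).*/\1/p" "$conf" | tail -n 1)
        if [ -z "$port" ]; then
            echo "$var unset"; rc=1; continue
        fi
        for proto in $protos; do
            if grep -Eq -- "-p $proto .*--dport $port .*-j ACCEPT" "$rules"; then
                echo "$var $proto/$port ok"
            else
                echo "$var $proto/$port MISSING"; rc=1
            fi
        done
    done
    return $rc
}

# Constructed sample input: STATD_PORT left commented, no udp rule for mountd.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/nfs" <<'EOF'
RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
#STATD_PORT=662
EOF
cat > "$tmp/iptables" <<'EOF'
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 32803 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 32769 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 892 -j ACCEPT
EOF
check_nfs_ports "$tmp/nfs" "$tmp/iptables" || echo "gaps found: see lines above"
```

Against a real server, call it as `check_nfs_ports /etc/sysconfig/nfs /etc/sysconfig/iptables`; STATD_OUTGOING_PORT is deliberately left out because it needs no inbound rule.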
At this point, your NFS server is set up and ready to accept connections from remote clients, which can be tested by mounting one of the exported filesystems on the client:
#mkdir -p /server/srv
#mount -t nfs server.domain.com:/srv /server/srv
If mount does in fact mount the remote filesystem, everything is working as it should.
NFS is really easy to use, and it works really well. Being able to mount NFS filesystems at boot is a great boon; you can have NFS mounted filesystems without your users even being aware that they are there, and without any direct intervention by them, which is handy.

Thanks...

About 'Anu': My name is 'Anu', also known as 'ANU 007 TIGER'. I'm the administrator of the 'PC Tips by Anu' blog. This blog was opened for sharing content about hacking and cracking.