
CT 320: Network and System Administration

CT 320: Network and System Administration. Network file system (NFS) Colorado State University Computer Science Department Chris Wilcox Fall 2012. Original slides from Dr. James Walden at Northern Kentucky University. Topics. NFS Versions Using NFS NFS Services



Presentation Transcript


  1. CT 320: Network and System Administration
     Network file system (NFS)
     Colorado State University Computer Science Department
     Chris Wilcox, Fall 2012
     Original slides from Dr. James Walden at Northern Kentucky University.

  2. Topics
     • NFS Versions
     • Using NFS
     • NFS Services
     • Server and Client Configuration
     • Automounter
     • Security
     • Performance
     CT320: Fall Semester 2012

  3. NFS Versions
     • v2 (1984): UDP, 32-bit
     • v3 (1992): TCP, 64-bit
     • v4 (2000): distributed, cross-platform, security

  4. Using NFS
     Client
     • Start portmap
     • …
     • …
     • …
     • Mount filesystems.
     Server
     • Start portmap
     • Start nfs services.
     • Configure exports.
     • Export filesystems.

  5. NFS Services
     • portmap — RPC service for Linux
       • portmap
     • nfs — NFS file server processes.
       • rpc.mountd
       • rpc.rquotad
       • nfsd
     • nfslock — Optional file locking service.
       • rpc.statd

  6. NFSv2/3 Processes
     • rpc.mountd — Handles client mount requests.
     • rpc.nfsd — NFS server processes.
     • rpc.lockd — Process for optional nfslock service.
     • rpc.statd — Handles server crashes for nfslock.
     • rpc.rquotad — Quotas for remote users.

  7. rpcinfo
     > rpcinfo -p
        program vers proto   port
         100000    2   tcp    111  portmapper
         100000    2   udp    111  portmapper
         100021    1   udp  32774  nlockmgr
         100021    1   tcp  34437  nlockmgr
         100011    1   udp    819  rquotad
         100011    2   udp    819  rquotad
         100011    1   tcp    822  rquotad
         100011    2   tcp    822  rquotad
         100003    2   udp   2049  nfs
         100003    3   udp   2049  nfs
         100003    2   tcp   2049  nfs
         100003    3   tcp   2049  nfs
         100005    2   udp    836  mountd
         100005    2   tcp    839  mountd
         100005    3   udp    836  mountd
         100005    3   tcp    839  mountd
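As an added example (not part of the original slides), the Python below parses an rpcinfo listing like the one above and groups the registered ports per service. Only portmapper (111) and nfs (2049) sit on fixed ports; mountd, nlockmgr and rquotad register wherever portmap assigns them, which is why a host firewall rule that opens only 111 and 2049 is incomplete. The sample input is a constructed copy of the slide's listing.

```python
# Added example, not from the CT320 slides: parse `rpcinfo -p` output and group
# listening ports per RPC service, so a host firewall rule covers the dynamic ports.
import re
from collections import defaultdict

# Constructed sample, copied from the rpcinfo listing on the slide.
RPCINFO_OUTPUT = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100021    1   udp  32774  nlockmgr
    100021    1   tcp  34437  nlockmgr
    100011    1   udp    819  rquotad
    100011    2   udp    819  rquotad
    100011    1   tcp    822  rquotad
    100011    2   tcp    822  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    2   udp    836  mountd
    100005    2   tcp    839  mountd
    100005    3   udp    836  mountd
    100005    3   tcp    839  mountd
"""

# One data row: program number, version, proto, port, service name.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")

def parse_rpcinfo(text):
    """Return (program, version, proto, port, name) tuples; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            prog, vers, proto, port, name = m.groups()
            entries.append((int(prog), int(vers), proto, int(port), name))
    return entries

def ports_by_service(entries):
    """Map service name -> sorted list of (proto, port) it is registered on."""
    table = defaultdict(set)
    for _prog, _vers, proto, port, name in entries:
        table[name].add((proto, port))
    return {name: sorted(pp) for name, pp in table.items()}

def dynamic_port_services(entries, fixed=frozenset({111, 2049})):
    """Services registered outside the well-known ports 111 (portmap) and
    2049 (nfs): the ones a rule that opens only those two would block."""
    return sorted({name for _p, _v, _proto, port, name in entries if port not in fixed})
```

On a live server the same functions can be fed the output of `rpcinfo -p` directly; the dynamic ports change across reboots, so the check is worth repeating after restarts.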

  8. NFSv4 Processes
     • nfsd — NFSv4 server processes. Handles mounts.
     • rpc.idmapd — Maps between NFSv4 names (user@domain) and local UIDs and GIDs. Uses /etc/idmapd.conf.
     • rpc.svcgssd — Server-side Kerberos authentication for the transport.
     • rpc.gssd — Client-side Kerberos authentication for the transport.

  9. Server Configuration
     • Configure /etc/exports
       List filesystems to be exported.
       Specify export options (ro, rw, etc.).
       Specify hosts/networks to export to.
     • Export filesystems.
       exportfs
     • Start NFS server (if not already started)
       service portmap start
       service nfs start

  10. /etc/exports
     • Format: directory hosts(options)
     • Options
       • ro, rw — Read-only, read-write.
       • async — Server replies before the write is committed.
       • sync — Save before reply (default).
       • all_squash — Map all users to the anonymous UID/GID.
       • root_squash — Map root to the anonymous UID (default).
       • no_root_squash — Don't map root (insecure).
       • anonuid, anongid — Set the anonymous UID, GID.
     • Examples:
       • /home *.example.com(rw,sync)
       • /backups 192.168.1.0/24(ro,all_squash)
       • /ex/limited foo.example.com

  11. Client Configuration
     • Manual mounting
       mount -t <nfs-type> -o <options> server:/remote/export /local/directory
     • Mounting via /etc/fstab
       server:/remote/export /local/directory <nfs-type> <options> 0 0
     • NFS type is either nfs or nfs4.

  12. Mount Options
     • hard or soft — Error handling.
       hard: NFS requests wait uninterruptibly until the server is back.
       soft: NFS requests time out and report failure.
     • intr — NFS requests can be interrupted if the server is unreachable.
     • nfsvers=2,3 — NFS protocol version (not 4).
     • noexec — Prevents execution of binaries.
     • nosuid — Disables setuid for security.
     • rsize,wsize=# — NFS data block size (default 8192).
     • sec=mode — NFS security type.
       sys uses local UIDs and GIDs.
       krb5 uses Kerberos 5 authentication.
       krb5i uses Kerberos 5 authentication + integrity checking.
       krb5p uses Kerberos 5 authentication + integrity checking + encryption.
     • tcp, udp — Specifies the protocol to use for the mount.

  13. Automounter
     • Manages NFS mounts
     • Automounter maps vs /etc/fstab.
     • Mounts filesystems only when needed:
       • Makes administering many filesystems easier.
       • Improves startup speed.
       • Provides uniform namespaces.
       • Ex: mounts /home/home7 as /home on login.
     • /etc/auto.master points to maps
       /home /etc/auto.home
     • Maps describe mounts
       * -fstype=nfs4,soft,intr,nosuid server:/home

  14. Security
     • Limit which hosts have access to the filesystem.
       • Specify hosts in /etc/exports.
       • Use iptables to limit which hosts can use NFS.
     • Use read-only mounts unless writes are needed.
     • Disable suid and execution unless needed.
     • Map root to nobody.
     • Map all users to a specific user by default.
     • Block NFS at network firewalls.
     • Use NFSv4 with Kerberos.
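The /etc/exports format from slide 10 and the host-limiting and root-squashing advice from slide 14 can be checked mechanically. The Python below is an added example, not code from the slides: it parses exports lines in the slide's directory hosts(options) form and reports exports open to every host, exports with no_root_squash, exports using async, and exports that name no options at all. It assumes, as exportfs permits but the slides do not show, that several host(options) groups may follow one directory; the sample file is constructed from the slide's three examples plus one deliberately risky line.

```python
# Added example, not from the CT320 slides: parse /etc/exports lines in the
# slide's "directory hosts(options)" format and flag exports that go against
# the security slide's advice. Assumption: several host(options) groups may
# follow one directory, as exportfs permits; the slides show only one.
import re

# Constructed sample: the slide's three examples plus one deliberately risky line.
SAMPLE_EXPORTS = """\
# /etc/exports
/home       *.example.com(rw,sync)
/backups    192.168.1.0/24(ro,all_squash)
/ex/limited foo.example.com
/scratch    *(rw,no_root_squash,async)
"""

# One host group: a host/network spec optionally followed by (opt,opt,...).
GROUP_RE = re.compile(r"(\S+?)(?:\((.*?)\))?(?=\s|$)")

def parse_exports(text):
    """Return (directory, host, {options}) for every host group on every line."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        directory, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        for host, opts in GROUP_RE.findall(rest):
            options = {o.strip() for o in opts.split(",") if o.strip()}
            rows.append((directory, host, options))
    return rows

def audit_exports(text):
    """Return (directory, host, finding) triples for exports worth a second look."""
    findings = []
    for directory, host, opts in parse_exports(text):
        if host == "*":
            findings.append((directory, host, "exported to every host"))
        if "no_root_squash" in opts:
            findings.append((directory, host, "root is not squashed (insecure)"))
        if "async" in opts:
            findings.append((directory, host, "async: acknowledged writes may be lost"))
        if not opts:
            findings.append((directory, host, "no explicit options (relies on defaults)"))
    return findings
```

An export with no options is not wrong in itself (ro, sync and root_squash are the defaults the slide lists), but spelling them out makes the intended policy visible to the next administrator.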
