209.2. NFS Server Configuration
209.2 NFS Server Configuration
Weight: 3
Description: Candidates should be able to export filesystems using NFS. This objective includes access restrictions, mounting an NFS filesystem on a client and securing NFS.
Key Knowledge Areas:
NFS version 3 configuration files
NFS tools and utilities
Access restrictions to certain hosts and/or subnets
Mount options on server and client
TCP Wrappers
Awareness of NFSv4
Terms and Utilities:
/etc/exports
exportfs
showmount
nfsstat
/proc/mounts
/etc/fstab
rpcinfo
mountd
portmapper
What is NFS?
NFS (Network File System) is basically developed for sharing of files and folders between Linux/Unix systems by Sun Microsystems in 1980. It allows us to mount our local file systems over a network and remote hosts to interact with them as they are mounted locally on the same system. With the help of NFS, we can set up file sharing between Unix to Linux system and visa versa.
NFS Advantages
NFS allows local access to remote files.
It uses standard client/server architecture for file sharing between all unix based machines.
With NFS it is not necessary that both machines run on the same OS.
With the help of NFS we can configure centralized storage solutions.
Users get their data with no concern about physical location of data.
No manual refresh needed for new files.
Newer version of NFS also supports acl, pseudo root mounts.
Can be secured with Firewalls and Kerberos.
NFS Versions
Currently, there are three versions of NFS. NFS version 2 (NFSv2) is older and is widely supported. NFS version 3 (NFSv3) has more features but has some security issues and dis advantages. And NFS version 4 (NFSv4) wich is lates full feature and secure version of NFS.
NFS v2 – March 1989
NFS v3 – June 1995
NFS v4 – December 2000
NFS v4.1 – January 2010
For LPIC2 exam we are required to work NFS version3 but we also have to know a little bit about NFS version4 and differences.
NFS v3
The NFS server version 3 service includes three facilities:
nfs: It translates remote file sharing requests into requests on the local file system.
portmap : It maps calls made from other machines to the correct RPC service .it uses rpcbind(not required with NFSv4).
rpcbind: The rpcbind service redirects the client to the proper port number so it can communicate with the requested service.(not required with NFSv4)
NFS v3 Disadvantage
Probably the greatest disadvantage is the issue of security. Because NFS v3 is based on RPC, remote procedure calls, it is inherently insecure and should only be used on a trusted network behind a firewall. This is not to say that steps can't be taken to secure NFS but it still will not be ready for the wilds of the open Internet.
NFS v4
In NFSv4 , there is no more rpcbind and portmapper.
In NFSv3 there is a nfslock service which that starts the appropriate RPC processes to allow NFS clients to lock files on the server but NFSv4 has native file locking mechanisem.
In NFSv3 rpc.mountd service is responsible for mounting and unmounting of file systems, In NFSv4 there no rpc.mound.
While NFSv3 Works with TCP/UDP ports, NFSv4 just works with TCP
Installing NFSv3
Lets install NFS server (v3) on a CentOS system:
Important NFS Configuration Files:
/etc/exports : Its a main configuration file of NFS, all exported files and directories are defined in this file at the NFS Server end.
/etc/fstab : To mount a NFS directory on your system across the reboots, we need to make an entry in /etc/fstab.
/etc/sysconfig/nfs : Configuration file of NFS to control on which port rpc and other services are listening.
We will spend more time on them during the course. Now lets create something to share:
We will discuse about NFS security later in this course but for now keep it simple and grant 777 permission.( Also in RedHat based distributions do not forget to turn off selinux by using setenforce 0
command.
Next we have to export this file system to one or more clients.
/etc/exports
Its a main configuration file of NFS, all exported files and directories are defined in this file at the NFS Server end. A line for an exported file system has the following structure:
This file might be populated by some examples and explanation or might not exist and should be created, like here on CentOS:
In this example we have shared /nfsshared directory with centos7-2 client with read and write permissions. Also we have let everybody to have readonly permission. It is possible to use Ip addresses and wild cards intstead of HostNames.The following methods can be used to specify host names:
single host — Where one particular host is specified with a fully qualified domain name, hostname, or IP address.
wildcards — Where a * or ? character is used to take into account a grouping of fully qualified domain names that match a particular string of letters. Wildcards should not be used with IP addresses; however, it is possible for them to work accidentally if reverse DNS lookups fail.
IP networks — Allows the matching of hosts based on their IP addresses within a larger network. For example, 192.168.0.0/28 allows the first 16 IP addresses, from 192.168.0.0 to 192.168.0.15, to access the exported file system, but not 192.168.0.16 and higher.
netgroups —This option is pretty old but noy bad to know. It Permits an NIS netgroup name, written as @<group-name>, to be used. This effectively puts the NIS server in charge of access control for this exported file system, where users can be added and removed from an NIS group without affecting /etc/exports.
Some other options we can use in /etc/exports file for file sharing is as follows:
ro: With the help of this option we can provide read only access to the shared files i.e client will only be able to read.
rw: This option allows the client server to both read and write access within the shared directory.
sync: Syncronize nfs file system to the disk immediatly, so this way we reduce the chance of ifle system corruption.
no_subtree_check: This option prevents the subtree checking. When a shared directory is the subdirectory of a larger file system, nfs performs scans of every directory above it, in order to verify its permissions and details. Disabling the subtree check may increase the reliability of NFS, but reduce security.
no_root_squash: This phrase allows root to connect to the designated directory. [it needs more explanation:]
Mapping user's ides and group ides, What NFS does?
The way that NFS permissions work is that , they are the permissions both for subdirectories within the share as well as files created by users, they have userid(uid) and groupid(gid) of the user on the remote system that creates them. The problem is that those user ides and group ides can be different on different systems. From the security perspective that sounds like a problem.Why? Lets imagine in a client server environment we have a user with uid 1101( on the server) called user1, and we have user3 on the remote system (client system) with the same user id 1101.
The problem is that any files created by user1 locally on the server (or from any other systems ) , are made with permissions for uid1101. Now imagine another user like user3 with the same uid 1101 is permitted to get connected to the NFS server. user3 is another person, from different computer but he/she has uid 1101 so he/she would have the same persmissions as user1 has.
So we have problem in syncronizing user's permissions becaused they are handled by user id and group id. So we need to map uid and gid between client and server for users who access them. It could be done by choosing right uid and gid while we are creating users. also there are some other solutions like OpenLDAP to automatically syncronized accounts.
But the option that we are talking about , whould be different from root user perspective. the root user is going to have thae same id on the both client and server. so lets explain it again :
root_squash : says do not map root client account to the server root account, it prevents remote root user to have the same access to the file system as the server root user.
no_root_squash: says hey go and map users root client acount to the server root account. It depends on you and security profile of your organization.
Now that we know about more options, lets complete our configuration:
Now we need to start a couple of processes we need to start, we need to start nfs server and we need to start rpcbind process.One Supports the other, and we need both of them so NFS server works corectlly.
nfsd process is primary process that handles clients. But Because RPC-based services rely on rpcbind to make all connections with incoming client requests, rpcbind must be available before any of these services start,(1-rpc-->2-nfs) lets check the rpc services and tale a closer look at them:
Based on Linux distro that we are using, we might see some additional rpc services. following RPC processes facilitate NFS services.For those who like details:
among them rpc.idmap is for hybrid NFSv3 and NFSv4 systems, which is why we see here.
rpcinfo
rpcbind
provides coordination between RPC services and the port numbers used to communicate with them, it is useful to view the status of current RPC services usingrpcbind
when troubleshooting. Therpcinfo
command shows each RPC-based service with port numbers, an RPC program number, a version number, and an IP protocol type (TCP or UDP).
rpcinfo makes an RPC call to an RPC server and reports what it finds. It has lots of options but for now we just show how rpc feeds portmap:
If one of the NFS services does not start up correctly,rpcbind
will be unable to map RPC requests from clients for that service to the correct port. In many cases, if NFS is not present inrpcinfo
output, restarting NFS causes the service to correctly register withrpcbind
and begin working. For more information and a list of options onrpcinfo
, refer to itsman
page.
TCP Wrappers
Therpcbind
service uses TCP wrappers for access control, and access control rules forrpcbind
affect all RPC-based services. Alternatively, it is possible to specify access control rules using /etc/host.allow and etc/host.deny files.
By default both of hosts.allow and hosts.deny files are blank. So the access will be granted to any client.
Keep in mind that hosts.allow over rides hosts.deny. For example if we want to let specific network range can access and use "portmap" we specify portmap: 192.168.10.0/24
in /etc/hosts.allow
and then define portmanp: ALL
in /etc/hosts.deny
. Do not forget to restart rpcbind
and nfs
service in order to changes take effect.
exportfs
that is a utility to show what shares are available.
Some usefull switches are:
exportfs examples
Description
exportfs -v
Displays a list of shares files and options on a server
exportfs -a
Exports all shares listed in /etc/exports, or given name
exportfs -u
Unexports all shares listed in /etc/exports, or given name
exportfs -r
Refresh the server’s list after modifying /etc/exports
nfsstat
nfstat let us config client connections to export
NFS Client Configuration
Lets configure NFS client, First we need to have some utilites set to mount NFS File system(Centos7):
Now we create a mount point before mounting NFS file system under /mnt directory :
and for demostrating the discussion we had about user id mapping and group id , we create two users:
we can use showmount command to findout what has been shared on the server:
showmount command examples
Description
showmount -e
Shows the available shares on your local machine
showmount -e <server-ip or hostname>
Lists the available shares at the remote server
showmount -d
Lists all the sub directories
Ops lets check remote rpc service with rpcinfo command:
Oh No, we have forgot to set NFS required ports on the server firewall, so :
okey , lets check it again:
and now it is mounting time:
lets create a file there:
as we have set no root squash option, if root user create a file it would have root permisions, wheather from the client mashine or the server:
see boot root users have the same permissions to this file, if we have used no root squash, as root users wouldn't be mapped among client and server it would get nfsnobody
user permissions.
Lets do another example, let create two text files, nfsuser1 created user1.txt and nfsuser2 creates user2.txt file:
Now on the server we create nfsuser1 with uid 1102 (this id is nfsuser2's id on client machine):
Hm, It seem unsecure hm? Be carefull about usning NFSv3 and use OpenLDAP with it.
NFS /etc/fstab options
As u have seen we use mount command to mount NFS File System on the clint computer, that is not permanent and it would dissapear after rebooting the system.
and lets chek it:
As it is a network file system it can make problems during boot process if network is not available, so we change the configurations, there are number of different defaults which determined the behaviour of our attemted mount depending upon its availability.We can indicated weather we want to mount soft or hard. If the server is unavailable and we set it to soft, it would stop trying after determining NFS server is unavailable, if we set it to hard mount it would countinue trying upto the timeout option.
We can also set it foreground or background, fg or bg. It determines if the attempt for mounting happens on the foreground, then the boot of system would wait until it succeeded or fail . Or in the background , so the boot can countinue silently attemting to mount while boot process is doing its job. it usually used with Hard mount option, inorder to the system from hanging.
timeout option wich is defined with tmeo=10 in seconds, and indicates timeout value before the mount attempts fail.
retrans option, defines how many times the system will retry to mount duting a boot.
rsize and wsize which are the maximum read and write sizes requests, allowed in the remote server. Typically set to 8MegaBytes in size or 8192. We can perforamncing testing if we have very very small files or large of files.
ro and rw it is obvious as you can guess it mount file system Read-Only or for Read-Write, but if share Read-Only on the server side it would be Read-Only.
Thats all.
Last updated