1. Essential skills for this chapter
2. The origin of NFS and what it does
   What is NFS (Network FileSystem)
   What is RPC (Remote Procedure Call)
   The RPC daemons NFS starts
3. Required packages
4. Server-side setup
5. Client-side setup
6. RPC server related commands
7. Precautions when shutting down
8. Security settings (blocked by the firewall)
9. Practical exercise

------------------------------------------------------------

Essential skills for this chapter:

Welcome back to Bird Brother's "broken cluster time"! In this chapter we use vi to edit configuration files and use the startup scripts to start our services; we also use a few simple rpm commands to install packages. So, to follow this chapter, you need to know at least these things:
· vi
· the Bash shell
· what a service (daemon) is
· the common network commands
· a basic understanding of network security
· a simple firewall setup
In any case, the Linux basics and the networking basics are the foundation. Once you have read those, this chapter will be easy!
------------------------------------------------------------

The origin of NFS and what it does

· What is NFS (Network FileSystem)

First we have to understand what NFS is; otherwise I could talk for ages and it would be no use, right? ^_^ NFS is the abbreviation of Network FileSystem, and it was originally developed by Sun.

Its biggest feature is that it lets different machines, running different operating systems, share files, so you can also think of it as a file server! An NFS server lets your PC mount a directory shared by the remote NFS host onto the local machine, so from the local machine's point of view the remote host's directory looks just like one of your own partitions. Very convenient!

As the figure above shows, once our NFS server is set up, the other clients can access the data on the server directly. That is, other personal computers can "mount the files or directories provided by the NFS server", and after mounting, the directory looks like a disk partition of your local machine: as long as the permissions allow it, you can use the usual disk and file commands such as cp, cd, mv, rm and so on. That is what makes it so convenient!

Then you may ask: "Hey! So which protocol does NFS use to transfer data?" Although NFS has its own port number and its own protocol, when data or other related messages are transferred, NFS relies on a protocol called Remote Procedure Call (RPC) to assist its own operation!

· What is RPC (Remote Procedure Call)

What is RPC? Taken literally, it means a program on one machine asking another machine to run a procedure for it. Ha ha! Don't worry about the name! Simply put, when we connect to some service remotely, certain information, such as the host's IP, the service's port number and the PID of the corresponding service, has to be managed and matched up for us! Managing these ports and matching them to the services that depend on them is exactly the task of Remote Procedure Call, RPC!

Now connect NFS with RPC. NFS itself does not define a protocol for transferring the data, yet NFS lets us share files. The reason is that NFS uses other related transport mechanisms for this, and those are provided through the so-called RPC function! In other words, NFS itself is a program that uses RPC; put bluntly, NFS can be regarded as an RPC server! At the same time, note that in some cases not only the NFS server has to start the RPC service, but the client machine that mounts the NFS partition has to start RPC as well! Only then can the server end and the client end find each other's program ports through the RPC protocol! OK! Simply put, NFS can be seen as a kind of RPC server, because it communicates with its programs through this protocol. ^_^

So why does NFS run on top of RPC? Because NFS is essentially a file system, and things like your users, your file contents, the shared directories and other file-related information change all the time. In that situation, using RPC, which can map program numbers to port numbers, is very convenient! In other words, NFS mainly manages the shared directories, and hands the transfer of information over to the RPC protocol! For more information about the NFS protocol you can refer to the pages below:
o http://www.faqs.org/rfcs/rfc1094.html
o http://www.tldp.org/howto/nfs-howto/index.html

· The RPC daemons NFS starts

An NFS server needs at least two daemons: one handles whether the client may log in, the other handles the file permissions the client gets after logging in to the host! They are:
o rpc.nfsd: this daemon's main job is to manage whether a client may log in to the host, which includes checking the login identity!
o rpc.mountd: this daemon's main job is to manage the NFS file system! After the client has logged in to the host through rpc.nfsd, and before it can use the files provided by the NFS server, it has to pass the file permission checks (that is, the usual -rwxrwxrwx bits together with the owner and group permissions)! rpc.mountd reads the NFS configuration file /etc/exports and compares it with the client's permissions; once that passes, the client obtains its permissions on the NFS files! (Note: this is also the place where we set how NFS is shared and how secure the sharing is!)
------------------------------------------------------------

Required packages

To start NFS we must have two packages:
o nfs-utils
o portmap

· portmap: as we just mentioned, our NFS acts as an RPC server program, and before starting any RPC server program we need to have the port mapping in place. That work is the job of the "portmap" service! In other words, before starting any RPC server we have to start portmap! So what does portmap do? Just as its name says, ha ha, it maps ports! For example, when a client wants to use a service provided by an RPC server, it first needs a port it can connect to, so the client goes to portmap first: "Hey! Can you tell me which port number to use, so I can contact the RPC program?" Portmap then tells the client the port, and the client can connect to the server! So: "Before starting NFS, please start portmap!"

· nfs-utils: the package that provides the two NFS daemons rpc.nfsd and rpc.mountd, together with the related documents and executables. This is the main NFS package; you must have it!

OK, now that we know we need these two packages, what do you do next? Go to your system and check with rpm whether these two packages are installed! If not, install them with rpm, otherwise nothing below will work!
------------------------------------------------------------

Server-side setup

In the introduction to NFS above I made it sound quite involved, wow! In fact it isn't! Why? Because portmap starts with a single startup script, and NFS runs smoothly as long as one file is set up! How can that not be simple? Ha ha! This NFS is really ... simple~

Before starting on NFS, let us first look at "resource sharing" in Windows:
1. On the Windows server, open the file manager, right-click a directory and enable sharing for it;
2. On the client, open Network Neighborhood and look for the directory on the network; then click the directory, and if you can log in to the Windows server you can use the files in that directory according to the permissions set in step one!

Ha ha! That's right! The whole NFS process is almost the same:
· First, confirm that your Linux host supports the NFS service, then set the source IP or host name of the users and the permissions of the shared directory, then start NFS to share the directory you just set up!
· How does the client use this shared directory? Just check whether the Linux server has an NFS directory this client may use; if so, mount it from the NFS host! Ha ha! Simple indeed!

So let us explain step by step how NFS is set up:
1. System requirements
2. /etc/exports
3. About permissions
4. Starting the services portmap and nfsd
5. exportfs
6. Checking /var/lib/nfs/xtab
7. showmount
8. Observing the port numbers in use

OK! Let us go through each item:

o System requirements: Huh? Does NFS have minimum hardware requirements? Ha ha! You misunderstand! The requirements here are actually "software requirements":
1. Besides the two packages we already mentioned, "portmap and nfs-utils", which must be present;
2. Your kernel version is best at 2.2.xx or newer;
3. In addition, if you recompile the kernel, you "must select" NFS support! If you use the kernel that came with your Linux distribution, you don't have to worry, because the system already supports it by default, so you can just go ahead and play! However, if you have recompiled your kernel and don't know how you compiled it (say you compiled it out of curiosity when you saw something new, and didn't pay attention to this option), then please check your kernel information, and look at the chapter "Kernel compilation"!

o /etc/exports: OK, after confirming that everything is OK, we can really play with NFS! This is really simple: one file does it! That is, edit the file /etc/exports; note that if this file does not exist, create it yourself! And make sure nothing in the file is written wrong! The content of this file is very simple. The rule is:

    [shared directory]   [host name 1](parameter 1,parameter 2)   [host name 2](parameter 3,parameter 4)

This line means: the directory is shared to host name 1 and host name 2, but the permissions given to them are not the same. Host name 1 gets parameter 1 and parameter 2, while the client at host name 2 gets parameter 3 and parameter 4. OK, so what are the main "parameters" for these "permissions"?
rw: read-write permission;
ro: read-only permission;
no_root_squash: if the user accessing the shared directory on the NFS host is root, then for this shared directory he has root permissions! This option is "extremely unsafe" and not recommended!
root_squash: if the user accessing the shared directory on the NFS host is root, his permissions are compressed to those of an anonymous user; usually his UID and GID become those of nobody;
all_squash: no matter who the user logging in to NFS is, his identity is compressed to the anonymous user, usually nobody!
anonuid: the UID of the anonymous user mentioned in the *_squash options above is usually nobody, but you can set this UID yourself! Of course, this UID must exist in your /etc/passwd!
anongid: like anonuid, but for the group ID!
sync: data is written to memory and to the hard disk synchronously;
async: data is held in memory temporarily rather than written directly to the hard disk!
Roughly speaking, those are the parameters!
Now let us work through a few examples:

Thinking 1: I want to share /tmp for everyone to use, because this directory is readable by everyone anyway, so I want everyone to be able to access it. In addition, I want root to keep root permissions when writing files there! Then I can write this:

    /tmp   *(rw,no_root_squash)

The * means any host may use my /tmp directory (* is the wildcard character!). Please note that there is no space inside *(rw,no_root_squash)! /tmp and *(rw,no_root_squash) are separated by whitespace! Pay special attention to the effect of no_root_squash!

Thinking 2: I want to open a public directory /home/public, but only my local network 192.168.0.0/24 may read and write; everyone else may only read:

    /home/public   192.168.0.0/24(rw)   *(ro)

Please note that in this example the format of the last entry applies too, so one line is enough! The example says that when my IP is in the 192.168.0.0/24 segment, I can read and write /home/public; if I am not in this network segment, I can only read the directory, it is read-only for me!

Thinking 3: I want to open a private directory /home/test to the client machine 192.168.0.100 only; then I must write this:

    /home/test   192.168.0.100(rw)

That is all! Moreover, only the machine 192.168.0.100 can access the /home/test directory!

Thinking 4: I want the hosts of the *.linux.org network to be able to access /home/linux when they log in, but when they save data I want their UID and GID to become the identity of user 40:

    /home/linux   *.linux.org(rw,all_squash,anonuid=40,anongid=40)

Pay special attention to the effect of all_squash together with anonuid and anongid! As a result, when test.linux.org logs in to this NFS host and writes a file into /home/linux, the owner of that file becomes whichever account has UID 40 in /etc/passwd!

o About permissions: permissions matter at all times! Let us look at the contents of the /etc/exports file we just built. Suppose I log in to this NFS host (assume its IP is 192.168.0.2) from 192.168.0.100, and I am the user test on 192.168.0.100, while the NFS host also has an account named test. If that is the case, then:
1. Since the permissions of /tmp on the NFS host 192.168.0.2 are -rwxrwxrwt, I (test on 192.168.0.100) can access /tmp, and the files I write are all owned by test;
2. In /home/public I have read-write permission, so if the permissions of the /home/public directory are open for writing by test, I can read and write, and the files I write are owned by test. But if /home/public does not open write permission for the user test, then I still have no way to write files into it! Pay special attention to this point!
3. In /home/test my permissions are the same as in /home/public: the NFS host's /home/test also has to open permissions for test.
4. /home/linux is more troublesome! Whoever you are, your identity becomes the account with uid=40! So the permissions of this directory must be modified for the account whose UID is 40!

So what if I am test2 on 192.168.0.100, but the NFS host 192.168.0.2 has no test2 account? What happens then?
1. I can write under /tmp, but the owner of the files I write becomes nobody;
2. I can write in /home/public, but that still depends on the permissions of /home/public, and in any case my identity is turned into nobody;
3. /home/test behaves the same as /home/public;
4. In /home/linux my identity is turned into the user with uid=40!

And what if I am root on 192.168.0.100? Every system has a root account! Ha ha! What do the permissions become?
1. I can write in /tmp, and because the no_root_squash parameter changed the default root_squash setting, everything written in /tmp is owned by root!
2. In /home/public my identity is still compressed, because root_squash is in the default attributes! So if /home/public opens permissions for nobody, I can write, but the file owner becomes nobody!
3. /home/test is the same as /home/public;
4. In /home/linux my root identity is also compressed into the user with UID=40!

Can you understand permissions after this? This is the most important part. If you get through this, there is no problem with what follows! ^_^

o Starting the services portmap and nfsd: OK, the settings are OK and the permissions are fine (no worries, you can go back and review and modify them any time!), so start them! How? Simple: just start them!
Portmap needs no configuration at all! Just start it directly! After it starts, a SunRPC service on port 111 appears: that is portmap! As for NFS, at least two daemons appear, and then they start listening for the clients' requests! After starting, please look in /var/log/messages to see whether they started correctly. When the expected messages appear, the services have started correctly!

o exportfs: OK, if we modify the /etc/exports file, do we need to restart NFS? Oh, no need: just use exportfs to re-read the /etc/exports file and the changes are loaded! So you should learn the usage of exportfs. Get familiar with this command! With it you can re-export the directories recorded in /etc/exports!

o Checking /var/lib/nfs/xtab: once you have shared your directories, how do you know the actual sharing permissions of each directory? Don't forget that there are a lot of default attributes! So you have to check the content of the directories you shared: look at the file /var/lib/nfs/xtab! It looks a bit like this: see it? Those are the default NFS attributes of the shared directory /home/test! There is one strange thing in those attributes, namely anonuid=-2. How can a UID be -2? Ha ha! It actually means 65536 - 2, that is, UID 65534! Check /etc/passwd and you will find, wow! That is nobody!

o showmount: as the name says, showmount shows what is mounted! How do you use it? Very simple! When you want to see the directories an NFS host is sharing, use showmount -e IP (or hostname)! Very convenient!

o Observing the port numbers in use: OK! Let us look at how many ports we opened after starting NFS. Note that we started two scripts, portmap and NFS! Look carefully: a lot of ports have been opened! Scary! First notice NFS's own port: that is port 2049, the main port of NFS. So what about the other rpc.xxxx ports? As mentioned before, an NFS server is a kind of RPC server, and NFS provides several programs, such as rpc.mountd, rpc.rquotad, rpc.nfsd ..., each of which needs a port! And these ports are "randomly generated", that is, the port numbers are not fixed: every time you restart NFS you get different port numbers! So how does the client know which port to connect to in order to call a program? Ha ha! That is the power of the port numbers generated by the portmap service of SunRPC (port 111)! The client first connects to SunRPC on that port to learn which port it should go to for the program it needs! So portmap has to be running for those daemons to be found. OK! With that, the server-side setup is done!
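Before moving on to the client, here is the permission walk-through from the /etc/exports section (test, test2 and root coming from 192.168.0.100) as runnable code. This is an added example, not code from the original page: it implements only what the text states (root_squash by default, no_root_squash, all_squash with anonuid/anongid, then the directory's own Unix mode), and it assumes NFS v2/v3 with the client's numeric uid/gid passed through and an anonymous identity of 65534, the anonuid=-2 value shown in xtab; the directory owners and modes are constructed.

```python
# Added example, not code from the original page: work out which identity an
# NFS client ends up with under the /etc/exports squash options, then check
# that identity against the exported directory's own Unix permissions.
# Assumptions: NFS v2/v3 with the client's numeric uid/gid passed through,
# and an anonymous identity of 65534 (the anonuid=-2 the page's xtab shows).
from dataclasses import dataclass

ANON_UID = 65534  # nobody: anonuid=-2 read as a 16-bit unsigned value
ANON_GID = 65534


def parse_options(option_string):
    """Turn 'rw,all_squash,anonuid=40' into {'rw': True, 'anonuid': '40', ...}."""
    opts = {}
    for item in option_string.split(","):
        key, _, value = item.strip().partition("=")
        if key:
            opts[key] = value or True
    return opts


def effective_identity(opts, client_uid, client_gid):
    """Apply the squash rules the text describes.

    root_squash is the default: only uid 0 is remapped to the anonymous user.
    all_squash remaps everyone; no_root_squash leaves root as root.
    """
    anon_uid = int(opts.get("anonuid", ANON_UID))
    anon_gid = int(opts.get("anongid", ANON_GID))
    if "all_squash" in opts:
        return anon_uid, anon_gid
    if client_uid == 0 and "no_root_squash" not in opts:
        return anon_uid, anon_gid
    return client_uid, client_gid


@dataclass
class Directory:
    """Constructed stand-in for the exported directory's owner, group and mode."""
    uid: int
    gid: int
    mode: int  # e.g. 0o1777 for /tmp, 0o755 for a root-owned directory


def can_write(opts, client_uid, client_gid, directory):
    """The export must say rw AND the squashed identity must pass Unix perms."""
    if "rw" not in opts:
        return False
    uid, gid = effective_identity(opts, client_uid, client_gid)
    if uid == 0:  # only reachable with no_root_squash
        return True
    if uid == directory.uid:
        return bool(directory.mode & 0o200)
    if gid == directory.gid:
        return bool(directory.mode & 0o020)
    return bool(directory.mode & 0o002)


if __name__ == "__main__":
    # root and test (uid 1000) from 192.168.0.100 against
    # /tmp *(rw,no_root_squash) and /home/public 192.168.0.0/24(rw),
    # with /home/public owned by root and mode 0755
    tmp = Directory(0, 0, 0o1777)
    public = Directory(0, 0, 0o755)
    print(effective_identity(parse_options("rw,no_root_squash"), 0, 0))     # (0, 0)
    print(effective_identity(parse_options("rw"), 0, 0))                    # (65534, 65534)
    print(can_write(parse_options("rw"), 0, 0, public))                     # False
    print(can_write(parse_options("rw"), 1000, 1000, public))               # False
    print(can_write(parse_options("rw,no_root_squash"), 1000, 1000, tmp))   # True
```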
------------------------------------------------------------

Client-side setup

Mounting the remote host: OK, the server end is set up, so naturally we have to use the client side to connect to it! What are the steps to connect to the server?
1. Scan the server for the directories you may use;
2. Create the mount point on the client's local disk;
3. Use mount to mount the directory shared by the remote host;
4. Troubleshooting (blocked by the firewall!?).

OK! So first we have to find out what the host shares. Suppose the host name is test.linux.org, and I want to know which directories it shares through NFS: just run showmount on it! And then? Suppose I want to mount /home/public under my /home/nfs/public; then I have to create that directory first! Then use the mount command to mount the /home/public directory. It goes a bit like this: pay attention to the format for mounting an NFS file system! Ha ha! That mounts it! Note that from now on, entering your directory /home/nfs/public is the same as entering /home/public on the remote host test.linux.org! Very nice! And how do you unmount the mounted NFS directory? Use umount!

Troubleshooting: the usual reasons a user cannot mount:
1. The user's permissions do not match: in the example above, my /home/test is only provided to the 192.168.0.0/24 domain, so if I am on the machine itself and mount it as localhost, the mount fails; there is nothing wrong with this permission concept! Try it yourself. If you see the message shown above, your host is not permitted to enter that directory! If you are sure your IP is correct, go back to /etc/exports and fix your IP there!
2. Forgot to start portmap: this is the easiest thing to forget, that is, forgetting to start the portmap service! In that case your mount message looks like this:
3. Blocked by the firewall: this is also easy to forget! You need to reset your firewall, which has two parts, iptables and tcp_wrappers! Because we start portmap, it needs two things: one is that port 111 must be reachable, so your iptables rules must open this port! It is something like adding these few lines to your iptables rules: or change them all to the domain you want to let use NFS! Got it? To learn more about the firewall, please refer to: Simple firewall construction.
------------------------------------------------------------

RPC server related commands

OK, since we know that NFS actually uses RPC, you of course also have to know what each RPC port is for! For that you need to know rpcinfo! Let us talk about this command! With it you can know the program behind each port number, and what programs this RPC server offers you! Of course, for rpcinfo to work, your portmap must really be running! Go on!

------------------------------------------------------------

Precautions when shutting down

Note that because the RPC used by NFS keeps the client connected to the host, shutting down your host can become a "mission impossible"! I still don't know the exact reason, but if clients are connected to your server and you want to shut down, you may have to wait several hours before it shuts down normally. Ah! Really? Don't believe it? Try it yourself! ^_^ So, when you want to shut down your NFS server, it is recommended to do two things first: "turn off portmap and NFS"! If you cannot get rid of these two daemons, find their PIDs with netstat -utlp and kill them first! That way the shutdown will complete normally! Please pay special attention to this!
------------------------------------------------------------

Security settings (blocked by the firewall)

OK! After the precautions, what is next? Right! The most important issue: security settings! So where can NFS be made safer? Actually there are quite a few places, seen from these angles:
1. iptables firewall settings;
2. tcp_wrappers firewall settings;
3. /etc/exports permission settings.

For the basic concepts of the firewall refer to the article "Simple Firewall Building"; you had better read that article first, otherwise it is really hard to understand what we are doing here~ Um! Suppose you have finished reading it, then let us build the firewall step by step!

· Use iptables to limit large-scale access: suppose our NFS is mainly for the internal network, and towards the outside it is open only to the academic network, that is, 140.0.0.0/8; then you can use syntax like this: roughly, it lets the class C domain 192.168.0.0/24 and 140.0.0.0/8 reach your host.

· Use tcp_wrappers to limit the range more finely: in fact, if you don't know how to set up iptables, it doesn't matter, we can use tcp_wrappers! Because to use NFS you must go through portmap (because you have to use RPC!), and portmap can be managed by tcp_wrappers! Ha ha! Great! Then you can limit its scope! We can specify the IPs and names of the hosts allowed to reach the NFS host in /etc/hosts.allow. Suppose the allowed hosts are the class C network 192.168.0.0/24, the host 140.116.44.125, and the ncku.edu.tw domain behind it; then I can write it like this: huh! That is all! Very simple!

· Use /etc/exports to set more secure permissions: this takes some thinking on your part! How you set it up is a matter of finding your own balance between "convenience" and "safety"! Use root_squash and all_squash, together with anonuid and the other settings, to specify the user identity of the users logging in to your host! That should give you a more secure NFS host!

· Client-side mounting: basically, the worry when the client mounts the share is that a file with the SUID permission bit stored on the NFS side could be executed, which may endanger the security of the system, because SUID is not very safe! So your root can also mount the directory shared by NFS in a more secure way: for example, choosing nosuid is a very good choice!

Our usual recommendation is: do not run an NFS server unless you must; and even if you do, it is best to share a directory only to a limited range! Also, "manage the user accounts carefully." Now let's set up a simple NFS server on your machine!
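The tcp_wrappers restriction on portmap described above, as an added example that is not from the original page: it evaluates hosts.allow / hosts.deny client patterns the way tcp_wrappers consults them, so a rule set can be checked before it goes live. The allow list follows the text's scenario (192.168.0.0/24, 140.116.44.125 and .ncku.edu.tw); the "portmap: ALL" line in hosts.deny is my assumption, because with hosts.allow alone nobody is turned away, and the hostname argument is assumed to be already verified by the caller.

```python
# Added example, not code from the original page: evaluate tcp_wrappers
# client patterns for the portmap service the way /etc/hosts.allow and
# /etc/hosts.deny are consulted, so a rule set can be checked before it
# goes live. The allow list follows the text's scenario; the "portmap: ALL"
# deny line is my assumption, because hosts.allow alone restricts nobody.
import ipaddress

# Constructed rule sets keyed by daemon name, one pattern list per service.
HOSTS_ALLOW = {"portmap": ["192.168.0.0/255.255.255.0", "140.116.44.125", ".ncku.edu.tw"]}
HOSTS_DENY = {"portmap": ["ALL"]}


def match_pattern(pattern, ip, hostname):
    """tcp_wrappers client patterns: ALL, an exact address, net/mask,
    a trailing-dot prefix such as 192.168.0. and a leading-dot domain
    suffix such as .ncku.edu.tw (hostname must already be verified)."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return hostname.endswith(pattern)
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if "/" in pattern:
        network, mask = pattern.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(
            f"{network}/{mask}", strict=False)
    return ip == pattern


def access_decision(service, ip, hostname="", allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is consulted first, then hosts.deny; no match anywhere
    means the connection is allowed, which is why the deny line matters."""
    if any(match_pattern(p, ip, hostname) for p in allow.get(service, [])):
        return "allow"
    if any(match_pattern(p, ip, hostname) for p in deny.get(service, [])):
        return "deny"
    return "allow"


if __name__ == "__main__":
    for ip, name in [("192.168.0.77", ""), ("140.116.44.125", ""),
                     ("140.116.44.126", ""), ("203.0.113.9", "www.ncku.edu.tw")]:
        print(ip, name or "-", access_decision("portmap", ip, name))
    # without the hosts.deny line everything slips through
    print("203.0.113.9 without deny:", access_decision("portmap", "203.0.113.9", deny={}))
```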
------------------------------------------------------------

Practical exercise

Assumed environment:
1. Suppose my Linux host is 192.168.0.100;
2. /tmp is to be shared as writable, without limiting the user's identity, to all Linux workstations in 192.168.0.0/24;
3. The directory /home/nfs is to be opened read-only, providing its contents to the workstations in the domain as well as others;
4. /home/upload is to be opened as the upload directory for the 192.168.0.0/24 domain; the owning user and group of /home/upload are both named nfs-upload, and their UID and GID are 210;
5. /home/andy is to be shared only to 192.168.0.50, for the use of the user andy; that is, andy has an account on both 192.168.0.50 and 192.168.0.100, and the account name is andy, so /home/andy is opened to andy as his home directory!

Field drill: OK, please don't look at the answer yet; first write it down on paper or do it directly on your own machine. Once you have the answer you want, compare it with the explanation below!
· First, build the content of the /etc/exports file; you can write it like this! It is roughly like this, and you can test it yourself!
· Next, set up the actual Linux permissions of each corresponding directory! Let's look: that solves the permission issue!
· Start the portmap and NFS services:
· Drill on the machine 192.168.0.50:
The whole procedure is roughly like that! Go on!

(Source: Bird Brother's private kitchen)
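As an added example (my code, not the author's), here is a small checker for /etc/exports lines in the format the server-side section describes, covering both the four "thinking" examples and this exercise. Its sample input is constructed: the four example lines as I read them, one possible answer of mine to the exercise (reading item 3 as read-only to the 192.168.0.0/24 workstations), and one line with the space-before-options mistake the text warns about in the /tmp example.

```python
# Added example, not code from the original page: lint /etc/exports lines.
# exportfs treats a token like "(rw)" that is separated from its host by a
# space as a separate entry for every host ("*"), which is the mistake the
# text warns about in the /tmp example.

# Constructed sample: the four "thinking" lines as I read them, one possible
# answer of mine to the exercise, and one deliberately broken line.
SAMPLE_EXPORTS = """\
# the four examples from the /etc/exports section
/tmp          *(rw,no_root_squash)
/home/public  192.168.0.0/24(rw) *(ro)
/home/test    192.168.0.100(rw)
/home/linux   *.linux.org(rw,all_squash,anonuid=40,anongid=40)
# one possible answer to the exercise (mine, not the author's)
/tmp          192.168.0.0/24(rw,no_root_squash)
/home/nfs     192.168.0.0/24(ro)
/home/upload  192.168.0.0/24(rw,all_squash,anonuid=210,anongid=210)
/home/andy    192.168.0.50(rw)
# the mistake the text warns about: a space before the option list
/srv/broken   192.168.0.0/24 (rw)
"""


def parse_exports_line(line):
    """Return (path, [(host, options, detached)]) or None for blank/comments.

    detached is True when the options token had no host in front of it,
    which exportfs reads as host "*" (every client).
    """
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    tokens = line.split()
    entries = []
    for tok in tokens[1:]:
        host, _, rest = tok.partition("(")
        options = [o for o in rest.rstrip(")").split(",") if o]
        entries.append((host or "*", options, host == ""))
    return tokens[0], entries


def lint_exports(text):
    """Return one warning string per problem, in file order."""
    warnings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = parse_exports_line(raw)
        if parsed is None:
            continue
        path, entries = parsed
        if not path.startswith("/"):
            warnings.append(f"line {lineno}: {path!r} is not an absolute path")
        for host, options, detached in entries:
            where = f"line {lineno} ({path}, host {host})"
            if detached:
                warnings.append(f"{where}: options {options} are separated "
                                "from the host by a space; exportfs applies "
                                "them to every host")
            if "no_root_squash" in options:
                warnings.append(f"{where}: no_root_squash lets a remote root "
                                "keep root on this directory")
            if host == "*" and "rw" in options:
                warnings.append(f"{where}: writable by any host")
    return warnings


if __name__ == "__main__":
    for warning in lint_exports(SAMPLE_EXPORTS):
        print(warning)
```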