==============================================================================
Quick:
on server:
chkconfig nfs on
service nfs start
add the export to /etc/exports (no whitespace between the host and its
parenthesised option list), i.e.:
[root@fedor etc]# cat exports
/home/tlucciano 192.168.1.5(mp,rw,secure,no_subtree_check)
then run exportfs -a to publish it.
On client:
edit /etc/fstab and add a mount point, i.e. (device, mount point, type,
options, dump, pass):
twain.mydomain.com:/home/huckleberry /mnt/home nfs rw 0 0
then mount it with: mount /mnt/home
If the host and its option list are separated by whitespace, e.g.
"/home/tlucciano 192.168.1.5 (rw)", the result is: any nfs client can mount
the export, numerous errors in /var/log/messages, the listed options are
applied to all clients, and the client identified by the host specification
gets only the default mount options (not those specified in the parentheses).
A host can be specified as a single name, an NIS netgroup (@groupname), a
subnet using address/netmask form, or a group of hostnames using the
wildcard chars ? and *.
Multiple host(options) entries, separated by whitespace, are accepted,
enabling you to specify different export
options for a single dir depending on client.
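The host/option rules above, turned into a check you can run against a real
/etc/exports before re-exporting. This is an added example, not part of the
original notes: it word-splits each export line, treats a parenthesised option
list with no host in front of it as the "space before the paren" mistake, and
also flags the things a reviewer would object to (no client list, a bare "*"
host, no_root_squash, insecure). The sample exports file it writes is
constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original notes): lint an /etc/exports file for
# the mistakes described above. Every finding is printed as a "WARN ..." line.

# write a constructed sample exports file to the path given in $1
write_sample_exports() {
    cat > "$1" <<'EOF'
# constructed sample: one correct line followed by the classic mistakes
/home/tlucciano  192.168.1.5(rw,sync,no_subtree_check)
/srv/pub         192.168.1.5 (rw,sync)         # space before "(": options go to everyone
/srv/backup      *(rw,no_root_squash,sync)     # wildcard host and no_root_squash
/srv/anon                                      # no client list at all
/srv/lab         @lab(ro,sync) 10.0.0.0/24(rw,sync,insecure)
EOF
}

lint_exports() {   # $1 = exports-style file
    file=$1
    set -f          # no pathname expansion while word-splitting lines that contain "*"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}           # drop comments
        set -- $line               # $1 is the directory, the rest are host(options) words
        [ $# -eq 0 ] && continue
        dir=$1; shift
        if [ $# -eq 0 ]; then
            echo "WARN $dir: no client list, so every host may mount it with the defaults"
            continue
        fi
        for spec in "$@"; do
            host=${spec%%\(*}                   # text before the first "("
            opts=${spec#"$host"}                # the "(...)" part, if any
            opts=${opts#\(}; opts=${opts%\)}
            if [ -z "$host" ]; then
                echo "WARN $dir: '$spec' has no host in front of it (space before the parenthesis?): these options apply to ALL clients and the preceding host gets only the defaults"
            elif [ "$host" = '*' ]; then
                echo "WARN $dir: wildcard host '*' exports to every client with ($opts)"
            fi
            case ",$opts," in
                *,no_root_squash,*) echo "WARN $dir: no_root_squash for $host lets root on the client act as root on the server" ;;
            esac
            case ",$opts," in
                *,insecure,*) echo "WARN $dir: insecure for $host accepts requests from unprivileged source ports (any user on the client can forge them)" ;;
            esac
        done
    done < "$file"
    set +f
}

# number of findings, for use in scripts
export_warning_count() { lint_exports "$1" | awk 'END { print NR }'; }

# usage:
# f=$(mktemp); write_sample_exports "$f"; lint_exports "$f"; rm -f "$f"
```

Run it on the real file with lint_exports /etc/exports; the sample above yields
five findings, and the correctly written first line yields none.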
When you add a share to /etc/exports, the exportfs -r cmd re-reads the file
and adds the new dirs to the kernel's export table (and drops removed ones).
If modifying, moving, or deleting a share, it is safest to temporarily
unexport all filesystems first w/ the exportfs -ua cmd before re-exporting
the shares w/ the exportfs -a cmd (clients that still have the share mounted
will get errors while it is unexported, so do this in a maintenance window).
You can add a new export to etab (/var/lib/nfs/etab) and the kernel's
internal table of NFS exports without editing /etc/exports, using:
exportfs -o opts host:dir
i.e.:
# exportfs -o async,rw 192.168.0.3:/var/spool/mail
this exports /var/spool/mail with the async and rw options to host
192.168.0.3. It is exactly the same as this line in /etc/exports:
/var/spool/mail 192.168.0.3(async,rw)
except that it is not persistent: the next exportfs -r or nfs restart
rebuilds the table from /etc/exports and the manual export disappears.
Set fixed, otherwise unused ports for the noted services: rpc.lockd (tcp),
rpc.lockd (udp), rpc.mountd (tcp), rpc.statd (tcp). By default they get a
different dynamically assigned port on every start, which cannot be
firewalled.
Common choices for these: 32764, 32765, 32766, 32767
You will also need to designate a port for rpc.rquotad in /etc/services.
You need to make sure these ports, as well as tcp and udp port 111 for
portmap and tcp/udp 2049 for nfsd, are allowed thru firewalls from the
clients (and from nothing else).
Making NFS work with SELinux
- allow_gssd_read_tmp lets the RPCSEC_GSS daemon, rpc.gssd, read temporary
directories (it looks for Kerberos credential caches there); gssd is what
protects NFS using Kerberos 5.
- allow_nfsd_anon_write lets nfsd modify files labelled for public file
transfer services (public_content_rw_t).
- nfs_export_all_ro allows read-only export of any file or directory
regardless of its SELinux label.
- nfs_export_all_rw allows read-write export of any file or directory
regardless of its SELinux label.
To set these booleans, use the setsebool command (-P makes the change
persistent across reboots). I.e. to allow read-write export, run:
# setsebool -P nfs_export_all_rw 1
performance:
Eight kernel nfs daemon threads (the default) is usually sufficient for good
performance.
If the NFS server is busy, you may want to add threads through the
RPCNFSDCOUNT directive in /etc/sysconfig/nfs (read by the /etc/init.d/nfs
script), but remember that extra kernel threads consume kernel resources.
i.e. to double the default:
RPCNFSDCOUNT=16
NFS write performance can be extremely slow, because with the (default) sync
export option the server must commit each write to stable storage before
replying.
You can try specialized hardware w/ nonvolatile RAM. Data in such RAM isn't
lost if you have trouble with network connectivity, or a power failure.
In applications where data loss is not a big concern, you can try the async
export option. This makes NFS faster because the server acknowledges writes
as soon as they are in its cache, before they reach disk (a loss of power or
a server crash can then result in loss of data the client believes was
written).
host name lookups are performed frequently by the nfs server - you can start
the name service cache daemon (nscd) to speed up lookups.
SECURITY
- With the default AUTH_SYS authentication the server trusts the uid/gid the
client sends, so data accessible via nfs to any user can potentially be
accessed by any other user (anyone who is root on a client can become that
uid).
- Not even "secure NFS" (AUTH_DH, or Kerberos sec=krb5/krb5i) encrypts its
network traffic; it authenticates and at most integrity-protects. Only
sec=krb5p gives privacy.
- portmap has historically been prone to serious security holes. portmap is
not recommended on computers directly connected to the internet.
Use firewall settings to deny access to the portmapper and nfsd ports, except
from trusted hosts/networks.
Known ports: 111 portmapper (server and client), 2049 nfsd (server)
Fix the ports associated with NFS - this is possible in /etc/sysconfig/nfs
with the following variables, which are read by the /etc/init.d/nfs script
(you can choose different port numbers):
LOCKD_TCPPORT=32765
LOCKD_UDPPORT=32765
MOUNTD_PORT=32767
STATD_PORT=32766
Create a port for rquotad in /etc/services, then stop and restart the
rpc.rquotad daemon and the nfs/nfslock services.
(Use rpcinfo -p or a port scanner to verify the daemons came up on the
fixed ports.)
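The fixed-port settings above and the earlier firewall note (tcp/udp 111 and
2049 plus the pinned lockd/mountd/statd/rquotad ports) as an added example,
not from the original notes. It reads an /etc/sysconfig/nfs-style file, prints
iptables rules that admit those ports only from a trusted network and drop the
rest, and compares a saved "rpcinfo -p" listing against the same settings so
you can see whether a daemon ignored its pinned port. Assumptions: the
RQUOTAD_PORT variable (present in RHEL's /etc/sysconfig/nfs, whereas the notes
pin rquotad via /etc/services) is honoured if set; both input files are
constructed for the demo and the iptables commands are only printed, never
applied.

```shell
#!/bin/sh
# Added example (not from the original notes): derive firewall rules from the
# fixed-port settings in an /etc/sysconfig/nfs-style file and check a saved
# `rpcinfo -p` listing against the same settings. Inputs are constructed below.

write_sample_sysconfig() {   # constructed /etc/sysconfig/nfs fragment
    cat > "$1" <<'EOF'
# pinned ports so they can be firewalled (RQUOTAD_PORT is an assumed variable)
LOCKD_TCPPORT=32765
LOCKD_UDPPORT=32765
MOUNTD_PORT=32767
STATD_PORT=32766
RQUOTAD_PORT=875
EOF
}

write_sample_rpcinfo() {     # constructed `rpcinfo -p` output; rquotad ignored its pin
    cat > "$1" <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100021    1   udp  32765  nlockmgr
    100021    3   tcp  32765  nlockmgr
    100005    1   udp  32767  mountd
    100005    1   tcp  32767  mountd
    100024    1   udp  32766  status
    100011    1   udp  33842  rquotad
EOF
}

# last value assigned to KEY in a sysconfig-style file ($1 file, $2 key)
sysconfig_get() {
    val=
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        case "$line" in
            "$2"=*) val=${line#*=}; val=${val#\"}; val=${val%\"} ;;
        esac
    done < "$1"
    echo "$val"
}

# every port NFS needs: portmapper, nfsd and each pinned helper, one per line, deduplicated
nfs_ports() {   # $1 sysconfig file
    ports="111 2049"
    for key in LOCKD_TCPPORT LOCKD_UDPPORT MOUNTD_PORT STATD_PORT RQUOTAD_PORT; do
        p=$(sysconfig_get "$1" "$key")
        [ -n "$p" ] && ports="$ports $p"
    done
    printf '%s\n' $ports | sort -un
}

# iptables commands admitting NFS from one trusted network and dropping everyone else
nfs_firewall_rules() {   # $1 trusted CIDR, $2 sysconfig file
    for p in $(nfs_ports "$2"); do
        for proto in tcp udp; do
            echo "iptables -A INPUT -p $proto --dport $p -s $1 -j ACCEPT"
        done
    done
    for p in $(nfs_ports "$2"); do
        for proto in tcp udp; do
            echo "iptables -A INPUT -p $proto --dport $p -j DROP"
        done
    done
}

# compare an rpcinfo -p listing ($1) with the pinned ports ($2); prints one line per mismatch
check_rpc_ports() {
    while read -r prog vers proto port name; do
        case "$name" in
            nlockmgr) if [ "$proto" = tcp ]; then key=LOCKD_TCPPORT; else key=LOCKD_UDPPORT; fi ;;
            mountd)   key=MOUNTD_PORT ;;
            status)   key=STATD_PORT ;;
            rquotad)  key=RQUOTAD_PORT ;;
            *)        continue ;;       # portmapper and nfsd have well-known ports
        esac
        want=$(sysconfig_get "$2" "$key")
        [ "$port" = "$want" ] || echo "MISMATCH $name/$proto v$vers listens on $port, $key says ${want:-<unset>}"
    done < "$1"
}

# usage:
# c=$(mktemp); r=$(mktemp); write_sample_sysconfig "$c"; write_sample_rpcinfo "$r"
# nfs_firewall_rules 192.168.1.0/24 "$c"; check_rpc_ports "$r" "$c"; rm -f "$c" "$r"
```

On a live server feed it the real file: nfs_firewall_rules 192.168.1.0/24
/etc/sysconfig/nfs, and rpcinfo -p > /tmp/rpc.txt; check_rpc_ports
/tmp/rpc.txt /etc/sysconfig/nfs. The sample listing reports rquotad on 33842
instead of its pinned 875, which is exactly the case that would leave a hole
in (or be blocked by) the generated rules.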
on nfs server:
create group it (in /etc/group)
create /MIS dir
assign ownership: chown nobody:it /MIS (or use chgrp it /MIS)
set the SGID bit on /MIS so files created in it inherit the group:
chmod 2770 /MIS
or
chmod g+s /MIS
Update the /etc/exports file and run:
# exportfs -a
then restart nfs
Client:
make sure that the portmapper and the NFS file locking daemons statd and
lockd are available (on RHEL/Fedora of this era the portmap and nfslock
services), add entries to the client's /etc/fstab for the NFS exports and
mount the exports using the mount cmd.
On client:
Create a dir for the server share: /mnt/MIS