NFS for Beginners

From NAS-Central Buffalo - The Linkstation Wiki
Revision as of 12:02, 8 January 2010


What is "NFS"?

For a full-blown explanation look here: [1]

NFS stands for "Network File System". It is used to mount a filesystem on a remote machine so that it appears as a local directory. A popular "successor" is "iSCSI" (it is a successor only in the sense of "mounting a filesystem as if it were local").

One can distinguish between kernel based NFS and userland NFS.

Although userland NFS could be as good as kernel based NFS (apart from a few percent of performance), there is currently NO full-blown NFS implementation for userland (at least I know none). Some have the drawback of not supporting files bigger than 4GB, others do not support some other options, etc.

For kernel based NFS you need a kernel with NFS built into the kernel (either fixed or as a loadable module). You can NOT run kernel based NFS with a kernel that was not enabled for NFS at compile time.

If you have a kernel with NFS built in, you are still NOT ready to go. You also need some userland executables for a working setup.

These userland executables are called the "nfs-utils" package and consist of a bunch of applications (called once) and daemons (background tasks). In addition to this package you also need a startup script which starts the daemons in the right order.

Last but not least, you have to do some configuration to allow access to the local filesystem via NFS.

What belongs to "nfs-utils" and what is it used for?

portmap

This executable is not really part of the "nfs-utils", but essential to get anything working.

NFS uses a method called "RPC" (Remote Procedure Call) to communicate between machines. The portmap executable is a kind of broker which provides the port numbers of specific services when it is asked via RPC from a remote machine.

Without a running portmap, NFS will NOT work.

nfsd

This is the daemon which provides the access to the filesystem. It depends on the existence of the "nfsd" filesystem being mounted (at /proc/fs/nfsd). If your kernel does not provide /proc/fs/nfsd you do not have an NFS kernel running (the opposite is not necessarily true).

Without a running nfsd, NFS will NOT work.

mountd

This is the daemon which checks if a client, which requests access to a directory, is allowed to access.

If mountd is not running, you will get an error message telling you that you have no permission to access the directory.

Without a running mountd, NFS will NOT work.

statd

This is the daemon which provides functionality for file locking (together with the lockd daemon) and crash recovery.

In current implementations of the "nfs-utils", statd starts the lockd daemon when needed.

Without a running statd, NFS will NOT work.

exportfs

This executable is used to administrate the directories which are exported via NFS during runtime.

If you change anything in /etc/exports you have to call exportfs to make the changes recognised by the running daemons.

showmount

This executable is used to query the exported directories of an NFS server. Use IP address 127.0.0.1 to query the local NFS server.
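The daemons above all register themselves with portmap, so the quickest way to see which of them is missing is to read the registration table. The following POSIX shell functions are an added example (not from the wiki page): they take the text that "rpcinfo -p 127.0.0.1" prints and list every required service that is not registered. The sample output is constructed here to show a server where mountd is missing; the code assumes the usual five-column rpcinfo layout with the service name in the last column.

```shell
#!/bin/sh
# Constructed sample of "rpcinfo -p 127.0.0.1" output on a server where
# mountd was never registered with portmap (not output from a real LinkStation).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100024    1   udp  32769  status
    100021    1   udp  32770  nlockmgr'

# Services that must all be registered with portmap before NFS can work:
# portmap itself, nfsd, mountd, statd (status) and lockd (nlockmgr).
REQUIRED_RPC_SERVICES="portmapper nfs mountd status nlockmgr"

# missing_rpc_services "<rpcinfo -p output>"
# Prints, one per line, every required service absent from the table.
missing_rpc_services() {
  for svc in $REQUIRED_RPC_SERVICES; do
    # awk exits 0 when some row has the wanted name in column 5, else 1.
    printf '%s\n' "$1" | awk -v want="$svc" '$5 == want { found = 1 } END { exit !found }' \
      || echo "$svc"
  done
}

# nfs_rpc_ready "<rpcinfo -p output>" : exit 0 only when nothing is missing.
nfs_rpc_ready() {
  [ -z "$(missing_rpc_services "$1")" ]
}

# Stand-alone usage against the constructed sample; on a real server pipe in
# "rpcinfo -p 127.0.0.1" instead of the sample text.
if nfs_rpc_ready "$SAMPLE_RPCINFO"; then
  echo "all NFS RPC services registered"
else
  echo "missing:"; missing_rpc_services "$SAMPLE_RPCINFO"
fi
```

On a LinkStation the same check is "rpcinfo -p 127.0.0.1 | awk ...", and the error message you get from a client (no permission, no route, hanging mount) maps directly onto which name is missing from this list.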

What belongs to the configuration and what is it used for?

/etc/exports

This file contains the information which directory is available for remote clients.

Each line has an identical structure.

First you specify the directory you want to export (Note: this means ALWAYS also ALL subdirectories). Then you specify the clients and their export options. If you have more than one client, you separate them with a space.
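To make the line structure just described concrete, here is an added example (not code from the wiki page): a small POSIX shell parser run over a constructed /etc/exports, which also counts the entries a defender should look at first, namely exports to any host ("*") and exports with root_squash switched off via the no_root_squash option (both real exports options, but not mentioned on this page). One detail the parser handles on purpose: if you put a space between the client and its "(options)", exportfs reads the bare "(options)" token as applying to every host, so the constructed sample contains such a line and the parser reports it as client "*".

```shell
#!/bin/sh
# Constructed sample /etc/exports (not taken from a real LinkStation).
# The "192.168.1.14 (rw)" line shows the space-before-parenthesis pitfall.
SAMPLE_EXPORTS='# directory          client(options) [client(options) ...]
/mnt/disk1/share     192.168.1.11(rw,sync,root_squash)
/mnt/disk1/share     192.168.1.12(ro,sync) 192.168.1.13(ro,sync)
/mnt/disk1/public    192.168.1.0/255.255.255.0(ro,sync)
/mnt/disk1/media     192.168.1.14 (rw)
/mnt/disk1/open      *(rw,no_root_squash)'

# parse_exports "<exports text>"
# Prints one "directory client options" triple per line, comments stripped.
# A token that is only "(options)" has no host in front of it and therefore
# applies to every client; it is reported with client "*".
parse_exports() {
  printf '%s\n' "$1" | sed 's/#.*//' | awk 'NF >= 2 {
    for (i = 2; i <= NF; i++) {
      n = split($i, p, "(")
      client = (p[1] == "") ? "*" : p[1]
      opts = (n > 1) ? p[2] : "-"
      sub(/\)$/, "", opts)
      print $1, client, opts
    }
  }'
}

# count_exports "<exports text>" : number of directory/client pairs found.
count_exports() {
  parse_exports "$1" | awk 'END { print NR }'
}

# count_risky_exports "<exports text>"
# Counts pairs exported to any host or with root squashing disabled.
count_risky_exports() {
  parse_exports "$1" | awk '
    $2 == "*"                             { risky++; next }
    index("," $3 ",", ",no_root_squash,") { risky++ }
    END { print risky + 0 }'
}

# Stand-alone usage: list the parsed pairs, then the risky count.
parse_exports "$SAMPLE_EXPORTS"
echo "risky entries: $(count_risky_exports "$SAMPLE_EXPORTS")"
```

Run "parse_exports \"$(cat /etc/exports)\"" on the server to see how the daemons will actually read your file; every line whose client column shows "*" is reachable by any machine that can reach portmap at all.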

/etc/hosts.deny

This file specifies which hosts you do not want to have access to your exports. (Note: this file is NOT for NFS only, but also used for all other services with the ability to provide remote access)

From a security point of view, you should deny access to ALL machines and explicitly allow access for the machines you trust via /etc/hosts.allow. The hosts.allow is evaluated first and whatever got allowance in hosts.allow can NOT be denied in hosts.deny later on.

Example /etc/hosts.deny with everything denied:

 ALL : ALL

/etc/hosts.allow

This file specifies which hosts you want to allow access to your exports. (Note: this file is NOT for NFS only, but also used for all other services with the ability to provide remote access)

Example /etc/hosts.allow with a special handling of telnetd and sshd:

 ALL EXCEPT in.telnetd in.sshd : 192.168.1.0/255.255.255.0
 in.telnetd in.sshd : 192.168.1.11

This means that all machines having an IP address starting with 192.168.1. can access all services of the local machine except incoming telnetd and sshd.

Telnetd and sshd are only remotely available for the machine with IP address 192.168.1.11.
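The evaluation order described above (hosts.allow first, then hosts.deny, and access granted when neither file matches) is easy to get wrong when EXCEPT is involved, so here is an added example (not from the wiki page): a deliberately simplified POSIX shell model of that decision, run over exactly the two rule sets shown on this page. It understands ALL, EXCEPT in the daemon list, exact addresses and net/mask client patterns; real libwrap supports much more (hostnames, KNOWN/UNKNOWN/PARANOID, spawn commands), so treat this as a teaching model and use the tcpdmatch tool from the tcp_wrappers package when you need an authoritative answer. The daemon names, addresses and functions below are constructed for the example.

```shell
#!/bin/sh
# Rule sets taken from the examples on this page (constructed for the model).
HOSTS_ALLOW='ALL EXCEPT in.telnetd in.sshd : 192.168.1.0/255.255.255.0
in.telnetd in.sshd : 192.168.1.11'
HOSTS_DENY='ALL : ALL'

# ip_to_int A.B.C.D : dotted quad to a 32-bit integer (printf avoids
# scientific notation in awks that print large numbers with %.6g).
ip_to_int() {
  printf '%s\n' "$1" | awk -F. '{ printf "%.0f\n", $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 }'
}

# word_in_list WORD "w1 w2 ..." : true if WORD (or the wildcard ALL) is listed.
word_in_list() {
  for w in $2; do
    [ "$w" = "ALL" ] || [ "$w" = "$1" ] && return 0
  done
  return 1
}

# daemon_matches DAEMON "list [EXCEPT list]" : daemon list semantics.
daemon_matches() {
  case $2 in
    *" EXCEPT "*)
      word_in_list "$1" "${2%% EXCEPT *}" && ! word_in_list "$1" "${2#* EXCEPT }" ;;
    *) word_in_list "$1" "$2" ;;
  esac
}

# client_matches PATTERN IP : ALL, an exact address, or net/mask.
client_matches() {
  case $1 in
    ALL) return 0 ;;
    */*)
      a=$(ip_to_int "$2"); n=$(ip_to_int "${1%/*}"); m=$(ip_to_int "${1#*/}")
      [ $(( a & m )) -eq $(( n & m )) ] ;;
    *) [ "$1" = "$2" ] ;;
  esac
}

# rules_match "RULES" DAEMON IP : true if any "daemons : clients" line matches.
rules_match() {
  while IFS= read -r line; do
    case $line in ''|'#'*) continue ;; esac
    dlist=${line%%:*}; clist=${line#*:}
    daemon_matches "$2" "$dlist" || continue
    for pat in $clist; do
      client_matches "$pat" "$3" && return 0
    done
  done <<EOF
$1
EOF
  return 1
}

# access_decision DAEMON IP : prints allow or deny in libwrap order.
access_decision() {
  if rules_match "$HOSTS_ALLOW" "$1" "$2"; then echo allow
  elif rules_match "$HOSTS_DENY" "$1" "$2"; then echo deny
  else echo allow   # no rule matched in either file: access is granted
  fi
}

# Stand-alone usage: mountd is reachable from the subnet, sshd only from .11.
echo "mountd from 192.168.1.20: $(access_decision mountd 192.168.1.20)"
echo "in.sshd from 192.168.1.20: $(access_decision in.sshd 192.168.1.20)"
echo "in.sshd from 192.168.1.11: $(access_decision in.sshd 192.168.1.11)"
```

The last branch of access_decision is the reason the page recommends "ALL : ALL" in hosts.deny: with an empty hosts.deny, any daemon/client pair that hosts.allow does not mention is allowed, not refused.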

Example configurations

One directory for one machine

Not yet written.

One directory for three machines

Not yet written.

One directory for all machines in a specific subnet

Not yet written.

Fully open to everyone (no security at all)

Not yet written.

Some experiences

I had problems connecting from an Ubuntu 8.04 machine via NFS to a LS. The Ubuntu machine sometimes saw the NFS service of the LS and sometimes not.

I "solved" the problem by specifying the port as option of the mount command:

 mount -t nfs -o port=2049,rw 192.168.1.1:/mnt/disk1/share /mnt/LS-share