Difference between revisions of "NFS for Beginners"

From NAS-Central Buffalo - The Linkstation Wiki
(mountd)
 
(9 intermediate revisions by 3 users not shown)
Line 29: Line 29:
 
This is the daemon which provides the access to the filesystem. It depends on the existance of the NFS filesystem mounted as "nfsd". If your kernel does not provide /proc/fs/nfsd you do not have a NFS kernel running (the opposite is not necessarily true).
 
This is the daemon which provides the access to the filesystem. It depends on the existance of the NFS filesystem mounted as "nfsd". If your kernel does not provide /proc/fs/nfsd you do not have a NFS kernel running (the opposite is not necessarily true).
  
Is nfsd not running, NFS will NOT work.
+
Without a running nfsd, NFS will NOT work.
  
 
=== mountd ===
 
=== mountd ===
 +
 
This is the daemon which checks if a client, which requests access to a directory, is allowed to access.
 
This is the daemon which checks if a client, which requests access to a directory, is allowed to access.
  
 
If mountd is not running, you will get an error message which tells you, that you have no permission to access.
 
If mountd is not running, you will get an error message which tells you, that you have no permission to access.
  
Without mountd running, NFS will NOT work.
+
Without a running mountd, NFS will NOT work.
  
 
=== statd ===
 
=== statd ===
Not yet written.
+
 
 +
This is the daemon which provides fucntionality for file locking (together with the lockd daemon) and crash recovery.
 +
 
 +
In current implementations of the "nfs-utils", statd starts the lockd daemon when needed.
 +
 
 +
Without a running statd, NFS will NOT work.
 +
 
 
=== exportfs ===
 
=== exportfs ===
Not yet written.
+
 
 +
This executable is used to administrate the directories which are exported via NFS during runtime.
 +
 
 +
If you change anything in /etc/exports you have to call exportfs to make the changes recognised by the running daemons.
 +
 
 
=== showmount ===
 
=== showmount ===
Not yet written.
+
 
 +
This executable is used to query the exported directories of a NFS server. Use IP address 127.0.0.1 to query the local NFS server.
  
 
== What belongs to the configuration and what is it used for? ==
 
== What belongs to the configuration and what is it used for? ==
  
 
=== /etc/exports ===
 
=== /etc/exports ===
Not yet written.
+
 
 +
This file contains the information which directory is available for remote clients.
 +
 
 +
Each line has an identical structure.
 +
 
 +
First you specify the directory you want to export (Note: this means ALWAYS also ALL subdirectories).
 +
Then you specify the clients and their export options. If you have more than one client, you separate them with a space.
 +
 
 
=== /etc/hosts.deny ===
 
=== /etc/hosts.deny ===
Not yet written.
+
 
 +
This file specifies which hosts you do not want to have access to your exports. (Note: this file is NOT for NFS only, but also used for all other services with the ability to provide remote access)
 +
 
 +
From a security point of view, you should deny access to ALL machines and explicitly allow access for the machines you trust via /etc/hosts.allow. The hosts.allow is evaluated first and whatever got allowance in hosts.allow can NOT be denied in hosts.deny later on.
 +
 
 +
Example /etc/hosts.deny with everything denied:
 +
  ALL : ALL
 +
 
 
=== /etc/hosts.allow ===
 
=== /etc/hosts.allow ===
Not yet written.
+
 
 +
This file specifies which hosts you want to allow access to your exports. (Note: this file is NOT for NFS only, but also used for all other services with the ability to provide remote access)
 +
 
 +
Example /etc/hosts.allow with a special handling of telnetd and sshd:
 +
  ALL EXCEPT in.telnetd in.sshd : 192.168.1.0/255.255.255.0
 +
  in.telnetd in.sshd : 192.168.1.11
 +
 
 +
This means that all machines having an IP address starting with 192.168.1. can access all services of the local machine except incoming telnetd and sshd.
 +
 
 +
Telnetd and sshd is remotely only available for the machine with IP address 192.168.1.11.
  
 
== Example configurations ==
 
== Example configurations ==
  
 
=== One directory for one machine ===
 
=== One directory for one machine ===
Not yet written.
+
/etc/hosts.deny
 +
  ALL : ALL
 +
 
 +
/etc/hosts.allow
 +
  ALL : 192.168.1.11
 +
 
 +
/etc/exports
 +
  /mnt/mymusic 192.168.1.11(ro)
 +
 
 +
Mount command on clients side:
 +
  mount -t nfs -o ro 192.168.1.139:/mnt/mymusic /mnt/LS-music
 +
 
 +
=== Three directories for one machine each ===
 +
/etc/hosts.deny
 +
  ALL : ALL
 +
 
 +
/etc/hosts.allow
 +
  ALL : 192.168.1.11 192.168.1.12 192.168.1.13
 +
 
 +
/etc/exports
 +
  /mnt/mymusic 192.168.1.11(ro)
 +
  /mnt/backup.12 192.168.1.12(rw)
 +
  /mnt/backup.13 192.168.1.13(rw)
 +
 
 +
Mount command on clients side:
 +
  mount -t nfs -o ro 192.168.1.139:/mnt/mymusic /mnt/LS-music
 +
 
 
=== One directory for three machines ===
 
=== One directory for three machines ===
Not yet written.
+
/etc/hosts.deny
=== One directory for all machines in a specific subnet ===
+
  ALL : ALL
Not yet written.
+
 
 +
/etc/hosts.allow
 +
  ALL : 192.168.1.11 192.168.1.12 192.168.1.13
 +
 
 +
/etc/exports
 +
  /mnt/mymusic 192.168.1.11(ro) 192.168.1.12(ro) 192.168.1.13(rw)
 +
 
 +
Mount command on clients side:
 +
  mount -t nfs -o ro 192.168.1.139:/mnt/mymusic /mnt/LS-music
 +
 
 +
=== One directory for all machines in a specific subnet and one directory for one machine only ===
 +
/etc/hosts.deny
 +
  ALL : ALL
 +
 
 +
/etc/hosts.allow
 +
  ALL : 192.168.0.0/255.255.0.0
 +
 
 +
/etc/exports
 +
  /mnt/mymusic 192.168.0.0/255.255.0.0(ro)
 +
  /mnt/mymovies 192.168.1.13(rw)
 +
 
 +
Note: The configuration of /etc/hosts.allow and /etc/exports does NOT depend on each other. You can allow host access to machines which are not mentioned in /etc/exports and vice versa! It is YOUR duty to make a configuration which makes sense! Hosts not allowed to access services do NOT get access because of an entry within /etc/exports!
 +
 
 +
Mount command on clients side:
 +
  mount -t nfs -o ro 192.168.1.139:/mnt/mymusic /mnt/LS-music
 +
  mount -t nfs -o rw 192.168.1.139:/mnt/mymovies /mnt/LS-movies
 +
 
 
=== Fully open to everyone (no security at all) ===
 
=== Fully open to everyone (no security at all) ===
Not yet written.
+
 
 +
Allow everyone to access any service.
 +
 
 +
/etc/hosts.deny
 +
  ALL : ALL
 +
 
 +
/etc/hosts.allow
 +
  ALL : ALL
 +
 
 +
Export the directory to everyone.
 +
 
 +
/etc/exports
 +
  /mnt/mymusic 0.0.0.0/0.0.0.0(rw)
 +
 
 +
=== Most common usage ===
 +
 
 +
Allow the complete local network to access services.
 +
 
 +
/etc/hosts.deny
 +
  ALL : ALL
 +
 
 +
/etc/hosts.allow
 +
  ALL : 192.168.0.0/255.255.0.0
 +
 
 +
Export two directories for the PVR.
 +
 
 +
/etc/exports
 +
  /mnt/mymusic 192.168.0.0/255.255.0.0(rw,sync,no_root_squash,no_subtree_check,insecure)
 +
  /mnt/mymovies 192.168.0.0/255.255.0.0(rw,sync,no_root_squash,no_subtree_check,insecure)
 +
 
 +
Mount command on clients side:
 +
  mount -t nfs -o rw,soft,nolock,udp,rsize=8192,wsize=8192 192.168.1.139:/mnt/mymusic /mnt/LS-music
 +
  mount -t nfs -o rw,soft,nolock,udp,rsize=8192,wsize=8192 192.168.1.139:/mnt/mymovies /mnt/LS-movies
  
 
== Some experiences ==
 
== Some experiences ==
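Review bot: In the "Most common usage" example, both /etc/exports lines grant rw together with no_root_squash and insecure to the whole 192.168.0.0/255.255.0.0 range, and the added text never says what those options do. Because the section is presented as the configuration to copy, either explain each option next to the example or limit the export to the PVR's own address, as "One directory for one machine" does with 192.168.1.11(ro). Two smaller points: the new statd paragraph has a typo ("fucntionality"), and "Three directories for one machine each" shows a mount command for only one of its three exports.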
Line 71: Line 190:
 
I "solved" the problem by specifying the port as option of the mount command:
 
I "solved" the problem by specifying the port as option of the mount command:
 
   mount -t nfs -o port=2049,rw 192.168.1.1:/mnt/disk1/share /mnt/LS-share
 
   mount -t nfs -o port=2049,rw 192.168.1.1:/mnt/disk1/share /mnt/LS-share
 +
 +
[[Category:Howto]]

Latest revision as of 10:59, 5 February 2011


What is "NFS"?

For a full-blown explanation look here: [1]

NFS stands for "Network File System". It is used to mount a filesystem that lives on a remote machine so that it looks like a local directory. A popular "successor" is "iSCSI" (it is a successor only in the sense of "mounting a filesystem as if it were local").

One can distinguish between kernel based NFS and userland NFS.

Although userland NFS could be as good as kernel based NFS (except perhaps for a few percent of performance), there is currently NO full-blown NFS implementation for userland (at least I know of none). Some have the drawback of not supporting files bigger than 4GB, others do not support some other options, etc.

For kernel based NFS you need a kernel with NFS built in (either statically or as a loadable module). You can NOT run kernel based NFS with a kernel which was not enabled for NFS at compile time.

Even if you have a kernel with NFS built in, you are NOT ready to go yet. You also need some userland executables for a working setup.

These userland executables are called the "nfs-utils" package and consist of a bunch of applications (run once and exit) and daemons (background tasks). In addition to this package you also need a startup script which starts the daemons in the right order.

Last but not least, you have to do some configuration to allow access to the local filesystem via NFS.

What belongs to "nfs-utils" and what is it used for?

portmap

This executable is not really part of the "nfs-utils", but essential to get anything working.

NFS uses a method called "RPC" (Remote Procedure Call) to communicate between machines. The portmap executable is a kind of broker which provides the port numbers of specific services when queried remotely via RPC.

Without a running portmap, NFS will NOT work.

nfsd

This is the daemon which provides the access to the filesystem. It depends on the existence of the NFS filesystem mounted as "nfsd". If your kernel does not provide /proc/fs/nfsd you do not have an NFS kernel running (the opposite is not necessarily true).

Without a running nfsd, NFS will NOT work.

mountd

This is the daemon which checks whether a client requesting access to a directory is allowed to access it.

If mountd is not running, you will get an error message telling you that you have no permission to access the directory.

Without a running mountd, NFS will NOT work.

statd

This is the daemon which provides functionality for file locking (together with the lockd daemon) and crash recovery.

In current implementations of the "nfs-utils", statd starts the lockd daemon when needed.

Without a running statd, NFS will NOT work.

exportfs

This executable is used to administer, at runtime, the directories which are exported via NFS.

If you change anything in /etc/exports you have to call exportfs to make the changes recognised by the running daemons.

showmount

This executable is used to query the exported directories of an NFS server. Use IP address 127.0.0.1 to query the local NFS server.

What belongs to the configuration and what is it used for?

/etc/exports

This file specifies which directories are available to remote clients.

Each line has an identical structure.

First you specify the directory you want to export (Note: this means ALWAYS also ALL subdirectories). Then you specify the clients and their export options. If you have more than one client, you separate them with a space.

/etc/hosts.deny

This file specifies which hosts you do not want to have access to your exports. (Note: this file is NOT for NFS only, but also used for all other services with the ability to provide remote access)

From a security point of view, you should deny access to ALL machines and explicitly allow access for the machines you trust via /etc/hosts.allow. The hosts.allow file is evaluated first, and whatever is allowed in hosts.allow can NOT be denied in hosts.deny later on.

Example /etc/hosts.deny with everything denied:

 ALL : ALL

/etc/hosts.allow

This file specifies which hosts you want to allow access to your exports. (Note: this file is NOT for NFS only, but also used for all other services with the ability to provide remote access)

Example /etc/hosts.allow with a special handling of telnetd and sshd:

 ALL EXCEPT in.telnetd in.sshd : 192.168.1.0/255.255.255.0
 in.telnetd in.sshd : 192.168.1.11

This means that all machines having an IP address starting with 192.168.1. can access all services of the local machine except incoming telnetd and sshd.

Telnetd and sshd are remotely available only to the machine with IP address 192.168.1.11.
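The evaluation order described above (hosts.allow first, then hosts.deny, otherwise access is granted) can be modelled in a few lines. This is an added example, not part of the original wiki page; it is a simplified model that only understands ALL, EXCEPT in the daemon list, single IPv4 addresses and net/mask patterns, and the daemon name "mountd" and the client addresses used to exercise it are sample values.

```python
import ipaddress

def _client_matches(pattern, ip):
    """Match one client pattern: ALL, a single IP, or net/mask."""
    if pattern == "ALL":
        return True
    # strict=False tolerates host bits set in the network part
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)

def _daemon_matches(daemon_list, daemon):
    """Match a daemon list, honouring 'list_1 EXCEPT list_2'."""
    wanted, _, excluded = daemon_list.partition(" EXCEPT ")
    def hit(names):
        return any(n in ("ALL", daemon) for n in names.replace(",", " ").split())
    return hit(wanted) and not hit(excluded)

def _file_matches(text, daemon, ip):
    """True if any 'daemons : clients' rule in the file matches the pair."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = (part.strip() for part in line.split(":")[:2])
        if _daemon_matches(daemons, daemon) and any(
                _client_matches(c, ip) for c in clients.replace(",", " ").split()):
            return True
    return False

def access_granted(hosts_allow, hosts_deny, daemon, ip):
    """hosts.allow is consulted first, then hosts.deny; the default is allow."""
    if _file_matches(hosts_allow, daemon, ip):
        return True
    return not _file_matches(hosts_deny, daemon, ip)

# Constructed from the example files shown on this page
HOSTS_ALLOW = """\
ALL EXCEPT in.telnetd in.sshd : 192.168.1.0/255.255.255.0
in.telnetd in.sshd : 192.168.1.11
"""
HOSTS_DENY = "ALL : ALL\n"

if __name__ == "__main__":
    for daemon, ip in [("mountd", "192.168.1.50"), ("in.sshd", "192.168.1.50"),
                       ("in.sshd", "192.168.1.11"), ("mountd", "10.0.0.5")]:
        print(daemon, ip, access_granted(HOSTS_ALLOW, HOSTS_DENY, daemon, ip))
```

With an empty hosts.deny the last case flips to allowed, which is why the page recommends `ALL : ALL` there.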

Example configurations

One directory for one machine

/etc/hosts.deny

 ALL : ALL

/etc/hosts.allow

 ALL : 192.168.1.11

/etc/exports

 /mnt/mymusic 192.168.1.11(ro)

Mount command on the client side:

 mount -t nfs -o ro 192.168.1.139:/mnt/mymusic /mnt/LS-music

Three directories for one machine each

/etc/hosts.deny

 ALL : ALL

/etc/hosts.allow

 ALL : 192.168.1.11 192.168.1.12 192.168.1.13

/etc/exports

 /mnt/mymusic 192.168.1.11(ro)
 /mnt/backup.12 192.168.1.12(rw)
 /mnt/backup.13 192.168.1.13(rw)

Mount command on the client side:

 mount -t nfs -o ro 192.168.1.139:/mnt/mymusic /mnt/LS-music

One directory for three machines

/etc/hosts.deny

 ALL : ALL

/etc/hosts.allow

 ALL : 192.168.1.11 192.168.1.12 192.168.1.13

/etc/exports

 /mnt/mymusic 192.168.1.11(ro) 192.168.1.12(ro) 192.168.1.13(rw)

Mount command on the client side:

 mount -t nfs -o ro 192.168.1.139:/mnt/mymusic /mnt/LS-music

One directory for all machines in a specific subnet and one directory for one machine only

/etc/hosts.deny

 ALL : ALL

/etc/hosts.allow

 ALL : 192.168.0.0/255.255.0.0

/etc/exports

 /mnt/mymusic 192.168.0.0/255.255.0.0(ro)
 /mnt/mymovies 192.168.1.13(rw)

Note: The configurations of /etc/hosts.allow and /etc/exports do NOT depend on each other. You can allow host access to machines which are not mentioned in /etc/exports and vice versa! It is YOUR duty to make a configuration which makes sense! Hosts not allowed to access services do NOT get access because of an entry within /etc/exports!

Mount command on the client side:

 mount -t nfs -o ro 192.168.1.139:/mnt/mymusic /mnt/LS-music
 mount -t nfs -o rw 192.168.1.139:/mnt/mymovies /mnt/LS-movies

Fully open to everyone (no security at all)

Allow everyone to access any service.

/etc/hosts.deny

 ALL : ALL

/etc/hosts.allow

 ALL : ALL

Export the directory to everyone.

/etc/exports

 /mnt/mymusic 0.0.0.0/0.0.0.0(rw)

Most common usage

Allow the complete local network to access services.

/etc/hosts.deny

 ALL : ALL

/etc/hosts.allow

 ALL : 192.168.0.0/255.255.0.0

Export two directories for the PVR.

/etc/exports

 /mnt/mymusic 192.168.0.0/255.255.0.0(rw,sync,no_root_squash,no_subtree_check,insecure)
 /mnt/mymovies 192.168.0.0/255.255.0.0(rw,sync,no_root_squash,no_subtree_check,insecure)

Mount command on the client side:

 mount -t nfs -o rw,soft,nolock,udp,rsize=8192,wsize=8192 192.168.1.139:/mnt/mymusic /mnt/LS-music
 mount -t nfs -o rw,soft,nolock,udp,rsize=8192,wsize=8192 192.168.1.139:/mnt/mymovies /mnt/LS-movies
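The export lines in "Fully open to everyone" and "Most common usage" differ from the earlier examples in how many clients they cover and in the options they grant. The following added example (not part of the original wiki page) parses /etc/exports text in the format described above and reports writable exports to large address ranges plus the options no_root_squash and insecure; the 256-address threshold and the function names are assumptions made for this illustration.

```python
import ipaddress

# Options from the page's examples that widen what a client may do.
RISKY = {
    "no_root_squash": "root on the client is root on the export",
    "insecure": "requests from source ports >= 1024 are accepted",
}

def parse_exports(text):
    """Yield (path, client, options) for every client entry."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *entries = line.split()
        for entry in entries:
            client, _, rest = entry.partition("(")
            opts = [o for o in rest.rstrip(")").split(",") if o]
            yield path, client, opts

def address_count(client):
    """Number of IPv4 addresses a client spec covers; None for hostnames."""
    if client in ("", "*"):
        return 2 ** 32  # no client or '*' means everyone
    try:
        return ipaddress.ip_network(client, strict=False).num_addresses
    except ValueError:
        return None  # hostname, wildcard or netgroup: not sized here

def audit_exports(text, max_hosts=256):
    """Return (path, client, finding) for broad writable or privileged exports."""
    findings = []
    for path, client, opts in parse_exports(text):
        count = address_count(client)
        if "rw" in opts and count is not None and count > max_hosts:
            findings.append((path, client, f"rw for {count} addresses"))
        findings += [(path, client, f"{o}: {RISKY[o]}") for o in opts if o in RISKY]
    return findings

# Constructed from export lines shown on this page
EXPORTS = """\
/mnt/mymusic 192.168.1.11(ro)
/mnt/mymusic 0.0.0.0/0.0.0.0(rw)
/mnt/mymovies 192.168.0.0/255.255.0.0(rw,sync,no_root_squash,no_subtree_check,insecure)
"""

if __name__ == "__main__":
    for finding in audit_exports(EXPORTS):
        print(*finding, sep="  ")
```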

Some experiences

I had problems connecting from an Ubuntu 8.04 machine via NFS to an LS. The Ubuntu machine sometimes saw the NFS service of the LS and sometimes not.

I "solved" the problem by specifying the port as option of the mount command:

 mount -t nfs -o port=2049,rw 192.168.1.1:/mnt/disk1/share /mnt/LS-share