Accessing Network Storage with Network File System

There are a number of steps that need to be taken before Network File System (NFS) allows clients access to data. This article describes those steps and also guides the reader on some other aspects of NFS.

OpenSource For You

Network File System or NFS is an Internet standard protocol used by Linux, UNIX and similar operating systems as their native network file system. It is an open standard under active extension, which supports native Linux permissions and file system features. Red Hat Enterprise Linux 7 supports NFSv4 (version 4 of the protocol) by default, and falls back automatically to NFSv3 and NFSv2 if that is not available. NFSv4 uses the TCP protocol to communicate with the server, while older versions of NFS may use either TCP or UDP.

NFS servers export shared directories and NFS clients mount an exported share to a local mount point (directory). The local mount point must exist. NFS shares can be mounted in a number of ways:

Manual mounting using the mount command

Automatic mounting at boot time using /etc/fstab

Mounting on demand through a process known as automounting

Securing file access on NFS shares

NFS servers secure access to files using a number of methods, such as none, sys, krb5, krb5i and krb5p. The NFS server can choose to offer a single method or multiple methods for each exported share. NFS clients must connect to the exported share using one of the methods mandated for that share, specified as a mount option of the form sec=method.

Methods used to secure access to files

None: This gives anonymous access to the files, and writes to the server (if allowed) are performed with the UID and GID of nfsnobody.

Sys: This gives file access based on standard Linux file permissions for UID and GID values. If not specified, this is the default.

Krb5: Clients must prove their identity using Kerberos, and then standard Linux file permissions apply.

Krb5i: This adds a cryptographically strong guarantee that the data in each request has not been tampered with.

Krb5p: This adds encryption to all requests between the client and the server, preventing data exposure on the network. This has a performance impact.

Important: Kerberos options will require, as a minimum, a /etc/krb5.keytab and additional authentication configuration. The /etc/krb5.keytab will normally be provided by the authentication or security administrator. Request a keytab that includes either a host principal, an NFS principal, or (ideally) both.

NFS uses the nfs-secure service to help negotiate and manage communication with the server when connecting to Kerberos-secured shares. It must be running to use secured NFS shares; start and enable it to ensure it is always available.

# systemctl enable nfs-secure
# systemctl start nfs-secure

Note: The nfs-secure service is part of the nfs-utils package, which should be installed by default. If it is not installed, use the following command:

# yum -y install nfs-utils

Exporting NFS

The Network File System (NFS) is commonly used by UNIX systems and network attached storage devices to allow multiple clients to share access to files over the network. It provides access to shared directories or files from client systems.

NFS exports

An NFS server installation requires the nfs-utils package to be installed. It provides all the necessary utilities to export a directory with NFS to clients. The configuration file for NFS server exports is the /etc/exports file. This file lists the directories to share with client hosts over the network, and indicates which hosts or networks have access to each export.

Note: Instead of adding the information required for exporting directories to the /etc/exports file, a newly created file named *.exports can be added to the /etc/exports.d/ directory, holding the configuration of exports.

Warning: Exporting the same directory with NFS and Samba is not supported on Red Hat Enterprise Linux 7, because NFS and Samba use different file locking mechanisms, which can cause file corruption.

One or more clients can be listed, separated by a space, as any of the following:

1. DNS-resolvable host name, like server.example.com in the following example, where the /myshare directory is exported and can be mounted by server.example.com.

/myshare server.example.com

2. DNS-resolvable host name with the wildcards ‘*’ for multiple characters and ‘?’ for a single character. The following example allows all sub-domains in the example.com domain to access the NFS export:

/myshare *.example.com

3. DNS-resolvable host name with character class lists in square brackets. In this example, the hosts server1.example.com, server2.example.com, … and server20.example.com have access to the NFS export.

/myshare server[0-20].example.com

4. IPv4 address. The following example allows access to the /myshare NFS share from the 172.25.21.21 IP address.

/myshare 172.25.21.21

5. IPv4 network. This example shows a /etc/exports entry which allows access to the NFS-exported directory /myshare from the 172.25.0.0/16 network.

/myshare 172.25.0.0/16

6. IPv6 address without square brackets. The following example allows the client with the IPv6 address 2000:472:18:b51:c32:a21 access to the NFS-exported directory /myshare.

/myshare 2000:472:18:b51:c32:a21

7. IPv6 network without square brackets. This example allows the IPv6 network 2000:472:18:b51::/64 access to the NFS export.

/myshare 2000:472:18:b51::/64

8. A directory can be exported to multiple hosts simultaneously by specifying multiple targets with their options, separated by spaces, following the directory to export.

/myshare *.example.com 172.25.0.0/16

Optionally, there can be one or more export options specified in round brackets as a comma-separated list, directly following each client definition. Three commonly used export options are given below.

ro, read-only: This is the default setting when nothing is specified, and it may also be specified explicitly in an entry. It restricts the NFS clients to reading files on the NFS share; any write operation is prohibited. The following example explicitly states the ro flag for the desktop.example.com host.

/myshare desktop.example.com(ro)

rw, read-write: This allows read and write access for the NFS clients. In the following example, desktop.example.com is able to access the NFS export read-only, while server[0-20].example.com has read-write access to the NFS share.

/myshare desktop.example.com(ro) server[0-20].example.com(rw)
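As an added example that is not part of the article, the following Python script parses /etc/exports entries in the client formats listed above, reports which access (ro or rw) a given client would receive for a directory, and flags read-write exports whose client spec is a wildcard or a whole network. The sample exports file is constructed; the check uses the first matching client spec on a line, a simplification of the precedence rules exportfs applies when several specs match.

```python
import fnmatch
import ipaddress
# Constructed sample /etc/exports (not from the article). The last line has a space
# before "(rw)": exportfs then applies those options to every host (see exports(5)).
SAMPLE_EXPORTS = """\
/myshare   desktop.example.com(ro) server*.example.com(rw) 172.25.0.0/16(rw)
/public    *(ro)
/home      2000:472:18:b51::/64(rw,sync)
/srv/data  server.example.com (rw)
"""

def parse_exports(text):
    """Return [(directory, [(client_spec, [option, ...]), ...]), ...]."""
    entries = []
    for fields in filter(None, (ln.split("#", 1)[0].split() for ln in text.splitlines())):
        directory, *specs = fields                      # comments and blank lines skipped
        clients = []
        for spec in specs:
            client, sep, rest = spec.partition("(")
            options = [o for o in rest.rstrip(")").split(",") if o] if sep else []
            clients.append((client or "*", options))    # no client before "(" = everyone
        entries.append((directory, clients))
    return entries

def client_matches(spec, host, ip):
    """True if one client spec covers a client with this hostname and IP address."""
    if spec == "*":
        return True
    if "/" in spec or ":" in spec:                      # IPv4/IPv6 network or IPv6 address
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
        except ValueError:                              # malformed spec never matches
            return False
    if any(c in spec for c in "*?["):                   # hostname wildcard / character class
        return fnmatch.fnmatchcase(host, spec)
    return spec == host or spec == ip                   # plain hostname or IPv4 address

def access_for(entries, directory, host, ip):
    """'ro' or 'rw' from the first matching spec on the line; None means no access."""
    for d, clients in entries:
        for spec, options in (clients if d == directory else []):
            if client_matches(spec, host, ip):
                return "rw" if "rw" in options else "ro"  # ro is the default
    return None

def audit(entries):
    """Flag read-write exports whose client spec is a wildcard or a whole network."""
    return [f"{d}: rw export to broad client spec {s}" for d, clients in entries
            for s, o in clients if "rw" in o and ("*" in s or "?" in s or "/" in s)]
```

Running audit() on a real /etc/exports is a quick way to catch the stray-space mistake in the last sample line, which silently exports /srv/data read-write to every host.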
