
Network File System (NFS)


NFS allows remote hosts to mount file systems over a network and interact with them as though they were mounted locally.

1.      There are currently three versions of NFS in use: NFSv2, NFSv3 and NFSv4.

2.      NFSv2 is older and is widely supported. NFSv3 supports safe asynchronous writes and more robust error handling than NFSv2; it also supports 64-bit file sizes and offsets, allowing clients to access more than 2GB of file data.

3.      NFSv4 works through firewalls and on the Internet, no longer requires an “rpcbind” service, supports ACLs, and utilizes “stateful” operations. RHEL 6 supports NFSv2, NFSv3 and NFSv4 clients. When mounting a file system via NFS, Red Hat Enterprise Linux uses NFSv4 by default if the server supports it.

4.      All versions of NFS can use the “Transmission Control Protocol” (TCP) running over an IP network, with NFSv4 requiring it. NFSv2 and NFSv3 can use the “User Datagram Protocol” (UDP) running over an IP network to provide a “stateless” network connection between the client and server.

5.      Under RHEL, TCP on port 2049 is the default transport for NFSv2 and NFSv3. UDP can be used for compatibility purposes as needed, but is not recommended for wide usage. NFSv4 requires TCP.

Note:

1.      A “stateful” protocol expects a response. A “stateless” protocol doesn’t care.

Example

A stateless protocol is akin to a TV broadcast: the broadcast doesn’t care whether you watch it, whether you like it, whether you talk to it, and so on. The TV broadcast has no expectations.

TCP                                                          UDP
Reliable                                                     Unreliable
Connection-oriented                                          Connectionless
Segment retransmission and flow control through windowing    No windowing or retransmission
Segment sequence                                             No sequence
Acknowledges segments                                        No acknowledgement


2.      The “portmap” service was used to map RPC program numbers to IP address/port number combinations in earlier versions of RHEL. It is replaced by “rpcbind” in RHEL 6 to enable IPv6 support.

Configuration and status files
* /etc/exports
* /var/lib/nfs/rmtab
* /var/lib/nfs/xtab
* /etc/hosts.allow
* /etc/hosts.deny
Daemons
* rpc.portmap (rpcbind for RHEL 6)
* rpc.mountd
* rpc.nfsd
* rpc.statd
* rpc.lockd
* rpc.rquotad
Scripts and commands
* /etc/rc.d/init.d/nfs
* nfsstat
* showmount
* rpcinfo
* exportfs
Required Services

a>    nfs

“service nfs start” starts the NFS server and the appropriate RPC processes to service requests for shared NFS file systems.

b>    nfslock

“service nfslock start” activates a mandatory service that starts the appropriate RPC processes which allow NFS clients to lock files on the server.

c>    rpcbind

“rpcbind” accepts port reservations from local RPC services. These ports are then made available (or advertised) so the corresponding remote RPC services can access them. rpcbind responds to requests for RPC services and sets up connections to the requested RPC service. This is not used with NFSv4.

RPC services

rpc.mountd

This process is used by an NFS server to process MOUNT requests from NFSv2 and NFSv3 clients. It checks that the requested NFS share is currently exported by the NFS server, and that the client is allowed to access it. If the mount request is allowed, the rpc.mountd server replies with a Success status and provides the File-Handle for this NFS share back to the NFS client.

rpc.nfsd

rpc.nfsd allows explicit NFS versions and protocols the server advertises to be defined. It works with the Linux kernel to meet the dynamic demands of NFS clients, such as providing server threads each time an NFS client connects. This process corresponds to the nfs service.

lockd

lockd is a kernel thread which runs on both clients and servers. It implements the Network Lock Manager (NLM) protocol, which allows NFSv2 and NFSv3 clients to lock files on the server. It is started automatically whenever the NFS server is run and whenever an NFS file system is mounted.

rpc.statd

This process implements the Network Status Monitor (NSM) RPC protocol, which notifies NFS clients when an NFS server is restarted without being gracefully brought down. rpc.statd is started automatically by the nfslock service, and does not require user configuration. This is not used with NFSv4.

rpc.rquotad

This process provides user quota information for remote users. rpc.rquotad is started automatically by the nfs service and does not require user configuration.

rpc.idmapd

rpc.idmapd provides NFSv4 client and server upcalls, which map between on-the-wire NFSv4 names (which are strings in the form of user@domain) and local UIDs and GIDs. For idmapd to function with NFSv4, the /etc/idmapd.conf file must be configured. This service is required for use with NFSv4, although not when all hosts share the same DNS domain name.


Starting and Stopping NFS

[root@server1 Desktop]# service rpcbind start
[root@server1 Desktop]# service nfs start
Starting NFS services:                                     [  OK  ]
Starting NFS quotas:                                       [  OK  ]
Starting NFS daemon:                                       [  OK  ]
Starting NFS mountd:                                       [  OK  ]

nfslock must also be started for both the NFS client and server to function properly. To start NFS locking, use the following command:

[root@server1 Desktop]# service nfslock start

To have the three services start at boot:

[root@server1 Desktop]# chkconfig nfslock on
[root@server1 Desktop]# chkconfig nfs on
[root@server1 Desktop]# chkconfig rpcbind on

 

NFS Configuration

There are two ways to configure an NFS server:

a>     By manually editing the NFS configuration file, i.e. /etc/exports

b>    Through the command line, i.e. through “exportfs”

The “/etc/exports” configuration file

Refer to “man exports” for details on the less-used options.


Export host(options)

Export   –  the directory being exported
Host     –  the host or network to which the export is being shared
Options  –  the options to be used for that host

A directory can be exported to several hosts on one line, each with its own options:

Export host1(options1) host2(options2) host3(options3)

Examples

/exported/directory    server1.example.com

The default settings are (ro, sync, wdelay, root_squash).

Commonly used options: ro, rw, sync, async, wdelay, no_wdelay, root_squash, no_root_squash


By default, access control lists ( ACLs) are supported by NFS under Red Hat Enterprise Linux. To disable this feature, specify the no_acl option when exporting the file system.

 

ro               –  read only
rw               –  read, write
sync             –  the server will only acknowledge data after it’s written out to the disk.
async            –  the server will acknowledge data before it’s committed to disk, which can lead to data corruption if the server crashes.
wdelay           –  the NFS server will delay writing to the disk if it suspects another write request is imminent.
no_wdelay        –  disables wdelay
root_squash      –  the NFS server maps requests from the remote root user to the anonymous user ID nfsnobody.
no_root_squash   –  disables root_squash, so the remote root user is treated as root on the export

 

The exportfs command

Applies the shares listed in /etc/exports to the running NFS server.

Syntax:

exportfs [options]

-a   –  exports / unexports all directories
-r   –  re-exports all directories
-u   –  unexports one or more directories
-v   –  provides verbose output


Example:

[root@server1 Desktop]# mkdir /share

[root@server1 Desktop]# vim /etc/exports
/share   *.example.com(rw)
:wq!

[root@server1 Desktop]# exportfs -ar
[root@server1 Desktop]# exportfs -v
/share              *.example.com(rw,wdelay,root_squash,no_subtree_check)
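The exportfs -v output above shows how the defaults are filled in for an entry. The conditions a reviewer looks for in /etc/exports are the ones the option list describes (rw, async, no_root_squash) plus entries that reach every host. The following shell script is an added example, not part of the original notes: it lints an exports file for those conditions against a constructed sample file (the paths, hosts and the lint_exports / count_export_findings names are this example's own, not anything on the page). It goes one step beyond the page's option list by also flagging the whitespace pitfall documented in exports(5): a space between the host and its (options) makes the option list a separate entry with an empty host, which matches every client.

```shell
#!/bin/sh
# Added example (not from the original notes): lint an /etc/exports file for
# entries that weaken the defaults described above (ro, sync, root_squash).
# It runs against a constructed sample file, never the live /etc/exports.

# lint_exports FILE
# Prints one finding per line as "PATH HOST REASON"; prints nothing when clean.
lint_exports() {
    awk '
    /^[ \t]*#/ { next }                          # skip comment lines
    /^[ \t]*$/ { next }                          # skip blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            host = $i; opts = ""
            p = index(host, "(")
            if (p > 0) {                          # split "host(opt,opt)" into its parts
                opts = substr(host, p + 1); sub(/\)$/, "", opts)
                host = substr(host, 1, p - 1)
            }
            # "host (opts)" with a space: exportfs reads the option list as a
            # separate entry with an empty host, i.e. it applies to every client.
            if (host == "") {
                print path, "(no host)", "option list separated from its host by a space applies to every client"
                continue
            }
            rw = 0; norootsq = 0; async = 0
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "rw")             rw = 1
                if (o[j] == "no_root_squash") norootsq = 1
                if (o[j] == "async")          async = 1
            }
            if (host == "*") print path, host, (rw ? "read-write export to every host" : "export to every host")
            if (norootsq)    print path, host, "no_root_squash lets a remote root act as root on the export"
            if (async)       print path, host, "async acknowledges writes before they reach disk"
        }
    }' "$1"
}

# count_export_findings FILE -> number of findings (always exits 0)
count_export_findings() {
    lint_exports "$1" | awk 'END { print NR }'
}

# Constructed sample exports file for the demonstration (not a real config).
SAMPLE_EXPORTS=$(mktemp)
trap 'rm -f "$SAMPLE_EXPORTS"' EXIT
cat > "$SAMPLE_EXPORTS" <<'EOF'
# constructed sample, not a real /etc/exports
/share   *.example.com(rw)
/export  *(rw,no_root_squash)
/pub     192.168.1.0/24 (ro)
/data    192.168.1.0/24(rw,async)
/ok      server1.example.com
EOF

lint_exports "$SAMPLE_EXPORTS"
```

Run against the sample it reports four findings: the read-write wildcard export and the no_root_squash on /export, the stray "(ro)" on /pub that silently applies to everyone, and the async option on /data; the first and last entries are clean. On a real server, run it as `lint_exports /etc/exports` after editing and before `exportfs -ar`.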

Discovering the NFS exports

[root@server1 Desktop]# showmount -e
Export list for server1.example.com:
/share *.example.com

[root@client1 Desktop]# showmount -e server1.example.com
Export list for server1.example.com:
/share *.example.com

[root@client1 ~]# mkdir /nfs
[root@client1 ~]# mount -t nfs server1.example.com:/share /nfs
[root@client1 ~]# cd /nfs
[root@client1 nfs]# ll
total 0
-rw-rw-r--. 1 nobody    nobody    0 Nov 20 08:22 a
-rw-r--r--. 1 nfsnobody nfsnobody 0 Nov 20 08:23 b
-rw-rw-r--. 1 nobody    nobody    0 Nov 20 08:25 c
[root@client1 nfs]#


Mounting NFS File Systems using /etc/fstab

Syntax:

server:/remote/export /local/directory nfs options 0 0

Example:

[root@client1 ~]# vim /etc/fstab
192.168.1.100:/share      /nfs      nfs      defaults      0 0
:wq!

[root@client1 ~]# mount -a

[root@client1 ~]# mount | grep nfs
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
192.168.1.100:/share on /nfs type nfs (rw,vers=4,addr=192.168.1.100,clientaddr=192.168.1.101)


Mount options (given with -o, e.g. mount -o ro,nosuid,noexec …)

ro        Read only
rw        Mount the file system read and write; the server can still restrict this, in which case a warning is flagged
soft      if the server fails to respond, return an error after the timeout period (timeo=value) expires and don’t try again
hard      if the server fails to respond, retry until it does respond
bg        do the retries in background mode
user      Allow users to mount the filesystem
noexec    Don’t allow execution of files from this filesystem
nosuid    Don’t allow programs on this filesystem to run as setuid or setgid
-t fstype file system type of the remote partition to mount:
          ext2     Linux native
          nfs      NFS type
          iso9660  CDROM


Running NFS behind a Firewall

NFS requires rpcbind, which dynamically assigns ports for RPC services and can cause problems for configuring firewall rules. To allow clients to access NFS shares behind a firewall, edit the /etc/sysconfig/nfs configuration file to control which ports the required RPC services run on.

The /etc/sysconfig/nfs file may not exist by default on all systems. If it does not exist, create it and add the following variables, replacing port with an unused port number (alternatively, if the file exists, un-comment and change the default entries as required):

 

MOUNTD_PORT=port

Controls which TCP and UDP port mountd ( rpc.mountd) uses.

STATD_PORT=port

Controls which TCP and UDP port status ( rpc.statd) uses.

LOCKD_TCPPORT=port

Controls which TCP port nlockmgr ( lockd) uses.

LOCKD_UDPPORT=port

Controls which UDP port nlockmgr ( lockd) uses.

If NFS fails to start, check /var/log/messages. Normally, NFS will fail to start if you specify a port number that is already in use. After editing /etc/sysconfig/nfs, restart the NFS service using service nfs restart. Run the rpcinfo -p command to confirm the changes.

To configure a firewall to allow NFS, perform the following steps:

  1. Allow TCP and UDP port 2049 for NFS.
  2. Allow TCP and UDP port 111 (rpcbind/sunrpc).
  3. Allow the TCP and UDP port specified with MOUNTD_PORT=port.
  4. Allow the TCP and UDP port specified with STATD_PORT=port.
  5. Allow the TCP port specified with LOCKD_TCPPORT=port.
  6. Allow the UDP port specified with LOCKD_UDPPORT=port.

Note

To allow NFSv4.0 callbacks to pass through firewalls set /proc/sys/fs/nfs/nfs_callback_tcpport and allow the server to connect to that port on the client. This process is not needed for NFSv4.1 or higher, and the other ports for mountd, statd, and lockd are not required in a pure NFSv4 environment.

 

Troubleshooting NFS and rpcbind

[root@server1 Desktop]# rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  45999  status
    100024    1   tcp  59207  status
    100011    1   udp    875  rquotad
    100011    2   udp    875  rquotad
    100011    1   tcp    875  rquotad
    100011    2   tcp    875  rquotad
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    2   tcp   2049  nfs_acl
    100227    3   tcp   2049  nfs_acl
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100227    2   udp   2049  nfs_acl
    100227    3   udp   2049  nfs_acl
    100021    1   udp  56223  nlockmgr
    100021    3   udp  56223  nlockmgr
    100021    4   udp  56223  nlockmgr
    100021    1   tcp  58726  nlockmgr
    100021    3   tcp  58726  nlockmgr
    100021    4   tcp  58726  nlockmgr
    100005    1   udp  35175  mountd
    100005    1   tcp  45458  mountd
    100005    2   udp  37640  mountd
    100005    2   tcp  58572  mountd
    100005    3   udp  49202  mountd
    100005    3   tcp  36921  mountd
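The listing above shows status, nlockmgr and mountd on random ports, which is exactly what the /etc/sysconfig/nfs variables in “Running NFS behind a Firewall” are meant to pin down, and “Run the rpcinfo -p command to confirm the changes” is the check that they took effect. The following shell script is an added example, not part of the original notes: from a constructed /etc/sysconfig/nfs it derives the port list from the six firewall steps, prints the matching iptables rules for review (printed, not executed), and compares rpcinfo -p output against the configured ports so that a daemon still on a dynamic port after the restart is reported. The port values, temporary file names and function names (conf_get, needed_ports, firewall_rules, check_rpc_ports, count_mismatches) are this example's own; the sample rpcinfo output is abridged from the listing above.

```shell
#!/bin/sh
# Added example (not from the original notes): derive the firewall port list
# from /etc/sysconfig/nfs and verify it against "rpcinfo -p" output.
# All inputs are constructed samples written to temporary files below.

# conf_get FILE VAR -> value of an uncommented VAR=value line, "" if unset
conf_get() {
    grep "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2 | tr -d '"'
}

# needed_ports SYSCONFIG -> "proto port service" lines the firewall must allow
# (the six steps of the firewall section; "unpinned" marks a variable not set)
needed_ports() {
    m=$(conf_get "$1" MOUNTD_PORT)
    s=$(conf_get "$1" STATD_PORT)
    lt=$(conf_get "$1" LOCKD_TCPPORT)
    lu=$(conf_get "$1" LOCKD_UDPPORT)
    printf '%s\n' \
        "tcp 2049 nfs" "udp 2049 nfs" \
        "tcp 111 portmapper" "udp 111 portmapper" \
        "tcp ${m:-unpinned} mountd" "udp ${m:-unpinned} mountd" \
        "tcp ${s:-unpinned} status" "udp ${s:-unpinned} status" \
        "tcp ${lt:-unpinned} nlockmgr" "udp ${lu:-unpinned} nlockmgr"
}

# firewall_rules SYSCONFIG -> iptables commands to review (printed, not run)
firewall_rules() {
    needed_ports "$1" | while read -r proto port svc; do
        if [ "$port" = unpinned ]; then
            echo "# $svc/$proto has no fixed port in $1; pin it before adding a rule"
        else
            echo "iptables -I INPUT -p $proto --dport $port -j ACCEPT   # $svc"
        fi
    done
}

# check_rpc_ports SYSCONFIG RPCINFO_FILE
# Prints one MISMATCH line per (service, proto, port) that rpcinfo -p shows on
# a port other than the configured one; prints nothing when everything matches.
check_rpc_ports() {
    needed_ports "$1" | awk -v rpc="$2" '
        { want[$3 " " $1] = $2 }                        # key is "service proto"
        END {
            while ((getline line < rpc) > 0) {
                n = split(line, f, " ")
                if (n < 5 || f[1] == "program") continue # header or blank line
                key = f[5] " " f[3]
                if (key in want && want[key] != f[4] && !seen[key " " f[4]]++)
                    print "MISMATCH", f[5], f[3], "bound to", f[4], "expected", want[key]
            }
        }'
}

# count_mismatches SYSCONFIG RPCINFO_FILE -> number of MISMATCH lines
count_mismatches() {
    check_rpc_ports "$1" "$2" | awk 'END { print NR }'
}

# Constructed sample inputs; the port numbers are chosen for the demonstration.
CONF=$(mktemp); RPC_DYNAMIC=$(mktemp); RPC_PINNED=$(mktemp)
trap 'rm -f "$CONF" "$RPC_DYNAMIC" "$RPC_PINNED"' EXIT
cat > "$CONF" <<'EOF'
MOUNTD_PORT=892
STATD_PORT=662
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
EOF
# rpcinfo -p before pinning: abridged from the listing above (dynamic ports)
cat > "$RPC_DYNAMIC" <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100024    1   udp  45999  status
    100024    1   tcp  59207  status
    100003    4   tcp   2049  nfs
    100021    4   udp  56223  nlockmgr
    100021    4   tcp  58726  nlockmgr
    100005    3   udp  49202  mountd
    100005    3   tcp  36921  mountd
EOF
# rpcinfo -p as it would look after "service nfs restart" with the ports above
sed -e 's/45999/662/; s/59207/662/; s/56223/32769/; s/58726/32803/; s/49202/892/; s/36921/892/' \
    "$RPC_DYNAMIC" > "$RPC_PINNED"

firewall_rules "$CONF"
check_rpc_ports "$CONF" "$RPC_DYNAMIC"
```

Against the dynamic listing the check reports six mismatches (status, nlockmgr and mountd, each on TCP and UDP); against the pinned listing it reports none, which is the state to reach before the rules are loaded. On a live server the same comparison is `rpcinfo -p > /tmp/rpc.txt; check_rpc_ports /etc/sysconfig/nfs /tmp/rpc.txt`.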

 

 

NFS with SELinux

SELinux Boolean settings

[root@server1 ~]# getsebool -a | grep nfs
allow_ftpd_use_nfs --> off
allow_nfsd_anon_write --> off
cobbler_use_nfs --> off
git_system_use_nfs --> off
httpd_use_nfs --> off
nfs_export_all_ro --> on
nfs_export_all_rw --> on
qemu_use_nfs --> on
samba_share_nfs --> off
use_nfs_home_dirs --> on
virt_use_nfs --> off
xen_use_nfs --> off


The semanage command requires the policycoreutils packages:

[root@server1 ~]# yum install policycoreutils*

[root@server1 ~]# semanage boolean -l | grep nfs
xen_use_nfs                    -> off   Allow xen to manage nfs files
virt_use_nfs                   -> off   Allow virt to manage nfs files
use_nfs_home_dirs              -> on    Support NFS home directories
allow_ftpd_use_nfs             -> off   Allow ftp servers to use nfs used for public file transfer services.
git_system_use_nfs             -> off   Allow Git daemon system to access nfs file systems.
qemu_use_nfs                   -> on    Allow qemu to use nfs file systems
cdrecord_read_content          -> off   Allow cdrecord to read various content. nfs, samba, removable devices, user temp and untrusted content files
allow_nfsd_anon_write          -> off   Allow nfs servers to modify public files used for public file transfer services.  Files/Directories must be labeled public_content_rw_t.
cobbler_use_nfs                -> off   Allow Cobbler to access nfs file systems.
httpd_use_nfs                  -> off   Allow httpd to access nfs file systems
samba_share_nfs                -> off   Allow samba to export NFS volumes.
nfs_export_all_rw              -> on    Allow any files/directories to be exported read/write via NFS.
nfs_export_all_ro              -> on    Allow any files/directories to be exported read/only via NFS.


To show that SELinux is still able to block access even when Linux permissions are completely open, give the /share directory full Linux access rights for all users:

[root@server1 ~]# chmod 777 /share
[root@server1 ~]# setsebool -P nfs_export_all_rw on


SELinux file context label

By default, mounted NFS file systems on the client side are labeled with a default context defined by policy for NFS file systems. In common policies, this default context uses the nfs_t type. The following types are used with NFS. Different types allow you to configure flexible access:

var_lib_nfs_t

This type is used for existing and new files copied to or created in the /var/lib/nfs directory. This type should not need to be changed in normal operation. To restore changes to the default settings, run the restorecon -R -v /var/lib/nfs command as the root user.

nfsd_exec_t

The /usr/sbin/rpc.nfsd file is labeled with the nfsd_exec_t type, as are other system executables and libraries related to NFS. Users should not label any files with this type. nfsd_exec_t will transition to nfsd_t.

[root@client1 ~]# ls -dZ /nfs
drwxrwxrwx. root root system_u:object_r:nfs_t:s0       /nfs


NFS Server and Client example configuration

server1.example.com   –   192.168.1.100
client1.example.com   –   192.168.1.101


Check the NFS packages installed by default

[root@server1 ~]# rpm -qa nfs*
nfs4-acl-tools-0.3.3-5.el6.x86_64
nfs-utils-lib-1.1.5-4.el6.x86_64
nfs-utils-1.2.3-15.el6.x86_64

[root@server1 ~]# rpm -qa rpcbind*
rpcbind-0.2.0-8.el6.x86_64

[root@server1 ~]# rpm -qlc nfs-utils
/etc/nfsmount.conf
/etc/rc.d/init.d/nfs
/etc/rc.d/init.d/nfslock
/etc/rc.d/init.d/rpcgssd
/etc/rc.d/init.d/rpcidmapd
/etc/rc.d/init.d/rpcsvcgssd
/etc/sysconfig/nfs
/var/lib/nfs/etab
/var/lib/nfs/rmtab
/var/lib/nfs/state
/var/lib/nfs/xtab


Create a shared directory and give full permission (777 is used here only so that the squashed nfsnobody user can write during the demonstration; a production export should rely on group ownership rather than a world-writable directory):

[root@server1 ~]# mkdir /share
[root@server1 ~]# chmod 777 /share
[root@server1 ~]# ll -dZ /share/
drwxrwxrwx. root root unconfined_u:object_r:default_t:s0 /share/

[root@server1 ~]# service nfs start
Starting NFS services:                                     [  OK  ]
Starting NFS quotas:                                       [  OK  ]
Starting NFS daemon:                                       [  OK  ]
Starting NFS mountd:                                       [  OK  ]

[root@server1 ~]# service rpcbind status
rpcbind (pid  2054) is running...

[root@server1 ~]# vim /etc/exports
/share   192.168.1.0/24(rw)
:wq!

[root@server1 ~]# showmount -e
Export list for server1.example.com:
/share 192.168.1.0/24

[root@server1 ~]# exportfs -ar
[root@server1 ~]# exportfs -v
/share                   192.168.1.0/24(rw,wdelay,root_squash,no_subtree_check)

[root@server1 ~]# getsebool -a | grep nfs
allow_ftpd_use_nfs --> off
allow_nfsd_anon_write --> off
cobbler_use_nfs --> off
git_system_use_nfs --> off
httpd_use_nfs --> off
nfs_export_all_ro --> on
nfs_export_all_rw --> on
qemu_use_nfs --> on
samba_share_nfs --> off
use_nfs_home_dirs --> on
virt_use_nfs --> off
xen_use_nfs --> off


Client-side mount steps

[root@client1 Desktop]# showmount -e server1.example.com
Export list for server1.example.com:
/share 192.168.1.0/24

[root@client1 Desktop]# mkdir /nfs

[root@client1 Desktop]# vim /etc/fstab
192.168.1.100:/share      /nfs      nfs      defaults      0 0
:wq!

[root@client1 Desktop]# mount -a

[root@client1 Desktop]# mount | grep nfs
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
192.168.1.100:/share on /nfs type nfs (rw,vers=4,addr=192.168.1.100,clientaddr=192.168.1.101)

[root@client1 Desktop]# ls -dZ /nfs
drwxrwxrwx. root root system_u:object_r:nfs_t:s0       /nfs

[root@client1 Desktop]# cd /nfs/
[root@client1 nfs]# touch a b c
[root@client1 nfs]# ll
total 0
-rw-r--r--. 1 nfsnobody nfsnobody 0 Nov 20 13:37 a
-rw-r--r--. 1 nfsnobody nfsnobody 0 Nov 20 13:37 b
-rw-r--r--. 1 nfsnobody nfsnobody 0 Nov 20 13:37 c

The files created as root on the client are owned by nfsnobody on the server because root_squash, one of the export defaults, maps the client’s root user to the anonymous user.

[root@client1 nfs]# rm -rf c

Advanced Practical:

To share the NFS server with different networks.

1) Assign the virtual IP.
2) Export the directory and assign the permissions.
3) Restart the service.
4) Try to connect from the client side.

* To assign the virtual IP.
# netconfig --device eth0:1
10.0.0.2 255.0.0.0

* Restart the service.
# service network restart

* To configure the export file.
# vim /etc/exports

/share 10.0.0.3/8(ro,sync)
/share 10.0.0.0/8(rw,sync)
/reliance 192.168.1.0/24(rw,sync)

* To create the directory.
# mkdir /reliance
# chmod 777 /reliance/

* To restart the service.
# service portmap restart        (service rpcbind restart on RHEL 6)
# service nfs restart

* To check.
# exportfs -rav

Client side configuration:

* To check from the client side.
# showmount -e (server IP)
# showmount -e 10.0.0.2

* To create the directory.
# mkdir /mount

* To mount the directory exported by the server.
# mount 10.0.0.2:/reliance /mount

* The directory should mount, but it is read-only.

Common NFS errors & solutions:

1. “Server Not Responding” message
2. “Access Denied” message
3. “Permission Denied” message
4. “Device Busy” message

(The /etc/rc.config.d/nfsconf and /sbin/init.d paths in this section are HP-UX ones; on RHEL 6 the equivalents are /etc/sysconfig/nfs and “service nfs start”, as shown earlier.)

Error 1: If You Receive an NFS “Server Not Responding” Message

Ping the NFS server from the client:

1. ping “nfs server name or IP”

2. /usr/bin/rpcinfo -p servername

The rpcinfo command should display the following processes:

* portmap
* nfs
* mountd
* status
* nlockmgr
* llockmgr

If any of these processes is not running, follow the steps below:

a. Make sure the /etc/rc.config.d/nfsconf file on the NFS server contains the following lines:

NFS_SERVER=1
START_MOUNTD=1

b. Make sure that the /etc/inetd.conf file on the NFS server does not contain a line to start rpc.mountd. If it does, make sure the START_MOUNTD variable in /etc/rc.config.d/nfsconf is set to 0.

c. Issue the following command on the NFS server to start all the necessary NFS processes:

# /sbin/init.d/nfs.server start

Error 2: If You Receive an “Access Denied” Message

a. Check whether the file system is exported:

# /usr/sbin/showmount -e server_name

(If it is not exported, edit the /etc/exports file on the NFS server, add the necessary entry and then run /usr/sbin/exportfs -a.)

Error 3: If You Receive a “Permission Denied” Message

a. Check the mount options in the /etc/fstab file on the NFS client. A directory you are attempting to write to may have been mounted read-only.

b. Issue the ls -l command to check the HP-UX permissions on the server directory and on the client directory that is the mount point. You may not be allowed access to the directory.

c. Issue the following command on the NFS server:

/usr/sbin/exportfs

Or, issue the following command on the NFS client:

/usr/sbin/showmount -e server_name

d. Check the export permissions on the exported directory. The directory may have been exported read-only to your client. The system administrator of the NFS server can use the remount mount option to mount the directory read/write without unmounting it.

Error 4: If You Receive a “Device Busy” Message

a. If you received the “device busy” message while attempting to mount a directory, try to access the mounted directory. If you can access it, then it is already mounted.

b. If you received the “device busy” message while attempting to unmount a directory, a user or process is currently using the directory. Wait until the process completes, or follow these steps:

1. Issue the following command to determine who is using the mounted directory:

/usr/sbin/fuser -cu local_mount_point

The fuser(1M) command will return a list of process IDs and user names that are currently using the directory mounted under local_mount_point. This will help you decide whether to kill the processes or wait for them to complete.

2. To kill all processes using the mounted directory, issue the following command:

/usr/sbin/fuser -ck local_mount_point

3. Try again to unmount the directory.