Changes

From SME Server
3,518 bytes added ,  18:01, 3 May 2021
Line 1: Line 1: −
=How To use SME as an NFS server=
+
<blockquote style="float: right;">
 +
[[File:nfs.jpg|250px]]
 +
</blockquote>
   −
This came from a [http://forums.contribs.org/index.php?topic=45385 dtech post]
+
==Security and NFS==
about to use SME as a NFS server
+
Something interesting that will scare you http://www.tldp.org/HOWTO/NFS-HOWTO/security.html
   −
{{Note box| you have some documentation available for [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/ch-nfs.html CENTOS6] and [https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-nfs-client-config.html CENTOS5]}}
+
NB: the above link is rather vintage, but still worth reading. If you intend to share NFS over the Internet you'd best be extremely careful.
 +
===Version===
 +
{{#smeversion: smeserver-nfs }}
    
==Installation==
 
==Installation==
===for sme8===
+
===For SME8===
 
1. Install the smeserver-nfs contrib like this:
 
1. Install the smeserver-nfs contrib like this:
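Review bot: the new Security and NFS section opens with the sentence fragment "about to use SME as a NFS server", which is what is left of the deleted lead "This came from a [http://forums.contribs.org/index.php?topic=45385 dtech post]"; make it a full sentence (for example "Read this before you use SME as an NFS server:") and keep the forums.contribs.org link so the provenance of the instructions is not lost. The NB line tells readers to be "extremely careful" about sharing NFS over the Internet, while the Manual Settings section later in this diff states that shares cannot be opened to IPs outside the local networks at all; stating that restriction here would make the warning concrete. The CentOS 6/5 Note box removed here reappears under the new Documentation section, so that part is fine.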
   Line 13: Line 17:     
2. Then execute the following:
 
2. Then execute the following:
 +
 
*sme8
 
*sme8
 +
 
  config setprop nfs status enabled
 
  config setprop nfs status enabled
 
  config setprop portmap status enabled
 
  config setprop portmap status enabled
Line 36: Line 42:  
  showmount -e
 
  showmount -e
   −
{{Warning box|Make sure to leave a blank line at the end of the file.}}
+
{{Note box|Make sure to leave a blank line at the end of the file.}}
    
[http://www-uxsup.csx.cam.ac.uk/pub/doc/redhat/AS2.1/rhl-rg-en-7.2/s1-nfs-security.html securing NFS]  
 
[http://www-uxsup.csx.cam.ac.uk/pub/doc/redhat/AS2.1/rhl-rg-en-7.2/s1-nfs-security.html securing NFS]  
Line 46: Line 52:       −
==== Couple of notes whilst installing on SME8..... ====
+
=====Couple of notes whilst installing on SME8.....=====
 
  −
 
   
DB options as follows - status disabled by default :
 
DB options as follows - status disabled by default :
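Review bot: the heading is changed from ==== to =====, which makes "Couple of notes whilst installing on SME8....." a level-5 heading directly under the level-3 "===For SME8===", skipping level 4, while the matching SME9 notes later in this diff stay at level 4 ("====Couple of notes whilst installing on SME9.....===="). Keep both at level 4 so the two subsections render at the same depth in the table of contents.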
   Line 79: Line 83:     
However, I don't think this starts/restarts portmap, hence the reboot on install which should not really be necessary.
 
However, I don't think this starts/restarts portmap, hence the reboot on install which should not really be necessary.
===for sme9===
+
 
It is for really soon --[[User:Stephdl|Stephdl]] ([[User talk:Stephdl|talk]]) 00:18, 7 December 2014 (CET)
+
 
Remember to first configure the required [[stephdl]] repository, then issue the following command on the SME Server shell:
+
===For SME9 and SME10===
  yum install --enablerepo=stephdl smeserver-nfs
+
 
 +
  yum install --enablerepo=smecontribs smeserver-nfs
    
You need to activate the service
 
You need to activate the service
chkconfig nfs on
   
  signal-event nfs-update
 
  signal-event nfs-update
 
  config set UnsavedChanges no
 
  config set UnsavedChanges no
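Review bot: the heading is widened to "For SME9 and SME10" and the install line becomes "yum install --enablerepo=smecontribs smeserver-nfs", but the activation steps that follow ("chkconfig nfs on", "signal-event nfs-update") are unchanged and were written for SME9; the Documentation section lists SME10 as CentOS 7, so confirm that chkconfig still does the right thing there or document the SME10 equivalent. Also "chkconfig nfs on" lacks the leading spaces that put the other commands in a preformatted block, so it renders as prose; indent it like "  signal-event nfs-update".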
Line 93: Line 97:  
{{Note box | For security Reasons you can not enable Your NFS Share in ''''Read and Write, No Root Squash and Insecure'''' options for the whole local network, you have to specify each IP allowed for these insecure settings.}}
 
{{Note box | For security Reasons you can not enable Your NFS Share in ''''Read and Write, No Root Squash and Insecure'''' options for the whole local network, you have to specify each IP allowed for these insecure settings.}}
   −
If you want modify the Group Ownership or user access permissions, these changes has to be done in the Ibay Panel.
+
==Usage==
====Usage====
+
 
* Each IP needs to be allowed if you want write permissions. For read only permissions, you can open the share to all defined local network in the server-manager
+
*Each IP needs to be allowed if you want write permissions. For read only permissions, you can open the share to all defined local network in the server-manager
* The NFS share works with Ibays whose the system of permissions are Group based and inherited from the ibay panel. Therefore for changing write/read and group  permissions you need to do it in the Ibay panel. You have at the top of the NFS panel a description on the state of permissions and the group ownership.  
+
*The NFS share works with ibays whose system of permissions is Group based and inherited from the ibay panel. Therefore for changing write/read and group  permissions you can do it in the NFS ibay panel. You have at the top of the NFS panel, boxes on the state of permissions and the group ownership.
* NFS works with UID and GID, the user id and group id of the client system are sent in each RPC call, and the permissions these IDs have on the file being accessed are checked on the server. For this to work, the UID and GIDs must be the same on the server and the clients.
+
*NFS works with UID and GID, the user id and group id of the client system are sent in each RPC call, and the permissions these IDs have on the file being accessed are checked on the server. For this to work, the UID and GIDs must be the same on the server and the clients.
 +
 
 
=====Read permissions=====
 
=====Read permissions=====
- you can easily allow the share in read permission for the local network and for all defined IP (go to the ibay panel and set the User access to write=group, read=everyone, enabled the share, and allow IP(s) or the local network.)
+
- you can easily allow the share in read permission for the local network and for all defined IP (go to the NFS ibay panel and set the User access to write=group, read=everyone, enabled the share, and allow IP(s) or the local network in the nfs panel)
 +
 
 +
 
 
=====Write and read permission for group=====
 
=====Write and read permission for group=====
- you have to  set a group which owns the ibay (in the ibay panel) and change the permissions to Write=group, Read=Group <br />
+
- you have to  set a group which owns the ibay (in the NFS ibay panel) and change the permissions to Write=group, Read=Group <br />
    
- All users both in the server and in the clients need to be members of that group with the same GID.<br />
 
- All users both in the server and in the clients need to be members of that group with the same GID.<br />
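Review bot: the reworded bullet now says permissions are "inherited from the ibay panel" and, in the same sentence, that you change them "in the NFS ibay panel"; the Read permissions line likewise sends the reader to "the NFS ibay panel" and then to "the nfs panel", whereas the deleted line ("these changes has to be done in the Ibay Panel") was unambiguous. Name one panel for group ownership and write/read permissions and one for the NFS export settings (enable, allowed IPs) so readers do not look for ownership in the wrong place. The UID/GID bullet is also the natural place to state why the Note box insists on per-IP allow lists: the server trusts the UID and GID the client puts in each RPC call, so any allowed host that controls its own accounts controls which identity it presents.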
Line 116: Line 123:     
{{Warning box|IF the option no_root_squash is set, the root and all sudoers of every allowed servers  to the nfs share are able to write without controls in the ibay.}}
 
{{Warning box|IF the option no_root_squash is set, the root and all sudoers of every allowed servers  to the nfs share are able to write without controls in the ibay.}}
 +
    
====UID/GID====
 
====UID/GID====
* see informations of a user
+
 
 +
*see informations of a user
 +
 
 
  id USER
 
  id USER
 +
 
*change the uid of a user
 
*change the uid of a user
 +
 
  usermod -u '''UID''' USER_NAME
 
  usermod -u '''UID''' USER_NAME
* create a group
+
 
 +
*create a group
 +
 
 
  groupadd -g '''GID''' -o GROUPE_NAME
 
  groupadd -g '''GID''' -o GROUPE_NAME
* modify the GID of a group
+
 
 +
*modify the GID of a group
 +
 
 
  groupmod -o -g '''GID''' GROUPE_NAME
 
  groupmod -o -g '''GID''' GROUPE_NAME
* add a principal group to a user
+
 
 +
*add a principal group to a user
 +
 
 
  usermod -g '''GROUP_NAME_OR_GID''' USER_NAME
 
  usermod -g '''GROUP_NAME_OR_GID''' USER_NAME
* add a secondary group to a user
+
 
 +
*add a secondary group to a user
 +
 
 
  usermod -a -G '''GROUP_NAME_OR_GID''' USER_NAME
 
  usermod -a -G '''GROUP_NAME_OR_GID''' USER_NAME
   −
====Manual Settings for specific Needs====
      +
====Manual Settings for specific needs====
 
Nfs offers a lot of parameters and you may need some specific settings that it would be difficult or dangerous to let them in all hands. So for some cases you can enable by db command your nfs shares
 
Nfs offers a lot of parameters and you may need some specific settings that it would be difficult or dangerous to let them in all hands. So for some cases you can enable by db command your nfs shares
    
but you cannot :
 
but you cannot :
* use the wildcard '*'
+
 
* open your shares to ip(s) outside of your local network(s)
+
*use the wildcard '*'
* use a domain to define your shares, the ip or the network are a mandatory
+
*open your shares to ip(s) outside of your local network(s)
* use the root '/'
+
*use a domain to define your shares, the ip or the network are a mandatory
* let a space between the ip and its share definition
+
*use the root '/'
 +
*let a space between the ip and its share definition
    
IF you want to do all these dangerous things, then you need to do them by custom templates.
 
IF you want to do all these dangerous things, then you need to do them by custom templates.
    
How enable specific rules (the name of the rule is free):
 
How enable specific rules (the name of the rule is free):
  config setprop nfs-rules '''MYRULE''' '/home/e-smith/files/ibays/IBAYNAME/files 192.168.14.0/22(nohide,sync,wdelay,rw,no_root_squash,secure)'
+
  config setprop nfs-rules '''MYRULE''' "/home/e-smith/files/ibays/IBAYNAME/files 192.168.14.0/22(nohide,sync,wdelay,rw,no_root_squash,secure)"
 
or
 
or
   config setprop nfs-rules '''RULE2''' '/home/e-smith/files/ibays/IBAYNAME/files 192.168.14.154(nohide,sync,wdelay,rw,no_root_squash,secure)'
+
   config setprop nfs-rules '''RULE2''' "/home/e-smith/files/ibays/IBAYNAME/files 192.168.14.154(nohide,sync,wdelay,rw,no_root_squash,secure)"
 
There is no analysis of the share settings, ditto for the path of the folder you want to share (except for the '/') <br />
 
There is no analysis of the share settings, ditto for the path of the folder you want to share (except for the '/') <br />
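Review bot: the nfs-rules examples change only from single to double quotes, yet MYRULE still exports an ibay with "rw,no_root_squash" to the whole 192.168.14.0/22 network, which is the kind of network-wide read-write, no-root-squash export the Note box above says the panel refuses, and the Warning box in this hunk says it lets root on every allowed client write to the ibay without controls. Show the common case with root_squash (or with a single host, as RULE2 does) and keep the no_root_squash variant with an explicit caveat, otherwise readers will copy the most permissive rule. On the quoting itself: the value contains no $ or backticks, so single and double quotes behave the same here, and single quotes are the safer habit for a literal export string; consider reverting that change or noting why double quotes were chosen.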
   Line 161: Line 182:  
  less /etc/exports
 
  less /etc/exports
   −
==== Couple of notes whilst installing on SME9..... ====
+
 
 +
====Common Mount permission options====
 +
rw              read/write permissions
 +
ro              read-only permissions
 +
insecure        Allows the use of ports over 1024
 +
sync            Specifies that all changes must be written to disk before a command completes
 +
no_wdelay      Forces the writing of changes immediately
 +
root_squash    Prevents root users
 +
no_root_squash  Allow root users
 +
 
 +
 
 +
====Couple of notes whilst installing on SME9.....====
 
DB options as follows - status enabled by default :
 
DB options as follows - status enabled by default :
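Review bot: the new "Common Mount permission options" list describes export options from /etc/exports (rw, ro, insecure, sync, no_wdelay, root_squash, no_root_squash), not mount options, so the heading should say export options and the list belongs next to the nfs-rules examples that use them. The one-line glosses are too short to be safe: "insecure        Allows the use of ports over 1024" means the server accepts requests from non-privileged client source ports, which removes the (weak) assurance that a request came from a privileged process on the client; "root_squash    Prevents root users" means client root is mapped to the anonymous user, and no_root_squash removes that mapping, which is exactly the behaviour the earlier Warning box describes. The entries are padded plain lines; a wiki table or a ";term : definition" list would render reliably.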
   Line 191: Line 223:  
  signal-event nfs-update
 
  signal-event nfs-update
   −
==see exported folders==
+
 
You can have a look on all exported folders and see for which ip/network they are allowed.
+
==Exported folders overview==
 +
You can have an overview of all exported folders and see for which ip/network they are allowed.
 
  # showmount -e
 
  # showmount -e
 
  Export list for hpcompact:
 
  Export list for hpcompact:
Line 200: Line 233:  
  /home/e-smith/files/ibays/admin_25465/files 192.168.15.0/24,192.168.12.0/24
 
  /home/e-smith/files/ibays/admin_25465/files 192.168.15.0/24,192.168.12.0/24
    +
*On a remote client  you can show all share exported by the NFS server
   −
==find connected clients==
+
  showmount -e  IpOrHostNameServer
 +
 
 +
==Show connected clients==
 
  netstat -an | grep nfs.server.ip:port
 
  netstat -an | grep nfs.server.ip:port
* for example
+
 
 +
*for example if you nfs server IP is 192.168.12.125
 +
 
 
  # netstat -an | grep 192.168.12.125:2049
 
  # netstat -an | grep 192.168.12.125:2049
  tcp        0      0 192.168.12.125:2049        192.168.12.25:850          ESTABLISHED  
+
  tcp        0      0 192.168.12.125:2049        192.168.12.25:850          ESTABLISHED
   −
==client side==
  −
* nfs-comon
  −
install nfs-common (it depends of your distribution)
     −
* mount the network share
+
==Linux Client==
 +
===nfs-utils===
 +
yum install nfs-utils
 +
 
 +
===mount the network share===
 
  mkdir /mnt/partage
 
  mkdir /mnt/partage
 
  mount -t nfs 192.168.xx.xxx:/home/e-smith/files /mnt/partage
 
  mount -t nfs 192.168.xx.xxx:/home/e-smith/files /mnt/partage
 
  ll /mnt/partage
 
  ll /mnt/partage
==ToDos==
     −
[[Category:Howto]]
+
===mount the network share in the fstab===
 +
 
 +
If you want to get mounted the NFS remote share at boot, you can add  it in your fstab<br />
 +
 
 +
Eg
 +
192.168.XX.205:/mirror/mirror/smeserver-repo  /home/build/smeserver/ nfs rw  0 0
 +
 
 +
Using fstab is useful for a server which is always on, and the NFS shares are available whenever the client boots up. Edit /etc/fstab file, and add an appropriate line reflecting the setup. Again, the server's NFS export root is omitted.
 +
/etc/fstab
 +
servername:/music  /mountpoint/on/client  nfs4  rsize=8192,wsize=8192,timeo=14,_netdev 0 0
 +
Note: Consult the NFS and mount man pages for more mount options.
 +
Some additional mount options to consider are include:
 +
 
 +
*rsize and wsize
 +
 
 +
The rsize value is the number of bytes used when reading from the server. The wsize value is the number of bytes used when writing to the server. The default for both is 1024, but using higher values such as 8192 can improve throughput. This is not universal. It is recommended to test after making this change, see #Performance tuning.
 +
 
 +
*timeo
 +
 
 +
The timeo value is the amount of time, in tenths of a second, to wait before resending a transmission after an RPC timeout. After the first timeout, the timeout value is doubled for each retry for a maximum of 60 seconds or until a major timeout occurs. If connecting to a slow server or over a busy network, better performance can be achieved by increasing this timeout value.
 +
 
 +
*_netdev
 +
 
 +
The _netdev option tells the system to wait until the network is up before trying to mount the share. systemd assumes this for NFS, but anyway it is good practice to use it for all types of networked file systems
 +
Note: Setting the sixth field (fs_passno) to a nonzero value may lead to unexpected behaviour, e.g. hangs when the systemd automount waits for a check which will never happen.
 +
 
 +
===NFS Timeout===
 +
 
 +
Nfs can have a really long timeout in case if the remote host is not reachable, if you want to avoid it you can do
 +
 
 +
mount -t nfs -o nolock,timeo=30,retrans=1,retry=0 192.168.xx.xxx:/home/e-smith/files /mnt/partage
 +
 
 +
:*timeo : The -o timeo option allows designation of the length of time, in tenths of seconds, that the client will wait until it decides it will not get a reply from the server, and must try to send the request again. The default value is 7 tenths of a second
 +
 
 +
:*retrans : The -o retrans option allows designation of the number of timeouts allowed before the client gives up, and displays the Server not responding message. The default value is 3 attempts.
 +
 
 +
:*retry : The number of minutes that the mount command retries an NFS mount operation in the foreground or background before giving up. If a value of zero is specified, the mount command exits immediately after the first failure.  If this option is not specified, the default value for foreground mounts is 2 minutes, and the default value for background mounts is 10000 minutes (80 minutes shy of one week).
 +
 
 +
==Documentation==
 +
Additional documentation:
 +
 
 +
*[https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/storage_administration_guide/ch-nfs CentOS 7/SME10]
 +
*[https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/ch-nfs.html CentOS 6/SME9]
 +
*[https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-nfs-client-config.html CentOS 5/SME8]
 +
*[https://wiki.archlinux.org/index.php/NFS Archlinux NFS]
 +
 
 
[[Category:Contrib]]
 
[[Category:Contrib]]
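Review bot: the fstab subsection mixes two sources. The "Eg" line "192.168.XX.205:/mirror/mirror/smeserver-repo  /home/build/smeserver/ nfs rw  0 0" matches how this contrib exports full paths, but the second example ("servername:/music  /mountpoint/on/client  nfs4  rsize=8192,wsize=8192,timeo=14,_netdev 0 0") and the text around it point to "#Performance tuning" and say "Again, the server's NFS export root is omitted", neither of which exists on this page; it reads as pasted from the Archlinux NFS article listed under Documentation, and its NFSv4 pseudo-root form does not match the /home/e-smith/... paths shown in the showmount output above. Adapt it to one SME-style example or credit and trim it. Two smaller points: the NFS Timeout paragraph says the timeo default is 7 tenths of a second, which is the UDP default, while for NFS over TCP the default is 600 (60 seconds), so say which transport is meant; and replacing "install nfs-common (it depends of your distribution)" with a bare "yum install nfs-utils" loses the note that non-RPM clients use a different package name (nfs-common on Debian-based systems). Finally, dropping "[[Category:Howto]]" removes the page from the Howto category; confirm that is intended.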
