Security and NFS
Something interesting that will scare you: http://www.tldp.org/HOWTO/NFS-HOWTO/security.html
NB: the above link is rather vintage, but still worth reading. If you intend to share NFS over the Internet you'd best be extremely careful.
1. Install the smeserver-nfs contrib like this:
yum install smeserver-nfs --enablerepo=smecontribs
2. Then execute the following:
config setprop nfs status enabled
config setprop portmap status enabled
config setprop nfslock status enabled
3. Edit /etc/exports to add the directories to be shared (this line exports user home directories and ibays):
/home/e-smith/files 192.168.1.0/24(rw,sync,no_root_squash,no_all_squash)
- /home/e-smith/files – the shared directory
- 192.168.1.0/24 – IP address range of the clients allowed (or *.mydomain – the domain's clients allowed)
- rw – write permission on the shared folder
- sync – synchronous writes to the shared directory
- no_root_squash – the client's root keeps root privileges on the share
- no_all_squash – users keep their own identities (they are not mapped to the anonymous user)
if you want to see all your exports
4. Then, the following, which will reboot the server:
signal-event post-upgrade; signal-event reboot
Couple of notes whilst installing on SME8.....
DB options as follows (status disabled by default):
nfs=service TCPPorts=2049,4002,4003 UDPPorts=2049,4002,4003 access=private mountdPort=4002 rquotadPort=4003 status=disabled
nfslock=service TCPPorts=4000,4001,4004 UDPPorts=4000,4001,4004 access=private lockdPort=4001 statdOutgoingPort=4004 statdPort=4000 status=disabled
portmap=service TCPPort=111 UDPPort=111 access=private status=disabled
After installation & reboot you should be able to update with
However, I don't think this starts/restarts portmap, hence the reboot on install which should not really be necessary.
For SME9 and SME10
yum install --enablerepo=smecontribs smeserver-nfs
You need to activate the service:
signal-event nfs-update
config set UnsavedChanges no
or if you prefer to restart your server
signal-event post-upgrade; signal-event reboot
- Each IP needs to be allowed if you want write permissions. For read-only permissions, you can open the share to all the local networks defined in the server-manager.
- The NFS share works with ibays, whose permission system is group based and inherited from the ibay panel. Therefore you change read/write and group permissions in the NFS ibay panel; at the top of the NFS panel there are boxes showing the state of the permissions and the group ownership.
- NFS works with UIDs and GIDs: the user id and group id of the client system are sent in each RPC call, and the server checks what permissions these IDs have on the file being accessed. The server trusts the numbers the client sends, so for this to work the UIDs and GIDs must be the same on the server and the clients.
- You can easily allow the share with read permission for the local network and for all defined IPs (go to the NFS ibay panel and set the user access to write=group, read=everyone, enable the share, and allow the IP(s) or the local network in the NFS panel).
Write and read permission for group
- You have to set a group which owns the ibay (in the NFS ibay panel) and change the permissions to Write=group, Read=group.
- All users, both on the server and on the clients, need to be members of that group with the same GID.
- You have to share the same UID for users between the server and the client.
For example the user Helene must have the same UID and GID on the SME Server and on the remote client:
on remote client
# id helene
uid=5006(helene) gid=5006(helene) groupes=5006(helene),5002(famille)
on SME Server
# id helene
uid=5006(helene) gid=5006(helene) groupes=5006(helene),500(shared),5002(famille)
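As an added example (not part of the original page), this Python check parses the two `id` outputs quoted above and reports every uid/gid disagreement that would make the server apply the wrong permissions to Helene; the sample lines are the ones shown above, embedded as constructed input.

```python
import re

# Constructed sample input: the two `id helene` outputs quoted above. The French
# locale prints "groupes=" instead of "groups="; the parser ignores the label.
CLIENT_ID = "uid=5006(helene) gid=5006(helene) groupes=5006(helene),5002(famille)"
SERVER_ID = "uid=5006(helene) gid=5006(helene) groupes=5006(helene),500(shared),5002(famille)"

# One "<number>(<name>)" entry as printed by id(1).
_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id(line):
    """Parse one line of `id` output into (uid, gid, {group name: gid})."""
    # maxsplit keeps a trailing SELinux "context=..." field harmlessly inside the
    # groups part; it contains no "<digits>(<name>)" entries, so findall skips it.
    uid_field, gid_field, groups_field = line.split(maxsplit=2)
    uid = int(_ENTRY.search(uid_field).group(1))
    gid = int(_ENTRY.search(gid_field).group(1))
    groups = {name: int(num) for num, name in _ENTRY.findall(groups_field)}
    return uid, gid, groups


def check_mapping(server_line, client_line, share_group):
    """List what would make the server apply the wrong permissions to this user.

    With AUTH_SYS the client puts only numeric ids in each RPC call, so the uid, the
    primary gid and the GID of the group owning the ibay must agree on both hosts.
    """
    s_uid, s_gid, s_groups = parse_id(server_line)
    c_uid, c_gid, c_groups = parse_id(client_line)
    problems = []
    if s_uid != c_uid:
        problems.append("uid differs: server %d, client %d" % (s_uid, c_uid))
    if s_gid != c_gid:
        problems.append("primary gid differs: server %d, client %d" % (s_gid, c_gid))
    # Same group name with different numbers means group permissions silently miss.
    for name in sorted(set(s_groups) & set(c_groups)):
        if s_groups[name] != c_groups[name]:
            problems.append("group %s is gid %d on server but %d on client"
                            % (name, s_groups[name], c_groups[name]))
    if share_group not in s_groups:
        problems.append("server user is not in group %s" % share_group)
    elif s_groups[share_group] not in c_groups.values():
        # Fix on the client with: groupadd -g <GID> -o <name>; usermod -a -G <GID> <user>
        problems.append("client user has no group with gid %d (group %s on the server)"
                        % (s_groups[share_group], share_group))
    return problems
```

For the two outputs above the check reports only that the client user lacks a group with gid 500, which is exactly why Helene would get no group permissions on an ibay owned by `shared`.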
- see information about a user
- change the uid of a user
usermod -u UID USER_NAME
- create a group
groupadd -g GID -o GROUPE_NAME
- modify the GID of a group
groupmod -o -g GID GROUPE_NAME
- add a principal group to a user
usermod -g GROUP_NAME_OR_GID USER_NAME
- add a secondary group to a user
usermod -a -G GROUP_NAME_OR_GID USER_NAME
Manual Settings for specific needs
NFS offers a lot of parameters, and you may need some specific settings that would be difficult or dangerous to leave in everyone's hands. So for some cases you can enable your NFS shares by db command,
but you cannot:
- use the wildcard '*'
- open your shares to IP(s) outside of your local network(s)
- use a domain to define your shares; an IP or a network is mandatory
- use the root '/'
- leave a space between the IP and its share definition
If you want to do all these dangerous things, you need to do them with custom templates.
How to enable specific rules (the name of the rule is free):
config setprop nfs-rules MYRULE "/home/e-smith/files/ibays/IBAYNAME/files 192.168.14.0/22(nohide,sync,wdelay,rw,no_root_squash,secure)"
config setprop nfs-rules RULE2 "/home/e-smith/files/ibays/IBAYNAME/files 192.168.14.154(nohide,sync,wdelay,rw,no_root_squash,secure)"
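The restrictions listed above can be pre-checked before a rule is fed to `config setprop`. The following Python validator is an added example, not code from smeserver-nfs; the list of local networks is an assumption (192.168.14.0/22, matching the two rules above).

```python
import ipaddress
import re

# Assumption made for this example: the local network(s) the server-manager knows about.
# strict=False accepts 192.168.14.0/22 as written in the rules above (host bits set).
LOCAL_NETWORKS = [ipaddress.ip_network("192.168.14.0/22", strict=False)]

# One client entry: "<host>" or "<host>(<options>)", with no whitespace inside.
_CLIENT = re.compile(r"^([^\s(]+)(?:\(([^)]*)\))?$")


def validate_rule(rule, local_networks=LOCAL_NETWORKS):
    """Return the reasons an nfs-rules value breaks the restrictions listed above.

    An empty list means the rule is acceptable. The path itself is not analysed
    beyond refusing '/', matching what the contrib does.
    """
    errors = []
    parts = rule.split()
    if len(parts) < 2:
        return ["rule needs a path and at least one client"]
    path, clients = parts[0], parts[1:]
    if path == "/":
        errors.append("exporting the root '/' is not allowed")
    for client in clients:
        if client.startswith("("):
            # In exports(5) syntax "host (options)" applies the options to every host.
            errors.append("space between the ip and its share definition: %r" % client)
            continue
        m = _CLIENT.match(client)
        if not m:
            errors.append("malformed client entry: %r" % client)
            continue
        host = m.group(1)
        if "*" in host:
            errors.append("wildcard not allowed: %r" % host)
            continue
        try:
            net = ipaddress.ip_network(host, strict=False)
        except ValueError:
            errors.append("domain names not allowed, use an ip or network: %r" % host)
            continue
        if not any(net.version == local.version and net.subnet_of(local)
                   for local in local_networks):
            errors.append("%s is outside the local network(s)" % host)
    return errors
```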
There is no analysis of the share settings, and likewise none of the path of the folder you want to share (except for the '/').
Or, if you want to check that you haven't made a misconfiguration:
expand-template /etc/exports
service nfs restart
Don't forget that you can see the mounted shares and the configuration file
Common Mount permission options
- rw – read/write permissions
- ro – read-only permissions
- insecure – allows the use of ports over 1024
- sync – specifies that all changes must be written to disk before a command completes
- no_wdelay – forces the writing of changes immediately
- root_squash – maps requests from the client's root user to the anonymous user (prevents root access)
- no_root_squash – allows the client's root user to act as root
Couple of notes whilst installing on SME9.....
DB options as follows (status enabled by default):
nfs=service TCPPorts=2049,4002,4003 UDPPorts=2049,4002,4003 access=private mountdPort=4002 rquotadPort=4003 status=enabled
nfslock=service TCPPorts=4000,4001,4004 UDPPorts=4000,4001,4004 access=private lockdPort=4001 statdOutgoingPort=4004 statdPort=4000 status=enabled
rpcbind=service TCPPort=111 UDPPort=111 access=private status=enabled
you should be able to update with
Exported folders overview
You can have an overview of all exported folders and see for which ip/network they are allowed.
# showmount -e
Export list for hpcompact:
/home/e-smith/files/ibays/toto/files        192.168.15.0/24,192.168.12.0/24
/home/e-smith/files/ibays/laurence/files    192.168.12.100,192.168.12.125
/home/e-smith/files/ibays/dolibarr/files    192.168.15.0/24,192.168.12.0/24
/home/e-smith/files/ibays/admin_25465/files 192.168.15.0/24,192.168.12.0/24
- On a remote client you can show all the shares exported by the NFS server:
showmount -e IpOrHostNameServer
Show connected clients
netstat -an | grep nfs.server.ip:port
- for example, if your NFS server IP is 192.168.12.125:
# netstat -an | grep 192.168.12.125:2049
tcp        0      0 192.168.12.125:2049         192.168.12.25:850           ESTABLISHED
yum install nfs-utils
mkdir /mnt/partage
mount -t nfs 192.168.xx.xxx:/home/e-smith/files /mnt/partage
ll /mnt/partage
If you want the remote NFS share mounted at boot, you can add it to your fstab:
192.168.XX.205:/mirror/mirror/smeserver-repo /home/build/smeserver/ nfs rw 0 0
Using fstab is useful for a server which is always on, and the NFS shares are available whenever the client boots up. Edit /etc/fstab file, and add an appropriate line reflecting the setup. Again, the server's NFS export root is omitted.
/etc/fstab
servername:/music /mountpoint/on/client nfs4 rsize=8192,wsize=8192,timeo=14,_netdev 0 0
Note: Consult the NFS and mount man pages for more mount options. Some additional mount options to consider include:
- rsize and wsize
The rsize value is the number of bytes used when reading from the server. The wsize value is the number of bytes used when writing to the server. The default for both is 1024, but using higher values such as 8192 can improve throughput. This is not universal. It is recommended to test after making this change, see #Performance tuning.
- timeo
The timeo value is the amount of time, in tenths of a second, to wait before resending a transmission after an RPC timeout. After the first timeout, the timeout value is doubled for each retry for a maximum of 60 seconds or until a major timeout occurs. If connecting to a slow server or over a busy network, better performance can be achieved by increasing this timeout value.
- _netdev
The _netdev option tells the system to wait until the network is up before trying to mount the share. systemd assumes this for NFS, but it is good practice to use it for all types of networked file systems anyway.
Note: Setting the sixth field (fs_passno) to a nonzero value may lead to unexpected behaviour, e.g. hangs when the systemd automount waits for a check which will never happen.
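An added example (not from the page or any project) that lints the NFS entries of an fstab for the two settings this section warns about: a missing `_netdev` and a nonzero fs_passno. The fstab content is constructed from the two entries quoted above plus one deliberately bad line.

```python
# Constructed sample /etc/fstab: the two entries quoted above plus one line that has
# both pitfalls this section warns about (no _netdev, fs_passno set to 1).
FSTAB = """\
# <device>                                   <mountpoint>           <type> <options>                              <dump> <pass>
192.168.XX.205:/mirror/mirror/smeserver-repo /home/build/smeserver/ nfs    rw                                     0      0
servername:/music                            /mountpoint/on/client  nfs4   rsize=8192,wsize=8192,timeo=14,_netdev 0      0
servername:/photos                           /mnt/photos            nfs4   rw,rsize=8192                          0      1
"""

NFS_TYPES = ("nfs", "nfs4")


def parse_fstab(text):
    """Split fstab text into dicts; missing dump/pass fields default to 0 as mount does."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 4:
            continue  # not a usable entry
        entries.append({
            "device": f[0], "mountpoint": f[1], "fstype": f[2],
            "options": f[3].split(","),
            "freq": int(f[4]) if len(f) > 4 else 0,
            "passno": int(f[5]) if len(f) > 5 else 0,
        })
    return entries


def check_nfs_entries(text):
    """Return {mountpoint: [warnings]} for NFS entries with a setting this page warns about."""
    findings = {}
    for e in parse_fstab(text):
        if e["fstype"] not in NFS_TYPES:
            continue
        warnings = []
        if "_netdev" not in e["options"]:
            warnings.append("add _netdev so the mount waits for the network")
        if e["passno"] != 0:
            warnings.append("fs_passno is %d; set it to 0 or the automount may hang "
                            "waiting for a check that never happens" % e["passno"])
        if warnings:
            findings[e["mountpoint"]] = warnings
    return findings
```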
NFS can have a really long timeout if the remote host is not reachable; if you want to avoid it you can do:
mount -t nfs -o nolock,timeo=30,retrans=1,retry=0 192.168.xx.xxx:/home/e-smith/files /mnt/partage
- timeo : the -o timeo option sets the length of time, in tenths of a second, that the client waits before deciding it will not get a reply from the server and must resend the request. The default value is 7 tenths of a second.
- retrans : the -o retrans option sets the number of timeouts allowed before the client gives up and displays the "Server not responding" message. The default value is 3 attempts.
- retry : the number of minutes that the mount command retries an NFS mount operation in the foreground or background before giving up. If a value of zero is specified, the mount command exits immediately after the first failure. If this option is not specified, the default value for foreground mounts is 2 minutes, and the default value for background mounts is 10000 minutes (80 minutes shy of one week).