{"id":1523,"date":"2017-07-25T10:17:07","date_gmt":"2017-07-25T08:17:07","guid":{"rendered":"http://miroslaw.borodziuk.eu/?p=1523"},"modified":"2017-08-20T18:22:01","modified_gmt":"2017-08-20T16:22:01","slug":"network-file-system","status":"publish","type":"post","link":"http://miro.borodziuk.eu/index.php/2017/07/25/network-file-system/","title":{"rendered":"Network File System"},"content":{"rendered":"<p>NFS (Network File System) is a network protocol that allows files to be shared between Linux and Unix machines over a network. It is a client/server service through which a client can access files, directories and whole file systems on a remote machine as if they were mounted locally. Making a resource on the NFS server available to a client is called <em>exporting</em>.<img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-1528 aligncenter\" src=\"http://miroslaw.borodziuk.eu/wp-content/uploads/NFS2-300x165.jpg\" alt=\"\" width=\"300\" height=\"165\" /></p>\n<p>The commands related to the NFS service are listed in the table below.</p>\n<table>\n<tbody>\n<tr>\n<td><span style=\"color: #808080;\">Command</span></td>\n<td><span style=\"color: #808080;\">Description</span></td>\n</tr>\n<tr>\n<td><span style=\"color: #008000;\"><code>exportfs</code></span></td>\n<td>Exports the resources listed in <code>/etc/exports</code> and in the <code>/etc/exports.d</code> directory. Also displays the currently exported resources recorded in <code>/var/lib/nfs/etab</code> and <code>/proc/fs/nfs/exports</code>.</td>\n</tr>\n<tr>\n<td><span style=\"color: #008000;\"><code>nfsiostat</code></span></td>\n<td>I/O statistics for mounted NFS shares, read from <code>/proc/self/mountstats</code>.</td>\n</tr>\n<tr>\n<td><span style=\"color: #008000;\"><code>nfsstat</code></span></td>\n<td>NFS and RPC statistics from <code>/proc/net/rpc/nfsd</code> (server) and <code>/proc/net/rpc/nfs</code> (client).</td>\n</tr>\n<tr>\n<td><span style=\"color: #008000;\"><code>mountstats</code></span></td>\n<td>Client command that displays statistics from <code>/proc/self/mountstats</code>.</td>\n</tr>\n<tr>\n<td><span style=\"color: #008000;\"><code>showmount</code></span></td>\n<td>With the <em>-e nfs_server</em> option, lists the shares exported by the server.</td>\n</tr>\n<tr>\n<td><span style=\"color: #008000;\"><code>mount</code></span></td>\n<td>Mounts remote NFS shares (and other file systems).</td>\n</tr>\n</tbody>\n</table>\n<p>NFS reads its configuration from several files, described in the table below.</p>\n<table>\n<tbody>\n<tr>\n<td><span style=\"color: #808080;\">File</span></td>\n<td><span style=\"color: #808080;\">Description</span></td>\n</tr>\n<tr>\n<td><span style=\"color: #008000;\"><code>/etc/sysconfig/nfs</code></span></td>\n<td>NFS start-up configuration file.</td>\n</tr>\n<tr>\n<td><span style=\"color: #008000;\"><code>/etc/exports</code></span></td>\n<td>Definitions of the resources to be exported.</td>\n</tr>\n<tr>\n<td><span style=\"color: #008000;\"><code>/var/lib/nfs/etab</code></span></td>\n<td>Entries for the currently exported resources.</td>\n</tr>\n<tr>\n<td><span style=\"color: #008000;\"><code>/etc/nfsmount.conf</code></span></td>\n<td>Client file containing the options used when mounting shares.</td>\n</tr>\n<tr>\n<td><span style=\"color: #008000;\"><code>/etc/fstab</code></span></td>\n<td>Client file listing the file systems to be mounted manually or automatically after a reboot.</td>\n</tr>\n<tr>\n<td><span style=\"color: #008000;\"><code>/etc/mtab</code></span></td>\n<td>Client file listing the currently mounted file systems.</td>\n</tr>\n</tbody>\n</table>\n<p>More information about NFS can be found in the system documentation, and there is a lot of it:</p>\n<pre class=\"lang:sh decode:true\"># man -k nfs\nconfstr (3) - get configuration dependent string variables\nblkmapd (8) - pNFS block layout mapping daemon\nconfstr (3p) - get configurable variables\nexportfs (8) - maintain table of exported NFS file systems\nexports (5) - NFS server export table\nfilesystems (5) - Linux file-system types: minix, ext, ext2, ext3, ext4, Reiserfs, XFS, JFS, xia, msdos, umsdos, vfat, ntf...\nfs (5) - Linux file-system types: minix, ext, ext2, ext3, ext4, Reiserfs, XFS, JFS, xia, msdos, umsdos, vfat, ntf...\nidmapd (8) - NFSv4 ID &lt;-&gt; Name Mapper\nidmapd.conf (5) - configuration file for libnfsidmap\nipa-client-automount (1) - Configure automount and NFS for IPA\nmount.nfs (8) - mount a Network File System\nmountd (8) - NFS mount daemon\nmountstats (8) - Displays various NFS client per-mount statistics\nnfs (5) - fstab format and options for the nfs file systems\nnfs4_acl (5) - NFSv4 Access Control Lists\nnfs4_editfacl (1) - manipulate NFSv4 file/directory access control lists\nnfs4_uid_to_name (3) - ID mapping routines used for NFSv4\nnfs4_getfacl (1) - get NFSv4 file/directory access control lists\nnfs4_setfacl (1) - manipulate NFSv4 file/directory access control lists\nnfsd (7) - special filesystem for controlling Linux NFS server\nnfsd (8) - NFS server process\nnfsdcltrack (8) - NFSv4 Client Tracking Callout Program\nnfsidmap (8) - The NFS idmapper upcall program\nnfsiostat (8) - Emulate iostat for NFS mount points using /proc/self/mountstats\nnfsiostat-sysstat (1) - (temat nieznany)\nnfsmount.conf (5) - Configuration file for NFS mounts\nnfsservctl (2) - syscall interface to kernel nfs daemon\nnfsstat (8) - list NFS statistics\nrpc.idmapd (8) - NFSv4 ID &lt;-&gt; Name Mapper\nrpc.mountd (8) - NFS mount daemon\nrpc.nfsd (8) - NFS server process\nrpc.sm-notify (8) - send reboot notifications to NFS peers\nrpcdebug (8) - set and clear NFS and RPC kernel debug flags\nshowmount (8) - show mount information for an NFS server\nsm-notify (8) - send reboot notifications to NFS peers\numount.nfs (8) - unmount a Network File System</pre>\n<p><span style=\"color: #3366ff;\">SELinux and NFS.</span></p>\n<p>Any directory or file system that is to be shared over NFS must carry the SELinux context <code>public_content_t</code> (read) or <code>public_content_rw_t</code> (write). This is required only when the resource is shared not just over NFS but also by another service, e.g. FTP or CIFS (Samba). The SELinux policy also contains several booleans related to NFS:</p>\n<pre class=\"lang:sh decode:true\"># getsebool -a | egrep '^nfs|^use_nfs'\nnfs_export_all_ro --&gt; on\nnfs_export_all_rw --&gt; on\nnfsd_anon_write --&gt; off\nuse_nfs_home_dirs --&gt; off</pre>\n<table>\n<tbody>\n<tr>\n<td><span style=\"color: #808080;\">Boolean</span></td>\n<td><span style=\"color: #808080;\">Purpose</span></td>\n</tr>\n<tr>\n<td><span style=\"color: #008000;\"><code>nfs_export_all_ro</code></span></td>\n<td>Allows exporting a resource in read-only mode.</td>\n</tr>\n<tr>\n<td><span style=\"color: #008000;\"><code>nfs_export_all_rw</code></span></td>\n<td>Allows exporting a resource in read-write mode.</td>\n</tr>\n<tr>\n<td><span style=\"color: #008000;\"><code>nfsd_anon_write</code></span></td>\n<td>Allows/denies anonymous writes to an NFS share.</td>\n</tr>\n<tr>\n<td><span style=\"color: #008000;\"><code>use_nfs_home_dirs</code></span></td>\n<td>Allows/denies NFS clients to mount users' home directories.</td>\n</tr>\n</tbody>\n</table>\n<p>Exercise 1. Exporting NFS shares and mounting them on a client.</p>\n<p>Server side.</p>\n<p>1. Install the nfs package.</p>\n<pre class=\"lang:sh decode:true\"># yum -y install nfs-utils\nPackage 1:nfs-utils-1.3.0-0.el7.x86_64 already installed and latest version\nNothing to do</pre>\n<p>2. Create the <code>/common</code> and <code>/nfsrhcsa</code> directories:</p>\n<pre class=\"lang:sh decode:true\"># mkdir /common /nfsrhcsa</pre>\n<p>3. Enable the SELinux booleans that allow NFS exports in read-only and read-write mode.</p>\n<pre class=\"lang:sh decode:true\"># setsebool -P nfs_export_all_ro=1 nfs_export_all_rw=1\n# getsebool -a | grep nfs_export\nnfs_export_all_ro --&gt; on\nnfs_export_all_rw --&gt; on</pre>\n<p>4. Open the NFS service on the firewall:</p>\n<pre class=\"lang:sh decode:true\"># firewall-cmd --permanent --add-service nfs; firewall-cmd --reload\nsuccess\nsuccess</pre>\n<p>5. Enable, start and check the status of the rpcbind and NFS services:</p>\n<pre class=\"lang:sh decode:true\"># systemctl enable rpcbind nfs-server\n# systemctl start rpcbind nfs-server\n# systemctl status rpcbind nfs-server</pre>\n<p>6. Edit <code>/etc/exports</code>:</p>\n<pre class=\"lang:sh decode:true\"># vim /etc/exports\n/common server2.example.com(rw)\n/nfsrhcsa server2.example.com(sync)</pre>\n<p>It is best to give every entry at least one option.</p>\n<p>7. Export the shares:</p>\n<pre class=\"lang:sh decode:true\"># exportfs -avr\nexporting server2.example.com:/common\nexporting server2.example.com:/nfsrhcsa</pre>\n<p>8. Display the contents of /var/lib/nfs/etab:</p>\n<pre class=\"lang:sh decode:true\"># cat /var/lib/nfs/etab\n/common\nserver2.example.com(rw,sync,wdelay,hide,nocrossmnt,secure,no_root_squash,no_all_squash,no_subtree_check,secure_locks,acl,anonuid=65534,anongid=65534,sec=sys)\n/nfsrhcsa\nserver2.example.com(ro,sync,wdelay,hide,nocrossmnt,secure,no_root_squash,no_all_squash,no_subtree_check,secure_locks,acl,anonuid=65534,anongid=65534,sec=sys)</pre>\n<p>Both shares are now exported. An export can be withdrawn with the -u option:</p>\n<pre class=\"lang:sh decode:true\"># exportfs -u server2.example.com:/common</pre>\n<p>Confirm that the export has been withdrawn:</p>\n<pre class=\"lang:sh decode:true\"># exportfs -v | grep common</pre>\n<p>The share can be re-exported as follows:</p>\n<pre class=\"lang:sh decode:true\"># exportfs -avr</pre>\n<p>Client side.</p>\n<p>1. Install nfs-utils:</p>\n<pre class=\"lang:sh decode:true\"># yum -y install nfs-utils\nPackage 1:nfs-utils-1.3.0-0.el7.x86_64 already installed and latest version\nNothing to do</pre>\n<p>2. Create the mount point /nfsrhcemnt:</p>\n<pre class=\"lang:sh decode:true\"># mkdir /nfsrhcemnt</pre>\n<p>3. Enable, start and check the status of rpcbind:</p>\n<pre class=\"lang:sh decode:true\"># systemctl enable rpcbind\n# systemctl start rpcbind\n# systemctl status rpcbind</pre>\n<p>4. Edit /etc/fstab:</p>\n<pre class=\"lang:sh decode:true\"># vim /etc/fstab\nserver1.example.com:/common /nfsrhcemnt nfs _netdev,rw 0 0</pre>\n<p>5. Mount the NFS share:</p>\n<pre class=\"lang:sh decode:true\"># mount /nfsrhcemnt\n# mount -t nfs -o rw server1:/common /nfsrhcemnt</pre>\n<p>or</p>\n<pre class=\"lang:sh decode:true\"># mount -a</pre>\n<p>6. Verify:</p>\n<pre class=\"lang:sh decode:true\"># mount | grep nfsrhcemnt\n# df -h</pre>\n<p>7. Create the file <code>nfsrhcetest</code> in <code>/nfsrhcemnt</code> on the client and verify it on the server side:</p>\n<pre class=\"lang:sh decode:true\">[client]# touch /nfsrhcemnt/nfsrhcetest\n[server]# ll /common</pre>\n<p>Exercise 2. Sharing an NFS resource for group collaboration.</p>\n<p><span style=\"color: #808080;\">NFS server side.</span></p>\n<p>1. Create a group with GID 7777:</p>\n<pre class=\"lang:sh decode:true\"># groupadd -g 7777 nfssdatagrp</pre>\n<p>2. Add users to this group:</p>\n<pre class=\"lang:sh decode:true\"># usermod -aG nfssdatagrp user3\n# usermod -aG nfssdatagrp user4</pre>\n<p>3. Create the /nfssdata directory:</p>\n<pre class=\"lang:sh decode:true\"># mkdir /nfssdata</pre>\n<p>4. Set the directory ownership:</p>\n<pre class=\"lang:sh decode:true\"># chown nfsnobody:nfssdatagrp /nfssdata</pre>\n<p>5. Set the setgid bit on /nfssdata:</p>\n<pre class=\"lang:sh decode:true\"># chmod 2770 /nfssdata</pre>\n<p>6. Verify the new permissions of /nfssdata:</p>\n<pre class=\"lang:sh decode:true\"># ll -d /nfssdata\ndrwxrws---. 2 nfsnobody nfssdatagrp 6 Jan 27 14:54 /nfssdata</pre>\n<p>7. Install the nfs package.</p>\n<pre class=\"lang:sh decode:true\"># yum -y install nfs-utils\nPackage 1:nfs-utils-1.3.0-0.el7.x86_64 already installed and latest version\nNothing to do</pre>\n<p>8. Enable the SELinux booleans that allow NFS exports in read-only and read-write mode.</p>\n<pre class=\"lang:sh decode:true\"># setsebool -P nfs_export_all_ro=1 nfs_export_all_rw=1\n# getsebool -a | grep nfs_export\nnfs_export_all_ro --&gt; on\nnfs_export_all_rw --&gt; on</pre>\n<p>9. Open the NFS service on the firewall:</p>\n<pre class=\"lang:sh decode:true\"># firewall-cmd --permanent --add-service nfs; firewall-cmd --reload\nsuccess\nsuccess</pre>\n<p>10. Enable, start and check the status of the rpcbind and NFS services:</p>\n<pre class=\"lang:sh decode:true\"># systemctl enable rpcbind nfs-server\n# systemctl start rpcbind nfs-server\n# systemctl status rpcbind nfs-server</pre>\n<p>11. Edit /etc/exports:</p>\n<pre class=\"lang:sh decode:true\"># vim /etc/exports\n/nfssdata server2.example.com(rw,no_root_squash)</pre>\n<p><span style=\"color: #ff0000;\">By default (the <code>root_squash</code> option) the NFS server protects an exported share from the client's superuser: root on the client is mapped to the nfsnobody account with UID 65534. The <code>no_root_squash</code> option used above switches that mapping off, so root on the client keeps root privileges on the share.</span></p>\n<p>12. Export the shares:</p>\n<pre class=\"lang:sh decode:true\"># exportfs -avr\nexporting server2.example.com:/nfssdata</pre>\n<p>13. Display the contents of /var/lib/nfs/etab:</p>\n<pre class=\"lang:sh decode:true\"># cat /var/lib/nfs/etab | grep nfssdata\n/nfssdata\nserver2.example.com(rw,sync,wdelay,hide,nocrossmnt,secure,no_root_squash,no_all_squash,no_subtree_check,secure_locks,acl,anonuid=65534,anongid=65534,sec=sys,rw,secure,no_root_squash,no_all_squash)</pre>\n<p><span style=\"color: #808080;\">NFS client side.</span></p>\n<p>14. Create the group <em>nfssdatagrp</em> with GID 7777:</p>\n<pre class=\"lang:sh decode:true\"># groupadd -g 7777 nfssdatagrp</pre>\n<p>15. Create the accounts user3 and user4, making sure their UIDs are the same as on the NFS server:</p>\n<pre class=\"lang:sh decode:true\"># useradd user3 ; useradd user4\n# passwd user3 ; passwd user4</pre>\n<p>16. Add user3 and user4 to the group nfssdatagrp:</p>\n<pre class=\"lang:sh decode:true\"># usermod -aG nfssdatagrp user3\n# usermod -aG nfssdatagrp user4</pre>\n<p>17. Add the share to /etc/fstab:</p>\n<pre class=\"lang:sh decode:true\">server1.example.com:/nfssdata /nfssdatamnt nfs _netdev,rw 0 0</pre>\n<p>18. Create the mount point /nfssdatamnt:</p>\n<pre class=\"lang:sh decode:true\"># mkdir /nfssdatamnt</pre>\n<p>19. Mount the NFS share:</p>\n<pre class=\"lang:sh decode:true\"># mount /nfssdatamnt\n# mount -t nfs -o rw server1:/nfssdata /nfssdatamnt</pre>\n<p>20. Verify:</p>\n<pre class=\"lang:sh decode:true\"># mount | grep nfssdata\nserver1.example.com:/nfssdata on /nfssdatamnt type nfs4\n(rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.0.120,local_lock=none,addr=192.168.0.110)\n# df -h | grep nfssdata\nserver1.example.com:/nfssdata 8.8G 3.4G 5.4G 39% /nfssdatamnt</pre>\n<p>21. Verify the permissions of /nfssdatamnt:</p>\n<pre class=\"lang:sh decode:true\"># ll -d /nfssdatamnt\ndrwxrws---. 2 nfsnobody nfssdatagrp 6 Jan 28 06:54 /nfssdatamnt</pre>\n<p>22. Verify write access:</p>\n<pre class=\"lang:sh decode:true\"># su - user3\n$ touch /nfssdatamnt/nfssdatatest3 ; exit\n# su - user4\n$ touch /nfssdatamnt/nfssdatatest4 ; exit\n\n# ll /nfssdatamnt\n-rw-rw-r--. 1 user3 nfssdatagrp 0 Jan 28 08:38 nfssdatatest3\n-rw-rw-r--. 1 user4 nfssdatagrp 0 Jan 28 08:38 nfssdatatest4</pre>\n<p>Exercise 5. Securing NFS shares with Kerberos. Requires a Kerberos KDC server configured as described at:</p>\n<p><a href=\"http://miroslaw.borodziuk.eu/index.php/2017/07/15/kerberos/\" target=\"_blank\" rel=\"noopener\">http://miroslaw.borodziuk.eu/index.php/2017/07/15/kerberos/</a></p>\n<p><span style=\"color: #808080;\">NFS server side (server.example.com).</span></p>\n<pre class=\"lang:sh decode:true\"># yum install -y nfs-utils sssd authconfig krb5-workstation\n# mkdir /nfskrb</pre>\n<p>The user <em>user01</em> must have the same UID on the kdc, server and client machines.</p>\n<pre class=\"lang:sh decode:true\"># useradd -u 3001 user01\n# passwd user01\n# chown user01 /nfskrb</pre>\n<p>Contents of <code>/etc/hosts</code>:</p>\n<pre class=\"lang:sh decode:true\">192.168.1.1 kdc.example.com     kdc\n192.168.1.2 server.example.com  server\n192.168.1.3 client.example.com  client</pre>\n<p>SELinux:</p>\n<pre class=\"lang:sh decode:true\"># semanage fcontext -a -t public_content_rw_t \"/nfskrb(/.*)?\"\n# restorecon -R /nfskrb</pre>\n<p>Open the required ports on the firewall:</p>\n<pre class=\"lang:sh decode:true\"># firewall-cmd --permanent --add-service={nfs,mountd,rpc-bind}\n# firewall-cmd --reload</pre>\n<p>Edit /etc/exports:</p>\n<pre class=\"lang:sh decode:true\"># vim /etc/exports\n/nfskrb client.example.com(rw,sec=krb5p)</pre>\n<p>The <em>sec</em> option accepts four different values:</p>\n<ul>\n<li>sec=sys (no Kerberos), requires running: <code># setsebool -P nfsd_anon_write 1</code></li>\n<li>sec=krb5 (Kerberos user authentication only),</li>\n<li>sec=krb5i (Kerberos user authentication and integrity checking),</li>\n<li>sec=krb5p (Kerberos user authentication, integrity checking and encryption of the NFS traffic).</li>\n</ul>\n<p>The higher the level, the more CPU the NFS server consumes.</p>\n<p>Export the NFS shares:</p>\n<pre class=\"lang:sh decode:true\"># exportfs -avr\nexporting client.example.com:/nfskrb</pre>\n<p>Enable nfs-secure:</p>\n<pre class=\"lang:sh decode:true\"># systemctl start nfs-secure; systemctl enable nfs-secure; systemctl status nfs-secure</pre>\n<p>Enable nfs-secure-server (RHEL 7.0 only):</p>\n<pre class=\"lang:sh decode:true\"># systemctl start nfs-secure-server; systemctl enable nfs-secure-server; systemctl status nfs-secure-server</pre>\n<p>The <em>nfs-secure-server</em> service is required only on RHEL 7.0 and CentOS 7.0. On RHEL 7.2 and CentOS 7.2 nfs-secure alone is enough, which is why on RHEL 7.2 nfs-secure-server reports in its status that it is not running; this is expected.</p>\n<pre class=\"lang:sh decode:true\"># systemctl status nfs-secure-server.service\n\u25cf rpc-svcgssd.service - RPC security service for NFS server\nLoaded: loaded (/usr/lib/systemd/system/rpc-svcgssd.service; static; vendor preset: disabled)\nActive: inactive (dead)\nCondition: start condition failed at Sat 2017-02-18 13:22:05 CET; 2min 12s ago\nnone of the trigger conditions were met</pre>\n<p>Edit <code>/etc/krb5.conf</code>:</p>\n<pre class=\"lang:sh decode:true\"># vim /etc/krb5.conf\n\n# Configuration snippets may be placed in this directory as well\nincludedir /etc/krb5.conf.d/\n\n[logging]\ndefault = FILE:/var/log/krb5libs.log\nkdc = FILE:/var/log/krb5kdc.log\nadmin_server = FILE:/var/log/kadmind.log\n\n[libdefaults]\ndns_lookup_realm = false\nticket_lifetime = 24h\nrenew_lifetime = 7d\nforwardable = true\nrdns = false\ndefault_realm = EXAMPLE.COM\ndefault_ccache_name = KEYRING:persistent:%{uid}\n\n[realms]\nEXAMPLE.COM = {\n  kdc = kdc.example.com\n  admin_server = kdc.example.com\n}\n\n[domain_realm]\n.example.com = EXAMPLE.COM\nexample.com = EXAMPLE.COM</pre>\n<p>The file can also be copied from the Kerberos KDC server, because its contents are identical:</p>\n<pre class=\"lang:sh decode:true\"># scp kdc.example.com:/etc/krb5.conf /etc/krb5.conf</pre>\n<p>Edit <code>/etc/ssh/ssh_config</code> and add or uncomment the lines:</p>\n<pre class=\"lang:sh decode:true\">GSSAPIAuthentication yes\nGSSAPIDelegateCredentials yes</pre>\n<p>Reload the <em>ssh</em> daemon:</p>\n<pre class=\"lang:sh decode:true\"># systemctl reload sshd</pre>\n<p>Configure the PAM component from the command line:</p>\n<pre class=\"lang:sh decode:true\"># authconfig --enablekrb5 --update</pre>\n<p>If there is somewhere to download the <code>/etc/krb5.keytab</code> file from, download it. It does happen, however, that the downloaded file does not help and the keytab has to be generated anyway.</p>\n<p>If there is nowhere to download <code>/etc/krb5.keytab</code> from, it has to be generated. To do this, log in to Kerberos:</p>\n<pre class=\"lang:sh decode:true\"># kadmin\nAuthenticating as principal root/admin@EXAMPLE.COM with password.\nPassword for root/admin@EXAMPLE.COM: kerberos</pre>\n<p>Add the principal, unless it already exists in the Kerberos database:</p>\n<pre class=\"lang:sh decode:true\">kadmin: addprinc -randkey nfs/server.example.com\nWARNING: no policy specified for nfs/server.example.com@EXAMPLE.COM; defaulting to no policy\nPrincipal \"nfs/server.example.com@EXAMPLE.COM\" created.</pre>\n<p>Save a local copy of the key in <code>/etc/krb5.keytab</code>:</p>\n<pre class=\"lang:sh decode:true\">kadmin: ktadd nfs/server.example.com\nEntry for principal nfs/server.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.\nEntry for principal nfs/server.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.\nEntry for principal nfs/server.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.\nEntry for principal nfs/server.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.\nEntry for principal nfs/server.example.com with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.\nEntry for principal nfs/server.example.com with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.\nEntry for principal nfs/server.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.\nEntry for principal nfs/server.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.\nkadmin: quit</pre>\n<p>Display the contents of <code>/etc/krb5.keytab</code>:</p>\n<pre class=\"lang:sh decode:true\"># klist -k</pre>\n<p>or</p>\n<pre class=\"lang:sh decode:true\"># strings /etc/krb5.keytab</pre>\n<p><span style=\"color: #808080;\">NFS client side (client.example.com).</span></p>\n<pre class=\"lang:sh decode:true\"># yum install -y nfs-utils krb5-workstation pam_krb5</pre>\n<p>The user <em>user01</em> must have the same UID on the kdc, server and client machines.</p>\n<pre class=\"lang:sh decode:true\"># useradd -u 3001 user01\n# passwd user01</pre>\n<p>Contents of /etc/hosts:</p>\n<pre class=\"lang:sh decode:true\">192.168.1.1 kdc.example.com     kdc\n192.168.1.2 server.example.com  server\n192.168.1.3 client.example.com  client</pre>\n<p>List the shares available for mounting from the server known by the short name <em>server</em> (as defined in /etc/hosts):</p>\n<pre class=\"lang:sh decode:true\"># showmount -e server\n/nfskrb client.example.com</pre>\n<p>Now:</p>\n<pre class=\"lang:sh decode:true\"># mkdir /mnt/nfskrb\n# vim /etc/fstab\nserver.example.com:/nfskrb /mnt/nfskrb nfs _netdev,sec=krb5p 0 0\n# mount -a</pre>\n<p>Writing to the share is not possible yet:</p>\n<pre class=\"lang:sh decode:true\"># echo \"read\" &gt; /mnt/nfskrb/new\nRead only file system</pre>\n<p>Copy <code>/etc/krb5.conf</code> from the NFS server (server.example.com):</p>\n<pre class=\"lang:sh decode:true\"># scp root@server.example.com:/etc/krb5.conf /etc/krb5.conf</pre>\n<p>Enable the NFS client:</p>\n<pre class=\"lang:sh decode:true\"># systemctl enable nfs-secure &amp;&amp; systemctl start nfs-secure\n# systemctl enable nfs-client &amp;&amp; systemctl start nfs-client</pre>\n<p>Edit /etc/ssh/ssh_config and add or uncomment the lines:</p>\n<pre class=\"lang:sh decode:true\">GSSAPIAuthentication yes\nGSSAPIDelegateCredentials yes</pre>\n<p>Reload the <em>ssh</em> daemon:</p>\n<pre class=\"lang:sh decode:true\"># systemctl reload sshd</pre>\n<p>Configure the PAM component from the command line:</p>\n<pre class=\"lang:sh decode:true\"># authconfig --enablekrb5 --update</pre>\n<p>If there is somewhere to download the <code>/etc/krb5.keytab</code> file from, download it. It does happen, however, that the downloaded file does not help and the keytab has to be generated anyway, because an attempt to mount the NFS share in krb5 (krb5p) mode produces:</p>\n<pre class=\"lang:sh decode:true\"># mount server.example.com:/nfskrb\nmount.nfs: access denied by server while mounting server.example.com:/nfskrb</pre>\n<p>If there is nowhere to download <code>/etc/krb5.keytab</code> from, it has to be generated. To do this, log in to Kerberos:</p>\n<pre class=\"lang:sh decode:true\"># kadmin\nAuthenticating as principal root/admin@EXAMPLE.COM with password.\nPassword for root/admin@EXAMPLE.COM: kerberos</pre>\n<p>Add the host principal, unless it has already been added:</p>\n<pre class=\"lang:sh decode:true\">kadmin: addprinc -randkey host/client.example.com\nWARNING: no policy specified for host/client.example.com@EXAMPLE.COM; defaulting to no policy\nPrincipal \"host/client.example.com@EXAMPLE.COM\" created.</pre>\n<p>List all principals:</p>\n<pre class=\"lang:sh decode:true\">kadmin: list_principals\nK/M@EXAMPLE.COM\nhost/server.example.com@EXAMPLE.COM\nhost/client.example.com@EXAMPLE.COM\nkadmin/admin@EXAMPLE.COM\nkadmin/changepw@EXAMPLE.COM\nkadmin/server.example.com@EXAMPLE.COM\nkiprop/server.example.com@EXAMPLE.COM\nkrbtgt/EXAMPLE.COM@EXAMPLE.COM\nnfs/server.example.com@EXAMPLE.COM\nroot/admin@EXAMPLE.COM\nuser01@EXAMPLE.COM\nuser02@EXAMPLE.COM</pre>\n<p>Save the NFS client's key to the local keytab:</p>\n<pre class=\"lang:sh decode:true\">kadmin: ktadd host/client.example.com\nEntry for principal host/client.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.\nEntry for principal host/client.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.\nEntry for principal host/client.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.\nEntry for principal host/client.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.\nEntry for principal host/client.example.com with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.\nEntry for principal host/client.example.com with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.\nEntry for principal host/client.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.\nEntry for principal host/client.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.</pre>\n<p>Display the contents of <code>/etc/krb5.keytab</code>:</p>\n<pre class=\"lang:sh decode:true\"># klist -k</pre>\n<p>or</p>\n<pre class=\"lang:sh decode:true\"># strings /etc/krb5.keytab</pre>\n<p>Now writing to /nfskrb is possible, once the user holds a Kerberos ticket:</p>\n<pre class=\"lang:sh decode:true\"># su - user01\n$ echo \"write\" &gt; /mnt/nfskrb/new\nRead only file system\n\n$ klist -l\nPrincipal name Cache name\n-------------- ----------\n\n$ kinit\nPassword for user01@EXAMPLE.COM:\n$ klist -l\nPrincipal name Cache name\n-------------- ----------\nuser01@EXAMPLE.COM KEYRING:persistent:3001:3001\n\n$ echo \"write\" &gt; /mnt/nfskrb/new    # succeeds: the file is created\n\n$ kdestroy\n$ exit</pre>\n","protected":false},"excerpt":{"rendered":"<p>NFS (Network File System) is a network protocol that allows files to be shared between Linux and Unix machines over a network. It is a client/server service through which a client can access files, directories and whole file systems on a remote machine as if they were mounted locally. Making a resource on the NFS server available to a client is called exporting.</p>\n","protected":false},"author":1,"featured_media":1524,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[48],"tags":[]}