
nfs Notes

===============================================================================
Quick:
on server:
chkconfig nfs on
service nfs start
add to /etc/exports
[root@fedor etc]# cat exports
/home/tlucciano 192.168.1.5(mp,rw,secure,no_subtree_check)
On client:
edit /etc/fstab and add a mount point, i.e.:
twain.mydomain.com:/home/huckleberry /mnt/home nfs rw 0 0

(/mnt/home must exist)


then cd /mnt/home - should see the files
================================================================================
nfsstat cmd displays detailed information about the status of the nfs subsystem.
Display PIDs of nfs :
service nfs status
Display nfs daemons running:
rpcinfo -p
-p option queries the portmapper and displays a list of all registered RPC programs.
exportfs list all currently exported file systems; -v option lists with mount
options
To remove an exported file system, use the -u option
# exportfs -v -u 192.168.0.4:/home
showmount queries the mount daemon, mountd, about the status of the NFS server:
showmount [-adehv] [host]
Invoked with no options, showmount displays a list of all clients that have mounted file systems from the current host.
To check exports, run the showmount -e computerName command (if it doesn't work, a firewall may be blocking it)
if there are issues, check /etc/hosts, /etc/hosts.deny, the firewall, /var/log/messages, etc.
re-read /etc/fstab by cmd:
mount -a
================================================================================
try to use NFSv4 - it has security and performance enhancements.
use chkconfig nfs on to have nfs start when computer boots.
nfs starts:
rpc.mountd - handles mount requests
nfsd - starts an nfsd kernel process for each shared directory
rpc.rquotad - reports disk quota statistics to clients

can check for these by cmd: rpcinfo -p


/etc/exports - main NFS config file. It lists the file systems the server exports, the systems permitted to mount the exported file systems, and the mount options for each export.
status information about exports and client systems is found in /var/lib/nfs/rmtab and /var/lib/nfs/xtab
Also part of NFS:
daemons:
rpc.gssd (nfsv4)
rpc.idmapd (nfsv4)
rpc.lockd
rpc.mountd
rpc.nfsd
rpc.portmap
rpc.rquotad
rpc.statd
rpc.svcgssd (nfsv4)
Config files:
exports
gssapi_mech.conf (nfsv4)
idmapd.conf (nfsv4)
Init scripts:
nfs
rpcgssd (nfsv4)
rpcidmapd (nfsv4)
rpcsvcgssd (nfsv4)
Commands:
exportfs
nfsstat
showmount
rpcinfo
Note - 3 scripts control the required NFS daemons
/etc/rc.d/init.d/portmap, /etc/rc.d/init.d/nfs, and /etc/rc.d/init.d/nfslock

Add to /etc/exports file the directories you want to share, i.e.:
/documents (ro,insecure,sync) centos.myname.net(rw,insecure,sync)
documents folder is exported to all users as read only and to a specific machine, centos.myname.net, as read/write
/tftpboot nodisk.example.net(rw,insecure,no_root_squash,sync)
is shared with full read/write privileges, including for the root user, to the nodisk.example.net computer
*.myname.net would specify a group of computers.
sync flag requires all changes to be written to disk before a cmd such as a
file copy is complete.
The insecure flag allows access on ports above 1024.
Don't put a space after the commas between options.
format of /etc/exports file:
dir [host](options) [...]
Do NOT insert a space between the hostname and the opening parenthesis that contains the export options; this will result in: any nfs client being able to mount the export, numerous errors in /var/log/messages, the listed options being applied to all clients, and the client identified by the host specification getting the default mount options (not those specified in the options).
A host can be specified as a single name, an NIS netgroup, a subnet using address/netmask form, or a group of hostnames using the wildcard chars ? and *.
Multiple host(options) entries, separated by whitespace, are accepted, enabling you to specify different export options for a single dir depending on the client.
When you add a share to /etc/exports, the exportfs -r cmd adds the new dirs.
If modifying, moving, or deleting a share, it is safest to temporarily unexport all filesystems first w/ the exportfs -ua cmd before re-exporting the shares w/ the exportfs -a cmd
You can add a new export to etab and the kernel's internal table of NFS exports without editing /etc/exports, using:
exportfs -o opts host:dir
i.e.:
# exportfs -o async,rw 192.168.0.3:/var/spool/mail
this exports /var/spool/mail with the async and rw options to host 192.168.0.3
Exactly the same as in /etc/exports:
/var/spool/mail 192.168.0.3(async,rw)
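Added example (not from these notes): a small POSIX sh + awk audit of an exports file that flags the pitfalls described above - a "(opts)" token with no host in front of it (the space-before-parenthesis mistake, which exports the dir to every client), a host with no options at all, a bare * host, and the insecure and no_root_squash options. The sample exports file it writes is constructed from the entries used in these notes; the function names and finding texts are mine.

```sh
#!/bin/sh
# Added example (not from the notes): audit an /etc/exports file for the
# mistakes the notes warn about. Prints one finding per line.

# Usage: audit_exports /etc/exports
audit_exports() {
    awk '
    /^[[:space:]]*#/ || NF == 0 { next }          # skip comments and blank lines
    {
        dir = $1
        for (i = 2; i <= NF; i++) {
            tok = $i
            if (tok ~ /^\(/) {                    # "(opts)" with no host in front of it
                printf "%s:%d: %s: options %s apply to EVERY client (space before \"(\" or missing host)\n", FILENAME, NR, dir, tok
                continue
            }
            if (tok !~ /\(/) {                    # host with no options: defaults apply
                printf "%s:%d: %s: host %s has no options, defaults (ro,root_squash) apply\n", FILENAME, NR, dir, tok
                continue
            }
            host = tok; sub(/\(.*$/, "", host)
            opts = tok; sub(/^[^(]*\(/, "", opts); sub(/\)$/, "", opts)
            if (host == "*")
                printf "%s:%d: %s: exported to any host (*)\n", FILENAME, NR, dir
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "no_root_squash")
                    printf "%s:%d: %s -> %s: remote root keeps uid 0 (no_root_squash)\n", FILENAME, NR, dir, host
                if (o[j] == "insecure")
                    printf "%s:%d: %s -> %s: accepts client source ports above 1024 (insecure)\n", FILENAME, NR, dir, host
            }
        }
    }' "$1"
}

# Number of findings for a file (0 when it is clean).
count_findings() {
    audit_exports "$1" | grep -c . || true
}

# Writes a constructed sample exports file (built from the notes' own entries) to $1.
write_sample_exports() {
    cat > "$1" <<'EOF'
# constructed sample, not a real server's file
/home/tlucciano 192.168.1.5(rw,secure,no_subtree_check)
/documents (ro,insecure,sync) centos.myname.net(rw,insecure,sync)
/tftpboot nodisk.example.net(rw,insecure,no_root_squash,sync)
/srv/iso *(ro,sync)
/srv/data 10.0.0.0/24 (rw,sync)
EOF
}

# Demo run against the constructed sample.
sample=$(mktemp)
write_sample_exports "$sample"
audit_exports "$sample"
rm -f "$sample"
```

On a real server run it as audit_exports /etc/exports; the first entry of the sample (a single host, secure, no wildcard) produces no finding, every other entry produces at least one.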
Set unused ports for the noted services: rpc.lockd (tcp), rpc.lockd (udp), rpc.mountd (tcp), rpc.statd (tcp)
Common ports for these: 32764, 32765, 32766, 32767
Will need to designate a port for rpc.rquotad in /etc/services
you need to make sure these ports, as well as tcp and udp ports 111 for portmap, are allowed through firewalls
Making nfs work with SELinux
- allow_gssd_read_tmp supports the reading of temporary directories by the
General Security Services daemon, gssd,
which helps protect NFS using kerberos 5.
- allow_nfsd_anon_write supports NFS servers when they modify files on public
file transfer services.
- nfs_export_all_ro supports read-only access to shared NFS dirs
- nfs_export_all_rw supports read-write access to shared NFS directories.
To set these directives, use the setsebool command. i.e. to activate read-write access, run:
# setsebool -P nfs_export_all_rw 1
performance:
eight kernel nfs daemons (the default) is usually sufficient for good performance.
If the NFS server is busy, you may want to add additional NFS daemons through the RPCNFSDCOUNT directive in the /etc/init.d/nfs script, but remember that extra kernel processes consume kernel resources.
i.e.
RPCNFSDCOUNT=3
nfs write performance can be extremely slow.
you can try specialized hardware w/ nonvolatile RAM. Data on such RAM isn't lost if you have trouble with network connectivity or a power failure.
In applications where data loss is not a big concern, you can try the async option. This makes NFS faster because async nfs mounts do not write files to disk until other operations are complete (a loss of power or network connectivity can result in loss of data).
host name lookups are performed frequently by the nfs server - you can start the name service cache daemon (nscd) to speed up lookups.
SECURITY
- data accessible via nfs to any user can potentially be accessed by any other
user.
- not even secure nfs encrypts its network traffic
- portmap has been historically prone to serious security holes. portmap is not recommended on computers directly connected to the internet
Use firewall settings to deny access to the portmapper and nfsd ports, except
with trusted hosts/networks
Known ports: 111 portmapper (server and client), 2049 nfsd (server)
Fix the ports associated with NFS - it is possible in /etc/sysconfig/nfs with the following, which are read by the /etc/init.d/nfs script. You can choose a different port number
LOCKD_TCPPORT=32765
LOCKD_UDPPORT=32765
MOUNTD_PORT=32767
STATD_PORT=32766
create a port for rquotad in /etc/services, then stop and restart the rpc.rquotad daemon
(use a port scanner to verify)
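Added example (not from these notes) for the fixed-port setup above and the earlier note about designating ports: a script that reads saved rpcinfo -p output and checks that nlockmgr, mountd and status (rpc.statd) are on the ports set in /etc/sysconfig/nfs (defaults are the values in these notes, overridable with the same variable names), then lists every port a firewall rule for trusted hosts has to allow. The rpcinfo output it writes is constructed and the function names are mine; on a real server run rpcinfo -p > rpcinfo.txt first.

```sh
#!/bin/sh
# Added example (not from the notes): verify the NFS helper daemons sit on the
# fixed ports configured in /etc/sysconfig/nfs, from "rpcinfo -p" output.

# Usage: check_fixed_ports rpcinfo.txt   (rpcinfo -p > rpcinfo.txt on the server)
# Prints one line per daemon/protocol that is NOT on its expected port.
check_fixed_ports() {
    awk -v lockd_tcp="${LOCKD_TCPPORT:-32765}" -v lockd_udp="${LOCKD_UDPPORT:-32765}" \
        -v mountd="${MOUNTD_PORT:-32767}"     -v statd="${STATD_PORT:-32766}" '
    $1 == "program" || NF < 5 { next }           # skip the header line
    {
        svc = $5; proto = $3; port = $4; want = ""
        if (svc == "nlockmgr")    want = (proto == "tcp") ? lockd_tcp : lockd_udp
        else if (svc == "mountd") want = mountd
        else if (svc == "status") want = statd   # rpc.statd registers as "status"
        if (want != "" && port != want)
            printf "%s/%s is on port %s, expected %s (fix in /etc/sysconfig/nfs and restart nfs)\n", svc, proto, port, want
    }' "$1"
}

# Number of daemons on the wrong port (0 means the fixed ports are in effect).
count_port_findings() {
    check_fixed_ports "$1" | grep -c . || true
}

# Space-separated, numerically sorted list of every port rpcinfo shows:
# these (plus the tcp/udp distinction) are what the firewall must allow for trusted hosts.
firewall_ports() {
    awk '$1 == "program" || NF < 5 { next } { print $4 }' "$1" | sort -nu | tr '\n' ' ' | sed 's/ $//'
}

# Constructed "rpcinfo -p" output for a server using the notes' fixed ports.
write_sample_rpcinfo() {
    cat > "$1" <<'EOF'
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32766  status
    100024    1   tcp  32766  status
    100021    1   udp  32765  nlockmgr
    100021    1   tcp  32765  nlockmgr
    100005    1   udp  32767  mountd
    100005    1   tcp  32767  mountd
    100003    2   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100011    1   udp    875  rquotad
EOF
}

# Demo run against the constructed sample.
rpc_sample=$(mktemp)
write_sample_rpcinfo "$rpc_sample"
check_fixed_ports "$rpc_sample"
echo "ports to allow for trusted hosts: $(firewall_ports "$rpc_sample")"
rm -f "$rpc_sample"
```

Run it again after any restart of the nfs service: a daemon that has fallen back to a random port shows up as a finding, which is the case the notes tell you to catch with a port scanner.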
on nfs server:
create group it (in /etc/group)
create /MIS dir
assign ownership: chown nobody.it /MIS (or use chgrp)
set the SGID bit on /MIS:
chmod 2770 /MIS
or
chmod g+s /MIS
Update /etc/exports file and run:
# exportfs -a
then restart nfs
Client:
make sure that the portmapper and the NFS file-locking daemons statd and lockd are available, add entries to the client's /etc/fstab for the NFS exports, and mount the exports using the mount cmd
On client:
Create a dir for the server share: /mnt/MIS

Mount the shared NFS dir on /mnt/MIS:


# mount -t nfs centos:/MIS /mnt/MIS
(-t nfs specifies the nfs file system type); this cmd mounts the share on the local /mnt/MIS dir
Make a permanent connection by adding to /etc/fstab:
centos:/MIS /mnt/MIS nfs soft,timeo=100 0 0
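Added example (not from these notes): the server-side /MIS steps above as one sh function that can be re-run safely. The export options rw,sync,root_squash are an assumption (the notes do not give the /MIS exports line), it uses chgrp rather than chown so it also runs unprivileged, and the client host, group name and exports path are arguments. The demo at the end works in a temp dir with the caller's own group, so it can be tried without touching /etc/exports.

```sh
#!/bin/sh
# Added example (not from the notes): idempotent setup of a group-writable NFS
# share. Creates the dir, hands it to the group, sets mode 2770 (setgid, as in
# the notes) so files created through the share inherit the group, and appends
# the export line once. Assumed options: rw,sync,root_squash.

# Usage (as root): setup_group_share /MIS it 192.168.1.5 /etc/exports ; then exportfs -ra
setup_group_share() {
    dir=$1; group=$2; client=$3; exports=${4:-/etc/exports}
    mkdir -p "$dir"
    chgrp "$group" "$dir"          # the notes' "chown nobody.it" needs root; chgrp is enough for the group
    chmod 2770 "$dir"              # rwx for owner and group, setgid bit, nothing for others
    line="$dir $client(rw,sync,root_squash)"
    # append only if the exact line is not there yet, so re-running never duplicates it
    grep -qxF -- "$line" "$exports" 2>/dev/null || printf '%s\n' "$line" >> "$exports"
}

# Mode string ls shows for the dir: "drwxrws---" once setgid and 2770 are in place.
share_mode() {
    ls -ld "$1" | cut -c1-10
}

# How many export lines exist for $1 in exports file $2 (should be exactly 1).
export_count() {
    grep -cF -- "$1 " "$2" || true
}

# Demo in a temp dir with the caller's own group (no root needed).
demo=$(mktemp -d)
setup_group_share "$demo/MIS" "$(id -gn)" 192.168.1.5 "$demo/exports"
setup_group_share "$demo/MIS" "$(id -gn)" 192.168.1.5 "$demo/exports"   # second run is a no-op
echo "mode: $(share_mode "$demo/MIS")"
echo "exports line: $(cat "$demo/exports")"
rm -rf "$demo"
```

After the real run, exportfs -ra (or exportfs -a followed by restarting nfs, as the notes do) makes the new line active; the client-side steps are unchanged.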
The /var/lib/nfs/rmtab file - entries are added to this file when rpc.mountd
receives a mount request.
rmtab contains 3 fields: host, exported file system and the mount options
/var/lib/nfs/etab contains exported file systems and will contain all options,
including the default ones.
