NFS Network File System
NFS (Network File System)
- Network file systems allow us to share files between users on different systems, often with different operating systems.
- The Windows® operating systems use the CIFS (SMB) network file system, as implemented by the Samba package on UNIX systems.
- NFS was developed by Sun Microsystems.
- Uses the RPC (remote procedure call) service; requires portmap.
- Directories are shared through the /etc/exports file.
- Directories are mounted through the mount command.
NFS: Service Profile
- Type: System-V managed service
- Package: nfs-utils
- Daemons: nfsd, lockd, rpciod, rpc.mountd, rpc.rquotad, rpc.statd
- Scripts: nfs, nfslock
- Ports: assigned by portmap (111)
- Configuration: /etc/exports
Packaging for Unix/Linux
- Different packaging approaches:
  - Solaris: Pkg* (pkginfo, pkgadd, pkgmake)
  - Linux: rpm / rpmbuild; uses digital signatures
- Overall objectives and approaches are similar
- Packages are created
NFS Server Components
- portmap: maps calls from other machines to the correct RPC service
- nfs: kernel module that translates NFS requests into local file system requests
- rpc.mountd: file client used to mount and unmount remote file systems
/etc/exports examples

    /var/ftp/pub         *.dit.ie(ro,sync) *.comp.dit.ie(rw,sync)
    /root/presentations  rbradley.dit.ie(rw,sync)
    /data                (sync)

- Note that whitespace makes a difference:
  - [server]([options]) applies the options to that server
  - [server1] ([options]) applies the options to everything apart from the server
/etc/exports
- Exported with root-squashing turned on: this ensures that requests from the root user on a client machine are denied root access to root-owned files on the server machine.
- Such requests are mapped onto a uid such as
- Root-squashing can be prevented with the no_root_squash option, but this is not recommended.
/etc/exports examples
- More examples:

    /usr/local  (ro) (ro)
    /home       (rw) (rw,no_root_squash)

- Also allow access to sets of computers:

    /usr/local  / (ro)
    /home       / (rw)
Controlling access
- Most services (anything controlled by inetd, and also nfs) support access control with /etc/hosts.allow and /etc/hosts.deny.
- Format of the files is:

    [service name]: [host or network/netmask], [host or network/netmask] ...

- E.g.:

    portmap: ,
    mountd: ,
    All: all
Controlling access
- Any service using this approach will follow the process:
  1. Check in hosts.allow: if the requesting server is in this file, allow the access and finish.
  2. Now check in hosts.deny: if the requesting server is not in this file, allow the access and finish.
  3. Allow access.
- For nfs, to allow/deny access ALL the services need to be included in the file: portmap, lockd, mountd, rquotad, statd.
NFS Client
- Client-side NFS is implemented as a kernel module.
- /etc/fstab is used to specify network mounts.
- NFS shares are mounted at boot time by /etc/rc.d/init.d/netfs.
NFS Client
- Shares can be mounted manually by root, or automatically at boot time.
- The default /etc/fstab entries in UML (User-Mode Linux):

    Device      mountpoint  type  options   dump  fsckorder
    /dev/ubd/0  /           ext2  defaults  1     1
    /proc       /proc       proc  defaults
    /dev/ubd/1  none        swap  sw

- /etc/fstab nfs entry:

    Device                mountpoint  type  options   dump  fsckorder
    Server1:/var/ftp/pub  /mnt/pub    nfs   defaults  0     0
NFS Mount Options
- Options include:
  - rsize=8192 and wsize=8192: will speed up transfers considerably
  - soft: processes return with an error on a failed I/O attempt
  - hard: will block a process that tries to access an unreachable share
  - nolock: disables file locking and allows interoperation with older NFS servers
  - nosuid: stops suid-enabled programmes executing from the mounted file system
  - noexec: stops all programmes executing from the mounted file system
  - ro: read-only file system
  - rw: read/write access
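An added check for the nosuid/noexec options above (illustrative shell for these notes, not from the slides): it reads /proc/mounts-format lines and reports NFS mounts that lack either option. The mount table below is constructed; on a real client feed it /proc/mounts instead.

```shell
#!/bin/sh
# Constructed sample of /proc/mounts output (not captured from a real host):
# device, mount point, type, options, dump, pass.
SAMPLE_MOUNTS='/dev/ubd/0 / ext2 rw 0 0
Server1:/var/ftp/pub /mnt/pub nfs rw,hard,rsize=8192,wsize=8192 0 0
Server1:/home /home nfs rw,soft,nosuid,noexec,rsize=8192,wsize=8192 0 0
Server2:/data /mnt/data nfs ro,hard,nosuid 0 0'

# has_opt "<comma list>" option -> 0 if the option is present in the list
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# Reads /proc/mounts-format lines on stdin and prints one line per NFS mount
# that lacks nosuid or noexec: "<mountpoint> missing:<opts>".
# Returns the number of such mounts (0 = every NFS mount carries both).
audit_nfs_mounts() {
    bad=0
    while read -r dev mnt type opts rest; do
        [ "$type" = nfs ] || continue
        missing=
        for want in nosuid noexec; do
            has_opt "$opts" "$want" || missing="$missing,$want"
        done
        if [ -n "$missing" ]; then
            echo "$mnt missing:${missing#,}"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Run against the sample; on a live client use: audit_nfs_mounts < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | audit_nfs_mounts || echo "$? NFS mount(s) need attention"
```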
NFS autofs
- autofs provides the ability to mount NFS shares on demand and to unmount them when they are idle.
- autofs uses the files /etc/auto.master and /etc/auto.misc for configuration.
- autofs is a kernel service, but must be enabled by configuring autofs to run in the appropriate run levels.
NFS Services
- exportfs:
  - -r: refreshes the server's share list after modifying /etc/exports
  - -v: displays a list of the shared directories and options on a server
  - -a: exports all shares listed in /etc/exports, or a share named as an argument
  - -u: unexports the share named as an argument, or all shares with no argument and -a
- showmount -e host: shows the available shares on host
Trouble shooting nfs
- Unable to see a mounted file system:
  - cat /proc/mounts
  - mount -f
- Permission denied on mount attempt:
  - Check that the fstab entry and the exports have the same access (i.e. ro, rw etc.)
  - Check you haven't attempted to export both a parent and a child, i.e. /usr and /usr/local can't both be exported.
Trouble shooting nfs II
- RPC: Program not registered
  - On the server, use ps or rpcinfo -p to check that portmapper, nfs and mountd are running.
  - On the client, use rpcinfo -p [server] to check that it can see the services.
  - If the client gets "No Remote programs registered", check hosts.allow and hosts.deny.
Trouble shooting nfs III
- Permissions aren't right:

    /export/dir hostname(rw,no_root_squash)
    /export/dir hostname (rw,no_root_squash)

- These statements aren't the same. The white space in the second will mean that everybody apart from hostname will get the privileges in the ().
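An added lint for the two /etc/exports pitfalls covered on these slides, the stray space before an option group and no_root_squash (illustrative shell written for these notes, not from the slides or from nfs-utils). The exports file below is constructed; on a server feed it /etc/exports instead.

```shell
#!/bin/sh
# Constructed sample /etc/exports (not the slides' server's file). Line 3 has
# the whitespace mistake: "hostname (rw,no_root_squash)" gives hostname the
# default options and gives EVERY client rw,no_root_squash.
SAMPLE_EXPORTS='/var/ftp/pub *.dit.ie(ro,sync) *.comp.dit.ie(rw,sync)
/root/presentations rbradley.dit.ie(rw,sync)
/export/dir hostname (rw,no_root_squash)
/data *(sync,no_root_squash)
# comment'

# Reads exports-format lines on stdin, prints one WARN line per finding and
# returns 1 if anything was flagged (0 = clean).
check_exports() {
    found=0
    set -f   # client patterns such as *.dit.ie must not be glob-expanded
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        # everything after the exported path is the client list
        for tok in ${line#* }; do
            case "$tok" in
                \(*\))
                    echo "WARN: option group $tok has no client before it, so it applies to ALL hosts: $line"
                    found=1 ;;
            esac
            case "$tok" in
                *no_root_squash*)
                    echo "WARN: no_root_squash on $tok: $line"
                    found=1 ;;
            esac
        done
    done
    set +f
    return $found
}

# Run against the sample; on a live server use: check_exports < /etc/exports
printf '%s\n' "$SAMPLE_EXPORTS" | check_exports || echo "exports need review"
```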
NFS optimisation
- Issues:
  - NFS is sensitive to network traffic
  - NFS needs both read and write performance
  - NFS traffic is bursty
- Detection: /usr/sbin/nfsstat -n -a
NFS optimisation
- Lower the nice value
- Switch to a journaling file system
- Spread NFS exported file systems across multiple disks and disk controllers
- Use RAID 0/1; RAID 5 isn't fast on writes
- Reduce the number of write-intensive mounts
- Automount is difficult to get away from
FTP File Transfer Protocol
FTP Service Profile
- Type: System-V managed service
- Package: vsftpd
- Script: vsftpd
- Ports: 21 (ftp), 20 (ftp-data)
- Config files: /etc/vsftpd/vsftpd.conf, /etc/vsftpd.ftpusers, /etc/pam.d/vsftpd
- Log file: /var/log/vsftpd.log
FTP (File Transfer Protocol)
- Linux uses vsftpd, which is no longer managed by inetd by default; it can be configured to use xinetd.
- /etc/vsftpd/vsftpd.conf is the main configuration file.
- Two levels of access. Anonymous: by default, anonymous users are based in /var/ftp.
- By default, anonymous users can download files, but not upload them.
FTP (File Transfer Protocol)

    ftp taranaki
    Connected to taranaki.student.comp.dit.ie.
    220 taranaki FTP server (SunOS 5.8) ready.
    Name (taranaki:rbradley): rbradley
    331 Password required for rbradley.
    Password:
    230 User rbradley logged in.
    Remote system type is UNIX.
    Using binary mode to transfer files.
FTP – User access
- In /etc/vsftpd/vsftpd.conf:
  - Control anonymous user access with anonymous_enable=YES/NO
  - Control anonymous user upload with anon_upload_enable=YES/NO
- Existing users on a system log in using their usual username and password.
- By default, users can download any file they can read and upload to any directory to which they have write access.
FTP – User access

    ftp> pwd
    257 "/export/home/lecturer/rbradley" is current directory.
    ftp> cd
    CWD command successful.
    ftp> pwd
    257 "/export/home/lecturer" is current directory.
    ftp> lcd ..
    Local directory now /home/staff
    ftp>
FTP – controlling user access
- /etc/vsftpd/vsftpd.conf is the main configuration file.
- Two additional files are used to control access:
  - /etc/vsftpd.ftpusers
  - /etc/vsftpd.user_list
FTP – controlling user access
- Individual users can be denied access by placing their names in /etc/vsftpd.ftpusers.
- /etc/vsftpd.user_list is examined if userlist_enable=YES is set in /etc/vsftpd.conf.
- The list file can be used either to grant access (userlist_deny=NO) or to deny access (userlist_deny=YES).
- A .message file will be displayed to anybody changing to a directory.
- Can also use hosts.allow and hosts.deny.
FTP – Controlling directory access
- By default, ftp connects to the /usr/ftp/pub directory.
- Users can be restricted to only their home directory:
  - chroot_list_enable=NO/YES
  - chroot_list_file=/usr/local/etc/vsftpd.chroot_list
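An added audit of the vsftpd.conf access-control directives from the last few slides (anonymous_enable, anon_upload_enable, userlist_enable/userlist_deny, chroot_list_enable), written as illustrative shell for these notes rather than taken from the slides or from vsftpd. The configuration file is constructed, and the expected values are this example's locked-down baseline, not vsftpd's defaults.

```shell
#!/bin/sh
# Constructed sample /etc/vsftpd/vsftpd.conf (not the slides' own file),
# using the directives the slides discuss.
SAMPLE_VSFTPD_CONF='# anonymous access
anonymous_enable=YES
anon_upload_enable=NO
local_enable=YES
# with userlist_deny=NO the user_list file is a list of permitted users
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list
chroot_list_enable=YES
chroot_list_file=/usr/local/etc/vsftpd.chroot_list'

# conf_get "<contents>" key -> prints the value of a key=value line
# (empty if the key is unset); comment lines never match.
conf_get() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | tail -n 1
}

# audit_vsftpd "<contents>": compares the access-control directives against
# the baseline below (this example's choice for a locked-down server, not
# vsftpd's defaults) and prints each deviation. Returns the deviation count.
audit_vsftpd() {
    bad=0
    for pair in anonymous_enable=NO anon_upload_enable=NO \
                userlist_enable=YES userlist_deny=NO chroot_list_enable=YES; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(conf_get "$1" "$key")
        if [ "${got:-unset}" != "$want" ]; then
            echo "$key=${got:-unset} (expected $want)"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Run against the sample; on a live server: audit_vsftpd "$(cat /etc/vsftpd/vsftpd.conf)"
audit_vsftpd "$SAMPLE_VSFTPD_CONF" || echo "$? setting(s) deviate from the baseline"
```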