NFS Server
--------------------
package - nfs-utils
demone- nfs
NAME
nfs - fstab format and options for the nfs file systems
SYNOPSIS
/etc/fstab
DESCRIPTION
NFS is an Internet Standard protocol created by Sun Micro systems in 1984. NFS was developed to allow file sharing between systems residing on a local area network. The Linux NFS client supports three versions of the NFS proto-col: NFS version 2 [RFC1094], NFS version 3 [RFC1813], and NFS version 4 [RFC3530].
Network File System (NFS) protocol allow Linux client to mount remote file systems and interact with those file systems as they are mounted locally.
* NFS was developed by Sun Microsystems in 1980
* NFS stand for Network File System
* NFS is used to share files and printer between Linux / Unix systems
* Red Hat Enterprise Linux 6 supports NFSv2, NFSv3, and NFSv4 clients.
By default RHEL6 use NFSv4 if the server supports it.
NFSv1
=======
NFSv1 was the development stage of NFS protocol. It was used only for in house experimental purpose. When a stable version of NFS was ready, Developers decided to release it as the new version of NFS known as NFSv2.
NFSv2
=======
NFSv2 supports only 32 bit.
NFSv2 only allowed the first 2 GB of a file to be read
NFSv2 operated only over UDP
NFSv3
=======
NFSv3 supports 64 bit file system.
NFSv3 can handle files larger than 2 GB.
NFSv3 supports asynchronous writes on the server. asynchronous writes improve write performance.
NFSv3 supports additional file attributes in many replies, to avoid the need to re-fetch them.
NFSv3 supports READDIRPLUS operation. READDIRPLUS operation get file handles and attributes along with file names when scanning a directory.
NFSv3 supports TCP. Using TCP as a transport made NFS over a WAN more feasible.
NFSv4
=======
NFSv4 retains all NFSv3 advantages.
NFSv4 supports ACLs.
NFSv4 uses the virtual file system to present the server's export.
NFSv4 supports Pseudo file system. Pseudo File System provide maximum flexibility. Exports Pathname on servers can be changed transparently to clients.
NFSv4 have locking operations as the part of protocol which keep track of open files and delegations.
NFSv4 works through firewalls and on the Internet.
------------------------------------------------
Configure NFS Server in RHEL6
**********************************
NFS - Network File System
Port no. - 2049
Package - nfs-utils
Deamon - nfs
------------------------------------------------
*set the static IP for the Server first
#service network restart
Our first task is to install the necessary RPM. Two RPM are required for NFS server
>nfs-utils
>rpcbind
nfs-utils
-----------
This is the main RPM which provide nfs service.
rpcbind
********
NFS depends on Remote Procedure Calls(RPC) service which is controlled by rpcbind service. In earlier version of RHEL portmap service was used to map RPC program numbers to IP address port number combinations. This service is now replaced by rpcbind to enable IPv6 support.
If you do not have above RPM installed, than first install them. You can use any method to install RPM.
"NFS file server" is the primary group associated with NFS. So if you have configured yum repository than following
*command will install the mandatory packages[nfs-utils and nfs4-acl-tools] from that group.
#yum groupinstall " NFS file server"
*Or alternatively you can use
# yum install nfs* -y
If you do not have yum repository use RPM command to install these packages. Go in the folder which contain RPM (In installation disk of RHEL6, Package folder contains all RPM ) and run following command.
#rpm -ivh nfs* --nodeps --force
#rpm -ivh rpcbind* --nodeps --force
*second task is to verify that the NFS services are installed. This can be done from following command.
#rpm –qa nfs-utils
*Verify that rpcbind package is installed.
#rpm -qa rpcbind
*Following services are associated with NFS daemons. Each service have its script file stored in init.d directory.
etc/init.d/nfs Main control script for NFS Daemons which control NFS services.
/etc/init.d/nfslock Script for lock files and the statd daemon, which locks and provides status of files those are currently in use.
/etc/init.d/portreserve Replacement script for the portmap which used to set up ports for RPC services.
/etc/init.d/rpcbind RPC program number converter.
/etc/init.d/rpcgssd Script for RPC-related security services.
/etc/init.d/rpcidmapd Configuration script used for mapping of NFS user ID to LDAP and Kerberos systems.
/etc/init.d/rpcsvcgssd Control script for the server side of RPC-related general security services.
*You can start each script directly by following command
#/etc/init.d/[script name]
*For example to start nfs service
#/etc/init.d/nfs
*Or you can use service command to start / stop /restart the service
#service nfs start
*nfs and rpcbind are the compulsory services for nfs daemons.
Make sure nfs and rpcbind scripts are active before you configure NFS server.
*How to create NFS Share
*On Server /etc/exportfs defines what resources will be available for clients.
/etc/exports file use following syntax to share resources.
*Make direcotry to share on the NFS-Server and give the full permission to these directory to access from Client end.
#mkdir tom dic harry
#chmod 777 tom
#chmod 777 dic
#chmod 777 harry
*Make the Entry of these direcotry in "/etc/exports"
#vim /etc/exports (NFS sharing configuration file)
Ex. - [mountpoint] [host][permissions/options]
*Remember there is no space between the [host] field and the [permissions/options] field.
If you include a space, you receive a syntax error.
Common Mount permission options
------------------------------------------------------------------
*rw read/write permissions
*ro Sread-only permissions
*insecure Allows the use of ports over 1024
*sync Specifies that all changes must be written to disk before a command completes
*no_wdelay Forces the writing of changes immediately
*root_squash Prevents root users
-------------------------------------------------------------------
NFS Host Entries
-------------------------------------------------------------------
/etc/exportfs supports conventional wildcards which provide flexibility when specifying hosts.
you can use the hostname for hosts within your domain.
you need fully qualified domain name for outside hosts.
you can reference all the hosts within a specific domain.
You can use the * for the host segment, followed by the domain name for the network, such as *.example.com for all the hosts in the example.com network.
Instead of host name, You can also use single host's ip address.
you can use IP network addresses with a CNDR format
You can also use an NIS netgroup name to reference a collection of hosts. The NIS netgroup name is preceded by an @ sign.
For example following are the valid example for hosts entries
---------------------
For Example.
---------------------
directory host(options)
/nfs_share *(rw,sync)
/nfs_share *.example.com(rw,sync)
/nfs_share 192.168.1.10(rw,sync)
/nfs_share 192.168.1.0/255.255.255.0(rw,sync)
/nfs_share 192.168.1.0/24(rw,sync)
/nfs_share @netgroup(rw,sync
---------------------------------------------------------------------------------------
/tom *(rw,syn,root-squesh) (Where '*' indicates that all range of IP can read/write & syncronise this data.)
/dic *(ro,sync)
/harry 192.168.0.1(rw,sync) (Here only "192.168.0.1" ip can read/write and synchronaise)
:wq (save the file )
#service nfs restart
#chkconfig nfs on
*Show the mounted dir,
--------------------------------------
showmount command with -e option will display shared NFS directories locally and remotely. To review the export list for a NFS server, add the name /IP address of NFS server. If this command doesn't work, communication may be blocked with a firewall.
#showmount -e 192.168.0.1
*During the exam you may face two common errors as the output of showmount -e command
on NfS server
#showmount -e 192.168.0.1
*on NfS server
#clnt_create: RPC: Program not registered
(On server this is generated due to order of services. In exam always start /restart rpcbind service before nfs)
*on NFS client
#clnt_create: RPC: Port mapper failure - Unable to receive: errno 113 (No route to host)
(On client this is generated due to firewall configured on NFS server. On linuxclient system use showmount to list all NFS Share)
"clnt_create: RPC: Port mapper failure - Unable to receive: errno 113 (No route to host)"
*showmount -e command returns above error on NFS client if firewall is not properly configured on NFS Server.
*Configure IPTABLES rules for NFS Server.
-----------------------------------------------------------------
During the RHCE6 exam you may have a iptable firewall enabled system. You should know how to allow nfs through firewall.
*NFS port range
*In order to allow NFS through iptable firewall we need to open following ports
TCP and UDP port 2049 for NFS.
TCP and UDP port 111 (rpcbind/sunrpc).
TCP and UDP port specified with MOUNTD_PORT="port"
TCP and UDP port specified with STATD_PORT="port"
TCP port specified with LOCKD_TCPPORT="port"
UDP port specified with LOCKD_UDPPORT="port"
*NFS requires rpcbind, which dynamically assigns ports for RPC services at startup time. Dynamic ports could not be protected by iptables as these ports might change on reboot and make changes obsolete.
*So you need to configure NFS services to use fixed ports.
Open /etc/sysconfig/nfs
*Here is the sample listing with default port number
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
RQUOTAD_PORT=875
STATD_PORT=662
STATD_OUTGOING_PORT=2020
--------------------------------------------------------------------------------------------------
*Add the all port in the firewall (iptable)
*Configure the '/etc/sysconfig/nfs
#vim /etc/sysconfig/nfs
LOCKD-TCP 4001
LOCKD-UDP 4002
MOUNTD 4003
STATD 4004
STATD-OUTGOING 4005
RQUOTAD-PORT 4006
:wq save the file
*Now configure firewall to allow nfs traffic
*Run setup command
#setup
(Select firewall configuration)
(Select Customize [Make sure firewall option remain selected )
(Select NFS4)
(Select Forward and press enter)
(Select eth+ and press enter on close button)
(Select ok and press enter)
(Select Yes and press enter)
(Select Quit and press enter)
*Now open /etc/sysconfig/iptables file
#vim /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 32803 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 32769 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 892 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 892 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 875 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 875 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 662 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 662 -j ACCEPT
#iptables -I INPUT -s 192.168.0.0/24 -p tcp -m multiport --dport 4001,4002,4003,4005,4006, -j ACCEP T
[ SAME WITH 'UDP' ]
#service iptables save
#service iptables restart
#service nfs restart
NFS and SELinux
---------------------------
#getsebool -a |grep nfs [ To check the boolen value for NFS]
*SELinux is the integral part of RHEL6 and directories shared via NFS would not work without proper changes to SELinux.
Important SELinux Booleans for NFS
nfs_export_all_ro Allows NFS to share files and directories as read-only
nfs_export_all_rw Allows NFS to share files and directories as read/write
httpd_use_nfs Allows httpd to access NFS file systems
use_nfs_home_dirs Supports NFS home directories
samba_share_nfs Allows Samba to export NFS volumes
allow_nfsd_anon_write Allows NFS servers to modify public files
allow_ftpd_usr_nfs Allows FTP servers to use NFS for public file transfer services
During the exam Make sure the SELinux booleans are compatible, specifically nfs_export_all_ro and nfs_export_all_rw are set to on
*If nfs_export_all_ro and nfs_export_all_rw Booleans are set to off change the value to ON.
#setsebool -p nfs_export_all_rw=1
#setsebool -p nfs_export_all_ro=1
*Verify the boolen value again
#getsebool -a |grep nfs
*Restart the iptables , rpcbind, and nfs service
#service iptables restart
#service rpcbind restart
#service nfs restart
*Now try again to run showmount -e command on NFS client
#showmount -e 192.168.0.1
*If we add any dir. to share in the NFS-Server or made any changes in NFS-server - need to restart the server.
*But in real world I would recommended to use "exportfs" to manually export the directories rather than restart the service because while you restart the nfs service, you also disconnect your nfs clients as well.
*So use the "exportfs" command to manually export any new resources added to the /etc/exports file.
-a Exports directories
-r Reexports directories
-u Unexports directories
-v Show verbose output
#exportfs -a
NFS Tools
---------------
*During the exam following commands could be helpful for troubleshooting
#mountstats Shows information about mounted NFS shares
#nfsstat Shows statistics of exported resources
#nfsiostat Shows statistics of NFS mounted shares
-------------------------------------------------------------------------------------------
CLIENT END
===========
#showmount -e 192.168.0.1
#mount 192.168.0.1:/tom /mnt
#cd /mnt
#ls
=================================================================
Troubleshooting of NFS-Server and common query
=================================================================
NFS Server Interview Questions And Answers for Linux admin
Q: - Explain this entry /shared 192.168.1.0/255.255.255.0(sync,rw)?
allows all systems with 192.168.1.* IP addresses read-write access to the /shared/ directory:
Q: - What will happened if a space is given in between allowed_hosts and (options)?
If a space is included, the options are applied to any and all IP addresses, which can be quite dangerous if write permission is granted.
Q: - What is the role of "sync" option for NFS server ?
If sync is specified, the server waits until the request is written to disk before responding to the client. The sync option is recommended because it follows the NFS protocol.
Q: - How to retrieve a list of clients connected to the NFS server ?
To retrieve a list of clients connected to the NFS server, use the showmount command
from a shell prompt. To also show the directories the clients are connected to, use the
showmount -a command.
Q: - Name of Configuration file for NFS Server ?
/etc/exports
Q: - What is meaning of "no_root_squash" option ?
Treat remote root user as local root. Do not map requests from root to the anony-
mous user and group ID.
Q: - What is NFS ?
NFS stands for Network File System. NFS was originally developed by Sun Microsystems in the 1980's. NFS allows remote hosts to mount file systems over a network and interact with those file systems as though they are mounted locally. This enables system administrators to consolidate resources onto centralized servers on the network.
Q: - Which NFS versions are available ?
NFS Version 2
NFS Version 3
NFS Version 4
Q: - What is different between NFS Version 2 & 3 ?
nfs 2 default 8kb transfer rate,it did not check the authentication at the time connection.client wants to access unauthorized file it shows error messages like "write error","read error" nfs 3 32kb transfer rate. It check at the time connection- ACL Support.
Q: - Can we grant access by Username and password for nfs share?
No, access is granted only for IP address.
Q: - What is the role of "all_squash" option?
Treat all client users as anonymous users. Map all user and group IDs to the anonymous user and group ID.
Q: - What is the role of "root_squash" option?
All requests from the user root are translated or mapped as if they came from the user anonymous (default).
Q: - Explain option "all_squash"?
The UID and GID of exported files are mapped to the user anonymous. It is good for public directories.
Q: - Explain "exportfs" command?
The exportfs command is used to maintain the current table of exported file systems for NFS.
Q: - Explain command "/usr/sbin/exportfs -f"?
It will flush everything out of the kernels export table. Any clients that are active will get new entries added by mountd when they make their next request.
Q: - Which option is used with exportfs command to display the current export list, also displays the list of export options?
exportfs -v
Q: - Which option is used with exportfs command to re-export all directories?
exportfs -r
Q: - How you will export directory (/data) to host 192.168.1.51, allowing asynchronous writes without adding the entry in /etc/exports file?
# exportfs -o async 192.168.1.51:/data
Q: - Is rpc.mountd daemon supports TCP_WRAPPERS?
Yes, The rpc.mountd daemon is protected by the tcp_wrappers. You have to give the clients access to rpc.mountd if they should be allowed to use NFS Server.
Q: - Explain "nfsstat" command?
The nfsstat command displays the statistics about NFS client and NFS server activity.
Q: - What do you understand by "nfsstat -o all -234" command?
It will Show all information about all versions of NFS.
Q: - What do you understand by "nfsstat --nfs --server -3" command?
It will show statistics for NFS version 3 server.
Q: - Can NFS share mounted on Window XP and Justify your answer?
No, Window XP operating system doesn’t support nfs protocol.
Q: - 192.168.1.51:/data is exported by NFS Server and i want to add this NFS share to client /etc/fstab file. How you will add this entry in /etc/fstab file?
# device mount-point fs-type options dump fsckorder
192.168.1.51:/data /mnt nfs rw 0 0
Q: - Explain "Soft Mounting" option at NFS Client?
if a file request fails, the NFS client will report an error to the process on the client machine requesting the file access. if it cannot be satisfied (for example, the server is down), then it quits. This is called soft mounting.
Q: - Explain "Hard Mounting" option at NFS Client?
If a file request fails, the NFS client will report an error to the process on the client machine requesting the file access. if it cannot be satisfied, then it will not quit until the request is satisfied. This is called Hard mounting.
Q: - What is "portmap"?
The portmapper keeps a list of what services are running on what ports. This list is used by a connecting machine to see what ports it wants to talk to access certain services.
Q: - How you will check "portmap" service is running or not?
rpcinfo -p
Q: - I am unable to mount a NFS share. How will you trace out the reason?
Firstly, check that you have permissions to mount nfs share or not. Check /etc/exports file.
Secondly you can get RPC error: Program Not Registered (or another "RPC" error)
For this check your NFS server and portmap service running or not by "rpcinfo -p"
Q: - Can I modify export permissions without needing to remount clients in order to have them take effect?
Yes. The safest thing to do is edit /etc/exports and run "exportfs -r".
--------------------------------------------------------------------------------------------------
Common-NFS-Errors & Solutions
====================
Common NFS errors & solutions:
**********************************
1."Server Not Responding" Message
2. "Access Denied" Message
3."Permission Denied" Message
4. "Device Busy" Message
Error 1: If You Receive an NFS "Server Not Responding" Message
-----------------------------------------------------------------------------------------------------
ping the nfs server from client
1.ping "nfs serer name or ip"
2./usr/bin/rpcinfo -p servername
The rpcinfo command should display the following processes:
* portmap
* nfs
* mountd
* status
* nlockmgr
* llockmgr
If any of these processes is not running, follow the below steps:
(I).Make sure the /etc/rc.config.d/nfsconf file on the NFS server contains the following lines:
NFS_SERVER=1
START_MOUNTD=1
(II).Make sure that the /etc/inetd.conf file on the NFS server does not contain a line to start rpc.mountd.
If it does, make sure the START_MOUNTD variable in /etc/rc.config.d/nfsconf is set to 0.
(III).Issue the following command on the NFS server to start all the necessary NFS processes:
#/sbin/init.d/nfs.server start
Error 2: If You Receive an "Access Denied" Message
------------------------------------------------------------------------------
(I).check the FS is exported or not
#/usr/sbin/showmount -e server_name
(If it is not exported means u have to edit /etc/exports file in NFS server and put the necessary entry and
then run the command
#/usr/sbin/exportfs -a
Error 3 :If You Receive a "Permission Denied" Message
--------------------------------------------------------------------------------
(I).Check the mount options in the /etc/fstab file on the NFS client. A directory you are attempting to write to may have
been mounted read-only.
(II).Issue the ls -l command to check the HP-UX permissions on the server directory and on the client directory
that is the mount point. You may not be allowed access to the directory.
(III).Issue the following command on the NFS server:
#/usr/sbin/exportfs
Or, issue the following command on the NFS client:
#/usr/sbin/showmount -e server_name
(IV). Check the export permissions on the exported directory. The directory may have been exported read-only to your client.
The system administrator of the NFS server can use the remount mount
option to mount the directory read/write without unmounting it
Error 4 : If You Receive a "Device Busy" Message
------------------------------------------------------------------------
(I) .If you received the "device busy" message while attempting to mount a directory, try to access the mounted directory.
If you can access it, then it is already mounted.
(II).If you received the "device busy" message while attempting to unmount a directory, a user or process is currently using the directory. Wait until the process completes, or follow these steps:
1.Issue the following command to determine who is using the mounted directory:
#/usr/sbin/fuser -cu local_mount_point
The fuser(1M) command will return a list of process IDs and user names that are currently using the directory
mounted under local_mount_point. This will help you decide whether to kill the processes or wait for them to complete.
2. To kill all processes using the mounted directory, issue the following command:
/usr/sbin/fuser -ck local_mount_point
3. Try again to unmount the directory.
-----------------------------------------------------------------------------------------
