Changes

From SME Server
262 bytes added, 17:01, 3 May 2021
Line 4: Line 4:     
==Security and NFS==
 
==Security and NFS==
Something Interesting that will scare you http://www.tldp.org/HOWTO/NFS-HOWTO/security.html
+
Something interesting that will scare you http://www.tldp.org/HOWTO/NFS-HOWTO/security.html
 +
 
 +
NB: the above link is rather vintage, but still worth reading. If you intend to share NFS over the Internet you'd best be extremely careful.
 
===Version===
 
===Version===
 
{{#smeversion: smeserver-nfs }}
 
{{#smeversion: smeserver-nfs }}
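Review bot: The added NB under "Security and NFS" tells readers to be extremely careful when sharing NFS over the Internet but gives them nothing to act on. Consider pointing to the "but you cannot" list further down this page, which already says shares cannot be opened to IPs outside the local networks except through custom templates, so the warning and the enforced restriction are read together.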
Line 15: Line 17:     
2. Then execute the following:
 
2. Then execute the following:
 +
 
*sme8
 
*sme8
 +
 
  config setprop nfs status enabled
 
  config setprop nfs status enabled
 
  config setprop portmap status enabled
 
  config setprop portmap status enabled
Line 48: Line 52:       −
===== Couple of notes whilst installing on SME8..... =====
+
=====Couple of notes whilst installing on SME8.....=====
 
DB options as follows - status disabled by default :
 
DB options as follows - status disabled by default :
   Line 94: Line 98:     
==Usage==
 
==Usage==
* Each IP needs to be allowed if you want write permissions. For read only permissions, you can open the share to all defined local network in the server-manager
  −
* The NFS share works with Ibays whose the system of permissions are Group based and inherited from the ibay panel. Therefore for changing write/read and group  permissions you can do it in the NFS Ibay panel. You have at the top of the NFS panel boxes on the state of permissions and the group ownership.
  −
* NFS works with UID and GID, the user id and group id of the client system are sent in each RPC call, and the permissions these IDs have on the file being accessed are checked on the server. For this to work, the UID and GIDs must be the same on the server and the clients.
      +
*Each IP needs to be allowed if you want write permissions. For read only permissions, you can open the share to all defined local network in the server-manager
 +
*The NFS share works with ibays whose system of permissions is Group based and inherited from the ibay panel. Therefore for changing write/read and group  permissions you can do it in the NFS ibay panel. You have at the top of the NFS panel, boxes on the state of permissions and the group ownership.
 +
*NFS works with UID and GID, the user id and group id of the client system are sent in each RPC call, and the permissions these IDs have on the file being accessed are checked on the server. For this to work, the UID and GIDs must be the same on the server and the clients.
    
=====Read permissions=====
 
=====Read permissions=====
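Review bot: The third Usage bullet says the client's UID and GID are sent in each RPC call and checked on the server, but it does not state the consequence: the server acts on the IDs the client asserts, so the per-IP allow list in the first bullet is what actually limits who can write. Suggest adding that sentence. The same bullet is still a comma splice ("NFS works with UID and GID, the user id ..."), and the first bullet should read "all defined local networks".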
Line 122: Line 126:     
====UID/GID====
 
====UID/GID====
* see informations of a user
+
 
 +
*see informations of a user
 +
 
 
  id USER
 
  id USER
 +
 
*change the uid of a user
 
*change the uid of a user
 +
 
  usermod -u '''UID''' USER_NAME
 
  usermod -u '''UID''' USER_NAME
* create a group
+
 
 +
*create a group
 +
 
 
  groupadd -g '''GID''' -o GROUPE_NAME
 
  groupadd -g '''GID''' -o GROUPE_NAME
* modify the GID of a group
+
 
 +
*modify the GID of a group
 +
 
 
  groupmod -o -g '''GID''' GROUPE_NAME
 
  groupmod -o -g '''GID''' GROUPE_NAME
* add a principal group to a user
+
 
 +
*add a principal group to a user
 +
 
 
  usermod -g '''GROUP_NAME_OR_GID''' USER_NAME
 
  usermod -g '''GROUP_NAME_OR_GID''' USER_NAME
* add a secondary group to a user
+
 
 +
*add a secondary group to a user
 +
 
 
  usermod -a -G '''GROUP_NAME_OR_GID''' USER_NAME
 
  usermod -a -G '''GROUP_NAME_OR_GID''' USER_NAME
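Review bot: The "create a group" and "modify the GID of a group" commands both pass -o without explaining that it permits a GID already used by another group. Since this page says NFS permissions follow the numeric IDs, two groups sharing a GID share access to the same files, so the bullets should say when -o is actually wanted. It is also worth noting beside "usermod -u" that files owned by the old UID outside the user's home directory are not re-owned automatically. Wording: GROUPE_NAME should be GROUP_NAME to match GROUP_NAME_OR_GID, and "see informations of a user" should read "show information about a user".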
   Line 140: Line 156:     
but you cannot :
 
but you cannot :
* use the wildcard '*'
+
 
* open your shares to ip(s) outside of your local network(s)
+
*use the wildcard '*'
* use a domain to define your shares, the ip or the network are a mandatory
+
*open your shares to ip(s) outside of your local network(s)
* use the root '/'
+
*use a domain to define your shares, the ip or the network are a mandatory
* let a space between the ip and its share definition
+
*use the root '/'
 +
*let a space between the ip and its share definition
    
IF you want to do all these dangerous things, then you need to do them by custom templates.
 
IF you want to do all these dangerous things, then you need to do them by custom templates.
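Review bot: The "but you cannot" list forbids five things without saying why, while the closing sentence calls them dangerous and points readers at custom templates. One clause of reasoning per item (for example, that '*' or an outside IP exposes the share beyond the local networks) would let an administrator judge the risk before overriding the panel. Wording: "let a space" should be "leave a space", "the ip or the network are a mandatory" should be "an IP or network is mandatory", and "IF" should be "If".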
Line 176: Line 193:       −
==== Couple of notes whilst installing on SME9..... ====
+
====Couple of notes whilst installing on SME9.....====
 
DB options as follows - status enabled by default :
 
DB options as follows - status enabled by default :
   Line 216: Line 233:  
  /home/e-smith/files/ibays/admin_25465/files 192.168.15.0/24,192.168.12.0/24
 
  /home/e-smith/files/ibays/admin_25465/files 192.168.15.0/24,192.168.12.0/24
   −
* On a remote client  you can show all share exported by the NFS server
+
*On a remote client  you can show all share exported by the NFS server
    
   showmount -e  IpOrHostNameServer
 
   showmount -e  IpOrHostNameServer
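Review bot: The reformatted bullet still reads "show all share exported"; it should be "list all shares exported by the NFS server". The doubled spaces in the bullet and in "showmount -e  IpOrHostNameServer" can be removed in the same edit.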
Line 222: Line 239:  
==Show connected clients==
 
==Show connected clients==
 
  netstat -an | grep nfs.server.ip:port
 
  netstat -an | grep nfs.server.ip:port
* for example if you nfs server IP is 192.168.12.125
+
 
 +
*for example if you nfs server IP is 192.168.12.125
 +
 
 
  # netstat -an | grep 192.168.12.125:2049
 
  # netstat -an | grep 192.168.12.125:2049
 
  tcp        0      0 192.168.12.125:2049        192.168.12.25:850          ESTABLISHED
 
  tcp        0      0 192.168.12.125:2049        192.168.12.25:850          ESTABLISHED
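Review bot: The reformatted bullet keeps the typo "if you nfs server IP is"; it should read "if your NFS server IP is". The generic command uses the placeholder nfs.server.ip:port while the example greps for :2049, so naming 2049 as the NFS port in the bullet would connect the two.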
Line 236: Line 255:  
  ll /mnt/partage
 
  ll /mnt/partage
   −
=== mount the network share in the fstab===
+
===mount the network share in the fstab===
    
If you want to get mounted the NFS remote share at boot, you can add  it in your fstab<br />
 
If you want to get mounted the NFS remote share at boot, you can add  it in your fstab<br />
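Review bot: The heading loses its stray space but stays lower-case ("mount the network share in the fstab") while "NFS Timeout" elsewhere on the page is capitalised; make them consistent. The sentence "If you want to get mounted the NFS remote share at boot" should read "If you want the remote NFS share mounted at boot", and the doubled space before "it in your fstab" can go.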
Line 248: Line 267:  
Note: Consult the NFS and mount man pages for more mount options.
 
Note: Consult the NFS and mount man pages for more mount options.
 
Some additional mount options to consider are include:
 
Some additional mount options to consider are include:
* rsize and wsize
+
 
 +
*rsize and wsize
 +
 
 
The rsize value is the number of bytes used when reading from the server. The wsize value is the number of bytes used when writing to the server. The default for both is 1024, but using higher values such as 8192 can improve throughput. This is not universal. It is recommended to test after making this change, see #Performance tuning.
 
The rsize value is the number of bytes used when reading from the server. The wsize value is the number of bytes used when writing to the server. The default for both is 1024, but using higher values such as 8192 can improve throughput. This is not universal. It is recommended to test after making this change, see #Performance tuning.
* timeo
+
 
 +
*timeo
 +
 
 
The timeo value is the amount of time, in tenths of a second, to wait before resending a transmission after an RPC timeout. After the first timeout, the timeout value is doubled for each retry for a maximum of 60 seconds or until a major timeout occurs. If connecting to a slow server or over a busy network, better performance can be achieved by increasing this timeout value.
 
The timeo value is the amount of time, in tenths of a second, to wait before resending a transmission after an RPC timeout. After the first timeout, the timeout value is doubled for each retry for a maximum of 60 seconds or until a major timeout occurs. If connecting to a slow server or over a busy network, better performance can be achieved by increasing this timeout value.
* _netdev
+
 
 +
*_netdev
 +
 
 
The _netdev option tells the system to wait until the network is up before trying to mount the share. systemd assumes this for NFS, but anyway it is good practice to use it for all types of networked file systems
 
The _netdev option tells the system to wait until the network is up before trying to mount the share. systemd assumes this for NFS, but anyway it is good practice to use it for all types of networked file systems
 
Note: Setting the sixth field (fs_passno) to a nonzero value may lead to unexpected behaviour, e.g. hangs when the systemd automount waits for a check which will never happen.
 
Note: Setting the sixth field (fs_passno) to a nonzero value may lead to unexpected behaviour, e.g. hangs when the systemd automount waits for a check which will never happen.
   −
=== NFS Timeout ===
+
===NFS Timeout===
    
Nfs can have a really long timeout in case if the remote host is not reachable, if you want to avoid it you can do
 
Nfs can have a really long timeout in case if the remote host is not reachable, if you want to avoid it you can do
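Review bot: The context line "Some additional mount options to consider are include:" above the rsize bullet has a leftover word and should read "Some additional mount options to consider include:". The rsize/wsize paragraph quotes a default of 1024 for both, while the Documentation list now covers CentOS 5 through 7; that figure should be checked against nfs(5) for each release. "see #Performance tuning" should be a proper internal link, and "Nfs can have a really long timeout in case if the remote host" should read "NFS can have a very long timeout if the remote host".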
Line 262: Line 287:  
  mount -t nfs -o nolock,timeo=30,retrans=1,retry=0 192.168.xx.xxx:/home/e-smith/files /mnt/partage
 
  mount -t nfs -o nolock,timeo=30,retrans=1,retry=0 192.168.xx.xxx:/home/e-smith/files /mnt/partage
   −
:* timeo : The -o timeo option allows designation of the length of time, in tenths of seconds, that the client will wait until it decides it will not get a reply from the server, and must try to send the request again. The default value is 7 tenths of a second
+
:*timeo : The -o timeo option allows designation of the length of time, in tenths of seconds, that the client will wait until it decides it will not get a reply from the server, and must try to send the request again. The default value is 7 tenths of a second
   −
:* retrans : The -o retrans option allows designation of the number of timeouts allowed before the client gives up, and displays the Server not responding message. The default value is 3 attempts.
+
:*retrans : The -o retrans option allows designation of the number of timeouts allowed before the client gives up, and displays the Server not responding message. The default value is 3 attempts.
   −
:* retry : The number of minutes that the mount command retries an NFS mount operation in the foreground or background before giving up. If a value of zero is specified, the mount command exits immediately after the first failure.  If this option is not specified, the default value for foreground mounts is 2 minutes, and the default value for background mounts is 10000 minutes (80 minutes shy of one week).
+
:*retry : The number of minutes that the mount command retries an NFS mount operation in the foreground or background before giving up. If a value of zero is specified, the mount command exits immediately after the first failure.  If this option is not specified, the default value for foreground mounts is 2 minutes, and the default value for background mounts is 10000 minutes (80 minutes shy of one week).
    
==Documentation==
 
==Documentation==
 
Additional documentation:
 
Additional documentation:
* [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/ch-nfs.html CentOS 6/SME9]
+
 
* [https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-nfs-client-config.html CentOS 5/SME8]
+
*[https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/storage_administration_guide/ch-nfs CentOS 7/SME10]
* [https://wiki.archlinux.org/index.php/NFS Archlinux NFS]
+
*[https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/ch-nfs.html CentOS 6/SME9]
 +
*[https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-nfs-client-config.html CentOS 5/SME8]
 +
*[https://wiki.archlinux.org/index.php/NFS Archlinux NFS]
    
[[Category:Contrib]]
 
[[Category:Contrib]]
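Review bot: The mount example passes nolock,timeo=30,retrans=1,retry=0, but the bullets below it explain only timeo, retrans and retry. nolock changes file-locking behaviour (locks are no longer coordinated with the server), so it needs its own bullet saying why it is in a command that is about timeouts, or it should be dropped from the example. The defaults quoted for timeo and retrans should also be checked against nfs(5) for the releases named in the Documentation list, which now includes CentOS 7/SME10.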
