View source for "SettingUpNFSHowTo"
From Ubuntu中文
== SettingUpNFSHowTo ==
----
Original source: https://help.ubuntu.com/community/SettingUpNFSHowTo

Original author: UbuntuWiki

License:

Translator:

Proofreader:

Contributors:

Applicable versions:

Article status: [[等待翻译|Awaiting translation]]
----

=== NFS Server ===

==== Pre-Installation Setup ====

===== User Permissions =====

NFS user permissions are based on user ID (UID). UIDs of any users on the client must match those on the server in order for the users to have access. The typical ways of doing this are:

* Manual password file synchronization
* Use of [[LDAPClientAuthentication|LDAP]]
* Use of [[SettingUpNISHowTo|NIS]]

It's also important to note that you have to be careful on systems where the main user has root access: that user can change UIDs on the system to allow themselves access to anyone's files. This page assumes that the administrative team is the only group with root access and that they are all trusted. Anything else represents a more advanced configuration, and will not be addressed here.

===== Host Names =====

<small>optional if using DNS</small>

Add any client names and IP addresses to /etc/hosts. The ''real'' (not 127.0.0.1) IP address of the server should already be here. This ensures that NFS will still work even if DNS goes down. You could rely on DNS if you wanted; it's up to you.

===== NIS =====

<small>optional - perform steps only if using NIS</small>

'''Note:''' This '''only''' works if using NIS. Otherwise, you can't use netgroups, and should specify individual IPs or hostnames in <code><nowiki>/etc/exports</nowiki></code>. Read the '''BUGS''' section in <code><nowiki>man netgroup</nowiki></code>.

Edit /etc/netgroup and add a line to classify your clients. (This step is not necessary, but is for convenience.)

<pre><nowiki>
myclients (client1,,) (client2,,)
</nowiki></pre>

Obviously, more clients can be added. <code><nowiki>myclients</nowiki></code> can be anything you like; this is a ''netgroup name''.

Run this command to rebuild the YP database:

<pre><nowiki>
sudo make -C /var/yp
</nowiki></pre>

===== Portmap Lockdown =====

<small>optional</small>

Add the following line to /etc/hosts.deny:

<pre><nowiki>
portmap mountd nfsd statd lockd rquotad : ALL
</nowiki></pre>

By blocking all clients first, only clients in /etc/hosts.allow below will be allowed to access the server.

Now add the following line to /etc/hosts.allow:

<pre><nowiki>
portmap mountd nfsd statd lockd rquotad : list of IP addresses
</nowiki></pre>

Where the "list of IP addresses" string is, you need to make a list of IP addresses that consists of the server and all clients. These have to be IP addresses because of a limitation in portmap (it doesn't like hostnames). Note that if you have NIS set up, just add these to the same line.

==== Installation and Configuration ====

===== Install NFS Server =====

<pre><nowiki>
sudo apt-get install portmap nfs-kernel-server
</nowiki></pre>

===== Shares =====

Edit /etc/exports and add the shares:

<pre><nowiki>
/home @myclients(rw,sync)
/usr/local @myclients(rw,sync)
</nowiki></pre>

The above shares /home and /usr/local to all clients in the myclients netgroup. Clients prefixed with an @ are netgroups. Individual clients may be specified as well, and different options may be used for each client.

<code><nowiki>rw</nowiki></code> makes the share read/write, and <code><nowiki>sync</nowiki></code> requires the server to only reply to requests once any changes have been flushed to disk. This is the safest option (<code><nowiki>async</nowiki></code> is faster, but dangerous). It is strongly recommended that you read <code><nowiki>man exports</nowiki></code>.

After setting up /etc/exports, export the shares:

<pre><nowiki>
sudo exportfs -ra
</nowiki></pre>

Run this command whenever <code><nowiki>/etc/exports</nowiki></code> is modified.

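A check that can be run over /etc/exports before each <code>exportfs -ra</code>, as an added example that is not part of the original page: it flags <code>async</code>, entries whose options apply to every host (including the stray-space form described in <code>man exports</code>), and <code>no_root_squash</code>, an option from <code>man exports</code> that this page does not cover. The function name, output format and sample entries are assumptions made for the example.

```shell
#!/bin/sh
# Added example: flag risky entries in an exports(5)-style file.
# Assumes one export per line (no backslash continuations, no quoted paths).
# Prints one finding per line: <line-no> <path> <client> <issue>
audit_exports() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            # An empty client (e.g. "client1 (rw)" with a stray space) or "*"
            # applies the options to every host that can reach the server.
            if (client == "" || client == "*") {
                client = "<any-host>"
                print NR, path, client, "world-export"
            }
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++)
                if (o[j] == "async" || o[j] == "no_root_squash")
                    print NR, path, client, o[j]
        }
    }' "$@"
}

# Constructed sample input (not from a real server); run
# "audit_exports /etc/exports" on an actual NFS server.
audit_exports <<'EOF'
/home       @myclients(rw,sync)
/usr/local  @myclients(rw,async)
/srv/data   client1 (rw,sync)
/srv/pub    *(ro,sync)
EOF
```

An empty result means none of the three conditions was found; it does not validate the client list itself.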
===== Restart Services =====

If /etc/default/portmap was changed, portmap will need to be restarted:

<pre><nowiki>
sudo /etc/init.d/portmap restart
</nowiki></pre>

The NFS kernel server will also require a restart:

<pre><nowiki>
sudo /etc/init.d/nfs-kernel-server restart
</nowiki></pre>

==== Security Note ====

Aside from the UID issues discussed above, it should be noted that an attacker could potentially masquerade as a machine that is allowed to map the share, which allows them to create arbitrary UIDs to access your files. One potential solution to this is [[IPSecHowTo|IPSec]]; see also the NFS and IPSec section below. You can set up all your domain members to talk only to each other over IPSec, which will effectively authenticate that your client is who it says it is.

IPSec works by encrypting traffic to the server with the server's key, and the server sends back all replies encrypted with the client's key. The traffic is decrypted with the respective keys. If the client doesn't have the keys that the client is supposed to have, it can't send or receive data.

=== NFS Client ===

==== Installation ====

<pre><nowiki>
sudo apt-get install portmap nfs-common
</nowiki></pre>

===== Portmap Lockdown =====

<small>optional</small>

Add the following line to /etc/hosts.deny:

<pre><nowiki>
portmap : ALL
</nowiki></pre>

By blocking all clients first, only clients in /etc/hosts.allow below will be allowed to access the server.

Now add the following line to /etc/hosts.allow:

<pre><nowiki>
portmap : NFS server IP address
</nowiki></pre>

Where "NFS server IP address" is the IP address of the server. '''This must be numeric!''' It's the way portmap works.

===== Host Names =====

<small>optional if using DNS</small>

Add the server name to /etc/hosts. This ensures the NFS mounts will still work even if DNS goes down. You could rely on DNS if you wanted; it's up to you.

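Before mounting anything, the UID-matching requirement from the User Permissions section can be verified by comparing the account lists of the server and the client. The following is an added example, not part of the original page; the function name, the 1000 cutoff for system accounts and the sample accounts are assumptions.

```shell
#!/bin/sh
# Added example: compare account UIDs between an NFS server and a client.
# Usage: uid_check SERVER_PASSWD CLIENT_PASSWD [MIN_UID]
# Inputs are passwd(5)-format files, e.g. "getent passwd" output saved on
# each host. MIN_UID (default 1000, an assumption) skips system accounts.
uid_check() {
    awk -F: -v min="${3:-1000}" '
    FNR == NR {                              # first file: the server
        if ($3 + 0 >= min + 0) { suid[$1] = $3; sname[$3] = $1 }
        next
    }
    $3 + 0 < min + 0 { next }                # second file: the client
    # Same login name, different number: the user cannot reach their files.
    ($1 in suid) && suid[$1] != $3 {
        print "MISMATCH", $1, "server=" suid[$1], "client=" $3
    }
    # The client UID belongs to a different login on the server: this client
    # user is treated as the owner of the files of that other user.
    ($3 in sname) && sname[$3] != $1 {
        print "COLLISION", $1, "uid=" $3, "server-owner=" sname[$3]
    }' "$1" "$2"
}

# Constructed sample data (not real accounts).
tmp=$(mktemp -d)
cat > "$tmp/server" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
EOF
cat > "$tmp/client" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bob:x:1000:1000::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
EOF
uid_check "$tmp/server" "$tmp/client"
rm -rf "$tmp"
```

A COLLISION line is the case to fix first: the server only sees the number, so that client account reads and writes the other user's files.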
==== Mounts ====

NFS mounts can either be automatically mounted when accessed using autofs or can be set up with static mounts using entries in /etc/fstab.

===== Automounter =====

Install autofs:

<pre><nowiki>
sudo apt-get install autofs
</nowiki></pre>

The following configuration example sets up home directories to automount off an NFS server upon logging in. Other directories can be set up to automount upon access as well.

Add the following line to the end of /etc/auto.master:

<pre><nowiki>
/home /etc/auto.home
</nowiki></pre>

Now create /etc/auto.home and insert the following:

<pre><nowiki>
* solarisbox1.company.com.au,solarisbox2.company.com.au:/export/home/&
</nowiki></pre>

The above line automatically mounts any directory accessed at /home/[username] on the client machine from either solarisbox1.company.com.au:/export/home/[username] or solarisbox2.company.com.au:/export/home/[username].

Restart autofs to enable the configuration:

<pre><nowiki>
sudo /etc/init.d/autofs restart
</nowiki></pre>

===== Static Mounts =====

Prior to setting up the mounts, make sure the directories that will act as mountpoints are already created.

In /etc/fstab, add lines for shares such as:

<pre><nowiki>
servername:dir /mntpoint nfs rw,hard,intr 0 0
</nowiki></pre>

The <code><nowiki>rw</nowiki></code> mounts it read/write. Obviously, if the server is sharing it read only, the client won't be able to mount it as anything more than that. The <code><nowiki>hard</nowiki></code> mounts the share such that if the server becomes unavailable, the program will wait until it is available. The alternative is <code><nowiki>soft</nowiki></code>. <code><nowiki>intr</nowiki></code> allows you to interrupt/kill the process. Otherwise, it will ignore you. Documentation for these can be found in the <code><nowiki>Mount options for nfs</nowiki></code> section of <code><nowiki>man mount</nowiki></code>.

The filesystems can now be mounted with <code><nowiki>mount /mountpoint</nowiki></code>, or <code><nowiki>mount -a</nowiki></code> to mount everything that should be mounted at boot.

=== IPSec Notes ===

If you're using IPSec, the default shutdown order in Breezy/Dapper causes the client to hang as it's being shut down because IPSec goes down before NFS does. To fix it, do:

<pre><nowiki>
sudo update-rc.d -f setkey remove
sudo update-rc.d setkey start 37 0 6 S .
</nowiki></pre>

A bug has been filed here: https://launchpad.net/distros/ubuntu/+source/ipsec-tools/+bug/37536

=== Credits ===

* MatthewCaron - NFS Server, NFS Client, IPSec Notes
* NaamanCampbell - NFS Client - Automount

----
[[category:CategoryDocumentation]]