NFS II
Summary:
- Customizing And Securing NFS
- NFS Pitfalls
Customizing And Securing NFS
Your basic setup now works, but if you want to use NFS on a regular basis, you will want more convenience and more security.
To mount NFS directories at boot time, add the appropriate lines to /etc/fstab. In this example, the line looks like this:
192.168.1.75:/usr/export /mnt/disk nfs rw,hard,intr 0 0
Apart from the options, all entries should be clear (if not, read the article on mounting). rw stands for read and write; the other two specify what the client should do in case of an NFS server outage. With these options set, the process will hang until the server is back up and then carry on running.
Having entered that line and saved the fstab file, run
service netfs restart
which will mount the NFS directory instantly (you will need portmap running on the clients for that). In future sessions this will be done automatically.
NFS isn't a secure protocol. There are safety rules you should keep in mind:
- Do not use the 'no_root_squash' option. If you need safe root access, use SSH and su.
- 'portmap' has had a number of serious security issues in the past. Therefore secure portmap via '/etc/hosts.deny' and '/etc/hosts.allow'. Enter
portmap: ALL
into '/etc/hosts.deny' and then use something like
portmap: 192.168.1.0/255.255.255.0
in '/etc/hosts.allow' to unblock portmap exclusively for the machines in the 192.168.1.* subnet. You can also allow only single machines by IP.
man 5 hosts_access
Furthermore you should block the ports 111 (TCP/UDP), 745 (UDP), 747 (TCP) and 2049 (TCP/UDP) from all access by untrusted networks.
- Do not connect the NFS server to the Internet. Protect the clients with a firewall. At least shut NFS down while connected.
- NFS relies on the client to properly authenticate users. If your network has clients to which other people have root access, or which can be booted from a floppy, you have to assume that all NFS-mounted data can potentially be read by any other user.
NFS Pitfalls
- Currently, ReiserFS and NFS do not work well together. You can install Linux from an NFS mount on a ReiserFS partition, I've done that, but for bigger tasks you should rely on extfs2.
- 'supermount' and NFS don't work together. To export a CD, unmount it and remount it with 'mount'.
- /etc/exports is very picky about syntax: make sure you do not accidentally leave a space between the client name and the option(s):
/export/dir hostname(rw,no_root_squash)
/export/dir hostname (rw,no_root_squash)
"The first will grant hostname rw access to /export/dir without squashing root privileges. The second will grant hostname rw privs w/root squash and it will grant EVERYONE else read-write access, without squashing root privileges. Nice huh?" (NFS HOWTO)
- NFS is a stateless protocol. Therefore a wrong configuration on the client can have serious consequences if the NFS server goes down. Do not mount NFS exported directories to / or directories which are part of users' or root's $PATH. Consider changing the options in /etc/fstab from 'hard,intr' to 'soft,timeo=300'. This allows processes to die after 30 seconds of server inactivity.
- If you are installing ML via NFS, copy the content of the CDs onto the hard disk. You can't install from an NFS mounted CD. Copy the RPMS from the second, third, etc. CDs into the same directory where the RPMS from the first CD are. Apart from that, the process is pretty much the same as with the other installation methods.
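The whitespace pitfall in /etc/exports described above can be checked mechanically. The following Python linter is an added example, not part of the original article or the NFS HOWTO: it flags option lists that are attached to no client (the stray-space case) and any use of no_root_squash. The sample file, the host name 'trusted' and the function names are constructed for illustration; quoted paths and spaces inside an option list are not handled.

```python
import re

# Constructed sample, modelled on the two lines quoted from the NFS HOWTO above.
SAMPLE_EXPORTS = """\
# constructed sample /etc/exports
/export/dir   hostname(rw,no_root_squash)
/export/dir2  hostname (rw,no_root_squash)
/usr/export   192.168.1.0/255.255.255.0(rw) \\
              trusted(ro)
"""

# A client name, then an optional "(options)" part with no space in between.
TOKEN = re.compile(r"^(?P<client>[^()]*)(?:\((?P<opts>[^()]*)\))?$")

def logical_lines(text):
    """Yield (first_line_number, text), comments stripped, '\\' continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        start = start or n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, buf
        buf, start = "", None

def lint_exports(text):
    """Return a list of (line_number, path, message) findings."""
    findings = []
    for n, line in logical_lines(text):
        path, *clients = line.split()
        for tok in clients:
            m = TOKEN.match(tok)
            if not m:
                findings.append((n, path, f"unparseable entry {tok!r}"))
                continue
            client, opts = m.group("client"), (m.group("opts") or "").split(",")
            if not client:
                # "(opts)" standing alone: a space separated it from the client name
                findings.append((n, path, f"{tok} applies to EVERY host (stray space?)"))
            if "no_root_squash" in opts:
                findings.append((n, path, f"no_root_squash for {client or 'every host'}"))
    return findings

if __name__ == "__main__":
    for n, path, msg in lint_exports(SAMPLE_EXPORTS):
        print(f"line {n}: {path}: {msg}")
```

To check a real server, pass the contents of /etc/exports to lint_exports() and treat any finding as something to review before running exportfs.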
Related Resources:
man nfs, man exports, man mount
Revision / Modified: June 23, 2001
Author: Tom Berger
Legal: This page is covered by the GNU Free Documentation License. Standard disclaimers of warranty apply. Copyright LSTB and Mandrakesoft.
Version 1.4, modified by conch on 19/12/2004 at 23:20