Saturday, March 29, 2008

NFS

Why use NFS?
Scenario
A small office has an old Linux server that is running out of disk space.
The office can't tolerate any downtime, not even hours, because the server is
accessed by overseas programmers and clients at night and by local ones by day.
Budgets are tight and the company needs a quick solution until it can get a purchase order approved for a hardware upgrade.
Another Linux server on the network has additional disk capacity in its
/jokes partition, and the office would like to expand into it by using that
server as an interim NFS server.
For this scenario you need:
Read-only access to the /jokes directory for all networks
Read/write access to /jokes for all servers on the 192.168.0.0/24
network, which is all addresses from 192.168.0.0 to 192.168.0.255
In all cases, use the sync option to ensure that file data cached in
memory is written to disk before the server replies to a write, so that a
completed copy is actually on disk.


Part - I
Server-side NFS Config
1. Decide which directory you want to share
2. Configure /etc/exports
3. service portmap restart
4. service nfs restart [After modifying /etc/exports later, use "exportfs -r"
to re-export it instead of restarting the service]
5. service nfslock restart

Testing tools :
===============
6. showmount -e [localhost]
7. rpcinfo -p [localhost]
That is, the daemons started by each init script:
/etc/rc.d/init.d/portmap
========================
portmap* : Port 111 [portmapper]
Note: # ldd `which portmap`
> libwrap.so.0 => /usr/lib/libwrap.so.0 (0x40034000)
Because portmap is linked against libwrap, one can use TCP wrappers to block
portmap, and therefore NFS, from clients, e.g. in /etc/hosts.deny:
===============
portmap:192.168.0.30
/etc/rc.d/init.d/nfs
====================
rpc.mountd* : Ephemeral ports assigned via portmap [mountd] Remote mounting
rpc.nfsd* : Port 2049 This is the NFS server [nfsd] Big Boss
rpc.rquotad* : Ephemeral ports assigned via portmap [rquotad] NFS quotas
/etc/rc.d/init.d/nfslock
========================
rpc.lockd* : Ephemeral ports assigned via portmap [nlockmgr] Concurrency control
rpc.statd* : Ephemeral ports assigned via portmap [status] NFS status
8. nfsstat -s <-------- Server stats: check that bad calls are < 3%
9. nfsstat -c <-------- Client stats: check that bad calls are < 3%
10. nfsstat -a

Part - II
Client-side NFS Config

1. service portmap restart
Always start this first if two machines have to share files
2. service nfslock restart
3. Find out what the NFS server is sharing:
showmount -e NFSServer
4. mkdir /funny
5. mount ganesh:/jokes /funny (the default transport is UDP)
or, with explicit options and TCP:
mount ganesh:/jokes /funny -o soft,intr,rsize=8192,wsize=8192,tcp
6. cd /funny
7. ls


/etc/exports
============
/jokes *.bom.labs.net(rw)
Note: NFS uses UDP by default, but one can use TCP too if the kernel supports it

Automation of NFS Server and Client
using fstab and automount*
Using fstab
===========
Server :
======
1. Disable firewalls
2. Decide which directory you want to share
3. configure /etc/exports
==> /jokes
4. Using chkconfig enable portmap, nfs and nfslock
Client :
======
1. Configure /etc/fstab
====> 192.168.0.20:/jokes /funny nfs soft,intr 0 0
2. Using chkconfig see that portmap, nfslock and netfs are set on
3. On reboot, /etc/rc.d/rc.sysinit will automount
Using autofs
============
Example I
=========
Server :
======
Same as above
Client :
======
1. # mkdir -p /export/nfs/
2. Configure /etc/auto.master
====> /export /etc/auto.misc --timeout=60
3. Configure /etc/auto.misc (the first field is the key, i.e. the subdirectory
under /export whose access triggers the mount; here the key is nfs)
====> nfs 192.168.0.20:/jokes
or
====> nfs -fstype=nfs,soft,intr,rsize=8192,wsize=8192,nosuid,tcp \
192.168.0.20:/jokes
4. service autofs restart
5. cd /export/nfs/
and you will see the contents of /jokes/ dir on nfs server ganesh
6. Using chkconfig see that portmap, nfslock and autofs are set on
On reboot, the autofs script will start automount*
Example II
==========
Server :
======
1. Disable firewalls
2. Decide which directory you want to share
3. configure /etc/exports
==> /home *(rw)
4. Using chkconfig enable portmap, nfs and nfslock
Client :
======
1. Configure /etc/auto.master
====> /home /etc/auto.misc --timeout=60
2. Configure /etc/auto.misc (the first field is the key, i.e. the subdirectory
under /home whose access triggers the mount; here the key is ajay)
====> ajay 192.168.0.20:/home/ajay
or
====> ajay 192.168.0.20:/home/&
3. service autofs restart
4. Now log in as ajay
and you will see the contents of /home/ajay/, Ajay's home dir
on the NFS server
Here, the key is ajay, so the ampersand wildcard is interpreted to mean
ajay. This means the ganesh:/home/ajay directory from the NFS server is
mounted automatically on ajay's home directory here, on the client.
5. Using chkconfig see that portmap, nfslock and autofs are set on

Part - IV
NFS log Files

/var/lib/nfs/
=============
etab : export perms of /jokes as shared with all users
====
/jokes (ro,sync,wdelay,hide,secure,root_squash,no_all_squash,subtree_check,secure_locks,mapping=identity,anonuid=-2,anongid=-2)
rmtab : which hosts have mounted your shares
=====
brahma.bom.labs.net:/jokes:0x00000001
shiva.bom.labs.net:/jokes:0x00000002
xtab : per host
====
/jokes brahma.bom.labs.net(ro,sync,wdelay,hide,secure,root_squash,no_all_squash,subtree_check,secure_locks,mapping=identity,anonuid=-2,anongid=-2)
/jokes shiva.bom.labs.net(ro,sync,wdelay,hide,secure,root_squash,no_all_squash,subtree_check,secure_locks,mapping=identity,anonuid=-2,anongid=-2)

Part - V
NFS Tuning
================================================================================
* rsize and wsize default to 4K in Linux. Increase them to 8K.
* For TCP make it 32K. For UDP 8K is OK.
* In 2.4 kernels, the default input queue is 64K:
# cat /proc/sys/net/core/rmem_default ----> 65535
# cat /proc/sys/net/core/rmem_max ----> 65535
Increase this to 256K, a good default:
# echo 262144 > /proc/sys/net/core/rmem_default ----> Now 256K
# echo 262144 > /proc/sys/net/core/rmem_max ----> Now 256K
Now restart NFS with "service nfs restart"; the restarted daemons pick up the
larger queue.
Then put the defaults back to their original values so as not to negatively
affect other daemons:
# echo 65535 > /proc/sys/net/core/rmem_default
# echo 65535 > /proc/sys/net/core/rmem_max
Additionally, use "procinfo*" to see kernel details.


Part - VI
NFS Security

* NFS and portmap have had a number of known security deficiencies in
the past. As a result, it's not recommended to use NFS over insecure
networks.
* NFS doesn't encrypt data, and it is possible for root users on NFS clients
to gain root access to the server's filesystems.
* You can exercise security-related caution with NFS by following a few
guidelines:
o Restrict its use to secure networks
o Export only the data that is really needed
o Consider using read-only exports whenever data updates aren't
necessary.
o Use the root_squash option in the /etc/exports file (the default) to reduce
the risk of a root user on the NFS client having root file-permission
access on the NFS server. This is normally an undesirable condition,
especially if the NFS client and NFS server are being managed by
different sets of administrators.
These points should be the foundation of your NFS security policy.
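An added example (not part of the original post) that checks an exports file against the guidelines above and against the scenario's requirements from the introduction: wildcard hosts, read/write to everyone, no_root_squash, and async. The sample exports file is constructed here; its first line is the export the scenario calls for, the rest are risky variants.

```shell
#!/bin/sh
# Added example, not from the original post: audit an exports file against
# the Part VI guidelines (restrict hosts, prefer read-only, keep root_squash,
# use sync). Plain sh + awk, so it runs without an NFS server.

# Print one finding per line for the exports file given as $1.
audit_exports() {
    awk '
    function warn(m) { print path " " host ": " m }
    /^[ \t]*#/ || /^[ \t]*$/ { next }               # comments, blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            host = $i; opts = ""
            if (match($i, /\(.*\)$/)) {              # split host(options)
                host = substr($i, 1, RSTART - 1)
                opts = "," substr($i, RSTART + 1, RLENGTH - 2) ","
            }
            hint = ""
            if (host == "") {                        # "(opts)" with no host
                host = "*"
                hint = " (a space before \"(\" applies the options to every host)"
            }
            if (host == "*" && opts ~ /,rw,/)
                warn("read/write export to all hosts" hint)
            else if (host == "*")
                warn("read-only export to all hosts; confirm this is intended")
            if (opts ~ /,no_root_squash,/)
                warn("no_root_squash: client root gets root on the server")
            if (opts ~ /,async,/)
                warn("async: use sync so writes reach disk before the reply")
        }
    }' "$1"
}

# Number of findings, as a plain integer on stdout.
count_findings() { audit_exports "$1" | wc -l | tr -d ' '; }

# Constructed sample: the scenario's intended export plus risky variants.
SAMPLE_EXPORTS="${TMPDIR:-/tmp}/exports.sample.$$"
cat > "$SAMPLE_EXPORTS" <<'EOF'
/jokes  *(ro,sync) 192.168.0.0/24(rw,sync)
/home   *(rw,async)
/backup 192.168.0.0/24 (rw,sync)
/data   192.168.0.30(rw,sync,no_root_squash)
EOF

audit_exports "$SAMPLE_EXPORTS"
```

Run it against a real /etc/exports by passing that path to audit_exports; the third sample line shows the classic mistake where a space before "(" exports read/write to everyone rather than to the subnet.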

Part - VII
NFS Hanging / Troubleshooting

* As seen before, if the NFS server fails, the NFS client waits indefinitely
for it to return. This also forces programs relying on the same client
server relationship to wait indefinitely too.
* For this reason, use the soft option in the NFS client's /etc/fstab
file. This causes NFS to report an I/O error to the calling program
after a long timeout.
You can reduce the risk of NFS hanging by taking a number of
precautions:
o Run NFS on a reliable network
o Avoid having NFS servers that NFS mount each other's filesystems or directories.
o Always use the sync option whenever possible.
o Do not have mission-critical computers rely on an NFS server to operate, unless the server's reliability can be guaranteed.
o Do not include NFS-mounted directories as part of your search path, because a hung NFS connection to a directory in your search path could cause your shell to pause at that point in the search path until the NFS session is regained.
