Covered in this section:
* I. NFS overview
* II. NFS server configuration
* 1. NFS configuration file
* 2. Option reference
* 3. Setting up the environment
* 4. Testing and verification
* 5. Permissions summary
* III. Automounting NFS
I. NFS overview
NFS (Network File System) was developed by Sun. As the name says, the service shares a file system over the network. The version used on RHEL 6 is NFSv4, which provides stateful connections; tracking connection state improves security. It listens on TCP port 2049. The rpcbind service deserves a special mention: rpcbind serves the RPC protocol (listening on port 111), which stands for Remote Procedure Call. RPC manages the basic information that communicating programs need in order to call each other, such as IP addresses and service port numbers. In other words, whenever a server and a client talk, this information must be supplied, and when thousands of clients access one server a dedicated program is needed to keep track of it; that is where RPC comes in. With RPC acting as the broker, NFS can concentrate on sharing without being distracted by the bookkeeping. NFS therefore depends on RPC, so on RHEL 6.5 both services, nfs and rpcbind, must be enabled for NFS to work, even though this version no longer needs to interact with rpcbind directly.
[[email protected] ~]# grep rpcbind /etc/services
sunrpc 111/tcp portmapper rpcbind # RPC 4.0 portmapper TCP
sunrpc 111/udp portmapper rpcbind # RPC 4.0 portmapper UDP
[[email protected] ~]# grep nfs !$
grep nfs /etc/services
nfs 2049/tcp nfsd shilp # Network File System
nfs 2049/udp nfsd shilp # Network File System
nfs 2049/sctp nfsd shilp # Network File System
II. NFS server configuration
1. NFS configuration file
The NFS service is configured in /etc/exports.
Format:
share_path client_IP(options)   or   share_path client_IP(options) client_IP(options)
If no options are given, NFS applies its defaults: ro, wdelay, root_squash.
2. Option reference
The NFS options and the function of each:
Option                Meaning
ro                    read-only
rw                    read-write
wdelay / no_wdelay    delay writes / do not delay writes
sync                  synchronous writes
async                 asynchronous writes
root_squash           squash root (mapped to nfsnobody)
no_root_squash        do not squash root
all_squash            squash all remote users
Now a more detailed description of what each option does. First, keep in mind that a computer modifies data in memory first and only then writes it to the much slower disk.
ro: clients access the share read-only.
rw: clients access the share read-write.
wdelay: delayed-write mode. After data is written to memory the server holds it, batches several write operations and then writes them to disk together, which improves NFS performance by reducing the number of disk writes. Be aware that although this option improves performance it carries a risk: if the NFS service goes down, the buffered data is lost.
no_wdelay: the opposite of wdelay; writes are not delayed.
sync: related to wdelay and built on no_wdelay, but with a reply: it extends no_wdelay so that a success reply is returned only after the data has been fully written to disk.
async: also related to wdelay; writes are delayed and not synchronised, so a success reply is returned while the data is still in memory and has not yet reached disk. The same caveat as for wdelay applies.
root_squash: when a remote user accesses the share as root, root privileges are not kept; the user is automatically mapped to the local anonymous user nfsnobody, whose anonuid is 65534. A different anonymous account ID can be set with anonuid.
no_root_squash: root privileges are kept.
all_squash: no remote user keeps their privileges. The default is root_squash, which does not squash ordinary users; this option overrides that default.
3. Setting up the environment
[[email protected] ~]# service rpcbind stop  # as noted above, rpcbind must be running before the nfs service can start
Stopping rpcbind: [ OK ]
[[email protected] ~]# service nfs start  # nfs and rpcbind are installed and running by default; here rpcbind is stopped on purpose to reproduce the failure when starting nfs
Starting NFS services: [ OK ]
Starting NFS quotas: Cannot register service: RPC: Unable to receive; errno = Connection refused
rpc.rquotad: unable to register (RQUOTAPROG, RQUOTAVERS, udp).
[FAILED]
Starting NFS mountd: [FAILED]
Starting NFS daemon: rpc.nfsd: writing fd to kernel failed: errno 111 (Connection refused)
rpc.nfsd: unable to set any sockets for nfsd
[FAILED]
[[email protected] ~]#
Step 1: check whether the nfs-utils and rpcbind packages are installed
[[email protected] ~]# rpm -qa | grep nfs-utils
[[email protected] ~]# rpm -qa | grep rpcbind
Step 2: install the nfs-utils and rpcbind packages
[[email protected] ~]# yum install -y rpcbind nfs-utils
Step 3: start the services
[[email protected] ~]# service rpcbind start
Starting rpcbind: [ OK ]
[[email protected] ~]# service nfs start
Starting NFS services: [ OK ]
Starting NFS quotas: [ OK ]
Starting NFS mountd: [ OK ]
Starting NFS daemon: [ OK ]
Starting RPC idmapd: [ OK ]
[[email protected] ~]#
Step 4: enable the services at boot
[[email protected] ~]# chkconfig rpcbind on
[[email protected] ~]# chkconfig nfs on
Step 5: create the shared directories, set permissions, and add the user shudaipiaoling
[[email protected] ~]# mkdir -p /var/www/html /var/{web,data} # create the test directories and list them
[[email protected] ~]# ll -d /var/{web,data} /var/www/html/
drwxr-xr-x 2 root root 4096 Aug 7 01:27 /var/data
drwxr-xr-x 2 root root 4096 Aug 7 01:27 /var/web
drwxr-xr-x. 2 root root 4096 Aug 2 2013 /var/www/html/
[[email protected] ~]#
[[email protected] ~]# useradd shudaipiaoling # add a test account and set its initial password
[[email protected] ~]# echo 123456 | passwd --stdin !$
echo 123456 |passwd --stdin shudaipiaoling
Changing password for user shudaipiaoling.
passwd: all authentication tokens updated successfully.
[[email protected] ~]#
[[email protected] ~]# chmod a+w /var/{web,data} /var/www/html/ # make all test directories writable by everyone
[[email protected] ~]# ll -d /var/{web,data} /var/www/html/ # check the directory permissions
drwxrwxrwx 2 root root 4096 Aug 7 01:27 /var/data
drwxrwxrwx 2 root root 4096 Aug 7 01:27 /var/web
drwxrwxrwx. 2 root root 4096 Aug 2 2013 /var/www/html/
Step 6: write the /etc/exports configuration file
[[email protected] ~]# echo "/var/web 192.168.15.33(rw,async,no_root_squash)" >> /etc/exports
[[email protected] ~]# echo "/var/data *(ro,sync,all_squash)" >> /etc/exports
[[email protected] ~]# echo "/var/www/html/ 192.168.15.3(rw,sync,all_squash)" >> /etc/exports
[[email protected] ~]# cat !$ # verify what was written
cat /etc/exports
/var/web 192.168.15.33(rw,async,no_root_squash)
/var/data *(ro,sync,all_squash)
/var/www/html/ 192.168.15.3(rw,sync,all_squash)
[[email protected] ~]# service nfs restart # restart the service
Shutting down NFS daemon: [ OK ]
Shutting down NFS mountd: [ OK ]
Shutting down NFS quotas: [ OK ]
Shutting down RPC idmapd: [ OK ]
Starting NFS services: [ OK ]
Starting NFS quotas: [ OK ]
Starting NFS mountd: [ OK ]
Starting NFS daemon: [ OK ]
Starting RPC idmapd: [ OK ]
[[email protected] ~]#
4. Testing and verification
Client: IP 192.168.15.33, PAN-Client
[[email protected] ~]# mkdir -p /var/web /var/www/html # create the mount points
[[email protected] ~]# chmod a+w /var/web /var/www/html # grant permissions
[[email protected] ~]# echo "192.168.15.22:/var/web /var/web nfs defaults 0 0" >> /etc/fstab
[[email protected] ~]# mount -a # configure mounting at boot and mount now
[[email protected] ~]# tail -n 1 /etc/fstab # verify
192.168.15.22:/var/web /var/web nfs defaults 0 0
[[email protected] ~]# ll -d /var/web/ /var/www/html/ # verify
drwxrwxrwx 2 root root 4096 Aug 7 01:27 /var/web/
drwxrwxrwx. 2 root root 4096 Aug 2 2013 /var/www/html/
[[email protected] ~]# mount | grep nfs # check that the mount is in place
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
192.168.15.22:/var/web on /var/web type nfs (rw,vers=4,addr=192.168.15.22,clientaddr=192.168.15.33)
[[email protected] ~]# touch /var/web/web.txt # create a test file to verify rw access
[[email protected] ~]# ll /var/web/
total 0
-rw-r--r-- 1 root root 0 Aug 7 02:03 web.txt
[[email protected] ~]#
Server PAN-Server 192.168.15.22
[[email protected] ~]# ll /var/web/
total 0
-rw-r--r-- 1 root root 0 Aug 7 02:03 web.txt
[[email protected] ~]# vim /etc/exports
[[email protected] ~]# head -n 1 !$
head -n 1 /etc/exports
/var/web 192.168.15.33(rw,async,root_squash)
[[email protected] ~]# service nfs restart
Back on PAN-Client
[[email protected] ~]# umount /var/web/
[[email protected] ~]# mount -a
[[email protected] ~]# touch /var/web/web_squash.txt
[[email protected] ~]# ll !$ # verify the difference between no_root_squash and root_squash
ll /var/web/web_squash.txt
-rw-r--r-- 1 nfsnobody nfsnobody 0 Aug 7 02:13 /var/web/web_squash.txt
[[email protected] ~]#
[[email protected] ~]# useradd shudaipiaoling # add an account matching the user on PAN-Server
[[email protected] ~]# echo 123456 | passwd --stdin shudaipiaoling
Changing password for user shudaipiaoling.
passwd: all authentication tokens updated successfully.
[[email protected] ~]# su - shudaipiaoling
[[email protected] ~]$ touch /var/web/shudaipiaoling.txt # under root_squash an ordinary user can create files
[[email protected] ~]$ ll !$ # verify that ordinary users are not squashed; shudaipiaoling's ownership is kept
ll /var/web/shudaipiaoling.txt
-rw-rw-r-- 1 shudaipiaoling shudaipiaoling 0 Aug 7 02:25 /var/web/shudaipiaoling.txt
[[email protected] ~]$
[[email protected] ~]# echo "192.168.15.22:/var/www/html /var/www/html nfs defaults 0 0" >> /etc/fstab
[[email protected] ~]# mount -a
mount.nfs: access denied by server while mounting 192.168.15.22:/var/www/html
On PAN-Server:
[[email protected] ~]# vim /etc/exports # change the last line to what is shown below:
[[email protected] ~]# tail -n 1 !$
tail -n 1 /etc/exports
/var/www/html/ 192.168.15.3(rw,sync,all_squash) 192.168.15.33(rw,sync,all_squash)
[[email protected] ~]# service nfs restart # restart the service
Back on PAN-Client
[[email protected] shudaipiaoling]# cd
[[email protected] ~]# mount -a
[[email protected] ~]# mount | grep nfs
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
192.168.15.22:/var/web on /var/web type nfs (rw,vers=4,addr=192.168.15.22,clientaddr=192.168.15.33)
192.168.15.22:/var/www/html on /var/www/html type nfs (rw,addr=192.168.15.22)
[[email protected] ~]# touch /var/www/html/all_squash.txt # create a file as root
[[email protected] ~]# ll !$ # verify that root is squashed too and mapped to nfsnobody
ll /var/www/html/all_squash.txt
-rw-r--r-- 1 nfsnobody nfsnobody 0 Aug 7 02:34 /var/www/html/all_squash.txt
[[email protected] ~]#
Now the operations on the client 192.168.15.2 (pan-C), to test ro and how identities are mapped when the user does not exist on PAN-Server.
First, the exports file on PAN-Server 192.168.15.33 currently looks like this:
[[email protected] ~]# cat /etc/exports
/var/web 192.168.15.33(rw,async,root_squash)
/var/data *(ro,sync,all_squash)
/var/www/html/ 192.168.15.3(rw,sync,all_squash) 192.168.15.33(rw,sync,all_squash)
[[email protected] ~]#
On 192.168.15.2 (pan-C)
[[email protected] ~]# mkdir -p /var/data
[[email protected] ~]# chmod a+w !$
chmod a+w /var/data
[[email protected] ~]# ll !$
ll /var/data
total 0
[[email protected] ~]# ll -d /var/data
drwxrwxrwx 2 root root 4096 Aug 7 02:37 /var/data
[[email protected] ~]# echo "192.168.15.22:/var/data /var/data nfs defaults 0 0" >> !$
echo "192.168.15.22:/var/data /var/data nfs defaults 0 0" >> /var/data
bash: /var/data: Is a directory
[[email protected] ~]# echo "192.168.15.22:/var/data /var/data nfs defaults 0 0" >> /etc/fstab
[[email protected] ~]#
[[email protected] ~]# mount -a
[[email protected] ~]# mount | grep nfs
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
192.168.15.22:/var/data on /var/data type nfs (rw,vers=4,addr=192.168.15.22,clientaddr=192.168.15.3)
[[email protected] ~]# touch /var/data/ro_all_squash.txt
touch: cannot touch `/var/data/ro_all_squash.txt': Read-only file system
[[email protected] ~]#
On PAN-Server, edit /etc/exports
[[email protected] ~]# cat /etc/exports
/var/web 192.168.15.33(rw,async,root_squash)
/var/data *(rw,sync,all_squash)
/var/www/html/ 192.168.15.3(rw,sync,all_squash) 192.168.15.33(rw,sync,all_squash)
[[email protected] ~]# service nfs restart
Back on pan-C 192.168.15.2
[[email protected] ~]# useradd test # temporary user test; it does not exist on PAN-Server
[[email protected] ~]# echo 123456 | passwd --stdin !$
echo 123456 | passwd --stdin test
Changing password for user test.
passwd: all authentication tokens updated successfully.
[[email protected] ~]# su test
[[email protected] root]$ touch /var/data/rw_all_squash.txt
[[email protected] root]$ ll !$ # the test user is mapped to nobody
ll /var/data/rw_all_squash.txt
-rw-rw-r-- 1 nobody nobody 0 Aug 7 02:50 /var/data/rw_all_squash.txt
[[email protected] root]$
5. Permissions summary
The shared data lives on the server, and every operation is performed as an account on that server, so the server maps the remote account to one of its own local accounts, depending on the situation, which is where the export options come in. For root: under no_root_squash the remote root is mapped to the local root and keeps its privileges when reading and writing data; by default the remote root is mapped to the nfsnobody account, which is the squash option at work, i.e. when no options are given, root_squash is in effect. When an ordinary remote user accesses the share and the server has no account of that name, the user is mapped to nobody. And whether the remote account is root or an ordinary UID, all_squash maps it to the value of the anonuid option, i.e. the anonymous account, which defaults to 65534 (nfsnobody).
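To make the option reference and the mapping rules above concrete, here is an added example (not code from the original post): a small /etc/exports parser that applies the defaults the page names (ro, wdelay, root_squash, anonuid 65534), computes the UID the server acts as for a given remote UID under each squash option, and flags exports a reviewer would question. The sample exports text is constructed from this page's own entries plus one line with no options; the function names and the risk rules are my own.

```python
import re

ANON_UID = 65534            # default anonuid; nfsnobody on RHEL 6
DEFAULTS = ("ro", "wdelay", "root_squash")  # applied when a client has no "(...)"

def parse_exports(text):
    """Parse /etc/exports text into (path, client, options) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        path, *clients = line.split()             # paths with spaces not handled
        for client in clients:
            m = re.fullmatch(r"([^(]+)(?:\((.*)\))?", client)
            opts = tuple(o for o in m.group(2).split(",") if o) if m.group(2) else DEFAULTS
            entries.append((path, m.group(1), opts))
    return entries

def effective_uid(opts, client_uid):
    """UID the server acts as, following the squash rules described above."""
    anon = ANON_UID
    for o in opts:
        if o.startswith("anonuid="):              # explicit anonymous uid
            anon = int(o.split("=", 1)[1])
    if "all_squash" in opts:
        return anon                               # everyone becomes anonymous
    if client_uid == 0 and "no_root_squash" not in opts:
        return anon                               # root_squash is the default
    return client_uid                             # ordinary uids pass through

def risky(entries):
    """Findings a reviewer would raise: root kept, rw to any host, async."""
    findings = []
    for path, client, opts in entries:
        if "no_root_squash" in opts:
            findings.append((path, client, "remote root keeps root on the server"))
        if client == "*" and "rw" in opts:
            findings.append((path, client, "writable by every host"))
        if "async" in opts:
            findings.append((path, client, "acknowledged writes may be lost on crash"))
    return findings

# Constructed sample: the exports used on this page plus one line with no options
SAMPLE = """
/var/web 192.168.15.33(rw,async,no_root_squash)
/var/data *(ro,sync,all_squash)
/var/www/html/ 192.168.15.3(rw,sync,all_squash) 192.168.15.33(rw,sync,all_squash)
/var/pub 192.168.15.0/24
"""
```

Running risky(parse_exports(SAMPLE)) reports the /var/web export twice, for no_root_squash and for async, which matches the two behaviours the tests above demonstrate and then correct by switching to root_squash.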
III. Automounting the network file system
Client: 192.168.15.106, Mr.pan-S
[[email protected] ~]# showmount -e 192.168.15.22 # list the shares available on the network
Export list for 192.168.15.22:
/var/data *
/var/www/html 192.168.15.33,192.168.15.3
/var/web 192.168.15.33
[[email protected] ~]# cat /etc/redhat-release # show the host's release
Red Hat Enterprise Linux Server release 6.3 (Santiago)
[[email protected] ~]# hostname # show the hostname
Mr.pan-S.com
[[email protected] ~]# vim /etc/auto.master # add the following line:
[[email protected] ~]# awk '/auto.data/ {print $0}' !$
awk '/auto.data/ {print $0}' /etc/auto.master
/var/data /etc/auto.data --timeout=60
[[email protected] ~]#
[[email protected] ~]# vim /etc/auto.data
[[email protected] ~]# awk '/autodata/ {print $0}' !$
awk '/autodata/ {print $0}' /etc/auto.data
autodata -fstype=nfs,rw 192.168.15.22:/var/data # written following the example in /etc/auto.misc; in -fstype the nfs value must come first or the mount will not work
[[email protected] ~]# mkdir -p /var/data
[[email protected] ~]# chmod a+w /var/data
[[email protected] ~]# service autofs restart
Stopping automount: [ OK ]
Starting automount: [ OK ]
[[email protected] ~]#
[[email protected] ~]# cd /var/data/autodata
[[email protected] autodata]# ls
rw_all_squash.txt
[[email protected] autodata]# touch autodata.txt
[[email protected] autodata]# ll !$
ll autodata.txt
-rw-r--r-- 1 nobody nobody 0 Aug 7 04:59 autodata.txt
[[email protected] autodata]# ls
autodata.txt rw_all_squash.txt
[[email protected] autodata]# cd # leave the directory and wait one minute; the mount point disappears
[[email protected] ~]# mount | grep autodata
[[email protected] ~]# ls /var/data/
[[email protected] ~]# cd /var/data/ # enter the mount point again
[[email protected] data]# cd autodata
[[email protected] autodata]# ls # automatically mounted again
autodata.txt rw_all_squash.txt
[[email protected] autodata]# mount | grep autodata # confirm
192.168.15.22:/var/data on /var/data/autodata type nfs (rw,vers=4,addr=192.168.15.22,clientaddr=192.168.15.106)
[[email protected] autodata]#