NFS (network file system)

1. Introduction to NFS

1.1 NFS features

  • NFS (Network File System) is one of the file systems supported by FreeBSD. It allows computers on a network to share resources over a TCP/IP network
  • In NFS applications, a local NFS client can transparently read and write files on a remote NFS server, just as if they were local files
  • NFS is suitable for file sharing between Linux and Unix systems, but cannot provide file sharing between Linux and Windows
  • NFS is an application-layer protocol that listens on the 2049/tcp and 2049/udp sockets
  • The NFS service can only authenticate clients based on their IP address

1.2 application scenarios of NFS

  • Several machines share one CD-ROM or other device. This is cheaper and makes it easier to install software on many machines
  • In a large network it can be convenient to configure a central NFS server that holds the home directories of all users. These directories are exported to the network, so users always get the same home directory no matter which workstation they log in on
  • Different clients can play video files stored on NFS, saving local disk space
  • Work data produced on the client can be backed up to the user's own path on the NFS server

1.3 system composition of NFS

The NFS system has at least two main parts:

  • An NFS server
  • Several clients

The architecture of the NFS system is as follows:

The client remotely accesses the data stored on the NFS server through the TCP/IP network.
Before the NFS server is put into service, some NFS parameters need to be configured according to the actual environment and requirements.

2. Working mechanism of NFS

NFS relies on RPC to implement network file system sharing, so let's talk about RPC first.

2.1 RPC

RPC (Remote Procedure Call Protocol) is a protocol for requesting services from a program on a remote computer over the network, without needing to understand the underlying network technology.

RPC assumes the existence of some transport protocol, such as TCP or UDP, to carry the data between the communicating programs. In the OSI network model, RPC spans the transport layer and the application layer.

RPC uses the client/server model: the requester is the client and the service provider is the server.


The working mechanism of RPC is shown in the figure above and described below:

  • The client program initiates an RPC call and sends it over TCP to another host (the server)
  • The server listens on a socket. After receiving the call request from the client, it executes the requested procedure with the passed parameters through a local system call and returns the result to the local service process
  • After receiving the execution result, the server's service process encapsulates it into a response message and returns it to the client through the RPC protocol
  • The client's calling process receives the reply, obtains the result of the procedure, and then continues execution.

2.2 working mechanism of NFS

//The NFS server side runs four processes:
    nfsd
    mountd
    idmapd
    portmapper

idmapd  //Implements centralized mapping of user accounts: all accounts are mapped to nfsnobody, although the files can still be accessed as local users

mountd  //Verifies whether the client is in the list of clients allowed to access this NFS file system. If it is, access is allowed (a token is issued and the client goes to nfsd with it); otherwise access is denied
        //The service port of mountd is random; the random port number is obtained from the RPC service (portmapper)

nfsd    //The NFS daemon, which listens on the 2049/tcp and 2049/udp ports
        //It is not responsible for file storage (the local kernel of the NFS server schedules the storage). It interprets the RPC request initiated by the client and passes it to the local kernel, which then stores the data on the specified file system

portmapper  //The RPC service of the NFS server, which listens on the 111/tcp and 111/udp sockets and manages remote procedure calls (RPCs)

The following is an example to illustrate the simple workflow of NFS:

Requirement: view the information of a file stored on the remote NFS server host (mounted in the local directory /shared/nfs)

  • The client issues an instruction to view the file information (ls file) to the kernel. Through the NFS module, the kernel knows that this file is not in the local file system but on the remote NFS host
  • The client kernel encapsulates the instruction (system call) into an RPC request through the RPC protocol and sends it to the portmapper of the NFS server host through TCP port 111
  • The portmapper (RPC service process) of the NFS server host tells the client which port the mountd service of the NFS server is on, and sends the client there for verification

Because mountd must register its port number with portmapper when it starts providing service, portmapper knows which port it works on

  • Once the client knows the port number of the server's mountd process, it requests verification on that port
  • After receiving the verification request, mountd checks whether the requesting client is in the list of clients allowed to access the NFS file system. If it is, access is allowed (a token is issued and the client goes to nfsd with it); otherwise access is denied
  • After verification passes, the client takes the token issued by mountd to the server's nfsd process and requests to view the file
  • The nfsd process on the server initiates a local system call asking the kernel to look up the information of the file requested by the client
  • The server kernel executes the system call requested by nfsd and returns the result to the nfsd service
  • After receiving the result from the kernel, the nfsd process encapsulates it into an RPC reply message and returns it to the client through TCP/IP
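The portmapper lookup in the steps above, as an added example that is not part of the original page: it parses constructed "rpcinfo -p" output to find the port mountd registered (what portmapper answers on 111), then labels the TCP listeners of an "ss -antl" listing by RPC program. The rpcinfo table and the ss lines are constructed sample data (the mountd port 20048 is taken from the listing in section 5; the other entries are assumed), so the owner of port 39263 is deliberately not in the table.

```python
# Constructed sample in the format of "rpcinfo -p" on an NFS server. The
# mountd port (20048) matches the listener in section 5; the rest is assumed.
RPCINFO_P = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100005    3   tcp  20048  mountd
    100005    3   udp  20048  mountd
    100003    4   tcp   2049  nfs
    100003    4   udp   2049  nfs
"""

# Constructed copy of the first "ss -antl" lines from section 5.
SS_ANTL = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      64           0.0.0.0:39263     0.0.0.0:*
LISTEN 0      64           0.0.0.0:2049      0.0.0.0:*
LISTEN 0      128          0.0.0.0:111       0.0.0.0:*
LISTEN 0      128          0.0.0.0:20048     0.0.0.0:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
"""

def parse_rpcinfo(text):
    """Turn rpcinfo -p output into {(service, proto): port}."""
    regs = {}
    for line in text.splitlines()[1:]:          # skip the header row
        _program, _vers, proto, port, service = line.split()
        regs[(service, proto)] = int(port)
    return regs

def lookup_port(regs, service, proto="tcp"):
    """What portmapper answers: the port 'service' registered, or None."""
    return regs.get((service, proto))

def label_listeners(ss_text, regs):
    """Map each TCP listener in ss -antl output to the RPC service registered
    on that port (None when no RPC program registered it, e.g. sshd on 22)."""
    by_port = {port: svc for (svc, proto), port in regs.items() if proto == "tcp"}
    labelled = []
    for line in ss_text.splitlines():
        if not line.startswith("LISTEN"):
            continue
        _addr, _, port = line.split()[3].rpartition(":")   # "0.0.0.0:2049"
        labelled.append((int(port), by_port.get(int(port))))
    return labelled

if __name__ == "__main__":
    regs = parse_rpcinfo(RPCINFO_P)
    print("mountd tcp port:", lookup_port(regs, "mountd"))      # 20048
    for port, service in label_listeners(SS_ANTL, regs):
        print(f"{port:>6}  {service or '(not an RPC service)'}")
```

Listeners bound to 0.0.0.0 that are labelled with an RPC program are exactly the ones exposed to every network once the firewall is stopped, as in section 5.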

3. Format of exports file

The main configuration file of NFS is /etc/exports. In this file you define the exported (shared) directories of the NFS system, their access permissions and the hosts allowed to access them. The file is empty by default, so no shared directory is exported. This is a security measure: even if NFS is started, no shared resource is exported until it is configured.

Each line in the exports file provides the setting of a shared directory. The command format is:

<Output directory> [Client 1(Option 1,Option 2,...)] [Client 2(Option 1,Option 2,...)]

Except for the output directory, which is required, the other parameters are optional. In this format the output directory is separated from the clients by spaces, and the clients from each other, but there must be no space between a client and its options.

A client is a computer on the network that may access this NFS shared directory. Clients can be specified very flexibly: as the IP address or domain name of a single host, or as all hosts in a subnet or domain.

4. NFS management

nfs installation:

//install
    yum -y install nfs-utils

//start-up
    systemctl start rpcbind nfs-server

Use the showmount command to check the exported directories of the NFS server:

//Syntax: showmount [options] [NFS server name or address]
//Common options are:
    -a  //Displays all client hosts of the specified NFS server and the directories to which they are connected
    -d  //Displays all output directories connected by clients in the specified NFS server
    -e  //Displays the shared directory of all outputs on the specified NFS server

Mount the shared file system on the NFS client:

mount -t nfs SERVER:/path/to/sharedfs /path/to/mount_point

Set the client to mount NFS automatically at startup: edit the /etc/fstab file and add a line in the following format

SERVER:/PATH/TO/EXPORTED_FS /mnt_point nfs defaults,_netdev 0 0

Special options available for client mount:

  • rsize: the number of bytes (buffer size) read from the server per request. The default is 1024; a higher value such as 8192 can improve the transfer speed
  • wsize: the number of bytes (buffer size) written to the server per request. The default is 1024; a higher value such as 8192 can improve the transfer speed

exportfs        //Tool for maintaining the table of file systems exported according to the exports file
    -a      //Export all directories set in the /etc/exports file
    -r      //Reread the settings in the /etc/exports file and make them take effect immediately, without restarting the service
    -u      //Stop exporting a directory
    -v      //Display the directories on screen while exporting them

Check the options used by an exported directory:
In the configuration file /etc/exports, even if only one or two options are set on a line, many default options are actually applied when the directory is exported. You can see which options are in effect by looking at the /var/lib/nfs/etab file

[root@localhost ~]# cat /var/lib/nfs/etab
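An added example, not from the original page, of reading the format described in section 3 and the effective options in /var/lib/nfs/etab (same syntax): the parser enforces the "no space between client and options" rule and reports the settings a reviewer should question, since NFS authorizes by client address only. The sample export lines are constructed, modelled on the section 5 example plus one riskier line; the findings are assumptions about what a review would flag, not output of any NFS tool.

```python
import re

# One client token: a host spec optionally followed by "(opt1,opt2=value,...)".
_CLIENT = re.compile(r"^(?P<host>[^()\s]+)(?:\((?P<opts>[^()]*)\))?$")

def parse_export_line(line):
    """Parse an /etc/exports or /var/lib/nfs/etab line (same syntax) into
    (dir, [(client, {opt: value-or-None}), ...]). A bare "(opts)" token (space
    before the parenthesis) is rejected: exportfs reads it as export to every host."""
    fields = line.split("#", 1)[0].split()
    if not fields:
        return None
    clients = []
    for token in fields[1:]:
        match = _CLIENT.match(token)
        if match is None:
            raise ValueError(f"malformed client spec {token!r} in: {line.strip()}")
        opts = {}
        for opt in filter(None, (match.group("opts") or "").split(",")):
            name, _, value = opt.partition("=")
            opts[name] = value or None
        clients.append((match.group("host"), opts))
    return fields[0], clients

def audit_exports(text):
    """Return [(dir, client, finding), ...] for settings a reviewer should question."""
    findings = []
    for line in text.splitlines():
        parsed = parse_export_line(line)
        if parsed is None:
            continue
        directory, clients = parsed
        for host, opts in clients:
            if "*" in host:  # NFS only checks the caller's address, never the user
                findings.append((directory, host, "wildcard client: any matching host may mount"))
            if "no_root_squash" in opts:
                findings.append((directory, host, "no_root_squash: client root is root on the export"))
            if ("anonuid" in opts or "anongid" in opts) and "all_squash" not in opts:
                findings.append((directory, host, "anonuid/anongid without all_squash: "
                                 "only root is mapped to them, other users keep their own IDs"))
    return findings

# Constructed sample modelled on section 5, plus one riskier line.
SAMPLE_EXPORTS = """\
/nfs/shared *
/nfs/upload/ 192.168.249.146/24(rw,anonuid=300,anongid=300)
/srv/backup 10.0.0.0/8(rw,no_root_squash)
"""

if __name__ == "__main__":
    print(*audit_exports(SAMPLE_EXPORTS), sep="\n")
```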

5. Application examples

1. Manually build an NFS server

Requirements:
  • Open the /nfs/shared directory to all users
  • Open the /nfs/upload directory as the data upload directory for the 172.16.12.0/24 network segment, with all users and their groups mapped to nfs-upload, whose UID and GID are both 300
Install NFS
[root@145 ~]# yum -y install nfs-utils
Start the service
[root@145 ~]# ss -antl
State  Recv-Q  Send-Q   Local Address:Port    Peer Address:Port Process 
LISTEN 0       64             0.0.0.0:39263        0.0.0.0:*            
LISTEN 0       64             0.0.0.0:2049         0.0.0.0:*            
LISTEN 0       128            0.0.0.0:111          0.0.0.0:*            
LISTEN 0       128            0.0.0.0:20048        0.0.0.0:*            
LISTEN 0       128            0.0.0.0:22           0.0.0.0:*            
LISTEN 0       128            0.0.0.0:53047        0.0.0.0:*            
LISTEN 0       64                [::]:2049            [::]:*            
LISTEN 0       128               [::]:34703           [::]:*            
LISTEN 0       128               [::]:111             [::]:*            
LISTEN 0       128               [::]:20048           [::]:*            
LISTEN 0       128               [::]:22              [::]:*            
LISTEN 0       64                [::]:44635           [::]:*            
Turn off the firewall and SELinux
[root@145 ~]# systemctl stop firewalld
[root@145 ~]# setenforce 0
Verify on the client
[root@146 ~]# showmount -e 192.168.249.145
Export list for 192.168.249.145:
/nfs/shared *
Configure the server
[root@145 ~]# groupadd  -g 300 nfsupload
[root@145 ~]#  useradd -u 300 -g 300 nfsupload
[root@145 ~]# id nfsupload
uid=300(nfsupload) gid=300(nfsupload) group=300(nfsupload)
[root@145 ~]# vim /etc/exports
/nfs/upload/ 192.168.249.146/24(rw,anonuid=300,anongid=300)
[root@145 ~]# setfacl -m u:nfsupload:rwx /nfs/upload/
[root@145 ~]# setfacl -m g:nfsupload:rwx /nfs/upload/
Verify on the client
[root@146 ~]# showmount -e 192.168.249.145
Export list for 192.168.249.145:
/nfs/upload/ 192.168.249.146/24
[root@146 ~]# mount -t nfs 192.168.136.129:/nfs/upload/ /nfs

Added by roach on Mon, 31 Jan 2022 12:53:06 +0200