NFS
Definitions
- File system: a collection of data, normally stored on a device such as a hard disk partition, which can be accessed in Linux via the directory structure
- NFS (Network File System): allows directories and files to be shared across a network
- Why?
  - Centralize support tasks (ie, backups)
  - Reduce the need for local disk storage
  - Prevent unnecessary duplication of the data on multiple systems
  - Share data among users in a group
How does it work?
Review of OSI Model
| Application | Provides interfaces for apps to access network services |
| Presentation | Defines format for network communication |
| Session | Manages the dialog between two computers |
| Transport | Solves transmission problems, flow control, reliability |
| Network | Addresses the package, determines best route |
| Data-link | Converts data frames to bits, or bits to data frames |
| Physical | Converts bits to signals, knows what signal to use on cable type |
From the OSI Perspective:
- Application layer
  - Any program accessing an NFS mounted file system
- Presentation layer
  - XDR (External Data Representation)
  - Required for a heterogeneous network
  - A way to encode RPC messages so they can be read on different machine architectures
- Session layer
  - RPC (Remote Procedure Call) protocol
  - Written by Sun in the early 1990s
  - A way of doing network programming
  - The procedure appears to be part of the local process, but it is executed on another machine
  - RPC bundles the arguments passed to the procedure in a network datagram
- Transport layer
  - RPC services may be built on either TCP or UDP, but typically UDP
  - UDP (connectionless transport): no guarantee of packet order or arrival
  - Each request is self-contained; the server doesn't track requests (stateless)
Client / Server
- The relationship between the host owning the resource and the client requesting it.
- The resource being a shared filesystem (NFS)
Mounting Protocol
- The client sends a request to the server with the path name of the directory to be mounted on the client's directory
- If the path name exists and has been exported by the server, the server returns a file handle
  - file system type, disk, directory's inode number, permissions info
- Automounting is also supported
File Service Interface
- The server only retrieves the blocks requested, not the whole file
- The client requests a file offset (current location in the file to be read)
- The client keeps a table of open files
- When the client is done with a block of data, it is written back to the server
  - Updates are not written instantly; there is a small delay.
- NFS uses read-ahead to improve access to sequential data
- Typically 8K block size
What happens to the open file while you are writing to it?
- Changes are only seen by other users (or other processes) when the file has been updated (:w in vi) or closed (:wq)
- Results are not predictable if two people are modifying the same file
  - The last process to close the file gets the changes
File Locking
- Performed by lockd and statd
- Not perfect!
NFS Client Side
Mount point
- The path in the directory structure where the data in a file system can be accessed
Mount utility
- Serves to attach a filesystem found on a device or remote machine to a mount point.
Procedure to mount a remote filesystem
mount hostname:remote-directory local-directory
# mkdir /mnt/gandalf
# mount gandalf:/var/ftp/pub/rh7.3 /mnt/gandalf
NOTE: You may need to use the server's IP number if your machine cannot resolve the hostname.
Query a fileserver to see what filesystems are exported (available to share)
$ showmount -e gandalf
Export list for gandalf:
/var/ftp/pub/rh7.3 10.2.135.0/24
Note: RPC is simply connecting to the portmapper on port 111 (tcp or udp), and asking on which port a particular service can be found. In the case of NFS, you are asking which port is running mountd, and nfsd.
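As an added illustration, not part of the original notes, of the XDR encoding and RPC layering described above and of the portmapper query in the note: the Python below builds the same GETPORT call that rpcinfo sends to port 111 and decodes the reply. The program numbers match the rpcinfo -p listing further down this page; query_portmapper and SAMPLE_REPLY are this example's own additions.

```python
import os
import socket
import struct

# Well-known RPC program numbers, as in the rpcinfo -p listing above.
PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
NFS_PROG, MOUNT_PROG = 100003, 100005
IPPROTO_TCP, IPPROTO_UDP = 6, 17

def xdr_uints(*values):
    """XDR encodes each unsigned int as 4 big-endian bytes, so every
    machine architecture decodes the message the same way."""
    return b"".join(struct.pack(">I", v) for v in values)

def build_getport_call(xid, prog, vers, proto):
    """RPC v2 CALL to the portmapper: which port serves prog/vers/proto?
    Credentials and verifier are AUTH_NULL (flavor 0, zero-length body)."""
    return xdr_uints(
        xid, 0,                                     # xid, msg_type = CALL
        2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT,  # rpc vers, prog, vers, proc
        0, 0,                                       # cred: AUTH_NULL, length 0
        0, 0,                                       # verf: AUTH_NULL, length 0
        prog, vers, proto, 0,                       # pmap args; port is ignored
    )

def parse_getport_reply(xid, data):
    """Decode the RPC REPLY and return the port (0 means not registered)."""
    n = len(data) // 4
    words = struct.unpack(">%dI" % n, data[:n * 4])
    if len(words) < 6 or words[0] != xid or words[1] != 1:   # 1 = REPLY
        raise ValueError("not a reply to our xid")
    if words[2] != 0:                                        # 0 = MSG_ACCEPTED
        raise ValueError("call denied by the server")
    i = 5 + (words[4] + 3) // 4                              # skip verifier body
    if i + 1 >= len(words) or words[i] != 0:                 # 0 = SUCCESS
        raise ValueError("call not successful")
    return words[i + 1]

def query_portmapper(host, prog, vers, proto=IPPROTO_UDP, timeout=2.0):
    """Send the call over UDP to port 111, which is what rpcinfo does for
    one program, and return the port reported. Needs a reachable server."""
    xid = int.from_bytes(os.urandom(4), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_getport_call(xid, prog, vers, proto), (host, 111))
        data, _ = sock.recvfrom(1024)
    return parse_getport_reply(xid, data)

# Constructed reply for nfs v2/UDP as in the listing: xid, REPLY, MSG_ACCEPTED, AUTH_NULL verf (0, 0), SUCCESS, 2049.
SAMPLE_REPLY = xdr_uints(42, 1, 0, 0, 0, 0, 2049)
```

Running query_portmapper("gandalf", NFS_PROG, 2) against your own server is the programmatic equivalent of reading the nfs line from rpcinfo -p, and is a quick way to confirm which ports your firewall rules must cover.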
NFS Server Side
# exportfs -r
Checking Server Daemons
- rpcinfo will allow you to view the port on which your client will be connecting.
$ rpcinfo -p
program vers proto port
100000 2 tcp 111 portmapper
100024 1 udp 938 status
100005 1 udp 1025 mountd
100003 2 udp 2049 nfs
NFS uses the following daemons:
- portmapper, mountd, nfsd, status, rquotad
Checking the status of nfsd startup on RH Linux machines
$ chkconfig --list | grep nfs
nfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off
nfslock 0:off 1:off 2:off 3:on 4:on 5:on 6:off
Starting nfsd at system start time
# chkconfig nfs on
- You have created symbolic links in run levels 3, 4 and 5 using the chkconfig command.
- chkconfig reads its configuration from the nfs script in /etc/init.d
  - builds symbolic links in the directories specified with a stop and start priority
From the chkconfig man page:
For example, random.init has these three lines:
# chkconfig: 2345 20 80
# description: Saves and restores system entropy pool for \
# higher quality random number generation.
This says that the random script should be started in levels 2, 3, 4, and 5, that its start priority should be 20, and that its stop priority should be 80.
$ chkconfig --list | grep nfs
nfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
nfslock 0:off 1:off 2:off 3:on 4:on 5:on 6:off
Starting nfsd now!
# /etc/init.d/nfs start
OR
# service nfs start
Starting NFS services: [ OK ]
Starting NFS quotas: [ OK ]
Starting NFS mountd: [ OK ]
Starting NFS daemon: [ OK ]
Troubleshooting Problems
rpcinfo
- Make sure the client is running portmapper
- Make sure the server RPC daemons are running on the server
nfsstat
- nfsstat -s : statistics for the server process (set to zero when the process started)
- nfsstat -c : statistics for the client process
Check your firewall configuration
- Your firewall configuration may be blocking NFS ports
- You need to figure out which ports NFS is using! Use rpcinfo -p servername
- The commands below flush your ipchains rules and rewrite the ipchains config file
  - You may want to save that file first!
# cp /etc/sysconfig/ipchains /etc/sysconfig/ipchains.svd
# ipchains -L
# ipchains -F
# service ipchains save
# service ipchains stop
# chkconfig ipchains off
# ipchains -L
- The /etc/services file contains a mapping of well known services to port numbers
  - look for portmap (sunrpc) and nfs
# less /etc/services
Looking at open ports on your machine
- Use nmap on your own machine to find open ports
# nmap localhost -p 1-65535
- lsof without options shows every open file on your system; -i: open socket info, +M: include portmapper.
# lsof -i +M
- netstat -a shows all open connections, t: tcp, u: udp
# netstat -atu
Example:
# nmap localhost -p 1-65535
Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 65493 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
111/tcp open sunrpc
953/tcp open rndc
6000/tcp open X11
32768/tcp open unknown
Nmap run completed -- 1 IP address (1 host up) scanned in 22 seconds
# lsof | grep 32768
rpc.statd 790 root 4u IPv4 1237 UDP *:32768
rpc.statd 790 root 6u IPv4 1240 TCP *:32768 (LISTEN)
Typical ports used:
| Client port | Server port | Name |
| 600:1023/tcp | 111/tcp | Sunrpc |
| 600:1023/udp | 111/udp | Sunrpc |
| 600:1023/tcp | 635/tcp | Mount |
| 600:1023/udp | 635/udp | Mount |
| 760:800/tcp | 2049/tcp | NFS |
| 600:1023/udp | 2049/udp | NFS |
NFS Security
Files:
/etc/hosts.allow
/etc/hosts.deny
/etc/exports
What is host-based security?
- host patching
- host firewall
- host anti-virus software
- host IDS (Intrusion Detection System)
An example of Linux host-based security
- TCP-wrappers
- ipchains/iptables
Rule of thumb
- Don't export NFS outside your local network
- Block TCP and UDP port 2049 at your firewall
- Block access to the portmap daemon, which listens on port 111, at your firewall
NFS file access is based on UID, GID
- Make sure your users have unique UIDs
  - or they will have access to each other's NFS mounted files
- Users with root access can su to any user they want
  - Use root squashing when exporting filesystems
  - This is the default with the Linux NFS server
  - The root user will not have root access to the NFS mounted filesystem
tcp_wrappers
- Files: /etc/hosts.allow and /etc/hosts.deny
- Provides host-based access control lists for network services
- The service has to be compiled against libwrap
How it works
- The client connects to a tcp_wrapped service
- The file hosts.allow is consulted first; if the client has access rights, the service is delivered
- If the client doesn't have access in hosts.allow, hosts.deny is consulted
- If neither file matches the client, access is granted
Example configuration
# cat /etc/hosts.allow
ALL: 127.0.0.1
sendmail : ALL
https : ALL
http : ALL
sshd : ALL EXCEPT .crack.org 131.131.140.49
in.ftpd : 192.168.1.0/255.255.255.0
imapd : 192.168.1.0/255.255.255.0
in.telnetd, portmap : 192.168.1.25 192.168.1.1
# cat /etc/hosts.deny
ALL : ALL : spawn /bin/echo `date` %c %d >> /var/log/tcpwrap.deny
In the above example, you are able to log denials. The %c is replaced with the client name, the %d is replaced with the daemon name.
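The hosts.allow-then-hosts.deny decision described under "How it works", as an added example that is not part of the original notes: a small Python evaluator run over a constructed subset of the configuration above, including the ALL EXCEPT and net/mask forms. Hostname-to-address mapping is left out; the caller passes the client IP and (optionally) its resolved name.

```python
import ipaddress

# Constructed copies of the two files above (hosts.deny written with the
# second ':' that separates the client list from the spawn option).
HOSTS_ALLOW = """
ALL: 127.0.0.1
sendmail : ALL
sshd : ALL EXCEPT .crack.org 131.131.140.49
in.ftpd : 192.168.1.0/255.255.255.0
in.telnetd, portmap : 192.168.1.25 192.168.1.1
"""
HOSTS_DENY = "ALL : ALL : spawn /bin/echo `date` %c %d >> /var/log/tcpwrap.deny\n"

def client_matches(pattern, ip, hostname):
    """One client pattern: ALL, a .domain suffix, net/mask, or an exact name/IP."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):               # .crack.org matches evil.crack.org
        return hostname.endswith(pattern)
    if "/" in pattern:                        # 192.168.1.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (ip, hostname)

def list_matches(field, match_one):
    """'A B EXCEPT C D' matches when (A or B) matches and (C or D) does not."""
    items = field.replace(",", " ").split()
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        return (list_matches(" ".join(items[:i]), match_one)
                and not list_matches(" ".join(items[i + 1:]), match_one))
    return any(match_one(item) for item in items)

def file_matches(text, daemon, ip, hostname):
    """True if some 'daemon_list : client_list [: options]' line matches."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(":")
        if len(fields) < 2:
            continue
        if (list_matches(fields[0], lambda d: d in ("ALL", daemon))
                and list_matches(fields[1], lambda c: client_matches(c, ip, hostname))):
            return True
    return False

def access_allowed(daemon, ip, hostname="", allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcp_wrappers order: hosts.allow first, then hosts.deny, else permit."""
    if file_matches(allow, daemon, ip, hostname):
        return True
    if file_matches(deny, daemon, ip, hostname):
        return False
    return True
```

Because the deny file ends with ALL : ALL, any daemon not named in hosts.allow (nfsd, for instance) is refused from everywhere except 127.0.0.1, which is the closed-by-default posture the notes recommend.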
Automatic Mounting of Filesystems
/etc/fstab
automount
The /etc/fstab configuration file
- The key to automounting file systems
- Used by the mount command
- Contains the following fields
  - Device where the file system is located
  - Mount point in the directory structure where the device will be accessed after being mounted
  - File system type
  - Options that apply (very important)
  - Whether the file system can respond to the dump command
  - Order used to check file systems when Linux is booted
LABEL=/ / ext3 defaults 1 1
/dev/sdb6 /usr/bin ext3 defaults 1 2
#/dev/sdb6 /mnt/ro ext3 defaults 1 2
none /dev/pts devpts gid=5,mode=620 0 0
none /proc proc defaults 0 0
none /dev/shm tmpfs defaults 0 0
LABEL=/var /var ext3 defaults 1 2
/dev/sdb5 swap swap pri=1,defaults 0 0
/dev/sda5 swap swap pri=1,defaults 0 0
/dev/sdb1 /home ext3 usrquota 1 2
/dev/cdrom /mnt/cdrom iso9660 owner,kudzu,ro,nosuid 0 0
/dev/fd0 /mnt/floppy auto noauto,owner,kudzu,nosuid 0 0
gandalf:/var/ftp/pub/rh7.3 /mnt/gandalf nfs defaults 0 0
Settings for the Options Field in the /etc/fstab file
| async | Specifies that all reads and writes to the file system should be asynchronous, ie, buffered in memory to improve access speed. |
| auto | Specifies that the file system should be automatically mounted at boot time or when the mount command is used with the -a option. |
| dev | Permits block or character special devices on the file system (as found in the /dev directory) to be interpreted. |
| exec | Permits execution of binaries stored on the file system. |
| noauto | Can only be mounted explicitly, ie, the -a option will not cause the file system to be mounted. |
| noexec | Do not allow execution of any binaries on the mounted file system. Useful for a server's file system containing binaries for architectures other than its own. |
| nouser | Only root can mount the file system. |
| ro | Mount the file system read-only. |
| rw | Mount the file system read-write. |
| suid | Allows set-user-ID permissions to be used on this file system. |
| user | Allow an ordinary user to mount the file system, ie, floppy or CDROM. |
| owner | Owner is similar to user, with the restriction that the user must be the owner of the device, e.g. for /dev/fd if a login script makes the console user owner of this device. |
| users | Same as the user option, except any user can unmount the device. |
| defaults | Use default options: rw, suid, dev, exec, auto, nouser, and async. |
Additional Points about the Options Field
- The last options listed on each line of the fstab file override any earlier options used on the same line
- The options can be added to the mount command by using the -o parameter
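As an added example, not from the original notes, the Python below resolves an fstab options field the way the two points above describe (expanding defaults, later option overrides its earlier opposite) and then flags NFS entries that still carry suid or dev, which is what the gandalf line with defaults gets. The FSTAB excerpt is constructed from the listing above plus a hypothetical tightened mount point.

```python
# Toggle pairs from the options table: the later one on a line wins.
TOGGLES = [("rw", "ro"), ("suid", "nosuid"), ("dev", "nodev"), ("exec", "noexec"),
           ("auto", "noauto"), ("nouser", "user"), ("async", "sync")]
OPPOSITE = {a: b for a, b in TOGGLES}
OPPOSITE.update({b: a for a, b in TOGGLES})
DEFAULTS = ["rw", "suid", "dev", "exec", "auto", "nouser", "async"]

# Constructed excerpt: two lines from the fstab above plus a hypothetical
# tightened copy of the NFS mount on a second mount point.
FSTAB = """
LABEL=/ / ext3 defaults 1 1
/dev/cdrom /mnt/cdrom iso9660 owner,kudzu,ro,nosuid 0 0
gandalf:/var/ftp/pub/rh7.3 /mnt/gandalf nfs defaults 0 0
gandalf:/var/ftp/pub/rh7.3 /mnt/gandalf-ro nfs ro,nosuid,nodev 0 0
"""

def effective_options(opts):
    """Expand 'defaults', then let each later option replace its opposite."""
    result = []
    for opt in opts.split(","):
        for o in (DEFAULTS if opt == "defaults" else [opt]):
            for stale in (o, OPPOSITE.get(o)):
                if stale in result:
                    result.remove(stale)
            result.append(o)
    return result

def parse_fstab(text):
    """One dict per entry: the six fields, with options already resolved."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) < 4:
            raise ValueError("malformed fstab line: %r" % line)
        dump, passno = (fields + ["0", "0"])[4:6]   # dump and fsck order default to 0
        entries.append({"device": fields[0], "mount": fields[1], "type": fields[2],
                        "options": effective_options(fields[3]),
                        "dump": int(dump), "pass": int(passno)})
    return entries

def lax_nfs_mounts(entries):
    """NFS mounts still honouring set-UID binaries or device nodes served by
    the remote host ('defaults' grants suid and dev); maps mount -> missing."""
    return {e["mount"]: [o for o in ("nosuid", "nodev") if o not in e["options"]]
            for e in entries
            if e["type"] == "nfs" and not {"nosuid", "nodev"} <= set(e["options"])}
```

Root squashing on the server (see NFS Security) stops root on the client from creating such files, but nosuid and nodev on the client side mean a set-UID binary placed on the export by any other user cannot be used to gain privileges on the client either.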
Exercise: Tcpdump
- Check traffic between client and server with tcpdump
- You can use IP numbers for the host names
# tcpdump host server-name and host client-name -s 512
Mounting a filesystem from the Windows 2000 machine, oaxaca, onto the Linux machine, ponto.
On ponto, start the tcpdump command in one window:
# tcpdump host ponto and host oaxaca -s 512
Issue the mount command in another window:
# mount -t smbfs -o username=pattyo //oaxaca/teaching /mnt/teaching
tcpdump: listening on eth0
10:30:07.668741 ponto.example.com.33756 > oaxaca.example.com.netbios-ssn: P 3597267976:3597268015(39) ack 3945417449 win 5840 <nop,nop,timestamp 126736208 4157496>NBT Packet (DF)
10:30:07.668741 arp who-has ponto.example.com tell oaxaca.example.com
10:30:07.668741 arp reply ponto.example.com is-at 0:1:2:65:95:25
10:30:07.668741 oaxaca.example.com.netbios-ssn > ponto.example.com.33756: P 1:40(39) ack 39 win 16852 <nop,nop,timestamp 4159607 126736208>NBT Packet (DF)
# tcpdump host ponto and host mammoth -s 512
# mount ponto:/distro /mnt/distro
# ls /mnt/distro/README*
10:56:17.508741 mammoth.example.com.1534335040 > ponto.example.com.nfs: 116 access fh 0,1/16779264 0002 (DF)
10:56:17.508741 ponto.example.com.nfs > mammoth.example.com.1534335040: reply ok 120 access c 0002 (DF)
...
Use the -v option to get more information
On the client machine, cat an ascii file:
# cat TRANS.TBL
On the server, run tcpdump:
# tcpdump host ponto and host mammoth -s 512
11:36:13.908741 mammoth.example.com.3614775360 > ponto.example.com.nfs: 136 lookup fh Unknown/1 "TRANS.TBL" (DF)
11:36:13.908741 ponto.example.com.nfs > mammoth.example.com.3614775360: reply ok 232 lookup fh Unknown/1 (DF)
11:36:13.908741 mammoth.example.com.3631552576 > ponto.example.com.nfs: 128 access fh Unknown/1 0001 (DF)
11:36:13.908741 ponto.example.com.nfs > mammoth.example.com.3631552576: reply ok 120 access c 0001 (DF)
11:36:13.908741 mammoth.example.com.3648329792 > ponto.example.com.nfs: 136 read fh Unknown/1 4096 bytes @ 0x000000000 (DF)
11:36:13.928741 ponto.example.com.nfs > mammoth.example.com.3648329792: reply ok 176 read (DF)
- Mammoth asks ponto for a file handle (fh) for the file TRANS.TBL.
- Ponto replies with an ok and the file handle
- Mammoth checks the access permissions on the file
- Ponto replies with the permissions
- Mammoth issues the read which was generated by the cat command.