NFS deployment
Fedora 31 already ships the NFS server tooling: the nfs-utils package is installed, but nfs-server is not enabled or running by default.
[yeqiang@harbor ~]$ rpm -qi nfs-utils
Name : nfs-utils
Epoch : 1
Version : 2.4.1
Release : 1.rc1.fc31
Architecture: x86_64
Install Date: Thu 24 Oct 2019 07:13:57 AM CST
Group : Unspecified
Size : 1690232
License : MIT and GPLv2 and GPLv2+ and BSD
Signature : RSA/SHA256, Tue 03 Sep 2019 10:48:53 PM CST, Key ID 50cb390b3c3359c4
Source RPM : nfs-utils-2.4.1-1.rc1.fc31.src.rpm
Build Date : Tue 03 Sep 2019 10:20:59 PM CST
Build Host : buildvm-12.phx2.fedoraproject.org
Packager : Fedora Project
Vendor : Fedora Project
URL : http://linux-nfs.org/
Bug URL : https://bugz.fedoraproject.org/nfs-utils
Summary : NFS utilities and supporting clients and daemons for the kernel NFS server
Description :
The nfs-utils package provides a daemon for the kernel NFS server and
related tools, which provides a much higher level of performance than the
traditional Linux NFS server used by most users.
This package also contains the showmount program. Showmount queries the
mount daemon on a remote host for information about the NFS (Network File
System) server on the remote host. For example, showmount can display the
clients which are mounted on that host.
This package also contains the mount.nfs and umount.nfs program.
[yeqiang@harbor ~]$ systemctl status nfs-server
● nfs-server.service - NFS server and services
Loaded: loaded (/usr/lib/systemd/system/nfs-server.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Create the directory to export
[yeqiang@harbor ~]$ sudo mkdir /home/nfs -p
[sudo] password for yeqiang:
Configure /etc/exports (this line exports /home/nfs read-write to every host and keeps client root as root on the server; fine for a lab, not for anything reachable from an untrusted network)
/home/nfs *(rw,sync,no_subtree_check,no_root_squash)
Export options (see exports(5)):
(1) ro: the listed host gets read-only access to the export
(2) rw: the listed host gets read-write access
(3) root_squash: requests from uid 0 on the client are mapped to the anonymous user (nobody/nfsnobody, uid 65534 by default); this is the default
(4) no_root_squash: client root keeps uid 0 on the server, so root on any permitted client is root over the whole exported tree
(5) all_squash: every client uid/gid is mapped to the anonymous user
(6) anonuid: the uid the anonymous user is mapped to
(7) anongid: the gid the anonymous user is mapped to
(8) sync: the server replies only after a change has been committed to stable storage (default)
(9) async: the server may reply before data reaches disk; faster, but a server crash can lose or corrupt data the client believes is written
(10) subtree_check: when only a subdirectory of a filesystem is exported, verify on each request that the file really lies inside the exported subtree; a small security gain at a reliability cost, and no longer the default since nfs-utils 1.1.0
(11) no_subtree_check: skip that check (the current default; nfs-utils warns if neither is given)
(12) wdelay: hold a write briefly when it looks like more writes are coming, so they are committed together (default)
(13) no_wdelay: commit each write at once; has no effect when async is also set
(14) hide: when another filesystem is mounted inside an exported directory, that nested filesystem is not visible to clients unless it is exported and mounted separately (default)
(15) nohide: make such a nested filesystem visible inside the parent export (the option is spelled nohide, and it only works for single-host exports; NFSv4 clients cross mount points anyway)
(16) secure: require requests to originate from a client source port below 1024 (default)
(17) insecure: accept requests from any source port; needed for clients that cannot bind privileged ports, but it removes the weak "only root on the client could have sent this" assurance
Enable nfs-server, start it now, and have it start at boot
[yeqiang@harbor ~]$ sudo systemctl enable nfs-server --now
Created symlink /etc/systemd/system/multi-user.target.wants/nfs-server.service → /usr/lib/systemd/system/nfs-server.service.
Mount the export locally (the mount point /mnt/nfs has to exist first)
[yeqiang@harbor mnt]$ sudo mount -t nfs 127.0.0.1:/home/nfs /mnt/nfs
Appendix:
List the exported directories as seen from a client
[yeqiang@harbor mnt]$ sudo showmount -e 127.0.0.1
Export list for 127.0.0.1:
/home/nfs *
Show NFS statistics
[yeqiang@harbor mnt]$ nfsstat
Server rpc stats:
calls badcalls badfmt badauth badclnt
66 0 0 0 0
Server nfs v4:
null compound
2 3% 64 96%
Server nfs v4 operations:
op0-unused op1-unused op2-future access close
0 0% 0 0% 0 0% 6 3% 1 0%
commit create delegpurge delegreturn getattr
0 0% 0 0% 0 0% 0 0% 40 21%
getfh link lock lockt locku
6 3% 0 0% 0 0% 0 0% 0 0%
lookup lookup_root nverify open openattr
9 4% 0 0% 0 0% 2 1% 0 0%
open_conf open_dgrd putfh putpubfh putrootfh
0 0% 0 0% 48 25% 0 0% 4 2%
read readdir readlink remove rename
0 0% 3 1% 0 0% 0 0% 0 0%
renew restorefh savefh secinfo setattr
0 0% 0 0% 0 0% 0 0% 1 0%
setcltid setcltidconf verify write rellockowner
0 0% 0 0% 0 0% 0 0% 0 0%
bc_ctl bind_conn exchange_id create_ses destroy_ses
0 0% 0 0% 4 2% 2 1% 1 0%
free_stateid getdirdeleg getdevinfo getdevlist layoutcommit
0 0% 0 0% 0 0% 0 0% 0 0%
layoutget layoutreturn secinfononam sequence set_ssv
0 0% 0 0% 2 1% 56 29% 0 0%
test_stateid want_deleg destroy_clid reclaim_comp allocate
0 0% 0 0% 1 0% 2 1% 0 0%
copy copy_notify deallocate ioadvise layouterror
0 0% 0 0% 0 0% 0 0% 0 0%
layoutstats offloadcancel offloadstatus readplus seek
0 0% 0 0% 0 0% 0 0% 0 0%
write_same
0 0%
Client rpc stats:
calls retrans authrefrsh
66 0 66
Client nfs v4:
null read write commit open
2 3% 0 0% 0 0% 0 0% 2 3%
open_conf open_noat open_dgrd close setattr
0 0% 0 0% 0 0% 1 1% 1 1%
fsinfo renew setclntid confirm lock
5 7% 0 0% 0 0% 0 0% 0 0%
lockt locku access getattr lookup
0 0% 0 0% 5 7% 11 16% 9 13%
lookup_root remove rename link symlink
2 3% 0 0% 0 0% 0 0% 0 0%
create pathconf statfs readlink readdir
0 0% 3 4% 0 0% 0 0% 3 4%
server_caps delegreturn getacl setacl fs_locations
8 12% 0 0% 0 0% 0 0% 0 0%
rel_lkowner secinfo fsid_present exchange_id create_session
0 0% 0 0% 0 0% 4 6% 2 3%
destroy_session sequence get_lease_time reclaim_comp layoutget
1 1% 2 3% 0 0% 2 3% 0 0%
getdevinfo layoutcommit layoutreturn secinfo_no test_stateid
0 0% 0 0% 0 0% 2 3% 0 0%
free_stateid getdevicelist bind_conn_to_ses destroy_clientid seek
0 0% 0 0% 0 0% 1 1% 0 0%
allocate deallocate layoutstats clone
0 0% 0 0% 0 0% 0 0%
Check the listening ports. Port 111 belongs to rpcbind (socket-activated by systemd, hence the 1/systemd owner), not to nfsd itself; the NFSv4 server listens on 2049/tcp, so the grep below shows only the portmapper:
[yeqiang@harbor mnt]$ sudo netstat -lnetp | grep 111
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 0 18854626 1/systemd
tcp6 0 0 :::111 :::* LISTEN 0 18853787 1/systemd
Firewall: opening 111/tcp is enough for rpcbind and showmount, but not for mounting. An NFSv4 client needs 2049/tcp, and NFSv3 clients additionally need the mountd and lock-manager ports. With firewalld the cleaner form is firewall-cmd --permanent --add-service=nfs (plus --add-service=rpc-bind and --add-service=mountd for v3 clients), followed by firewall-cmd --reload, since --permanent alone does not change the running ruleset. What the post did, opening 111 only:
[yeqiang@harbor mnt]$ sudo firewall-cmd --permanent --add-port=111/tcp
success
NFS access control
With the default AUTH_SYS security flavour NFS does not authenticate users: the server trusts whatever uid and gid the client sends. The only check is which hosts may reach the export, so the host list and the squash options are doing all of the work; real user authentication needs Kerberos (sec=krb5, krb5i or krb5p).
IP-based restriction
Restrict to a single IP address
/home/nfs 127.0.0.1(rw,sync,no_subtree_check,no_root_squash)
Restrict to an IP range (CIDR)
/home/nfs 192.168.0.0/24(rw,sync,no_subtree_check,no_root_squash)
About no_root_squash
With no_root_squash configured (the client mount succeeds, and root on the client creates files as root on the server)
/root/podman-images 10.2.1.0/24(rw,sync,no_root_squash,no_subtree_check)
[root@ceph-191 ceph]# mount.nfs 10.2.1.176:/root/podman-images /mnt/nfsmount/
[root@ceph-191 ceph]# cd /mnt/nfsmount/
[root@ceph-191 nfsmount]# touch a
With root_squash configured (the client mount fails). Root on ceph-191 is squashed to the anonymous user, and the export lives under /root, which is not traversable by other users, so the server refuses the anonymous user access to the path and the mount is denied. The fix is to export a directory the anonymous uid can reach (such as /home/nfs above, or one owned by anonuid), not to turn on no_root_squash, which gives root on every host in 10.2.1.0/24 root rights over the server's files.
/root/podman-images 10.2.1.0/24(rw,sync,root_squash,no_subtree_check)
[root@ceph-191 ceph]# mount.nfs 10.2.1.176:/root/podman-images /mnt/nfsmount/
mount.nfs: access denied by server while mounting 10.2.1.176:/root/podman-images
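The following is an added example, not code from the original post. It turns the export-option notes and the root_squash failure above into two checks a practitioner can run on the server: audit_exports reads an exports file on stdin and flags the risky combinations from exports(5) (a "*" client, no_root_squash, insecure, async), and anon_can_traverse walks every component of an export path and reports the first directory the squashed anonymous user could not enter, which is what stops the /root/podman-images mount. Assumptions: GNU or busybox stat (-c '%a') and a POSIX awk; the sample exports text is constructed for the demo; and only the "other" execute bit is checked, on the assumption that the anonymous uid owns nothing on the path.

```shell
#!/bin/sh
# Added example (not from the original post): audit /etc/exports lines and
# check whether the anonymous (squashed) user can traverse an export path.

# Read exports(5) text on stdin, print one finding per risky client/option,
# exit 1 if anything was flagged and 0 if the file looks clean.
audit_exports() {
    awk '
    /^[[:space:]]*#/ { next }               # comment line
    NF == 0          { next }               # blank line
    {
        path = $1
        # every field after the path is a client spec, optionally "(opts)"
        for (i = 2; i <= NF; i++) {
            spec = $i; client = spec; opts = ""
            if (match(spec, /\(.*\)/)) {
                client = substr(spec, 1, RSTART - 1)
                opts   = substr(spec, RSTART + 1, RLENGTH - 2)
            }
            if (client == "") client = "*"  # "(rw)" with no host means every host
            nrs = ins = asy = 0
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "no_root_squash") nrs = 1
                if (o[j] == "insecure")       ins = 1
                if (o[j] == "async")          asy = 1
            }
            if (client == "*" || client ~ /^\*\./) {
                print path " " client ": exported to every host; restrict to an IP or CIDR"
                found++
            }
            if (nrs) {
                print path " " client ": no_root_squash, client root is root on the server; prefer root_squash"
                found++
            }
            if (ins) {
                print path " " client ": insecure accepts requests from unprivileged source ports"
                found++
            }
            if (asy) {
                print path " " client ": async acknowledges writes before they reach disk"
                found++
            }
        }
    }
    END { exit (found > 0) }'
}

# Walk each directory on the way to $1 (absolute or relative) and return 1 at
# the first one without the other-execute bit, since a squashed client root
# becomes the anonymous uid and needs "x" on every component to look it up.
anon_can_traverse() {
    path=$1
    case $path in /*) cur="" ;; *) cur="." ;; esac
    oldifs=$IFS; IFS=/
    for comp in $path; do
        [ -z "$comp" ] && continue
        cur="$cur/$comp"
        mode=$(stat -c '%a' "$cur") || { IFS=$oldifs; return 2; }
        # the leading 0 makes the shell read the mode as octal; bit 0 is other-x
        if [ $(( 0$mode & 1 )) -eq 0 ]; then
            IFS=$oldifs
            echo "$cur is mode $mode: the anonymous user cannot traverse it"
            return 1
        fi
    done
    IFS=$oldifs
    return 0
}

# Constructed sample: the post's wide-open line beside a restricted one.
SAMPLE_EXPORTS='/home/nfs *(rw,sync,no_subtree_check,no_root_squash)
/home/nfs 192.168.0.0/24(rw,sync,root_squash,no_subtree_check)'

# Demo run; a non-zero status only means findings were printed.
printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports || true
```

On the server, `audit_exports < /etc/exports` reviews the live file and `anon_can_traverse /root/podman-images` reproduces the reason for the denied mount without touching a client; `exportfs -v` shows the options the kernel actually applied after defaults, which is the authoritative view once the file has been loaded.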