8/13/2019 Network File System1
Network File System (NFS)
NFS was designed by Sun Microsystems in the early 1980s and later published as an open standard, RFC 1094 (March 1989). Because NFS is an open standard it is not limited to UNIX systems but can also run on many other platforms. NFS lets a system share its directories and files with others over the network. Using NFS, users and programs can access files on remote systems as if they were local files. NFS is commonly used to provide home directories and access to applications.
The advantages of using NFS are many, especially for GNU/Linux networks, for example:
1) Simpler application management: it is enough to install an application once on the NFS server and all other users can access it, so it does not have to be installed locally at every site.
2) Centralized backup: all home directories, applications and so on can be kept on one or a few servers controlled by the administrator.
NFS uses Remote Procedure Call (RPC), is stateless (in versions 2 and 3), has traditionally communicated over UDP (User Datagram Protocol), although TCP is also supported and is the default transport on current Linux clients, and is built around a client-server architecture. NFS is described as a stateless protocol, meaning that neither the client nor the server enters a state that depends on earlier or later information.
This is possible because all the information that is needed is carried in the parameters of the functions passed to the server and returned to the client. This statelessness adds a degree of reliability to NFS: a server can crash and come back, and a client simply retries its requests.
Passing RPC messages between different platforms is made possible by the XDR protocol.
As mentioned, NFS (and RPC) is used on many different platforms. To support these different platforms, XDR (External Data Representation) was developed. Like NFS, XDR was developed by Sun Microsystems and is an open standard (RFC 1014). XDR defines a framework that must be used to encode the values carried in an RPC message. Because of this standardized framework, RPC messages can be exchanged between different platforms regardless of their native byte order and word size.
Some of the most important benefits NFS can provide are:
1. Local workstations use less disk space, because commonly used data can be stored on a single machine and still remain accessible to the others over the network.
2. Users do not need separate home directories on every machine in the network. Home directories can be created on the NFS servers and be
(GB);
2. Support for asynchronous writes on the server, to improve write performance;
3. Additional file attributes in many replies, to avoid the need to re-fetch them;
4. A READDIRPLUS operation, to get file handles and attributes along with file names when scanning a directory;
5. Assorted other improvements.
At the time Version 3 was introduced, vendor support for TCP as a transport-layer protocol began to grow. While some vendors had already added support for NFS Version 2 with TCP as a transport, Sun Microsystems added support for TCP as a transport for NFS at the same time it added support for Version 3.
Using TCP as the transport made using NFS over a WAN more feasible.
Version 4 (RFC 3010, December 2000; revised in RFC 3530, April 2003), influenced by AFS and CIFS, includes performance improvements, mandates strong security, and introduces a stateful protocol.
Version 4 became the first version developed with the Internet Engineering Task Force (IETF) after Sun Microsystems handed over development of the NFS protocols.
NFS version 4.1 (RFC 5661, January 2010) aims to provide protocol support to take advantage of clustered server deployments, including the ability to provide scalable parallel access to files distributed among multiple servers (the pNFS extension).
Goals of NFSv4:
- Supports Unix and Windows
- Designed with a WAN environment in mind
- No two-sided assumptions about the growth of capabilities
- Mandated security
NFS configuration
Configuring NFS has two main parts:
1- Configuring the NFS server
2- Configuring the NFS client
Configuring an NFS server
There are two procedures: working with the NFS configuration files and starting the NFS services.
There are three main configuration files:
- /etc/exports
- /etc/hosts.allow
- /etc/hosts.deny
Editing only the first file is enough to get NFS working; the other two are TCP wrappers files for adding host-based access rules (for rpcbind and mountd) as needed or desired. On distributions that no longer ship TCP wrappers, a host firewall plays the same role.
The /etc/exports configuration file
This file defines exactly which directories are to be shared, which machines they are shared with, the access rights, and so on.
CONCRETE STEPS TO CONFIGURE THE NFS SERVER
Step 1: Install NFS on the machine that will be the server
$ sudo apt-get install nfs-kernel-server
Step 2: After it has been installed successfully, create (if it does not exist yet) the directory that will be shared:
$ sudo mkdir /exports
and
$ sudo chmod 777 /exports    to give rwx rights to everyone. This is fine for a demo; on a real server keep the mode and owner restricted to the users who need access, because file access on the export is enforced by exactly these permissions.
Step 3: Edit the /etc/exports file as follows.
Open the file for editing:
$ sudo gedit /etc/exports
Write in the file:
/exports 192.168.32.1(rw)
This exports /exports to the client with that IP address, with rw rights. There must be no space between the client address and the options in parentheses: "192.168.32.1 (rw)" is parsed as two entries, the named client with the default options (read-only) and an implicit "*" (every host) with rw.
Save and close the file.
So far we have prepared this directory for export. After this, the following steps are needed:
Step 4: Restart the NFS service so that it re-reads the file we just changed:
$ sudo /etc/init.d/nfs-kernel-server restart
(On a systemd-based system use "sudo systemctl restart nfs-kernel-server"; to re-read /etc/exports without restarting anything, "sudo exportfs -ra" is enough.)
Check the export we have made, to be sure:
$ sudo showmount -e
This lists the server's export list. Any host that can reach rpcbind and mountd can run the same query against the server, so limit those ports with a firewall to the clients that need them.
Step 5: Make sure that every time the server boots it automatically starts the services that apply these NFS changes:
$ sudo update-rc.d portmap defaults
$ sudo update-rc.d nfs-common defaults
(On a systemd-based system: "sudo systemctl enable nfs-kernel-server".)
Configuring the NFS client
Use the mount command to mount a shared directory from another machine, by typing a command line similar to the one below at a terminal prompt:
sudo mount example.hostname.com:/ubuntu /local/ubuntu
The mount point directory /local/ubuntu must exist. There should be no files or subdirectories in /local/ubuntu. An alternative way to mount an NFS share from another machine is to add a line to the /etc/fstab file. The line must state the host name of the NFS server, the directory on the server that is exported, and the directory on the local machine where the NFS share is to be mounted. The general syntax for the line in /etc/fstab is as follows:
example.hostname.com:/ubuntu /local/ubuntu nfs rsize=8192,wsize=8192,timeo=14,intr
If there is any problem mounting an NFS share, make sure that the nfs-common package is installed on the client. To install nfs-common, use the following command at a terminal prompt:
sudo apt-get install nfs-common
Security:
With NFS, two steps are needed for a client to gain access to a file in an exported directory on the server. The first step is mount access. This access is obtained by the client machine attempting to attach to the server. Security for this is handled by the /etc/exports file. The file lists the names or IP addresses of the machines that are allowed to access a share point. If the client's IP address matches one of those in the list of allowed machines, it will be allowed to mount. This is not very secure. If someone is able to take over a trusted address, they can access your mount points. A real-life analogy for this kind of "authentication": it is equivalent to a situation where someone introduces themselves to you and you trust that they really are who they claim to be, only because they are wearing a sticker that reads "Hello, my name is ...". Once the machine has mounted a volume, its OS will have access to all files on that volume (with the possible exception of files owned by root; see no_root_squash below) and, if the volume is exported with the rw option, will also be able to write to those files.
The second step is file access. This is a function of the normal file access controls of the system.
An example: bob on the server maps to userid 9999. Bob creates a file on the server that is accessible only by that user (the equivalent of typing chmod 600 filename). A client is allowed to mount the disk where the file is stored. On the client, some other user maps to userid 9999. This means that client user can access bob's file, which is marked as accessible only by bob. It gets worse: if someone has become superuser on the client machine, they can switch to any username and become any user. NFS is none the wiser, because with the default AUTH_SYS security the server simply trusts the UID and GID the client sends.
NFS Options
Some other options that can be used in the /etc/exports file for file sharing are as follows.
ro: With this option we provide read-only access to the shared files, i.e. the client will only be able to read.
rw: This option allows the client both read and write access within the shared directory.
sync: The server confirms requests to the shared directory only once the changes have been committed to stable storage (the opposite, async, replies before writing and can lose data on a server crash).
no_subtree_check: This option disables subtree checking. When a shared directory is a subdirectory of a larger file system, nfsd checks every directory above it on each request, in order to verify its permissions and details. Disabling the subtree check may increase the reliability of NFS, but reduces security slightly (a client holding a file handle can keep reaching a file after it is moved out of the exported subtree).
no_root_squash: This option allows root on the client to act as root on the designated directory. The default, root_squash, maps requests from client UID 0 to the anonymous user (nobody), so that a compromised or hostile client does not get root rights over the export.
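The following is an added example, not part of the original page and not part of any NFS project: a small POSIX sh/awk audit for /etc/exports that flags the three mistakes discussed in the configuration steps and the options above (the space between host and options, exports open to every host, and no_root_squash). The sample exports lines are constructed for the demo; the paths and addresses are assumptions.

```shell
# Added example (not from the page): audit /etc/exports for the mistakes
# discussed above. Reads exports(5)-format lines from stdin or from the files
# given as arguments, prints one line per finding and returns 1 if any were found.
audit_exports() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }                 # skip blank lines and comments
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            tok = $i
            if (tok ~ /^\(/) {
                # "host (rw)" with a space: the options bind to an implicit "*",
                # so every host gets them and the named host gets the defaults (ro)
                prev = (i > 2) ? $(i - 1) : "no host"
                printf "line %d: %s: options %s are separated from %s by a space, so they apply to every host\n", NR, path, tok, prev
                found++
                continue
            }
            client = tok
            opts = ","                            # no options: ro,sync,root_squash
            if (match(tok, /\(.*\)$/)) {
                client = substr(tok, 1, RSTART - 1)
                opts = "," substr(tok, RSTART + 1, RLENGTH - 2) ","
            }
            if (client == "*") {
                rwnote = (opts ~ /,rw,/) ? " read-write" : ""
                printf "line %d: %s: exported to every host (*)%s\n", NR, path, rwnote
                found++
            }
            if (opts ~ /,no_root_squash,/) {
                printf "line %d: %s: no_root_squash lets root on %s act as root on the export\n", NR, path, client
                found++
            }
        }
    }
    END { exit (found > 0) }' "$@"
}

# Constructed sample (not a real server): the first line is the page's example
# written with the space mistake, the second is a world-writable export with
# no_root_squash, the third is a correct entry.
sample_exports() {
    printf '%s\n' \
        '/exports 192.168.32.1 (rw)' \
        '/srv/data *(rw,sync,no_subtree_check,no_root_squash)' \
        '/home 192.168.32.0/24(rw,sync,no_subtree_check)' \
        '# comment lines are ignored'
}

# Demo on the sample; on a real server run: audit_exports /etc/exports
sample_exports | audit_exports || echo "exports need attention (exit status 1)"
```

The sample produces three findings (the misplaced "(rw)", the "*" export, and no_root_squash) and a non-zero exit status, which makes the function usable as a pre-deployment check before "exportfs -ra".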
Common NFS Mount Options
Beyond mounting a file system with NFS on a remote host, it is also possible to specify other options at mount time to make the mounted share easier to use. These options can be used with manual mount commands, /etc/fstab settings, and autofs.
The following are options commonly used for NFS mounts:
intr
Allows NFS requests to be interrupted if the server goes down or cannot be reached. On Linux kernels since 2.6.25 this option is accepted for compatibility but ignored; use soft or a signal to the process instead if a hung mount must be abandoned.
lookupcache=mode
Specifies how the kernel should manage its cache of directory entries for a given mount
point. Valid arguments for mode are all, none, or pos/positive.
nfsvers=version
Specifies which version of the NFS protocol to use, where version is 2, 3, or 4. This is useful for hosts that run multiple NFS servers. If no version is specified, NFS uses the highest version supported by the kernel and mount command.
The option vers is identical to nfsvers, and is kept for compatibility reasons.
noacl
Turns off all ACL processing. This may be needed when interfacing with older versions of Red Hat Enterprise Linux, Red Hat Linux, or Solaris, since the most recent ACL technology is not compatible with older systems.
nolock
Disables file locking. This setting is occasionally required when connecting to older NFS servers.
noexec
Prevents execution of binaries on the mounted file system. This is useful if the system is mounting a non-Linux file system containing incompatible binaries, and it also keeps programs dropped onto a shared export by another client from running locally.
nosuid
Ignores the set-user-ID and set-group-ID bits on files in the mount. This prevents remote users from gaining higher privileges by running a setuid program placed on the export.
port=num
Specifies the numeric value of the NFS server port. If num is 0 (the default), then mount queries the remote host's rpcbind service for the port number to use. If the remote host's NFS daemon is not registered with its rpcbind service, the standard NFS port number of TCP 2049 is used instead.
rsize=num and wsize=num
These settings speed up NFS communication for reads (rsize) and writes (wsize) by setting a larger data block size (num, in bytes) to be transferred at one time. Be careful when changing these values; some older Linux kernels and network cards do not work well with larger block sizes. For NFSv2 or NFSv3, the default values for both parameters are 8192. For NFSv4, the default values for both parameters are 32768. Current Linux clients negotiate the largest size the server supports (up to 1 MiB) when the options are omitted; the effective values can be read from /proc/mounts.
sec=mode
Specifies the type of security to utilize when authenticating an NFS connection. Its default
setting is sec=sys, which uses local UNIX UIDs and GIDs by using AUTH_SYS to authenticate NFS
operations.
sec=krb5 uses Kerberos V5 instead of local UNIX UIDs and GIDs to authenticate users.
sec=krb5i uses Kerberos V5 for user authentication and performs integrity checking of NFS
operations using secure checksums to prevent data tampering.
sec=krb5p uses Kerberos V5 for user authentication, integrity checking, and encrypts NFS
traffic to prevent traffic sniffing. This is the most secure setting, but it also involves the most
performance overhead.
tcp
Instructs the NFS mount to use the TCP protocol.
udp
Instructs the NFS mount to use the UDP protocol.
For a complete list of options and more detailed information on each one, refer to man mount and man nfs.
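The following is an added example, not part of the original page and not part of any NFS project: a POSIX sh/awk check of the mount options actually in effect for NFS mounts, read in /proc/mounts format. /etc/fstab shows what was asked for; /proc/mounts shows what was negotiated, including vers= and sec=. The check flags sec=sys (the AUTH_SYS trust problem described in the Security section) and mounts lacking nosuid and noexec from the option list above, and also nodev, which goes one option beyond the page's list. The sample lines are constructed; the server name and addresses are assumptions.

```shell
# Added example (not from the page): report the negotiated security settings of
# every NFS mount and flag the hardening options that are missing. Reads
# /proc/mounts-format lines from stdin or from the files given as arguments,
# prints a summary line per NFS mount plus one line per finding, and returns 1
# if anything was found.
audit_nfs_mounts() {
    awk '
    $3 == "nfs" || $3 == "nfs4" {
        src = $1; mnt = $2; opts = "," $4 ","
        sec = "sys"; vers = "?"                   # sec=sys is what you get if absent
        if (match(opts, /,sec=[^,]*,/))  sec  = substr(opts, RSTART + 5, RLENGTH - 6)
        if (match(opts, /,vers=[^,]*,/)) vers = substr(opts, RSTART + 6, RLENGTH - 7)
        printf "%s on %s: NFSv%s sec=%s\n", src, mnt, vers, sec
        if (sec == "sys") {
            print "  sec=sys: the server trusts the UID/GID this client asserts (AUTH_SYS); use sec=krb5, krb5i or krb5p"
            found++
        }
        if (opts !~ /,nosuid,/) { print "  no nosuid: a setuid binary placed on the export gains privileges on this client"; found++ }
        if (opts !~ /,noexec,/) { print "  no noexec: binaries placed on the export can be executed on this client"; found++ }
        if (opts !~ /,nodev,/)  { print "  no nodev: device nodes created on the export are usable on this client"; found++ }
    }
    END { exit (found > 0) }' "$@"
}

# Constructed /proc/mounts excerpt (not from a real system): the first NFS mount
# uses the defaults, the second is hardened, the third line is not NFS at all.
sample_mounts() {
    printf '%s\n' \
        'srv:/exports /mnt/exports nfs4 rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.32.1,local_lock=none,addr=192.168.32.10 0 0' \
        'srv:/home /home nfs4 rw,nosuid,nodev,noexec,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=192.168.32.1,local_lock=none,addr=192.168.32.10 0 0' \
        'tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,size=804812k 0 0'
}

# Demo on the sample; on a real client run: audit_nfs_mounts < /proc/mounts
sample_mounts | audit_nfs_mounts || echo "mounts need attention (exit status 1)"
```

On the sample, /mnt/exports gets four findings and /home none; the negotiated version and security flavour are printed for both so that an fstab entry asking for sec=krb5p can be confirmed against what the server actually granted.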
References:
Linux NFS FAQ
Ubuntu Wiki NFS Howto
http://www.tldp.org/HOWTO/NFS-HOWTO/security.html
http://nfs.sourceforge.net/
https://help.ubuntu.com/community/NFSv4Howto