
My Linux, I'm in charge! Common Shared Storage: NFS Service Configuration, Application and Practice

2025-04-02 Update From: SLTechnology News&Howtos (shulou), Servers


Shulou(Shulou.com)06/02 Report--

Table of contents:

(1) NFS firewall settings

(2) NFS permission settings

(3) NFS based on Kerberos

(1) NFS firewall settings

NFS (Network File System) is a distributed file system, originally one of the file systems supported by FreeBSD, that allows computers on a network to share resources. With NFS, applications on the local NFS client read and write files that live on a remote NFS server transparently, as if they were local files.

The advantages of NFS are:

1. It saves local storage space: commonly used data is kept on an NFS server and accessed over the network, so the local machine uses less of its own storage.

2. Users do not need a home directory on every machine in the network; the home directory can live on the NFS server and be accessed from anywhere on the network.

3. Storage devices such as floppy drives, CD-ROM drives and ZIP drives (high-density removable disks) can be used by other machines on the network, which reduces the number of removable media devices needed across the network.

Suppose the server has a directory /xx that needs to be shared, and we share it with the nfs service. The nfs service listens on port 2049, so port 2049 must be opened in the firewall. The nfs service also relies on RPC (remote procedure call), and the rpc service listens on port 111: when the nfs service is restarted it registers itself with the rpc service, so if the rpc service is not running the nfs service cannot be reached, which means port 111 must be opened in the firewall as well. In an NFS setup several clients mount the share at once; to avoid problems with multiple users mounting at the same time a lock is used to manage mounts, so the mountd service must also be started and its port opened in the firewall.

First, open the nfs, rpc-bind and mountd services in the firewall on the vms001 host and make the change persistent.

Running systemctl list-unit-files shows all unit files on the system and their state; rpcbind.service is listed as static, which means it is started by the units that depend on it rather than being enabled directly.
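The firewall step above is usually done with firewall-cmd by hand and then checked by eye. The script below is an added example (not from the original article): it keeps the three firewalld service names the article opens (nfs, rpc-bind, mountd) in one place, verifies against the output of `firewall-cmd --list-services` that none of them is missing, and only touches the permanent configuration when explicitly asked to. The sample list-services output is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): open the firewalld services
# that NFS needs (nfs on 2049, rpc-bind on 111, mountd) persistently, and verify
# from `firewall-cmd --list-services` output that nothing is missing.
# The sample output below is constructed for illustration.

NFS_REQUIRED_SERVICES="nfs rpc-bind mountd"

# missing_nfs_services "<space-separated list of enabled services>"
# Prints the required services that are absent from the enabled list, in the
# order of NFS_REQUIRED_SERVICES; prints an empty line when all are enabled.
missing_nfs_services() {
    enabled=" $1 "
    missing=""
    for svc in $NFS_REQUIRED_SERVICES; do
        case "$enabled" in
            *" $svc "*) ;;                                # already enabled
            *) missing="${missing:+$missing }$svc" ;;     # append to the report
        esac
    done
    printf '%s\n' "$missing"
}

# apply_nfs_firewall: add the services to the permanent configuration, reload
# so the runtime rule set matches, then re-read the live list and print what
# is still missing (nothing, if the change took effect).
apply_nfs_firewall() {
    for svc in $NFS_REQUIRED_SERVICES; do
        firewall-cmd --permanent --add-service="$svc" >/dev/null || return 1
    done
    firewall-cmd --reload >/dev/null || return 1
    missing_nfs_services "$(firewall-cmd --list-services)"
}

# Constructed sample: what `firewall-cmd --list-services` prints on a host where
# only the default services plus nfs were opened.
SAMPLE_LIST="dhcpv6-client ssh nfs"

printf 'missing on sample host: %s\n' "$(missing_nfs_services "$SAMPLE_LIST")"

# Side effects only when requested and only where firewalld is present.
if [ "${NFS_FW_APPLY:-0}" = 1 ] && command -v firewall-cmd >/dev/null 2>&1; then
    left="$(apply_nfs_firewall)"
    if [ -z "$left" ]; then
        echo "firewall: nfs, rpc-bind and mountd are open"
    else
        echo "firewall: still missing: $left"
    fi
fi
```

Run it as-is to see the check against the constructed sample; run it with `NFS_FW_APPLY=1` as root on the NFS server to apply the change and re-verify against the live rule set. The rpc-bind and mountd entries are easy to forget, and a client then sees a mount that hangs or is refused even though port 2049 is open.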

(2) NFS permission settings

(2.1) The nfs service is configured in the /etc/exports file or in /etc/exports.d/*.exports files; the format of the file is as follows.

We export a /data directory on the vms001 host by adding it to the exports file.

Then create the /data directory and apply the settings in the exports file.

(2.4) Then test, from the vms002 client host, whether the nfs service provided by vms001 works. Create a /nfsdata directory on vms002 and mount the /data directory shared by vms001 on /nfsdata.

(2.5) At this point we try to create a file aaa.txt as root on the vms002 host, and the system reports that permission is denied. This is because the root_squash parameter is set in the /var/lib/nfs/etab file on the vms001 host: the root user's privileges are squashed so that root is treated as the anonymous user (anonuid=65534).

Because the "other" permission bits of the /data directory on the vms001 host do not allow writing, add write permission for others (o+w) to /data.

If we want to write as root without squashing root's privileges, we can set no_root_squash in the /etc/exports file.

Now a file written from the vms002 host into the /nfsdata directory is created normally, and it is owned by root.

(2.9) Because the default in the /var/lib/nfs/etab file is no_all_squash, set all_squash in the /etc/exports file if the privileges of all users should be squashed.

(2.10) Grant the host 192.168.26.102 read-write access (with a /32 mask) and give the hosts in the 192.168.26.0 network segment read-only access.

(2.11) Create a test102host.txt file under the /nfsdata directory on the vms002 host; the file is created normally.

(2.12) Troubleshooting: we then test from a host with the IP address 192.168.26.200, enter the /nfsdata directory and try to create a test200host.txt file; the file cannot be created.

Note: here the effect of a different host is achieved by changing the IP address of the vms002 host to 192.168.26.200.

(2.13) After changing the IP address of the vms002 host back to 102, the file can be created normally.
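Section (2) turns on three knobs one at a time (root_squash versus no_root_squash, all_squash, and per-client rw/ro with a /32 versus a network mask), and the effective result only becomes visible in /var/lib/nfs/etab after exporting. The script below is an added example, not code from the original article: it reads a file in the /etc/exports format (`/path client(options) client(options) ...`, one export per line) and prints, for every path/client pair, the effective access, root squashing, all_squash and sec= setting, applying the same defaults exportfs applies when an option is absent (ro, root_squash, no_all_squash, sec=sys). It also flags two patterns a reviewer would question: no_root_squash granted to anything wider than a single host, and a world-readable-writable (`*`) export that relies on sec=sys. The sample exports file is constructed inline and modelled on the /data share from the steps above; the /backup, /public and /kerberosDir entries are invented for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): audit an /etc/exports-style
# file and print the effective squash/access settings per path and client.
# The sample file below is constructed for illustration.

# audit_exports FILE
# For every "path client(options)" pair print one line:
#   path client rw|ro root=squashed|root=kept all_squash|no_all_squash sec=X [WARN:...]
audit_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }                        # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            n = split($i, part, "(")               # "client(opts)" or a bare "client"
            client = part[1]
            opts = (n > 1) ? part[2] : ""
            sub(/\)$/, "", opts)
            # Defaults are what exportfs applies when an option is absent;
            # they are what later shows up in /var/lib/nfs/etab.
            access = "ro"; root = "root=squashed"; all = "no_all_squash"; sec = "sys"
            m = split(opts, o, ",")
            for (j = 1; j <= m; j++) {
                if (o[j] == "rw")             access = "rw"
                if (o[j] == "ro")             access = "ro"
                if (o[j] == "no_root_squash") root = "root=kept"
                if (o[j] == "root_squash")    root = "root=squashed"
                if (o[j] == "all_squash")     all = "all_squash"
                if (o[j] == "no_all_squash")  all = "no_all_squash"
                if (o[j] ~ /^sec=/)           sec = substr(o[j], 5)
            }
            # A single host is a plain address/name or an explicit /32.
            single = (client !~ /[*?]/ && (client !~ /\// || client ~ /\/32$/))
            warn = ""
            if (root == "root=kept" && !single)
                warn = warn " WARN:no_root_squash-beyond-one-host"
            if (access == "rw" && client == "*" && sec == "sys")
                warn = warn " WARN:world-writable"
            print path, client, access, root, all, "sec=" sec warn
        }
    }' "$1"
}

# Constructed sample exports file; removed again when the script exits.
SAMPLE_EXPORTS="$(mktemp)"
trap 'rm -f "$SAMPLE_EXPORTS"' EXIT
cat > "$SAMPLE_EXPORTS" <<'EOF'
# constructed sample, modelled on the /data share from the steps above
/data 192.168.26.102/32(rw,sync,no_root_squash) 192.168.26.0/24(ro,sync)
/backup 192.168.26.0/24(rw,no_root_squash)
/public *(rw,all_squash)
/kerberosDir *(rw,sec=krb5p)
EOF

printf 'Audit of %s:\n' "$SAMPLE_EXPORTS"
audit_exports "$SAMPLE_EXPORTS"
```

Point it at the real file with `audit_exports /etc/exports` (and at each file under /etc/exports.d) before running `exportfs -r`; the /data line shows why the /32 entry in step (2.10) matters, since the same no_root_squash on the /24 entry would be flagged. The audit reads the configured intent only; `cat /var/lib/nfs/etab` after exporting shows what the kernel actually applies.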

(3) NFS based on Kerberos

Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications by means of a key system. The authentication process does not depend on authentication by the host operating system, does not require trust based on host addresses, does not require physical security of all hosts on the network, and assumes that packets travelling over the network can be read, modified and inserted at will. Under those conditions Kerberos, as a trusted third-party authentication service, performs authentication using conventional cryptography. Kerberos also refers to the network security system that MIT developed for this protocol. That system uses a client/server structure and DES encryption, and supports mutual authentication, that is, the client and the server can each authenticate the other. It can be used to prevent eavesdropping and replay attacks and to protect data integrity. It is a key management system built on symmetric keys; Kerberos extensions also allow public-key methods to be used for authentication.

MIT developed the Kerberos protocol to protect the network servers provided by Project Athena. The protocol was named after Kerberos, the fierce three-headed dog that guards Hades in Greek mythology.

Our environment has a Kerberos server, which we call the KDC (key distribution center). It also has many principals: machines, services, users and groups. Now we have a server and a client. To protect them with Kerberos, the KDC issues a ticket to each principal, and the related key material is stored in the /etc/krb5.keytab file; the client and the server each have their own keytab file. When the client accesses the server, the client presents its ticket and the server uses its own keytab to verify that the client's ticket is valid. That is the whole Kerberos workflow. A Kerberos environment has strict requirements on time synchronization: the clocks of all machines must agree, which we achieve by configuring an NTP server.

(3.1) We use the install.sh script on the vms001 host to create three KVM virtual machines: host.img (192.168.122.10) is the Kerberos server, system1.img (192.168.122.100) is the nfs server, and system2.img (192.168.122.200) is an ordinary client.

Then log in from the vms001 host to the system1 and system2 hosts.

The host host is not only a Kerberos server but also an LDAP domain server.

First we set up a normal nfs server on the system1 host and open the firewall ports it needs.

(3.5) Mount the /aa directory shared over nfs by the system1 host on the /aa directory of the system2 host; it mounts normally.

Then we build an nfs server based on the Kerberos service. Both the system1 host and the system2 host need to obtain their tickets (keytabs) from the host host.

We create a directory /kerberosDir on the system1 host to be exported with Kerberos security, and edit the /etc/exports file.

(3.8) Because SELinux is enabled, the SELinux context of /kerberosDir is then adjusted.

(3.9) Then force NFS version 4 in the /etc/sysconfig/nfs file.

(3.10) Set the owner of the /kerberosDir directory on the system1 host to the user ldapuser1, and restart the nfs-server and nfs-secure-server services.

(3.11) Then edit the /etc/fstab file on the system2 host: the /aa directory on system2 can be mounted directly on the /aa directory shared by system1. We create the /kerberosDir directory on the system2 host, but when mounting the /kerberosDir directory exported by the system1 host on /kerberosDir on system2, note that the server must be given by its long (fully qualified) hostname and the mount needs the v4.2 and sec=krb5p options.

# mkdir /kerberosDir

(3.12) At this point, the /kerberosDir directory exported by the system1 host with Kerberos security is mounted normally on the /kerberosDir directory of the system2 host.
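Step (3.11) lists three things the Kerberized mount entry must carry (fully qualified server name, NFS 4.2, sec=krb5p), and a mount that silently falls back to sec=sys or to an older version looks identical from `ls`. The function below is an added example, not code from the original article: it validates one entry in the six-field layout shared by /etc/fstab and /proc/mounts and reports which of the three requirements is not met, distinguishing krb5/krb5i (authentication without wire encryption) from krb5p. The entries are constructed; the hostname system1.example.com is an assumed fully qualified name for system1, not one taken from the article.

```shell
#!/bin/sh
# Added example (not from the original article): check that an NFS mount entry
# (a line in /etc/fstab format, or the same six-field layout /proc/mounts uses)
# carries what the Kerberized mount needs: a fully qualified server name, NFS
# version 4.2 and sec=krb5p. Sample entries are constructed; the host name
# system1.example.com is an assumption, not a name from the article.

# check_krb5_mount "<fstab or /proc/mounts line>"
# Prints "ok" and returns 0, or prints a comma-separated problem list and returns 1.
check_krb5_mount() {
    set -f; set -- $1; set +f          # split the entry into its six fields
    spec=$1; fstype=$3; opts=$4
    server=${spec%%:*}                 # host part before the first ':'
    problems=""

    case "$fstype" in
        nfs|nfs4) ;;
        *) problems="${problems:+$problems,}fstype-not-nfs" ;;
    esac

    # The article stresses the long host name: the NFS service principal
    # nfs/<fqdn>@REALM is looked up by exactly that name.
    case "$server" in
        *.*) ;;
        *) problems="${problems:+$problems,}server-not-fqdn" ;;
    esac

    # vers=4.2 and nfsvers=4.2 are both accepted spellings of the mount option.
    case ",$opts," in
        *,vers=4.2,*|*,nfsvers=4.2,*) ;;
        *) problems="${problems:+$problems,}not-nfsv4.2" ;;
    esac

    # krb5p = authentication + integrity + privacy (encryption on the wire);
    # krb5 and krb5i authenticate but leave file data readable in transit.
    case ",$opts," in
        *,sec=krb5p,*) ;;
        *,sec=krb5i,*|*,sec=krb5,*) problems="${problems:+$problems,}krb5-but-no-privacy" ;;
        *) problems="${problems:+$problems,}sec-not-kerberos" ;;
    esac

    if [ -z "$problems" ]; then
        echo ok
        return 0
    fi
    echo "$problems"
    return 1
}

# Constructed entries: the intended Kerberized mount and a fallback that would
# mount "successfully" while missing every requirement from step (3.11).
GOOD_ENTRY="system1.example.com:/kerberosDir /kerberosDir nfs defaults,vers=4.2,sec=krb5p 0 0"
BAD_ENTRY="system1:/kerberosDir /kerberosDir nfs defaults,vers=3,sec=sys 0 0"

for entry in "$GOOD_ENTRY" "$BAD_ENTRY"; do
    result=$(check_krb5_mount "$entry") || true
    printf '%s -> %s\n' "${entry%% *}" "$result"
done
```

The fstab line records what was requested; after the mount, feed the matching line from /proc/mounts (for example `grep kerberosDir /proc/mounts`) to the same function to confirm what the server actually negotiated, since a server without the 4.2 setting from step (3.9) or without its nfs/ principal in the keytab is where the two disagree. On the RHEL 7 family that uses /etc/sysconfig/nfs, the version is typically forced through the RPCNFSDARGS variable; confirm the exact spelling for your release.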
