Other NFS Considerations

NFS can be temperamental. An incorrect configuration can cause it to be unresponsive. Its security is relatively weak, and you have to be aware of the file permissions on both the NFS client and server to get it to work correctly. Often these issues can be resolved with some basic guidelines outlined in this section.

Security

NFS and portmap have had a number of known security deficiencies in the past. As a result, I don't recommend using NFS over insecure networks. NFS doesn't encrypt data, and it is possible for root users on NFS clients to have root access to the server's filesystems. You can exercise security-related caution with NFS by following a few guidelines:

  • Restrict its use to secure networks.

  • Export only the most needed data.

  • Consider using read-only exports whenever data updates aren't necessary.

  • Use the root_squash option in the /etc/exports file (the default) to reduce the risk of a root user on the NFS client having root file permission access on the NFS server. This is normally an undesirable condition, especially if the NFS client and NFS server are being managed by different sets of administrators.

These points should be the foundation of your NFS security policy; the list, however, isn't comprehensive due to the concise scope of this book. I'd suggest that you refer to a dedicated NFS reference for more detailed advice.

NFS Hanging

As stated before, if the NFS server fails, the NFS client waits indefinitely for it to return. This also forces programs relying on the same client-server relationship to wait indefinitely.

For this reason, use the soft option in the NFS client's /etc/fstab file. This causes NFS to report an I/O error to the calling program after a long timeout.

You can reduce the risk of NFS hanging by taking a number of precautions:

  • Run NFS on a reliable network.

  • Avoid having NFS servers that NFS mount each other's filesystems or directories.

  • Use the sync option whenever possible.

  • Do not have mission-critical computers rely on an NFS server to operate, unless the server's reliability can be guaranteed.

  • Do not include NFS-mounted directories as part of your search path, because a hung NFS connection to a directory in your search path could cause your shell to pause at that point in the search path until the NFS session is regained.

Following these simple but important guidelines will help to make NFS operate more predictably, allowing you more time to focus on other important administrative tasks.
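The soft-mount and search-path guidelines above can be checked mechanically. The following is an added example, not code from the book: it takes text in /proc/mounts format plus a PATH string and reports NFS mounts without the soft option and search-path directories that sit on an NFS mount. The sample mounts, server names and function names are constructed for illustration.

```python
import posixpath

# Constructed sample in /proc/mounts format; servers and paths are illustrative.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
nfs1.example.com:/data/files /mnt/nfs nfs rw,soft,timeo=600 0 0
nfs1.example.com:/tools /opt/tools nfs4 ro,hard 0 0
"""
SAMPLE_PATH = "/usr/local/bin:/usr/bin:/opt/tools/bin:/mnt/nfsbackup/bin"

def nfs_mounts(mounts_text):
    """Return {mount_point: set_of_options} for NFS filesystems only."""
    result = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2] in ("nfs", "nfs4"):
            result[fields[1]] = set(fields[3].split(","))
    return result

def is_under(directory, mount_point):
    """True if directory is the mount point or lies below it.

    Compares whole path components, so /mnt/nfsbackup is not mistaken
    for a child of /mnt/nfs.
    """
    d = posixpath.normpath(directory)
    m = posixpath.normpath(mount_point)
    return d == m or d.startswith(m.rstrip("/") + "/")

def hang_risks(mounts_text, path_env):
    """Report mounts lacking 'soft' and PATH entries located on NFS.

    Works on text only, so it never touches a mount that may be hung.
    """
    mounts = nfs_mounts(mounts_text)
    not_soft = sorted(mp for mp, opts in mounts.items() if "soft" not in opts)
    on_nfs = [d for d in path_env.split(":")
              if d and any(is_under(d, mp) for mp in mounts)]
    return {"not_soft": not_soft, "path_on_nfs": on_nfs}

if __name__ == "__main__":
    print(hang_risks(SAMPLE_MOUNTS, SAMPLE_PATH))
```

On a live client, pass the contents of /proc/mounts and the PATH environment variable instead of the samples.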

File Locking

NFS allows multiple clients to mount the same directory, but NFS has a history of not handling file locking well, although more recent versions are said to have rectified the problem. Test your network-based applications thoroughly before considering using NFS.

Nesting Exports

NFS doesn't allow you to export directories that are subdirectories of directories that have already been exported unless they are on different partitions.

Limiting root Access

By default, NFS doesn't allow a root user on an NFS client to have root privileges on the NFS server. This protection can be disabled with the no_root_squash export option in the /etc/exports file, but doing so is normally undesirable, especially if the NFS client and NFS server are being managed by different sets of administrators.

Restricting Access to the NFS Server

NFS doesn't provide restrictions on a per-user basis. If a user named nfsuser exists on the NFS client, then they will have access to all the files of a user named nfsuser on the NFS server. It is best, therefore, to use the /etc/exports file to limit access to certain trusted servers or networks.

You may also want to use a firewall to protect access to the NFS server. A main communication control channel is usually created between the client and server on TCP port 111, but the data is frequently transferred on a randomly chosen TCP port negotiated between them. There are ways to limit the TCP ports used, but that is beyond the scope of this book.

You may also want to eliminate any wireless networks between your NFS server and client. It is also unwise to mount an NFS share across the Internet, as access could be slow, intermittent, or insecure.
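The /etc/exports guidelines from the Security, Nesting Exports, Limiting root Access and Restricting Access sections can be turned into a review of the file itself. The following is an added example, not code from the book: it parses exports-format text and flags no_root_squash, writable and async exports, exports open to any host, and nested exports. The sample entries, issue labels and function names are constructed for illustration, and quoted paths containing spaces are not handled.

```python
from pathlib import PurePosixPath

# Constructed sample /etc/exports content; hosts and paths are illustrative.
SAMPLE_EXPORTS = """\
/data/files   192.168.1.0/24(ro,sync)
/home         *(rw,sync,no_root_squash)
/srv/build    trusted.example.com(rw,async)
/home/shared  192.168.1.10(ro,sync)
"""

# Export option -> why it deserves review, following the guidelines in the text.
RISKY_OPTIONS = {
    "no_root_squash": "client root keeps root file access on the server",
    "rw": "writable export; use ro unless updates are necessary",
    "async": "async export; the text recommends sync",
}

def parse_exports(text):
    """Yield (path, client, options) for every client entry in exports text."""
    for raw in text.replace("\\\n", " ").splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        # A path with no client list, or a bare "(opts)" token, applies to every host.
        for token in fields[1:] or [""]:
            host, _, opts = token.partition("(")
            yield fields[0], host or "*", set(filter(None, opts.rstrip(")").split(",")))

def audit_exports(text):
    """Return a list of (path, client, issue) findings."""
    entries = list(parse_exports(text))
    findings = []
    for path, host, opts in entries:
        findings += [(path, host, opt) for opt in RISKY_OPTIONS if opt in opts]
        if host == "*":
            findings.append((path, host, "any-host"))
    # Nested exports only work when the subdirectory is on a different partition.
    paths = sorted({p for p, _, _ in entries})
    for child in paths:
        for parent in paths:
            if PurePosixPath(parent) in PurePosixPath(child).parents:
                findings.append((child, "-", "nested-under " + parent))
    return findings

if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:14} {client:22} {issue}")
```

Because tokens are split on whitespace, an entry written as `host (rw)` is reported as two clients: the named host with default options, and every host with rw.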

File Permissions

The NFS file permissions on the NFS server are inherited by the client. This can become complicated, especially if the users and user groups on the NFS client that are expected to access data on the NFS server don't exist on the NFS server.

For simplicity, make the key users and groups on both systems match and make sure the permissions on the NFS client mount point and the exported directories of the NFS server are in keeping with your operational objectives.

    © CodeIdol Labs, 2007