Network File System1


  • 8/13/2019 Network File System1

    1/12

    Network File System (NFS)

    NFS was designed by Sun Microsystems in the early 1980s and was standardized in 1987 (RFC 1094). Because NFS is an open standard, it is not limited to UNIX systems and can run on many platforms. NFS lets a system share directories and files with others over the network. With NFS, users and programs can access files on remote systems as if they were local files. NFS is typically used to provide home directories and access to applications.

    The advantages of using NFS are many, especially on GNU/Linux networks, for example:

    1) Simpler application management: an application only needs to be installed on the NFS server and all other users can access it, so it does not have to be installed locally on every node.

    2) Centralized backup, because all home directories, applications, etc. can be kept on one or a few servers controlled by the administrator.

    NFS uses Remote Procedure Call (RPC), is stateless, communicates over UDP (User Datagram Protocol), although non-GNU/Linux users can also use TCP, and is built around a client-server architecture. NFS is referred to as a stateless protocol, which means that neither the client nor the server can enter a state that depends on later (or earlier) information.

    This is possible because all the necessary information is supplied in the parameters of the functions passed to the server and returned to the client. This statelessness adds a degree of reliability to NFS.


    Passing RPC messages between different platforms is made possible by the XDR protocol.

    As mentioned, NFS (and RPC) is used by different platforms. To support these different platforms, XDR (External Data Representation) was developed. Like NFS, XDR was developed by Sun Microsystems and is an open standard (RFC 1014). XDR defines a framework that must be used to encode the values in an RPC message. Thanks to this standardized framework, passing RPC messages between different platforms became possible.

    Some of the most important benefits that NFS can provide are:

    1. Local workstations use less disk space, because commonly used data can be stored on a single machine and still remain accessible to others over the network.

    2. Users do not need separate home directories on every network machine. Home directories can be created on the NFS servers and be


    (GB);

    2. Support for asynchronous writes on the server, to improve write performance;

    3. Additional file attributes in many replies, to avoid the need to re-fetch them;

    4. A READDIRPLUS operation, to get file handles and attributes along with file names when scanning a directory;

    5. Assorted other improvements.

    At the time Version 3 was introduced, vendor support for TCP as a transport-layer protocol began to grow. While several vendors had already added support for NFS Version 2 with TCP as a transport, Sun Microsystems added support for TCP as a transport for NFS at the same time it added support for Version 3.

    Using TCP as a transport made using NFS over a WAN more feasible.

    Version 4 (RFC 3010, December 2000; revised in RFC 3530, April 2003), influenced by PVF and CIFS, includes performance improvements, guarantees strong security, and introduces a stateful protocol.

    Version 4 became the first version developed with the Internet Engineering Task Force (IETF) after Sun Microsystems handed over the development of the NFS protocols.

    NFS version 4.1 (RFC 5661, January 2010) aims to provide protocol support to take advantage of clustered server deployments, including the ability to provide scalable parallel access to files distributed among multiple servers (the pNFS extension).

    Goals of NFS v4:

    - Supports Unix and Windows
    - Designed with a WAN environment in mind
    - No mutual assumptions about extended capabilities
    - Mandated security


    NFS configuration

    NFS configuration has two main parts:

    1- NFS server configuration
    2- NFS client configuration

    Configuring an NFS server

    There are two procedures: working with the NFS configuration files, and starting the NFS services.

    There are three main configuration files:

    - /etc/exports
    - /etc/hosts.allow
    - /etc/hosts.deny

    Editing only the first file is enough to get NFS working, because the other two files are for setting security rules as needed or desired.

    The /etc/exports configuration file

    This file specifies the directories to be shared, the machines they are shared with, the access rights, and so on.

    CONCRETE STEPS FOR CONFIGURING THE NFS SERVER

    STEP 1: Install NFS on the machine that will act as the server

    $ sudo apt-get install nfs-kernel-server


    Step 2: Once the installation has succeeded, create the directory to be shared (if it has not been created yet)

    $ sudo mkdir /exports

    and

    $ sudo chmod 777 /exports

    to give rwx rights to everyone.

    Step 3: Edit the /etc/exports file as follows.

    Open the file for editing:

    $ sudo gedit /etc/exports

    Write in the file:

    /exports 192.168.32.1(rw)

    This exports /exports to the client with that IP address, with rw rights. There must be no space between the address and (rw): exports(5) reads an option list that stands on its own as applying to every host.

    Save and close the file.

    So far we have prepared this directory for export. After this, the following steps are needed:

    Step 4: Restart the NFS service so that NFS re-reads the file we just changed

    $ sudo /etc/init.d/nfs-kernel-server restart


    Check the export we made, to be sure:

    $ sudo showmount -e

    Step 5: Register the services so that every time the server boots it automatically picks up the changes we made to NFS

    $ sudo update-rc.d portmap defaults

    $ sudo update-rc.d nfs-common defaults


    NFS client configuration

    Use the mount command to mount a shared directory from another machine, by typing a command line similar to the following at a terminal prompt:

    sudo mount example.hostname.com:/ubuntu /local/ubuntu

    The mount point directory /local/ubuntu must exist. There should be no files or subdirectories in /local/ubuntu. An alternative way to mount an NFS share from another machine is to add a line to the /etc/fstab file. The line must state the hostname of the NFS server, the directory on the server being exported, and the directory on the local machine where the NFS share is to be mounted. The general syntax for the line in /etc/fstab is as follows:

    example.hostname.com:/ubuntu /local/ubuntu nfs rsize=8192,wsize=8192,timeo=14,intr

    If there is any problem mounting an NFS share, make sure the nfs-common package is installed on the client. To install nfs-common, use the following command at a terminal prompt:

    sudo apt-get install nfs-common


    Security:

    With NFS, two steps are required for a client to gain access to a file in a remote directory on the server. The first step is mount access. Mount access is obtained by the client machine attempting to attach to the server. Security for this step is provided by the /etc/exports file, which lists the names or IP addresses of the machines that are allowed to access a share point. If the client's IP address matches one of the entries in the access list, it is allowed to mount. This is not very secure. If someone is able to take over a trusted address, they can access your mount points. A real-world example of this kind of "authentication": it is equivalent to someone introducing themselves to you and you believing they really are who they claim to be, only because they are wearing a sticker that reads "Hello, my name is...". Once the machine has mounted a volume, its OS has access to all files on that volume (with the possible exception of files owned by root; see below) and, if the volume was exported with the rw option, write access to those files as well.

    The second step is file access. This is a function of the normal file system access controls.

    An example: bob on the server maps to userid 9999. Bob creates a file on the server that is accessible only by that user (the equivalent of typing chmod 600 filename). A client is allowed to mount the disk where the file is stored, and a user on the client maps to userid 9999. This means that the client user can access bob's file, which is marked as accessible only by bob. It gets worse: if someone has become superuser on the client machine, they can substitute the username and become any user. NFS does not notice this.
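
    The bob example above, together with the earlier XDR passage, as an added example that is not part of the original page: it XDR-encodes the AUTH_SYS credential body that accompanies a call under sec=sys and runs a simplified owner/other check on it. The field layout follows authsys_parms in RFC 5531; the host names, `server_allows_read` and the toy permission model are assumptions made for illustration.

```python
import struct


def xdr_uint(n):
    """XDR unsigned int: 4 bytes, big-endian."""
    return struct.pack(">I", n)


def xdr_string(s):
    """XDR string: length word, bytes, zero padding to a 4-byte boundary."""
    data = s.encode("ascii")
    return xdr_uint(len(data)) + data + b"\0" * (-len(data) % 4)


def pack_authsys(stamp, machine, uid, gid, gids=()):
    """Encode an AUTH_SYS credential body (authsys_parms, RFC 5531)."""
    return (xdr_uint(stamp) + xdr_string(machine) + xdr_uint(uid)
            + xdr_uint(gid) + xdr_uint(len(gids))
            + b"".join(xdr_uint(g) for g in gids))


def unpack_authsys(buf):
    """Decode the body as a server would; every field is client-supplied."""
    _stamp, n = struct.unpack_from(">II", buf, 0)
    machine = buf[8:8 + n].decode("ascii")
    off = 8 + n + (-n % 4)
    uid, gid, count = struct.unpack_from(">III", buf, off)
    gids = list(struct.unpack_from(f">{count}I", buf, off + 12))
    return {"machine": machine, "uid": uid, "gid": gid, "gids": gids}


def server_allows_read(cred, owner_uid, mode, root_squash=True):
    """Toy owner/other check (no groups) driven by the asserted uid."""
    uid = unpack_authsys(cred)["uid"]
    if uid == 0:
        if not root_squash:
            return True      # unsquashed root bypasses mode bits
        uid = 65534          # default anonymous uid for squashed root
    return bool(mode & (0o400 if uid == owner_uid else 0o004))


# Constructed credentials: the same uid asserted from two different hosts.
CRED_A = pack_authsys(0, "client-a", 9999, 9999)
CRED_B = pack_authsys(0, "client-b", 9999, 9999)
CRED_ROOT = pack_authsys(0, "client-b", 0, 0)

if __name__ == "__main__":
    for name, cred in [("a", CRED_A), ("b", CRED_B), ("root", CRED_ROOT)]:
        print(name, server_allows_read(cred, owner_uid=9999, mode=0o600))
```

    The two uid 9999 credentials differ only in the machine name, so the check cannot tell bob from another client's user; the sec=krb5 modes described under the mount options replace this client-asserted uid with Kerberos authentication.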

    NFS Options

    Some other options we can use in the /etc/exports file for file sharing are as follows.

    ro: With this option we can provide read-only access to the shared files, i.e. the client will only be able to read.

    rw: This option allows the client both read and write access within the shared directory.


    sync: Sync confirms requests to the shared directory only once the changes have been committed.

    no_subtree_check: This option prevents subtree checking. When a shared directory is the subdirectory of a larger file system, nfs performs scans of every directory above it, in order to verify its permissions and details. Disabling the subtree check may increase the reliability of NFS, but reduce security.

    no_root_squash: This phrase allows root to connect to the designated directory.
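
    An added example (not from the original page) that audits /etc/exports entries against the options above and the address-based trust described in the security section: it flags an option list separated from its client by whitespace, which exports(5) applies to every host, exports to `*`, and `no_root_squash`. The sample file content and the finding names are constructed for illustration.

```python
import re

# Constructed sample in exports(5) syntax; paths and hosts are made up.
SAMPLE_EXPORTS = """\
# path       client(options)
/exports     192.168.32.1 (rw)
/home        192.168.32.0/24(rw,sync,no_subtree_check)
/srv/tools   *(ro,sync)
/backup      192.168.32.7(rw,sync,no_root_squash)
"""

# One whitespace-separated field: optional client, optional "(options)".
SPEC = re.compile(r"([^()]*)(?:\(([^()]*)\))?")


def parse_exports(text):
    """Yield (lineno, path, client, options) for each client field."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        for spec in fields[1:]:
            m = SPEC.fullmatch(spec)
            if m is None:
                continue  # field this sketch cannot parse
            opts = {o for o in (m.group(2) or "").split(",") if o}
            # An empty client means "(opts)" stood alone after whitespace:
            # exports(5) then applies the options to every host.
            yield lineno, fields[0], m.group(1), opts


def audit_exports(text):
    """Return sorted (lineno, finding) pairs for risky entries."""
    findings = set()
    for lineno, _path, client, opts in parse_exports(text):
        if client == "":
            findings.add((lineno, "detached-options"))
        if client in ("", "*"):
            findings.add((lineno, "world-rw" if "rw" in opts else "world-ro"))
        if "no_root_squash" in opts:
            findings.add((lineno, "no-root-squash"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"line {lineno}: {finding}")
```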

    Common NFS Mount Options

    Beyond mounting a file system with NFS on a remote host, it is also possible to specify other

    options at mount time to make the mounted share easier to use. These options can be used

    with manual mount commands, /etc/fstab settings, and autofs.

    The following are options commonly used for NFS mounts:

    intr

    Allows NFS requests to be interrupted if the server goes down or cannot be reached.

    lookupcache=mode

    Specifies how the kernel should manage its cache of directory entries for a given mount

    point. Valid arguments for mode are all, none, or pos/positive.

    nfsvers=version

    Specifies which version of the NFS protocol to use, where version is 2, 3, or 4. This is useful

    for hosts that run multiple NFS servers. If no version is specified, NFS uses the highest version

    supported by the kernel and mount command.

    The option vers is identical to nfsvers, and is included in this release for compatibility

    reasons.

    noacl

    Turns off all ACL processing. This may be needed when interfacing with older versions of Red

    Hat Enterprise Linux, Red Hat Linux, or Solaris, since the most recent ACL technology is not

    compatible with older systems.

    nolock

    Disables file locking. This setting is occasionally required when connecting to older NFS

    servers.

    noexec

    Prevents execution of binaries on mounted file systems. This is useful if the system is


    mounting a non-Linux file system containing incompatible binaries.

    nosuid

    Disables set-user-identifier or set-group-identifier bits. This prevents remote users from

    gaining higher privileges by running a setuid program.

    port=num

    Specifies the numeric value of the NFS server port. If num is 0 (the default),

    then mount queries the remote host's rpcbind service for the port number to use. If the remote

    host's NFS daemon is not registered with its rpcbind service, the standard NFS port number of

    TCP 2049 is used instead.

    rsize=num and wsize=num

    These settings speed up NFS communication for reads (rsize) and writes (wsize) by setting a larger data block size (num, in bytes), to be transferred at one time. Be careful when changing these values; some older Linux kernels and network cards do not work well with larger block sizes. For NFSv2 or NFSv3, the default value for both parameters is 8192. For NFSv4, the default value for both parameters is 32768.

    sec=mode

    Specifies the type of security to utilize when authenticating an NFS connection. Its default

    setting is sec=sys, which uses local UNIX UIDs and GIDs by using AUTH_SYS to authenticate NFS

    operations.

    sec=krb5 uses Kerberos V5 instead of local UNIX UIDs and GIDs to authenticate users.

    sec=krb5i uses Kerberos V5 for user authentication and performs integrity checking of NFS

    operations using secure checksums to prevent data tampering.

    sec=krb5p uses Kerberos V5 for user authentication, integrity checking, and encrypts NFS

    traffic to prevent traffic sniffing. This is the most secure setting, but it also involves the most

    performance overhead.

    tcp

    Instructs the NFS mount to use the TCP protocol.

    udp

    Instructs the NFS mount to use the UDP protocol.

    For a complete list of options and more detailed information on each one, refer to man mount and man nfs.
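
    An added example (not from the original page) that reads /etc/fstab content and reports, for each NFS mount, the effective sec mode and which of the nosuid and noexec options from the list above are absent. The first NFS line is the fstab entry shown in the client configuration section; the second line, the finding names and the `SEC_MODES` summary are constructed for illustration.

```python
# Constructed /etc/fstab content; the first NFS line is the one shown in
# the client configuration section, the second is a hardened variant.
SAMPLE_FSTAB = """\
/dev/sda1 / ext4 defaults 0 1
example.hostname.com:/ubuntu /local/ubuntu nfs rsize=8192,wsize=8192,timeo=14,intr
example.hostname.com:/home /home nfs4 sec=krb5p,nosuid,noexec,tcp 0 0
"""

# What each sec= mode protects, as described in the option list above.
SEC_MODES = {
    "sys": "none (UIDs/GIDs asserted by the client)",
    "krb5": "authentication",
    "krb5i": "authentication, integrity",
    "krb5p": "authentication, integrity, encryption",
}


def parse_options(field):
    """Turn 'a,b=1' into {'a': '', 'b': '1'}."""
    return dict(opt.partition("=")[::2] for opt in field.split(","))


def audit_fstab(text):
    """Map each NFS mount point to its sec mode and missing hardening."""
    report = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4 or fields[2] not in ("nfs", "nfs4"):
            continue
        opts = parse_options(fields[3])
        sec = opts.get("sec", "sys")   # sec=sys is the default
        issues = []
        if sec == "sys":
            issues.append("sec-sys")
        issues += [f"no-{o}" for o in ("nosuid", "noexec") if o not in opts]
        report[fields[1]] = {"sec": sec, "issues": issues}
    return report


if __name__ == "__main__":
    for mountpoint, result in audit_fstab(SAMPLE_FSTAB).items():
        print(mountpoint, SEC_MODES.get(result["sec"], "unknown"), result["issues"])
```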
