Understanding NFS 138
LiquidPC writes: "ONLamp.com's Big Scary Daemons section has yet another great new BSD article, this one on Understanding NFS and using it in FreeBSD."
Math is like love -- a simple idea but it can get complicated. -- R. Drabek
So who's NFS? (Score:3, Funny)
Re:BSD SUCKS! (Score:1)
At the risk of feeding the trolls...
My firm uses openBSD extensively as a firewall. Where Linux is flexible and versatile, *BSD is more logically put together and better documented. The clear advantage to *BSD, however, is security. Nothing can touch it.
A printer and human friendly version (Score:3, Informative)
What about security??? (Score:4, Interesting)
Re:What about security??? (Score:2)
While I admire the effort, Coda is far and away from addressing real world connectivity problems. rsync works just as well without the major headaches and overhead.
Re:What about security??? (Score:5, Informative)
You could also establish an encrypted tunnel between the two machines using whatever implementation of IPSEC they have (Linux has FreeSWAN, OpenBSD has something built into the kernel, not sure about others). Then you could share stuff however you wanted.
We're currently using NFS to share our MP3 collections on our private network (behind the firewall/gateway), and it's not a big problem there. But for any network I don't trust (and I'm not very trustworthy
Re:What about security??? (Score:2)
Re:What about security??? (Score:2)
I always thought NFS meant "No File Security"
DJB [qmail.org] calls it Network Failure System.
Re:What about security??? (Score:1)
Re:What about security??? (Score:3, Informative)
Simple tricks no longer works when we switched to something more secure, AFS [cmu.edu], in our case.... It is way more advanced than NFS. For example, as a normal user, I can authorise only a few trusted person to have access to one of my designated subdir.
Re:What about security??? (Score:2)
You're lucky you're not on any network I've ever admin'd. In my mind, no end-user ever has a need to use a boot floppy. If they do, then that means the machine is broken and, ergo, they should come and find me.
If they need to use a boot floppy -- perhaps to demonstrate some elegant 1.44MB proof of concept, then they can use a development machine on a development network. (Please read "development" as "I don't give a rat's ass; we blow them away every Friday anyway").
In a production network, there is no reason that an end-user would ever need to use a boot floppy. Well, there is no legitimate reason that an end-user would need one. In fact, it's difficult to determine a legitimate reason that an end-user would need to use a boot floppy on a development network.
Re:What about security??? (Score:1)
It makes sense to separate the network into a production and development subsystems... I wish my system admin is as cool as you.
However, I have some serious doubt whether we can eliminate the need of boot floppy in a development network altogether. Say, you are playing around with RTLinux or other kernel hacks for your project, you just leave with 2 options:
1) using boot floppy (boot CD, zip etc)
2) write that directly to harddrive
Let's forget about bad intentions first. Option 2 needs more attention from sysadmin. (A careless student may overwrite the original linux kernel with his hack... you may need to wipe the the development machine clean before Friday....)
Re:What about security??? (Score:1)
Just my $0.02.
Re:What about security??? (Score:1)
However, if you mean another machine on the LAN having the IP address as you expect your other machine to have then ok, yes, and especially with DHCP in effect...
But there is a simple solution: Have each machine only open one port to the outside world, use scp (secure copy) and even run it on a non-standard port and change the password every day if you feel like it.
graspee
Re:Kaos BSD has a better FS. (Score:1)
Corrections, pointers, and cautions (Score:5, Informative)
Second, if you export NFS to the world, you're insane and deserve what you get. If you want remote filesystem access, use a secure protocol like the Self-Certifing Filesystem (SFS) [fs.net]. SFS also avoids completely the problem of having a shared UID space.
Finally, his advice to mount your filesystems intr is good. But insufficient - also mount them soft, so that filesystem calls will eventually timeout if the server goes poof.
Re:Corrections, pointers, and cautions (Score:2)
* rpc.ugidd - easy, but insecure. can leak u/gid info to untrusted parties. only works with userspace nfs server in linux - don't know about other opsystems.
* use the same u/gids on every server - almost certainly not an option.
* use a shared PAM back-end, such as LDAP [openldap.org] (what I use), MySQL [mysql.org], or PostgreSQL [postgresql.org]
Re:Corrections, pointers, and cautions (Score:1)
Yes this was should be avoided unless you are on a secured network and have you can block ips on udp/rpc.
SFS (was Re:Corrections, pointers, and cautions) (Score:3, Informative)
I haven't had any SFS problems for over 6 months, since 0.5i. But the notice is correct - your mileage may vary, and use with caution. I've seen SFS tickle bugs in the Linux NFS implementation, but the latest Linux NFS support is much improved over 2.2. On Open/FreeBSD, it's quite solid, IMHO.
For further info, browse the SFS-users mailing list [mit.edu]. It's a good way to get a feel for the issues involved in running SFS.
(Obligatory disclosure: I'm not one of the developers, but my office is across the hall).
Re:Corrections, pointers, and cautions (Score:3, Informative)
The "soft" mount option used often to be called the "corrupt" option.
The problem is that programs rarely check to see if a write() fails after a successful open(). When the file system moves around under them, they can fail to write important data in blissful ignorance. This can lead to files whose contents are essentially broken.
The fault doesn't really lie with NFS, so much as with the lage body of code which assumes write() calls to a file are more reliable than NFS soft-mounted file systems allow.
Generally speaking, using soft mount is asking for trouble.
Re:Corrections, pointers, and cautions (Score:1)
As the author... (Score:1)
My original title on this piece was "Introduction to NFS". To the best of my knowledge, ten people in the world truly, deeply understand NFS. Six have won Nobel Prizes, three are in the Institute for the Criminally Insane, and one is not allowed sharp objects and drools on himself a lot. O'Reilly does not seem to like my original titles... ah, well.
Finally, if Slashdot was going to pick up one of my articles... why, my God, did they choose this one? There are many far more interesting and informative Big Scary Daemons out there... take a look at "Linux Emulation, the Hard Way" for one I'm especially proud of. Sigh. Obviously, they don't want the editorial standard to go above that maintained by other Slashdot authors...
caveats (Score:2)
Pre-planning is useful, as always
Good starter article, maybe (Score:2, Informative)
-Peter
Funny that. (Score:1)
Re:NFS does have problems... (Score:3, Informative)
For the other problem, you should look into the root_squash option.
Re:NFS does have problems... (Score:2)
NFS Howto (Score:4, Informative)
Re:NFS Howto (Score:2)
That's the Linux NFS HOWTO. Although it gives some good background on NFS (and in more depth than the article discussed here) it's pretty Linux-specific when it comes down to the actual setup process. It's not going to give you any FreeBSD-specific information, and so is of limited usefulness in setting up for that system.
I'm amazed that a comment that's arguably off-topic gets modded up twice as "Informative," but this is, after all, Slashdot.
Tip for better NFS performance in FreeBSD (Score:3, Informative)
Re:Tip for better NFS performance in FreeBSD (Score:2)
Coincidence? I think not.
NFS is REALLY insecure. But there are secure Alt. (Score:3, Informative)
Also in the article he claims: "You can reboot a server and the client won't crash." Maybe not crash but at least with Solaris (in my experience) you hang the entire system during the reboot. Sometimes it comes back and sometimes it doesn't.
For a secure alternative that runs on *BSD/Solaris/Linux w/(2.4 Kernels) try out:
Self-Certifying Filesystem [fs.net].
The authors do warn that it is in alpha stage but also claim they have never lost a file. VERY cool project.
And of course as the OpenBSD Journal [deadly.org] has noted, SysAdmin Mag [samag.com] is running an article on Tunneling NFS over SSH [samag.com].
You CAN have multiple lines for the same partition (Score:5, Informative)
"There are no identifiers between the components of the line. Yes, it would be easier to read if we could put each shared directory on its own line, but we can't; they're all on the same partition. The FreeBSD team could rewrite this so that it had more structure, but then our
What?!?! Did this guy even read the man page for
"Mount points for a filesystem may appear on multiple lines each with different sets of hosts and export options."
Michael's articles are usually of excellent quality, but I can't believe how many other mistakes he's made! The article is written to familiarize a "junior" sys admin to NFS, but only teaches them bad habits. Hopefully he'll do a little more research for his future articles.
This is incorrect information (Score:2)
The article is correct; only mountpoints (and not subdirectories) can be entries in /etc/exports. From the `exports' man page (emphasis mine):
Furthermore, the only example given in the man page explicitly identifies the directories listed as mountpoints.
Please don't moderate up comments that sound informational without actually checking your facts first.
Re:This is incorrect information (Score:1)
By "mount point(s)" the man page refers to what the client filesystem will use as mount points. Since you've obviously have no experience with NFS I'll give you a quick example of exporting a subdirectory inside a local mount point on its own line. (Notice how
#uname -r
4.5-STABLE
# cd
# mkdir test
# cd test
# touch hello
# echo "/tmp/test -maproot=0" >
# killall -HUP mountd
# mount localhost:/tmp/test
# cd
hello
#
I believe that the last statement in your post should probably apply to you.
Re:This is incorrect information (Score:1)
Re:You CAN have multiple lines for the same partit (Score:2)
NFS clients for windows? (Score:1)
I've found more than enough shareware/etc... but have been unable to find a open source solution.
Does anyone know of a free nfs client for windows?
Re:NFS clients for windows? (Score:1)
Re:NFS clients for windows? (Score:1)
Re:NFS clients for windows? (Score:1)
Umm.. yep, not to be mean but. (Score:1)
Re:Umm.. yep, not to be mean but. (Score:1)
NFS Rocks (Score:1)
Re:NFS Rocks (Score:1)
Re:NFS Rocks (Score:1)
Bad weed. It rains too much in the NW, the local weed crop blows big time.
Security (Score:3, Informative)
Interesting read... (Score:1)
Re:Bleak days, bitter nights, for *BSD (Score:2, Interesting)
> We all know *BSD keeps losing market share but why?
Um, because it is gaining market share?
Apple, in their last quarter report, announced the sale of one million boxes of OS X (a *BSD OS) and two million systems with it on the hard drive.
The new iMac, booting OS X by default, had 150,000 preorders.
The new iMac is the top selling computer for all time at Amazon. It is outselling every XP PC on Amazon.
Out of the top 25 bestselling computers on Amazon, 10 were Macs, and all Macs are now shipping OS X as the default booting OS.
ZDNet ran this (http://techupdate.zdnet.com/techupdate/stories/m
> An unremitting gloom hangs like a death shround over a once hopeful
> *BSD community. The hope is gone; a mournful nostalgia has
> settled in. Now is the end time for *BSD.
Sorry to burst your tragic bubble (not really
*BSD is in serious danger of growth!
Oh, there is a doomed OS alright. It is an evil empire, built on a foundation that now crumbles and groans under its weight. This empire doesn't see the danger. It never will, until it is too late. A hero thrice thought dead (Apple, Next, *BSD), now reborn, arises to shatter its foundations.
Beyond time, beyond terror, beyond death, Mothra:
Your heart can reach...Life!
Robust????!?!?! (Score:1)
From regular personal experience, I can state that NFS is hardly so robust under HPUX.... Is BSD really this foolproof?
Re:Robust????!?!?! (Score:2)
p.s. I suspect that a certain Sun rep deliberately sabotaged our servers in order to generate support calls. Obviously he is no longer a Sun rep.
Security issues .. (Score:2)
I had alot of fun with NFS during my Univerity years. Sure it has some nice features as it's lightning-fast and stateless but it's totally unsecure, period.
The NFS server has two parts, the authentication part and the data-server part. The authentication part authenticates based on the IP address of the requester, if successful, it will send the requester the 'key' for the export.
After that, anybody can use that key to request files from the data-server part. And from any IP address!!
There exist a very nice ftp-like tool that lets you play with NFS systems, enter the key manually or use the UID overflow bug to get root privs. And this is only the beginning of the fun !!
Trust me, "Don't use NFS" unless you are running it on a network that is not connected to the rest of the world, and you trust everyone that has access to this network.
Re:Security issues .. (Score:1)
Re:Security issues .. (Score:2)
Use IPSEC authentication (AH or ESP if you also need encryption).
Try that for 3000 clients and your performance is toast !
Re:Security issues .. (Score:2, Interesting)
For an organization with 3000 external clients, security shoult be at the top of the TODO-list. Finding a hacker/spoofer among 3000 clients is like finding a needle in a haystack. If this scenario is yours, then please reconsider some major security face lifts...
Re:Security issues .. (Score:2)
What you are proposing is throwing huge amounts of money out the window to fix a broken protocol.
Have you *any* idea what 3000 encryption hardware accelerators might cost ? (+ servers)
The "Correct" way, from every standpoint is simply not to use NFS, but some other protocol that has the security parts you need. For example, as long as you can protect the authentication credentials, encrypting the contents might not not be as important.
But, many have also taken the "more money" way, and the simplest path to follow there (from an administrational point of view) is simply to use microsoft.
The scenario is not mine, but not many years ago, a lot of universities had this setup. There are a LOT of hackers there, and many have switched to microsoft CIFS now.
Latest SysAdmin Magazine (Score:2)
Use of NFS Considered Harmful (Score:1)
Re:Use of NFS Considered Harmful (Score:1)
Old? It's ancient. Virtually every point
you have in your little paper is nonsense,
at least when it comes to commericial grade
NFS implementations.
Re:Use of NFS Considered Harmful (Score:1)
I'd be very interested to know which points are nonsense, and also what you consider a "commercial grade" NFS implementation. Remember that a lot of these issues are client-side related, and I'm especially not sure what a "commercial grade" NFS client is.
My experience with NFS is limited to Network Appliance, Solaris, Linux, BSDi, SCO, and Digital Unix (as well as some early Windows NFS applications).