NFS (简体中文)
来自维基百科:NFS 网络文件系统(Network File System) 是由Sun公司1984年发布的分布式文件系统协议。它允许客户端上的用户像访问本地文件一样地访问网络上的文件。
- NFS不提供加密功能. 在处理敏感数据时,请使用类似Kerberos或安全的VPN的协议传输NFS流量.
- 与Samba不同, NFS默认不提供任何验证用户的方法,客户端访问限制是通过IP地址和/或hostname实现的.
- NFS期望user和/或user group的ID在客户端与服务端上是相同的.使用启用NFSv4 ID映射,或使用
anonuid/anongid并在/etc/exports中启用all_squash,手动改变UID/GID来解决这一问题.
安装
强烈建议使用时间同步守护进程以保持客户端/服务器之间的时间同步,如果各个节点上没有精确同步的时钟,NFS 可能产生非预期的延迟。
配置
服务端
全局设置选项在/etc/nfs.conf中被列出.只进行简单配置的用户无需编辑此文件.
NFS服务器需要/etc/exports或/etc/exports.d/*.exports文件中定义的共享(“导出”)列表(详细介绍参见exports(5))。这些共享的对象是相对于所谓的"NFS根目录"的.出于安全考虑,建议定义一个单独的目录为NFS根,这可以将用户限制在该挂载点中. 绑定的挂载点(bind mounts)将文件系统上他处的目录与被分享的挂载点连接起来.
查看下面的例子.在本例中:
- NFS 根目录是
/srv/nfs - 将要共享的目录是
/mnt/music,该目录被绑定挂载连接到了它实际的位置/mnt/music。
# mkdir -p /srv/nfs/music /mnt/music # mount --bind /mnt/music /srv/nfs/music
为了让服务器重启后共享仍旧有效,增加绑定到 fstab 文件:
/etc/fstab
/mnt/music /srv/nfs/music none bind 0 0
增加允许被挂载的目录和使其只能被属于特定CIDR所指定的IP范围或拥有特定主机名的客户端所访问的限制至/etc/exports文件,例如:
/etc/exports
/srv/nfs 192.168.1.0/24(rw,sync,crossmnt,fsid=0) /srv/nfs/music 192.168.1.0/24(rw,sync) /srv/nfs/home 192.168.1.0/24(rw,sync,nohide) /srv/nfs/public 192.168.1.0/24(ro,all_squash,insecure) desktop(rw,sync,all_squash,anonuid=99,anongid=99) # 将访客映射到特定用户组 - 在本例中是nobody
-
crossmnt选项使客户端可以访问所有挂载在文件系统上并标记有crossmnt的文件系统并且客户端不需要单独逐个挂载子共享. 请注意,你可能不希望在子共享同时被共享到另一端地址时使用该选项. - 除了
crossmnt之外,你也可以在子共享上使用nohide选项,这样的话,子共享就会在根共享被挂载时自动挂载.与crossmnt不同的是,nohide仍然会遵守子共享的地址范围. - 使用一个通配符(*)以允许来自所有接口的访问.
如果服务运行时修改了 /etc/exports 文件, 你需要重新导出使其生效:
# exportfs -arv
想要查看已经加载的共享的详细信息,请使用:
# exportfs -v
有关所有可用选项的详细介绍,请参阅exports(5).
fsid=1选项.开始运行服务
启用并运行nfs-server.service
rpc-gssd.service)只有在随机数生成池充分初始化后才会变得可用,这有可能会减缓启动速度.这个问题在无头服务器上特别常见.强烈建议使用类似于Rng-tools的工具来填充生成随机数所用的熵池(在你的设备支持TPM的情况下),如果不支持TPM,可以使用Haveged
限制NFS使其只允许来自特定接口/IP地址的访问
默认情况下,启动nfs-server.service会忽略/etc/exports文件的内容,而是在所有网络接口上监听连接.可以通过定义监听的IP和/或主机名来改变这一行为.
/etc/nfs.conf
[nfsd] host=192.168.1.123 # 或者也可以使用主机名. # host=myhostname
在修改完后,重启nfs-server.service以应用设置.
防火墙配置
To enable access through a firewall, TCP and UDP ports 111, 2049, and 20048 may need to be opened when using the default configuration; use rpcinfo -p to examine the exact ports in use on the server:
$ rpcinfo -p | grep nfs
100003 3 tcp 2049 nfs 100003 4 tcp 2049 nfs 100227 3 tcp 2049 nfs_acl
When using NFSv4, make sure TCP port 2049 is open. No other port opening should be required:
/etc/iptables/iptables.rules
-A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
When using an older NFS version, make sure other ports are open:
# iptables -A INPUT -p tcp -m tcp --dport 111 -j ACCEPT # iptables -A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT # iptables -A INPUT -p tcp -m tcp --dport 20048 -j ACCEPT # iptables -A INPUT -p udp -m udp --dport 111 -j ACCEPT # iptables -A INPUT -p udp -m udp --dport 2049 -j ACCEPT # iptables -A INPUT -p udp -m udp --dport 20048 -j ACCEPT
To have this configuration load on every system start, edit /etc/iptables/iptables.rules to include the following lines:
/etc/iptables/iptables.rules
-A INPUT -p tcp -m tcp --dport 111 -j ACCEPT -A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT -A INPUT -p tcp -m tcp --dport 20048 -j ACCEPT -A INPUT -p udp -m udp --dport 111 -j ACCEPT -A INPUT -p udp -m udp --dport 2049 -j ACCEPT -A INPUT -p udp -m udp --dport 20048 -j ACCEPT
The previous commands can be saved by executing:
# iptables-save > /etc/iptables/iptables.rules
If using NFSv3 and the above listed static ports for rpc.statd and lockd the following ports may also need to be added to the configuration:
/etc/iptables/iptables.rules
-A INPUT -p tcp -m tcp --dport 32765 -j ACCEPT -A INPUT -p tcp -m tcp --dport 32803 -j ACCEPT -A INPUT -p udp -m udp --dport 32765 -j ACCEPT -A INPUT -p udp -m udp --dport 32803 -j ACCEPT
To apply changes, Restart iptables.service.
启用NFSv4 ID映射
- NFSv4 ID映射不适用于默认的
sec=sys挂载选项.[1] - 在客户端和服务器上均需要启用NFSv4 ID映射
- 另一个选择是确保用户ID和组ID(UID和GID)在客户端和服务器上相同.
- 不需要启用/启动
nfs-idmapd.service,因为它已被新的id映射器替换:
# dmesg | grep id_resolver
[ 3238.356001] NFS: Registering the id_resolver key type [ 3238.356009] Key type id_resolver registered
NFSv4 协议将客户端的UID和GID值表示为user@domain形式的字符串.将UID和字符串互相转换的过程称为ID映射.[2].
即使idmapd可能正在运行,它也可能未被完全启用。如果/sys/module/nfs/parameters/nfs4_disable_idmapping//sys/module/nfsd/parameters/nfs4_disable_idmapping在客户端或服务器上返回Y,请通过以下方式启用它:
客户端:
# echo "N" | tee /sys/module/nfs/parameters/nfs4_disable_idmapping
服务器:
# echo "N" | tee /sys/module/nfsd/parameters/nfs4_disable_idmapping
设置为内核模块参数以使此更改永久生效,即:
/etc/modprobe.d/nfsd.conf
options nfs nfs4_disable_idmapping=0 options nfsd nfs4_disable_idmapping=0
要完全使用idmapping,请确保在服务器和客户端的/etc/idmapd.conf文件中都配置了域:
/etc/idmapd.conf
# 以下应设置为本地NFSv4域名 # 默认为主机的DNS域名。 Domain = domain.tld
有关详细信息,请参见[3].
客户端
打算将NFS4与Kerberos一起使用的用户需要启动并启用nfs-client.target.
手动挂载
对于NFSv3,请使用以下命令显示服务器分享的文件系统:
$ showmount -e servername
对于NFSv4,请挂载NFS根目录,并查看可用的挂载:
# mount server:/ /mountpoint/on/client
然后挂载分享.挂载时省略服务器的NFS分享根目录:
# mount -t nfs -o vers=4 servername:/music /mountpoint/on/client
如果挂载失败,请尝试包括服务器的分享根目录(对于Debian/RHEL/SLES是必需的,某些发行版需要使用-t nfs4而不是-t nfs):
# mount -t nfs -o vers=4 servername:/srv/nfs/music /mountpoint/on/client
使用/etc/fstab挂载
Using fstab is useful for a server which is always on, and the NFS shares are available whenever the client boots up. Edit /etc/fstab file, and add an appropriate line reflecting the setup. Again, the server's NFS export root is omitted.
/etc/fstab
servername:/music /mountpoint/on/client nfs defaults,timeo=900,retrans=5,_netdev 0 0
Some additional mount options to consider:
- rsize and wsize
- The
rsizevalue is the number of bytes used when reading from the server. Thewsizevalue is the number of bytes used when writing to the server. By default, if these options are not specified, the client and server negotiate the largest values they can both support (see nfs(5) for details). After changing these values, it is recommended to test the performance (see #性能调优).
- soft or hard
- Determines the recovery behaviour of the NFS client after an NFS request times out. If neither option is specified (or if the
hardoption is specified), NFS requests are retried indefinitely. If thesoftoption is specified, then the NFS client fails a NFS request after retrans retransmissions have been sent, causing the NFS client to return an error to the calling application.
soft timeout can cause silent data corruption in certain cases. As such, use the soft option only when client responsiveness is more important than data integrity. Using NFS over TCP or increasing the value of the retrans option may mitigate some of the risks of using the soft option.- timeo
- The
timeovalue is the amount of time, in tenths of a second, to wait before resending a transmission after an RPC timeout. The default value for NFS over TCP is 600 (60 seconds). After the first timeout, the timeout value is doubled for each retry for a maximum of 60 seconds or until a major timeout occurs. If connecting to a slow server or over a busy network, better stability can be achieved by increasing this timeout value.
- retrans
- The number of times the NFS client retries a request before it attempts further recovery action. If the
retransoption is not specified, the NFS client tries each request three times. The NFS client generates a "server not responding" message after retrans retries, then attempts further recovery (depending on whether the hard mount option is in effect).
- _netdev
- The
_netdevoption tells the system to wait until the network is up before trying to mount the share - systemd assumes this for NFS.
fs_passno) to a nonzero value may lead to unexpected behaviour, e.g. hangs when the systemd automount waits for a check which will never happen.Mount using /etc/fstab with systemd
Another method is using the x-systemd.automount option which mounts the filesystem upon access:
/etc/fstab
servername:/home /mountpoint/on/client nfs _netdev,noauto,x-systemd.automount,x-systemd.mount-timeout=10,timeo=14,x-systemd.idle-timeout=1min 0 0
To make systemd aware of the changes to fstab, reload systemd and restart remote-fs.target [4].
- The
noautomount option will not mount the NFS share until it is accessed: useautofor it to be available immediately.
If experiencing any issues with the mount failing due to the network not being up/available, enableNetworkManager-wait-online.service. It will ensure thatnetwork.targethas all the links available prior to being active. - The
usersmount option would allow user mounts, but be aware it implies further options asnoexecfor example. - The
x-systemd.idle-timeout=1minoption will unmount the NFS share automatically after 1 minute of non-use. Good for laptops which might suddenly disconnect from the network. - If shutdown/reboot holds too long because of NFS, enable
NetworkManager-wait-online.serviceto ensure that NetworkManager is not exited before the NFS volumes are unmounted. Also try to add thex-systemd.requires=network-online.targetmount option if shutdown takes too long. - Using the
noctooption may improve performance for read-only mounts, but should be used only if the data on the server changes only occasionally.
作为systemd单元
在/etc/systemd/system目录下创建一个新.mount 文件,例如mnt-myshare.mount.有关详细信息,请参见systemd.mount(5).
/mnt/myshare时才能使用单元名称mnt-myshare.mount.否则可能会发生以下错误: systemd[1]: mnt-myshare.mount: Where= setting does not match unit name. Refusing..What= 分享的路径
Where= 分享应当被挂载的路径
Options= 挂载分享的选项
- 网络安装单元会自动获取对remote-fs-pre.target, network.target 和 network-online.target的
After依赖,并获得对remote-fs.target的Before依赖,除非nofail挂载选项被设置.在后一种情况下,还会添加一个Wants单元。 -
Append
noautotoOptionspreventing automatically mount during boot (unless it is pulled in by some other unit). - If you want to use a hostname for the server you want to share (instead of an IP address), add
nss-lookup.targettoAfterandWants. This might avoid mount errors at boot time that do not arise when testing the unit.
/etc/systemd/system/mnt-myshare.mount
[Unit] Description=Mount Share at boot [Mount] What=172.16.24.192:/mnt/myshare Where=/mnt/myshare Options=noatime Type=nfs TimeoutSec=30 [Install] WantedBy=multi-user.target
ForceUnmount=true to [Mount], allowing the share to be (force-)unmounted.To use mnt-myshare.mount, start the unit and enable it to run on system boot.
自动挂载
要想自动挂载一个分享,你可以使用下面的自动挂载单元:
/etc/systemd/system/mnt-myshare.automount
[Unit] Description=Automount myshare [Automount] Where=/mnt/myshare [Install] WantedBy=multi-user.target
Disable/stop the mnt-myshare.mount unit, and enable/start mnt-myshare.automount to automount the share when the mount path is being accessed.
使用autofs挂载
Using autofs is useful when multiple machines want to connect via NFS; they could both be clients as well as servers. The reason this method is preferable over the earlier one is that if the server is switched off, the client will not throw errors about being unable to find NFS shares. See autofs#NFS network mounts for details.
提示和技巧
性能调优
When using NFS on a network with a significant number of clients one may increase the default NFS threads from 8 to 16 or even a higher, depending on the server/network requirements:
/etc/nfs.conf
[nfsd] threads=16
It may be necessary to tune the rsize and wsize mount options to meet the requirements of the network configuration.
In recent linux kernels (>2.6.18) the size of I/O operations allowed by the NFS server (default max block size) varies depending on RAM size, with a maximum of 1M (1048576 bytes), the max block size of the server will be used even if nfs clients requires bigger rsize and wsize. See https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/5.8_Technical_Notes/Known_Issues-kernel.html
It is possible to change the default max block size allowed by the server by writing to the /proc/fs/nfsd/max_block_size before starting nfsd. For example, the following command restores the previous default iosize of 32k:
# echo 32768 > /proc/fs/nfsd/max_block_size
To make the change permanent, create a systemd-tmpfile:
/etc/tmpfiles.d/nfsd-block-size.conf
w /proc/fs/nfsd/max_block_size - - - - 32768
To mount with the increased rsize and wsize mount options:
# mount -t nfs -o rsize=32768,wsize=32768,vers=4 servername:/srv/nfs/music /mountpoint/on/client
Furthermore, despite the violation of NFS protocol, setting async instead of sync or sync,no_wdelay may potentially achieve a significant performance gain especially on spinning disks. Configure exports with this option and then execute exportfs -arv to apply.
/etc/exports
/srv/nfs 192.168.1.0/24(rw,async,crossmnt,fsid=0) /srv/nfs/music 192.168.1.0/24(rw,async)
处理自动挂载
This trick is useful for NFS-shares on a wireless network and/or on a network that may be unreliable. If the NFS host becomes unreachable, the NFS share will be unmounted to hopefully prevent system hangs when using the hard mount option [5].
Make sure that the NFS mount points are correctly indicated in fstab:
/etc/fstab
lithium:/mnt/data /mnt/data nfs noauto,noatime 0 0 lithium:/var/cache/pacman /var/cache/pacman nfs noauto,noatime 0 0
Create the auto_share script that will be used by cron or systemd/Timers to use ICMP ping to check if the NFS host is reachable:
/usr/local/bin/auto_share
#!/bin/bash
function net_umount {
umount -l -f $1 &>/dev/null
}
function net_mount {
mountpoint -q $1 || mount $1
}
NET_MOUNTS=$(sed -e '/^.*#/d' -e '/^.*:/!d' -e 's/\t/ /g' /etc/fstab | tr -s " ")$'\n'b
printf %s "$NET_MOUNTS" | while IFS= read -r line
do
SERVER=$(echo $line | cut -f1 -d":")
MOUNT_POINT=$(echo $line | cut -f2 -d" ")
# Check if server already tested
if [[ "${server_ok[@]}" =~ "${SERVER}" ]]; then
# The server is up, make sure the share are mounted
net_mount $MOUNT_POINT
elif [[ "${server_notok[@]}" =~ "${SERVER}" ]]; then
# The server could not be reached, unmount the share
net_umount $MOUNT_POINT
else
# Check if the server is reachable
ping -c 1 "${SERVER}" &>/dev/null
if [ $? -ne 0 ]; then
server_notok[${#server_notok[@]}]=$SERVER
# The server could not be reached, unmount the share
net_umount $MOUNT_POINT
else
server_ok[${#server_ok[@]}]=$SERVER
# The server is up, make sure the share are mounted
net_mount $MOUNT_POINT
fi
fi
done
# Check if the server is reachable
ping -c 1 "${SERVER}" &>/dev/null
with:
# Check if the server is reachable
timeout 1 bash -c ": < /dev/tcp/${SERVER}/2049"
in the auto_share script above.Make sure the script is executable:
# chmod +x /usr/local/bin/auto_share
Next check configure the script to run every X, in the examples below this is every minute.
Cron
# crontab -e
* * * * * /usr/local/bin/auto_share
systemd/Timers
/etc/systemd/system/auto_share.timer
[Unit] Description=Automount NFS shares every minute [Timer] OnCalendar=*-*-* *:*:00 [Install] WantedBy=timers.target
/etc/systemd/system/auto_share.service
[Unit] Description=Automount NFS shares After=syslog.target network.target [Service] Type=oneshot ExecStart=/usr/local/bin/auto_share [Install] WantedBy=multi-user.target
Finally, enable and start auto_share.timer.
Using a NetworkManager dispatcher
NetworkManager can also be configured to run a script on network status change.
The easiest method for mount shares on network status change is to symlink the auto_share script:
# ln -s /usr/local/bin/auto_share /etc/NetworkManager/dispatcher.d/30-nfs.sh
However, in that particular case unmounting will happen only after the network connection has already been disabled, which is unclean and may result in effects like freezing of KDE Plasma applets.
The following script safely unmounts the NFS shares before the relevant network connection is disabled by listening for the pre-down and vpn-pre-down events, make the script is executable:
/etc/NetworkManager/dispatcher.d/30-nfs.sh
#!/bin/bash
# Find the connection UUID with "nmcli con show" in terminal.
# All NetworkManager connection types are supported: wireless, VPN, wired...
WANTED_CON_UUID="CHANGE-ME-NOW-9c7eff15-010a-4b1c-a786-9b4efa218ba9"
if [[ "$CONNECTION_UUID" == "$WANTED_CON_UUID" ]]; then
# Script parameter $1: NetworkManager connection name, not used
# Script parameter $2: dispatched event
case "$2" in
"up")
mount -a -t nfs4,nfs
;;
"pre-down");&
"vpn-pre-down")
umount -l -a -t nfs4,nfs -f >/dev/null
;;
esac
fi
noauto option, remove this mount option or use auto to allow the dispatcher to manage these mounts.在/etc/NetworkManager/dispatcher.d/pre-down中创建一个符号链接以捕获pre-down事件:
# ln -s /etc/NetworkManager/dispatcher.d/30-nfs.sh /etc/NetworkManager/dispatcher.d/pre-down.d/30-nfs.sh
故障排查
There is a dedicated article NFS/Troubleshooting.
更多参考
- See also Avahi, a Zeroconf implementation which allows automatic discovery of NFS shares.
- HOWTO: Diskless network boot NFS root
- Microsoft Services for Unix NFS Client info
- NFS on Snow Leopard
- http://chschneider.eu/linux/server/nfs.shtml
- How to do Linux NFS Performance Tuning and Optimization
- Linux: Tune NFS Performance