NFS

来自 Arch Linux 中文维基

本文或本节需要翻译。要贡献翻译,请访问简体中文翻译团队

附注: Some content is not translated.(在 Talk:NFS# 中讨论)

来自维基百科:NFS 网络文件系统(Network File System) 是由Sun公司1984年发布的分布式文件系统协议。它允许客户端上的用户像访问本地文件一样地访问网络上的文件。

注意:
  • 默认情况下,NFS不提供加密功能. 在处理敏感数据时,请使用 #TLS 加密或类似 Kerberos 和安全的 VPN 的加密协议传输NFS流量.
  • Samba不同, NFS默认不提供任何验证用户的方法,客户端访问限制是通过IP地址和/或计算机名实现的.
  • NFS期望用户和/或用户组的ID在客户端与服务端上是相同的.使用启用NFSv4 ID映射,或使用anonuid/anongid并在/etc/exports中启用all_squash,手动改变UID/GID来解决这一问题.
  • NFS 不支持POSIX ACL

安装[编辑 | 编辑源代码]

客户端和服务端都只需要安装 nfs-utils 包。

强烈建议使用时间同步守护进程以保持客户端/服务器之间的时间同步,如果各个节点上没有精确同步的时钟,NFS 可能产生非预期的延迟。

配置[编辑 | 编辑源代码]

服务端[编辑 | 编辑源代码]

全局设置选项在/etc/nfs.conf中被列出.只进行简单配置的用户无需编辑此文件.

NFS 服务器需要按照 /etc/exports/etc/exports.d/*.exports 文件中定义的“导出”文件夹列表进行共享(详细介绍参见 exports(5))。这些共享的对象是相对于所谓的"NFS根目录"的.出于安全考虑,建议定义一个单独的目录为NFS根,这可以将用户限制在该挂载点中. 绑定的挂载点(bind mounts)将文件系统上他处的目录与被分享的挂载点连接起来.

查看下面的例子。在本例中:

  1. NFS 根目录是 /srv/nfs
  2. 将要共享的目录是 /srv/nfs/music,该目录以绑定挂载方式指向了它实际的位置/mnt/music
# mkdir -p /srv/nfs/music /mnt/music
# mount --bind /mnt/music /srv/nfs/music
注意: ZFS 文件系统对于 bindmounts 方式挂载要特殊处理,参阅 ZFS#Bind mount

为了让服务器重启后共享仍旧有效,增加绑定到 fstab 文件:

/etc/fstab
/mnt/music /srv/nfs/music  none   bind   0   0

增加允许被挂载的目录和使其只能被属于特定CIDR所指定的IP范围或拥有特定主机名的客户端所访问的限制至/etc/exports文件,例如:

/etc/exports
/srv/nfs        192.168.1.0/24(rw,sync,crossmnt,fsid=0)
/srv/nfs/music  192.168.1.0/24(rw,sync)
/srv/nfs/home   192.168.1.0/24(rw,sync,nohide)
/srv/nfs/public 192.168.1.0/24(ro,all_squash,insecure) desktop(rw,sync,all_squash,anonuid=99,anongid=99) # 将访客映射到特定用户组 - 在本例中是nobody
注意: 在使用 NFSv4 时,根文件夹是由 fsid=0 表示的条目指定的,其它文件夹必须位于该文件夹下。/etc/nfs.conf 文件中的 rootdir 选项在这种情况下不起效。
提示:
  • crossmnt 选项使客户端可以访问所有挂载在文件系统上并标记有crossmnt的文件系统并且客户端不需要单独逐个挂载子共享. 请注意,你可能不希望在子共享同时被共享到另一端地址时使用该选项.
  • 除了crossmnt之外,你也可以在子共享上使用nohide选项,这样的话,子共享就会在根共享被挂载时自动挂载.与crossmnt不同的是,nohide仍然会遵守子共享的地址范围.
  • insecure 选项使客户端可以用高于 1023 的端口进行连接。(大概是只有 root 用户可以使用较低编号的端口,因此阻断其它端口可以作为简单的访问控制方法。在实际使用中,使用 insecure 选项与否并不能带来任何安全方面的提升或是下降。)
  • 使用一个通配符(*)以允许来自所有接口的访问.

如果服务运行时修改了 /etc/exports 文件, 你需要重新导出使其生效:

# exportfs -arv

想要查看已经加载的共享的详细信息,请使用:

# exportfs -v

有关所有可用选项的详细介绍,请参阅exports(5).

提示:ip2cidr 是一个可以将 IP 范围转换为 CIDR 的工具.
注意: 如果共享是tmpfs文件系统,你需要指定fsid=1选项.

开始运行服务[编辑 | 编辑源代码]

  • 要启动使用协议版本 3 的服务端,启动启用 nfs-server.service
  • 要启动使用协议版本 4 的服务端,启动启用 nfsv4-server.service

Users of protocol version 4 exports will probably want to mask at a minimum both rpcbind.service and rpcbind.socket to prevent superfluous services from running. See FS#76453. Additionally, consider masking nfs-server.service which pulled in for some reason as well.

注意: 在启用ZFS共享的同时,请也启动/启用zfs-share.service.如果不这么做的话,在重启之后ZFS目录不会被共享.参阅ZFS#NFS.

限制NFS使其只允许来自特定接口/IP地址的访问[编辑 | 编辑源代码]

默认情况下,启动nfs-server.service会忽略/etc/exports文件的内容,而是在所有网络接口上监听连接.可以通过定义监听的IP和/或主机名来改变这一行为.

/etc/nfs.conf
[nfsd]
host=192.168.1.123
# 或者也可以使用主机名.
# host=myhostname

在修改完后,重启nfs-server.service以应用设置.

防火墙配置[编辑 | 编辑源代码]

To enable access through a firewall, TCP and UDP ports 111, 2049, and 20048 may need to be opened when using the default configuration; use rpcinfo -p to examine the exact ports in use on the server:

$ rpcinfo -p | grep nfs
100003    3   tcp   2049  nfs
100003    4   tcp   2049  nfs
100227    3   tcp   2049  nfs_acl

When using NFSv4, make sure TCP port 2049 is open. No other port opening should be required:

/etc/iptables/iptables.rules
-A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT

When using an older NFS version, make sure other ports are open:

# iptables -A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 20048 -j ACCEPT
# iptables -A INPUT -p udp -m udp --dport 111 -j ACCEPT
# iptables -A INPUT -p udp -m udp --dport 2049 -j ACCEPT
# iptables -A INPUT -p udp -m udp --dport 20048 -j ACCEPT

To have this configuration load on every system start, edit /etc/iptables/iptables.rules to include the following lines:

/etc/iptables/iptables.rules
-A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20048 -j ACCEPT
-A INPUT -p udp -m udp --dport 111 -j ACCEPT
-A INPUT -p udp -m udp --dport 2049 -j ACCEPT
-A INPUT -p udp -m udp --dport 20048 -j ACCEPT

The previous commands can be saved by executing:

# iptables-save > /etc/iptables/iptables.rules
警告: This command will override the current iptables start configuration with the current iptables configuration!

If using NFSv3 and the above listed static ports for rpc.statd and lockd the following ports may also need to be added to the configuration:

/etc/iptables/iptables.rules
-A INPUT -p tcp -m tcp --dport 32765 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32803 -j ACCEPT
-A INPUT -p udp -m udp --dport 32765 -j ACCEPT
-A INPUT -p udp -m udp --dport 32803 -j ACCEPT

To apply changes, Restart iptables.service.

启用NFSv4 ID映射[编辑 | 编辑源代码]

这篇文章的某些内容需要扩充。

原因: Missing lookup information, static binding examples, etc. (在 Talk:NFS 中讨论)
注意:
# dmesg | grep id_resolver
[ 3238.356001] NFS: Registering the id_resolver key type
[ 3238.356009] Key type id_resolver registered

NFSv4 协议将客户端的UID和GID值表示为user@domain形式的字符串.将UID和字符串互相转换的过程称为ID映射,详见 nfsidmap(8)

即使idmapd可能正在运行,它也可能未被完全启用。如果 /sys/module/nfs/parameters/nfs4_disable_idmapping/sys/module/nfsd/parameters/nfs4_disable_idmapping 在客户端或服务器上返回Y,请通过以下方式启用它:


注意: The kernel modules nfs4 and nfsd need to be loaded (respectively) for the following paths to be available.

客户端:

# echo N > /sys/module/nfs/parameters/nfs4_disable_idmapping

服务器:

# echo N > /sys/module/nfsd/parameters/nfs4_disable_idmapping

设置为内核模块参数以使此更改永久生效,即:

/etc/modprobe.d/nfsd.conf
options nfs nfs4_disable_idmapping=0
options nfsd nfs4_disable_idmapping=0

要完全使用idmapping,请确保在服务器和客户端的/etc/idmapd.conf文件中配置了域:

/etc/idmapd.conf
# 以下应设置为本地NFSv4域名
# 默认为主机的DNS域名。
Domain = domain.tld

有关详细信息,请参见[1].

客户端[编辑 | 编辑源代码]

打算将NFS4与Kerberos一起使用的用户需要启动启用nfs-client.target.

手动挂载[编辑 | 编辑源代码]

对于NFSv3,请使用以下命令显示服务器分享的文件系统:

$ showmount -e servername

对于NFSv4,请挂载NFS根目录,并查看可用的挂载:

# mount servername:/ /mountpoint/on/client

然后挂载分享.挂载时省略服务器的NFS分享根目录:

# mount -t nfs -o vers=4 servername:/music /mountpoint/on/client

如果挂载失败,请尝试包括服务器的分享根目录(对于Debian/RHEL/SLES是必需的,某些发行版需要使用-t nfs4而不是-t nfs):

# mount -t nfs -o vers=4 servername:/srv/nfs/music /mountpoint/on/client
注意: servername 必须被替换为有效的主机名(而不仅仅是IP地址)。否则,挂载远程共享将挂起。

使用/etc/fstab挂载[编辑 | 编辑源代码]

Using fstab is useful for a server which is always on, and the NFS shares are available whenever the client boots up. Edit /etc/fstab file, and add an appropriate line reflecting the setup. Again, the server's NFS export root is omitted.

/etc/fstab
servername:/music   /mountpoint/on/client   nfs   defaults,timeo=900,retrans=5,_netdev	0 0
注意: Consult nfs(5) and mount(8) for more mount options.

Some additional mount options to consider:

rsize and wsize
The rsize value is the number of bytes used when reading from the server. The wsize value is the number of bytes used when writing to the server. By default, if these options are not specified, the client and server negotiate the largest values they can both support (see nfs(5) for details). After changing these values, it is recommended to test the performance (see #性能调优).
soft or hard
Determines the recovery behaviour of the NFS client after an NFS request times out. If neither option is specified (or if the hard option is specified), NFS requests are retried indefinitely. If the soft option is specified, then the NFS client fails an NFS request after retrans retransmissions have been sent, causing the NFS client to return an error to the calling application.
警告: A so-called soft timeout can cause silent data corruption in certain cases. As such, use the soft option only when client responsiveness is more important than data integrity. Using NFS over TCP or increasing the value of the retrans option may mitigate some of the risks of using the soft option.
timeo
The timeo value is the amount of time, in tenths of a second, to wait before resending a transmission after an RPC timeout. The default value for NFS over TCP is 600 (60 seconds). After the first timeout, the timeout value is doubled for each retry for a maximum of 60 seconds or until a major timeout occurs. If connecting to a slow server or over a busy network, better stability can be achieved by increasing this timeout value.
retrans
The number of times the NFS client retries a request before it attempts further recovery action. If the retrans option is not specified, the NFS client tries each request three times. The NFS client generates a "server not responding" message after retrans retries, then attempts further recovery (depending on whether the hard mount option is in effect).
_netdev
The _netdev option tells the system to wait until the network is up before trying to mount the share - systemd assumes this for NFS.
注意: Setting the sixth field (fs_passno) to a nonzero value may lead to unexpected behaviour, e.g. hangs when the systemd automount waits for a check which will never happen.

Mount using /etc/fstab with systemd[编辑 | 编辑源代码]

Another method is using the x-systemd.automount option which mounts the filesystem upon access:

/etc/fstab
servername:/home   /mountpoint/on/client  nfs  _netdev,noauto,x-systemd.automount,x-systemd.mount-timeout=10,timeo=14,x-systemd.idle-timeout=1min 0 0

To make systemd aware of the changes to fstab, reload systemd and restart remote-fs.target [2].

本文或本章节的事实准确性存在争议。

原因: Not everyone uses NetworkManager. Refer to Systemd#Running services after the network is up instead?(在 Talk:NFS 中讨论)


提示:
  • The noauto mount option will not mount the NFS share until it is accessed: use auto for it to be available immediately.
    If experiencing any issues with the mount failing due to the network not being up/available, enable NetworkManager-wait-online.service. It will ensure that network.target has all the links available prior to being active.
  • The users mount option would allow user mounts, but be aware it implies further options as noexec for example.
  • The x-systemd.idle-timeout=1min option will unmount the NFS share automatically after 1 minute of non-use. Good for laptops which might suddenly disconnect from the network.
  • If shutdown/reboot holds too long because of NFS, enable NetworkManager-wait-online.service to ensure that NetworkManager is not exited before the NFS volumes are unmounted.
  • Do not add the x-systemd.requires=network-online.target mount option as this can lead to ordering cycles within systemd [3]. systemd adds the network-online.target dependency to the unit for _netdev mount automatically.
  • Using the nocto option may improve performance for read-only mounts, but should be used only if the data on the server changes only occasionally.

作为 systemd 单元[编辑 | 编辑源代码]

/etc/systemd/system目录下创建一个新.mount 文件,例如mnt-home.mount.有关详细信息,请参见systemd.mount(5).

注意: 确保文件名与您要使用的挂载点相对应.例如,仅当要将共享挂载到 /mnt/home 时才能使用单元名称 mnt-home.mount,否则可能会发生以下错误:systemd[1]: mnt-myshare.mount: Where= setting does not match unit name. Refusing.。 If the mountpoint contains non-ASCII characters, use systemd-escape).

What= 分享的路径

Where= 分享应当被挂载的路径

Options= 挂载分享的选项

注意:
  • 网络安装单元会自动获取对 remote-fs-pre.targetnetwork.targetnetwork-online.targetAfter 依赖,并获得对 remote-fs.targetBefore 依赖,除非设置了 nofail 挂载选项。在后一种情况下,还会添加一个 Wants 单元。
  • Append noauto to Options preventing automatically mount during boot (unless it is pulled in by some other unit).
  • If you want to use a hostname for the server you want to share (instead of an IP address), add nss-lookup.target to After. This might avoid mount errors at boot time that do not arise when testing the unit.
/etc/systemd/system/mnt-home.mount
[Unit]
Description=Mount home at boot

[Mount]
What=172.16.24.192:/home
Where=/mnt/home
Options=vers=4
Type=nfs
TimeoutSec=30

[Install]
WantedBy=multi-user.target
提示:In case of an unreachable system, append ForceUnmount=true to [Mount], allowing the export to be (force-)unmounted.

To use mnt-home.mount, start the unit and enable it to run on system boot.

自动挂载[编辑 | 编辑源代码]

要想自动挂载一个分享,你可以使用下面的自动挂载单元:

/etc/systemd/system/mnt-home.automount
[Unit]
Description=Automount home

[Automount]
Where=/mnt/home

[Install]
WantedBy=multi-user.target

Disable/stop the mnt-home.mount unit, and enable/start mnt-home.automount to automount the share when the mount path is being accessed.

提示:Append TimeoutIdleSec to enable auto unmount. See systemd.automount(5) for details.

使用autofs挂载[编辑 | 编辑源代码]

Using autofs is useful when multiple machines want to connect via NFS; they could both be clients as well as servers. The reason this method is preferable over the earlier one is that if the server is switched off, the client will not throw errors about being unable to find NFS shares. See autofs#NFS network mounts for details.

提示和技巧[编辑 | 编辑源代码]

性能调优[编辑 | 编辑源代码]

本文内容或本节内容已经过期。

原因: Mentions 32-bit and 2.6 Linux kernel... (在Talk:NFS讨论)

When using NFS on a network with a significant number of clients one may increase the default NFS threads from 8 to 16 or even a higher, depending on the server/network requirements:

/etc/nfs.conf
[nfsd]
threads=16

It may be necessary to tune the rsize and wsize mount options to meet the requirements of the network configuration.

In recent linux kernels (>2.6.18) the size of I/O operations allowed by the NFS server (default max block size) varies depending on RAM size, with a maximum of 1M (1048576 bytes), the max block size of the server will be used even if nfs clients requires bigger rsize and wsize. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/5/html/5.8_technical_notes/known_issues-kernel It is possible to change the default max block size allowed by the server by writing to the /proc/fs/nfsd/max_block_size before starting nfsd. For example, the following command restores the previous default iosize of 32k:

# echo 32768 > /proc/fs/nfsd/max_block_size
注意: This is mainly useful for 32-bit servers when dealing with the large numbers of nfsd threads. Lowering the max_block_size may decrease NFS performance on modern hardware.

To make the change permanent, create a systemd-tmpfile:

/etc/tmpfiles.d/nfsd-block-size.conf
w /proc/fs/nfsd/max_block_size - - - - 32768

To mount with the increased rsize and wsize mount options:

# mount -t nfs -o rsize=32768,wsize=32768,vers=4 servername:/srv/nfs/music /mountpoint/on/client

Furthermore, despite the violation of NFS protocol, setting async instead of sync or sync,no_wdelay may potentially achieve a significant performance gain especially on spinning disks. Configure exports with this option and then execute exportfs -arv to apply.

/etc/exports
/srv/nfs        192.168.1.0/24(rw,async,crossmnt,fsid=0)
/srv/nfs/music  192.168.1.0/24(rw,async)
警告: Using async comes with a risk of possible data loss or corruption if the server crashes or restarts uncleanly.

处理自动挂载[编辑 | 编辑源代码]

This trick is useful for NFS-shares on a wireless network and/or on a network that may be unreliable. If the NFS host becomes unreachable, the NFS share will be unmounted to hopefully prevent system hangs when using the hard mount option [4].

Make sure that the NFS mount points are correctly indicated in fstab:

/etc/fstab
lithium:/mnt/data           /mnt/data	        nfs noauto 0 0
lithium:/var/cache/pacman   /var/cache/pacman	nfs noauto 0 0
注意:
  • Use hostnames in fstab for this to work, not IP addresses.
  • In order to mount NFS shares with non-root users the users option has to be added.
  • The noauto mount option tells systemd to not automatically mount the shares at boot, otherwise this may cause the boot process to stall.

Create the auto_share script that will be used by cron or systemd/Timers to use ICMP ping to check if the NFS host is reachable:

/usr/local/bin/auto_share
#!/bin/bash

function net_umount {
  umount -l -f $1 &>/dev/null
}

function net_mount {
  mountpoint -q $1 || mount $1
}

NET_MOUNTS=$(sed -e '/^.*#/d' -e '/^.*:/!d' -e 's/\t/ /g' /etc/fstab | tr -s " ")$'\n'b

printf %s "$NET_MOUNTS" | while IFS= read -r line
do
  SERVER=$(echo $line | cut -f1 -d":")
  MOUNT_POINT=$(echo $line | cut -f2 -d" ")

  # Check if server already tested
  if [[ "${server_ok[@]}" =~ "${SERVER}" ]]; then
    # The server is up, make sure the share are mounted
    net_mount $MOUNT_POINT
  elif [[ "${server_notok[@]}" =~ "${SERVER}" ]]; then
    # The server could not be reached, unmount the share
    net_umount $MOUNT_POINT
  else
    # Check if the server is reachable
    ping -c 1 "${SERVER}" &>/dev/null

    if [ $? -ne 0 ]; then
      server_notok[${#server_notok[@]}]=$SERVER
      # The server could not be reached, unmount the share
      net_umount $MOUNT_POINT
    else
      server_ok[${#server_ok[@]}]=$SERVER
      # The server is up, make sure the share are mounted
      net_mount $MOUNT_POINT
    fi
  fi
done
注意: Test using a TCP probe instead of ICMP ping (default is tcp port 2049 in NFS4) then replace the line:
# Check if the server is reachable
ping -c 1 "${SERVER}" &>/dev/null

with:

# Check if the server is reachable
timeout 1 bash -c ": < /dev/tcp/${SERVER}/2049"
in the auto_share script above.

Make sure the script is executable.

Next check configure the script to run every X, in the examples below this is every minute.

Cron[编辑 | 编辑源代码]

# crontab -e
* * * * * /usr/local/bin/auto_share

systemd/Timers[编辑 | 编辑源代码]

/etc/systemd/system/auto_share.timer
[Unit]
Description=Automount NFS shares every minute

[Timer]
OnCalendar=*-*-* *:*:00

[Install]
WantedBy=timers.target
/etc/systemd/system/auto_share.service
[Unit]
Description=Automount NFS shares
After=syslog.target network.target

[Service]
Type=oneshot
ExecStart=/usr/local/bin/auto_share

[Install]
WantedBy=multi-user.target

Finally, enable and start auto_share.timer.

Using a NetworkManager dispatcher[编辑 | 编辑源代码]

NetworkManager can also be configured to run a script on network status change.

The easiest method for mount shares on network status change is to symlink the auto_share script:

# ln -s /usr/local/bin/auto_share /etc/NetworkManager/dispatcher.d/30-nfs.sh

However, in that particular case unmounting will happen only after the network connection has already been disabled, which is unclean and may result in effects like freezing of KDE Plasma applets.

The following script safely unmounts the NFS shares before the relevant network connection is disabled by listening for the down, pre-down and vpn-pre-down events, make sure the script is executable:

/etc/NetworkManager/dispatcher.d/30-nfs.sh
#!/bin/sh

# Find the connection UUID with "nmcli con show" in terminal.
# All NetworkManager connection types are supported: wireless, VPN, wired...
WANTED_CON_UUID="CHANGE-ME-NOW-9c7eff15-010a-4b1c-a786-9b4efa218ba9"

if [ "$CONNECTION_UUID" = "$WANTED_CON_UUID" ]; then
    
    # Script parameter $1: network interface name, not used
    # Script parameter $2: dispatched event
    
    case "$2" in
        "up")
            mount -a -t nfs4,nfs 
            ;;
        "down"|"pre-down"|"vpn-pre-down")
            umount -l -a -t nfs4,nfs -f >/dev/null
            ;;
    esac
fi
注意: This script ignores mounts with the noauto option, remove this mount option or use auto to allow the dispatcher to manage these mounts.

/etc/NetworkManager/dispatcher.d/pre-down中创建一个符号链接以捕获pre-down事件:

# ln -s /etc/NetworkManager/dispatcher.d/30-nfs.sh /etc/NetworkManager/dispatcher.d/pre-down.d/30-nfs.sh

TLS 加密[编辑 | 编辑源代码]

NFS traffic can be encrypted using TLS as of Linux 6.5 using the xprtsec=tls mount option. To begin, install the ktls-utilsAUR package on the client and server, and follow the below configuration steps for each.

服务端[编辑 | 编辑源代码]

Create a private key and obtain a certificate containing your server's DNS name (see Transport Layer Security for more detail). These files do not need to be added to the system's trust store.

注意: Using a self-signed certificate that has also been encrypted is currently not supported and will result in a mount failure.

Edit /etc/tlshd.conf to use these files, using your own values for x509.certificate and x509.private_key

/etc/tlshd.conf
[authenticate.server]
x509.certificate= /etc/nfsd-certificate.pem
x509.private_key= /etc/nfsd-private-key.pem

Now start and enable tlshd.service.

客户端[编辑 | 编辑源代码]

Add the server's TLS certificate generated in the previous step to the system's trust store (see Transport Layer Security for more detail).

Start and enable tlshd.service.

Now you should be able to mount the server using the server's DNS name:

# mount -o xprtsec=tls servername.domain:/ /mountpoint/on/client

Checking journalctl on the client should show that the TLS handshake was successful:

$ journalctl -b -u tlshd.service
Sep 28 11:14:46 client tlshd[227]: Built from ktls-utils 0.10 on Sep 26 2023 14:24:03
Sep 28 11:15:37 client tlshd[571]: Handshake with servername.domain (192.168.122.100) was successful

故障排查[编辑 | 编辑源代码]

参考单独的 NFS/Troubleshooting 页面。

更多参考[编辑 | 编辑源代码]