NFS
来自维基百科:NFS 网络文件系统(Network File System) 是由Sun公司1984年发布的分布式文件系统协议。它允许客户端上的用户像访问本地文件一样地访问网络上的文件。
安装[编辑 | 编辑源代码]
强烈建议使用时间同步守护进程以保持客户端/服务器之间的时间同步,如果各个节点上没有精确同步的时钟,NFS 可能产生非预期的延迟。
配置[编辑 | 编辑源代码]
服务端[编辑 | 编辑源代码]
全局设置选项在/etc/nfs.conf
中被列出.只进行简单配置的用户无需编辑此文件.
NFS 服务器需要按照 /etc/exports
或 /etc/exports.d/*.exports
文件中定义的“导出”文件夹列表进行共享(详细介绍参见 exports(5))。这些共享的对象是相对于所谓的"NFS根目录"的.出于安全考虑,建议定义一个单独的目录为NFS根,这可以将用户限制在该挂载点中. 绑定的挂载点(bind mounts)将文件系统上他处的目录与被分享的挂载点连接起来.
查看下面的例子。在本例中:
- NFS 根目录是
/srv/nfs
- 将要共享的目录是
/srv/nfs/music
,该目录以绑定挂载方式指向了它实际的位置/mnt/music
。
# mkdir -p /srv/nfs/music /mnt/music # mount --bind /mnt/music /srv/nfs/music
为了让服务器重启后共享仍旧有效,增加绑定到 fstab
文件:
/etc/fstab
/mnt/music /srv/nfs/music none bind 0 0
增加允许被挂载的目录和使其只能被属于特定CIDR所指定的IP范围或拥有特定主机名的客户端所访问的限制至/etc/exports
文件,例如:
/etc/exports
/srv/nfs 192.168.1.0/24(rw,sync,crossmnt,fsid=0) /srv/nfs/music 192.168.1.0/24(rw,sync) /srv/nfs/home 192.168.1.0/24(rw,sync,nohide) /srv/nfs/public 192.168.1.0/24(ro,all_squash,insecure) desktop(rw,sync,all_squash,anonuid=99,anongid=99) # 将访客映射到特定用户组 - 在本例中是nobody
fsid=0
表示的条目指定的,其它文件夹必须位于该文件夹下。/etc/nfs.conf
文件中的 rootdir
选项在这种情况下不起效。crossmnt
选项使客户端可以访问所有挂载在文件系统上并标记有crossmnt
的文件系统并且客户端不需要单独逐个挂载子共享. 请注意,你可能不希望在子共享同时被共享到另一端地址时使用该选项.- 除了
crossmnt
之外,你也可以在子共享上使用nohide
选项,这样的话,子共享就会在根共享被挂载时自动挂载.与crossmnt
不同的是,nohide
仍然会遵守子共享的地址范围. insecure
选项使客户端可以用高于 1023 的端口进行连接。(大概是只有 root 用户可以使用较低编号的端口,因此阻断其它端口可以作为简单的访问控制方法。在实际使用中,使用insecure
选项与否并不能带来任何安全方面的提升或是下降。)- 使用一个通配符(
*
)以允许来自所有接口的访问.
如果服务运行时修改了 /etc/exports
文件, 你需要重新导出使其生效:
# exportfs -arv
想要查看已经加载的共享的详细信息,请使用:
# exportfs -v
有关所有可用选项的详细介绍,请参阅exports(5).
fsid=1
选项.开始运行服务[编辑 | 编辑源代码]
Users of protocol version 4 exports will probably want to mask at a minimum both rpcbind.service
and rpcbind.socket
to prevent superfluous services from running. See FS#76453. Additionally, consider masking nfs-server.service
which pulled in for some reason as well.
限制NFS使其只允许来自特定接口/IP地址的访问[编辑 | 编辑源代码]
默认情况下,启动nfs-server.service
会忽略/etc/exports
文件的内容,而是在所有网络接口上监听连接.可以通过定义监听的IP和/或主机名来改变这一行为.
/etc/nfs.conf
[nfsd] host=192.168.1.123 # 或者也可以使用主机名. # host=myhostname
在修改完后,重启nfs-server.service
以应用设置.
防火墙配置[编辑 | 编辑源代码]
To enable access through a firewall, TCP and UDP ports 111
, 2049
, and 20048
may need to be opened when using the default configuration; use rpcinfo -p
to examine the exact ports in use on the server:
$ rpcinfo -p | grep nfs
100003 3 tcp 2049 nfs 100003 4 tcp 2049 nfs 100227 3 tcp 2049 nfs_acl
When using NFSv4, make sure TCP port 2049
is open. No other port opening should be required:
/etc/iptables/iptables.rules
-A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
When using an older NFS version, make sure other ports are open:
# iptables -A INPUT -p tcp -m tcp --dport 111 -j ACCEPT # iptables -A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT # iptables -A INPUT -p tcp -m tcp --dport 20048 -j ACCEPT # iptables -A INPUT -p udp -m udp --dport 111 -j ACCEPT # iptables -A INPUT -p udp -m udp --dport 2049 -j ACCEPT # iptables -A INPUT -p udp -m udp --dport 20048 -j ACCEPT
To have this configuration load on every system start, edit /etc/iptables/iptables.rules
to include the following lines:
/etc/iptables/iptables.rules
-A INPUT -p tcp -m tcp --dport 111 -j ACCEPT -A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT -A INPUT -p tcp -m tcp --dport 20048 -j ACCEPT -A INPUT -p udp -m udp --dport 111 -j ACCEPT -A INPUT -p udp -m udp --dport 2049 -j ACCEPT -A INPUT -p udp -m udp --dport 20048 -j ACCEPT
The previous commands can be saved by executing:
# iptables-save > /etc/iptables/iptables.rules
If using NFSv3 and the above listed static ports for rpc.statd
and lockd
the following ports may also need to be added to the configuration:
/etc/iptables/iptables.rules
-A INPUT -p tcp -m tcp --dport 32765 -j ACCEPT -A INPUT -p tcp -m tcp --dport 32803 -j ACCEPT -A INPUT -p udp -m udp --dport 32765 -j ACCEPT -A INPUT -p udp -m udp --dport 32803 -j ACCEPT
To apply changes, Restart iptables.service
.
启用NFSv4 ID映射[编辑 | 编辑源代码]
- NFSv4 ID映射不适用于默认的
sec=sys
挂载选项.https://web.archive.org/web/20220602190451/https://dfusion.com.au/wiki/tiki-index.php?page=Why+NFSv4+UID+mapping+breaks+with+AUTH_UNIX] - 在客户端和服务器上均需要启用NFSv4 ID映射
- 另一个选择是确保用户ID和组ID(UID和GID)在客户端和服务器上相同.
- 不需要启用/启动
nfs-idmapd.service
,因为它已被新的id映射器替换:
# dmesg | grep id_resolver
[ 3238.356001] NFS: Registering the id_resolver key type [ 3238.356009] Key type id_resolver registered
NFSv4 协议将客户端的UID和GID值表示为user@domain
形式的字符串.将UID和字符串互相转换的过程称为ID映射,详见 nfsidmap(8)。
即使idmapd可能正在运行,它也可能未被完全启用。如果 /sys/module/nfs/parameters/nfs4_disable_idmapping
或 /sys/module/nfsd/parameters/nfs4_disable_idmapping
在客户端或服务器上返回Y
,请通过以下方式启用它:
nfs4
and nfsd
need to be loaded (respectively) for the following paths to be available.客户端:
# echo N > /sys/module/nfs/parameters/nfs4_disable_idmapping
服务器:
# echo N > /sys/module/nfsd/parameters/nfs4_disable_idmapping
设置为内核模块参数以使此更改永久生效,即:
/etc/modprobe.d/nfsd.conf
options nfs nfs4_disable_idmapping=0 options nfsd nfs4_disable_idmapping=0
要完全使用idmapping,请确保在服务器和客户端的/etc/idmapd.conf
文件中都配置了域:
/etc/idmapd.conf
# 以下应设置为本地NFSv4域名 # 默认为主机的DNS域名。 Domain = domain.tld
有关详细信息,请参见[1].
客户端[编辑 | 编辑源代码]
打算将NFS4与Kerberos一起使用的用户需要启动并启用nfs-client.target
.
手动挂载[编辑 | 编辑源代码]
对于NFSv3,请使用以下命令显示服务器分享的文件系统:
$ showmount -e servername
对于NFSv4,请挂载NFS根目录,并查看可用的挂载:
# mount servername:/ /mountpoint/on/client
然后挂载分享.挂载时省略服务器的NFS分享根目录:
# mount -t nfs -o vers=4 servername:/music /mountpoint/on/client
如果挂载失败,请尝试包括服务器的分享根目录(对于Debian/RHEL/SLES是必需的,某些发行版需要使用-t nfs4
而不是-t nfs
):
# mount -t nfs -o vers=4 servername:/srv/nfs/music /mountpoint/on/client
servername
必须被替换为有效的主机名(而不仅仅是IP地址)。否则,挂载远程共享将挂起。使用/etc/fstab挂载[编辑 | 编辑源代码]
Using fstab is useful for a server which is always on, and the NFS shares are available whenever the client boots up. Edit /etc/fstab
file, and add an appropriate line reflecting the setup. Again, the server's NFS export root is omitted.
/etc/fstab
servername:/music /mountpoint/on/client nfs defaults,timeo=900,retrans=5,_netdev 0 0
Some additional mount options to consider:
- rsize and wsize
- The
rsize
value is the number of bytes used when reading from the server. Thewsize
value is the number of bytes used when writing to the server. By default, if these options are not specified, the client and server negotiate the largest values they can both support (see nfs(5) for details). After changing these values, it is recommended to test the performance (see #性能调优).
- soft or hard
- Determines the recovery behaviour of the NFS client after an NFS request times out. If neither option is specified (or if the
hard
option is specified), NFS requests are retried indefinitely. If thesoft
option is specified, then the NFS client fails an NFS request after retrans retransmissions have been sent, causing the NFS client to return an error to the calling application.
soft
timeout can cause silent data corruption in certain cases. As such, use the soft
option only when client responsiveness is more important than data integrity. Using NFS over TCP or increasing the value of the retrans
option may mitigate some of the risks of using the soft
option.- timeo
- The
timeo
value is the amount of time, in tenths of a second, to wait before resending a transmission after an RPC timeout. The default value for NFS over TCP is 600 (60 seconds). After the first timeout, the timeout value is doubled for each retry for a maximum of 60 seconds or until a major timeout occurs. If connecting to a slow server or over a busy network, better stability can be achieved by increasing this timeout value.
- retrans
- The number of times the NFS client retries a request before it attempts further recovery action. If the
retrans
option is not specified, the NFS client tries each request three times. The NFS client generates a "server not responding" message after retrans retries, then attempts further recovery (depending on whether the hard mount option is in effect).
- _netdev
- The
_netdev
option tells the system to wait until the network is up before trying to mount the share - systemd assumes this for NFS.
fs_passno
) to a nonzero value may lead to unexpected behaviour, e.g. hangs when the systemd automount waits for a check which will never happen.Mount using /etc/fstab with systemd[编辑 | 编辑源代码]
Another method is using the x-systemd.automount option which mounts the filesystem upon access:
/etc/fstab
servername:/home /mountpoint/on/client nfs _netdev,noauto,x-systemd.automount,x-systemd.mount-timeout=10,timeo=14,x-systemd.idle-timeout=1min 0 0
To make systemd aware of the changes to fstab, reload systemd and restart remote-fs.target
[2].
- The
noauto
mount option will not mount the NFS share until it is accessed: useauto
for it to be available immediately.
If experiencing any issues with the mount failing due to the network not being up/available, enableNetworkManager-wait-online.service
. It will ensure thatnetwork.target
has all the links available prior to being active. - The
users
mount option would allow user mounts, but be aware it implies further options asnoexec
for example. - The
x-systemd.idle-timeout=1min
option will unmount the NFS share automatically after 1 minute of non-use. Good for laptops which might suddenly disconnect from the network. - If shutdown/reboot holds too long because of NFS, enable
NetworkManager-wait-online.service
to ensure that NetworkManager is not exited before the NFS volumes are unmounted. - Do not add the
x-systemd.requires=network-online.target
mount option as this can lead to ordering cycles within systemd [3]. systemd adds thenetwork-online.target
dependency to the unit for_netdev
mount automatically. - Using the
nocto
option may improve performance for read-only mounts, but should be used only if the data on the server changes only occasionally.
作为 systemd 单元[编辑 | 编辑源代码]
在/etc/systemd/system
目录下创建一个新.mount
文件,例如mnt-home.mount
.有关详细信息,请参见systemd.mount(5).
/mnt/home
时才能使用单元名称 mnt-home.mount
,否则可能会发生以下错误:systemd[1]: mnt-myshare.mount: Where= setting does not match unit name. Refusing.
。 If the mountpoint contains non-ASCII characters, use systemd-escape).What=
分享的路径
Where=
分享应当被挂载的路径
Options=
挂载分享的选项
- 网络安装单元会自动获取对
remote-fs-pre.target
,network.target
和network-online.target
的After
依赖,并获得对remote-fs.target
的Before
依赖,除非设置了nofail
挂载选项。在后一种情况下,还会添加一个Wants
单元。 - Append
noauto
toOptions
preventing automatically mount during boot (unless it is pulled in by some other unit). - If you want to use a hostname for the server you want to share (instead of an IP address), add
nss-lookup.target
toAfter
. This might avoid mount errors at boot time that do not arise when testing the unit.
/etc/systemd/system/mnt-home.mount
[Unit] Description=Mount home at boot [Mount] What=172.16.24.192:/home Where=/mnt/home Options=vers=4 Type=nfs TimeoutSec=30 [Install] WantedBy=multi-user.target
ForceUnmount=true
to [Mount]
, allowing the export to be (force-)unmounted.To use mnt-home.mount
, start the unit and enable it to run on system boot.
自动挂载[编辑 | 编辑源代码]
要想自动挂载一个分享,你可以使用下面的自动挂载单元:
/etc/systemd/system/mnt-home.automount
[Unit] Description=Automount home [Automount] Where=/mnt/home [Install] WantedBy=multi-user.target
Disable/stop the mnt-home.mount
unit, and enable/start mnt-home.automount
to automount the share when the mount path is being accessed.
使用autofs挂载[编辑 | 编辑源代码]
Using autofs is useful when multiple machines want to connect via NFS; they could both be clients as well as servers. The reason this method is preferable over the earlier one is that if the server is switched off, the client will not throw errors about being unable to find NFS shares. See autofs#NFS network mounts for details.
提示和技巧[编辑 | 编辑源代码]
性能调优[编辑 | 编辑源代码]
When using NFS on a network with a significant number of clients one may increase the default NFS threads from 8 to 16 or even a higher, depending on the server/network requirements:
/etc/nfs.conf
[nfsd] threads=16
It may be necessary to tune the rsize
and wsize
mount options to meet the requirements of the network configuration.
In recent linux kernels (>2.6.18) the size of I/O operations allowed by the NFS server (default max block size) varies depending on RAM size, with a maximum of 1M (1048576 bytes), the max block size of the server will be used even if nfs clients requires bigger rsize
and wsize
. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/5/html/5.8_technical_notes/known_issues-kernel
It is possible to change the default max block size allowed by the server by writing to the /proc/fs/nfsd/max_block_size
before starting nfsd. For example, the following command restores the previous default iosize of 32k:
# echo 32768 > /proc/fs/nfsd/max_block_size
max_block_size
may decrease NFS performance on modern hardware.To make the change permanent, create a systemd-tmpfile:
/etc/tmpfiles.d/nfsd-block-size.conf
w /proc/fs/nfsd/max_block_size - - - - 32768
To mount with the increased rsize
and wsize
mount options:
# mount -t nfs -o rsize=32768,wsize=32768,vers=4 servername:/srv/nfs/music /mountpoint/on/client
Furthermore, despite the violation of NFS protocol, setting async
instead of sync
or sync,no_wdelay
may potentially achieve a significant performance gain especially on spinning disks. Configure exports with this option and then execute exportfs -arv
to apply.
/etc/exports
/srv/nfs 192.168.1.0/24(rw,async,crossmnt,fsid=0) /srv/nfs/music 192.168.1.0/24(rw,async)
async
comes with a risk of possible data loss or corruption if the server crashes or restarts uncleanly.处理自动挂载[编辑 | 编辑源代码]
This trick is useful for NFS-shares on a wireless network and/or on a network that may be unreliable. If the NFS host becomes unreachable, the NFS share will be unmounted to hopefully prevent system hangs when using the hard
mount option [4].
Make sure that the NFS mount points are correctly indicated in fstab:
/etc/fstab
lithium:/mnt/data /mnt/data nfs noauto 0 0 lithium:/var/cache/pacman /var/cache/pacman nfs noauto 0 0
Create the auto_share
script that will be used by cron or systemd/Timers to use ICMP ping to check if the NFS host is reachable:
/usr/local/bin/auto_share
#!/bin/bash function net_umount { umount -l -f $1 &>/dev/null } function net_mount { mountpoint -q $1 || mount $1 } NET_MOUNTS=$(sed -e '/^.*#/d' -e '/^.*:/!d' -e 's/\t/ /g' /etc/fstab | tr -s " ")$'\n'b printf %s "$NET_MOUNTS" | while IFS= read -r line do SERVER=$(echo $line | cut -f1 -d":") MOUNT_POINT=$(echo $line | cut -f2 -d" ") # Check if server already tested if [[ "${server_ok[@]}" =~ "${SERVER}" ]]; then # The server is up, make sure the share are mounted net_mount $MOUNT_POINT elif [[ "${server_notok[@]}" =~ "${SERVER}" ]]; then # The server could not be reached, unmount the share net_umount $MOUNT_POINT else # Check if the server is reachable ping -c 1 "${SERVER}" &>/dev/null if [ $? -ne 0 ]; then server_notok[${#server_notok[@]}]=$SERVER # The server could not be reached, unmount the share net_umount $MOUNT_POINT else server_ok[${#server_ok[@]}]=$SERVER # The server is up, make sure the share are mounted net_mount $MOUNT_POINT fi fi done
# Check if the server is reachable ping -c 1 "${SERVER}" &>/dev/null
with:
# Check if the server is reachable timeout 1 bash -c ": < /dev/tcp/${SERVER}/2049"in the
auto_share
script above.Make sure the script is executable.
Next check configure the script to run every X, in the examples below this is every minute.
Cron[编辑 | 编辑源代码]
# crontab -e
* * * * * /usr/local/bin/auto_share
systemd/Timers[编辑 | 编辑源代码]
/etc/systemd/system/auto_share.timer
[Unit] Description=Automount NFS shares every minute [Timer] OnCalendar=*-*-* *:*:00 [Install] WantedBy=timers.target
/etc/systemd/system/auto_share.service
[Unit] Description=Automount NFS shares After=syslog.target network.target [Service] Type=oneshot ExecStart=/usr/local/bin/auto_share [Install] WantedBy=multi-user.target
Finally, enable and start auto_share.timer
.
Using a NetworkManager dispatcher[编辑 | 编辑源代码]
NetworkManager can also be configured to run a script on network status change.
The easiest method for mount shares on network status change is to symlink the auto_share
script:
# ln -s /usr/local/bin/auto_share /etc/NetworkManager/dispatcher.d/30-nfs.sh
However, in that particular case unmounting will happen only after the network connection has already been disabled, which is unclean and may result in effects like freezing of KDE Plasma applets.
The following script safely unmounts the NFS shares before the relevant network connection is disabled by listening for the down
, pre-down
and vpn-pre-down
events, make sure the script is executable:
/etc/NetworkManager/dispatcher.d/30-nfs.sh
#!/bin/sh # Find the connection UUID with "nmcli con show" in terminal. # All NetworkManager connection types are supported: wireless, VPN, wired... WANTED_CON_UUID="CHANGE-ME-NOW-9c7eff15-010a-4b1c-a786-9b4efa218ba9" if [ "$CONNECTION_UUID" = "$WANTED_CON_UUID" ]; then # Script parameter $1: network interface name, not used # Script parameter $2: dispatched event case "$2" in "up") mount -a -t nfs4,nfs ;; "down"|"pre-down"|"vpn-pre-down") umount -l -a -t nfs4,nfs -f >/dev/null ;; esac fi
noauto
option, remove this mount option or use auto
to allow the dispatcher to manage these mounts.在/etc/NetworkManager/dispatcher.d/pre-down
中创建一个符号链接以捕获pre-down
事件:
# ln -s /etc/NetworkManager/dispatcher.d/30-nfs.sh /etc/NetworkManager/dispatcher.d/pre-down.d/30-nfs.sh
TLS 加密[编辑 | 编辑源代码]
NFS traffic can be encrypted using TLS as of Linux 6.5 using the xprtsec=tls
mount option. To begin, install the ktls-utilsAUR package on the client and server, and follow the below configuration steps for each.
服务端[编辑 | 编辑源代码]
Create a private key and obtain a certificate containing your server's DNS name (see Transport Layer Security for more detail). These files do not need to be added to the system's trust store.
Edit /etc/tlshd.conf
to use these files, using your own values for x509.certificate
and x509.private_key
/etc/tlshd.conf
[authenticate.server] x509.certificate= /etc/nfsd-certificate.pem x509.private_key= /etc/nfsd-private-key.pem
Now start and enable tlshd.service
.
客户端[编辑 | 编辑源代码]
Add the server's TLS certificate generated in the previous step to the system's trust store (see Transport Layer Security for more detail).
Start and enable tlshd.service
.
Now you should be able to mount the server using the server's DNS name:
# mount -o xprtsec=tls servername.domain:/ /mountpoint/on/client
Checking journalctl on the client should show that the TLS handshake was successful:
$ journalctl -b -u tlshd.service
Sep 28 11:14:46 client tlshd[227]: Built from ktls-utils 0.10 on Sep 26 2023 14:24:03 Sep 28 11:15:37 client tlshd[571]: Handshake with servername.domain (192.168.122.100) was successful
故障排查[编辑 | 编辑源代码]
参考单独的 NFS/Troubleshooting 页面。
更多参考[编辑 | 编辑源代码]
- See also Avahi, a Zeroconf implementation which allows automatic discovery of NFS shares.
- HOWTO: Diskless network boot NFS root
- Microsoft Services for Unix NFS Client info
- NFS on Snow Leopard
- http://chschneider.eu/linux/server/nfs.shtml
- How to do Linux NFS Performance Tuning and Optimization
- Linux: Tune NFS Performance