GrannyGeek
« on: October 15, 2006, 01:02:02 pm »
Disclaimer: I am far from an expert on networking. All I know is that what I'm describing works for me and I've done it many times as I've installed various versions of VectorLinux on different computers. It's been difficult to find an easy explanation of how to set up a simple nfs home network, which is why I'm writing this although I certainly don't have the expertise. If you see errors or know a better way to do anything I'm describing, please do let us know.
Setting Up an nfs Home Network
With an nfs network, the shared directories and files on the remote computers will be listed at a mount point you set up. I create a mount point in the /mnt directory and give it the name of the computer I'm mounting, such as /mnt/Toshiba or /mnt/hall. You can then use the files just as you do on your local computer.
I like to see and have all files accessible on the computers in my network. Therefore, I share the root directory, which includes all the directories that live on the partition. You can do more limited sharing, of course. When you share a directory, all files in that directory are also shared. You cannot network Windows computers to Linux with nfs without special Windows software. For Windows sharing, use Samba. Although I can see all the shared files, I can modify only the files for which I have permissions. Ownership works the same on the remote computers as it does on the local computer.
VL 5.8 Standard and later versions of VL have all files needed for setting up a home nfs network, so you can proceed to the next step if you're using 5.8 or later.
Next, make sure the computers you're networking have unchanging identifications. I've assigned fixed IP addresses to the three computers I network with nfs. There are other ways to make sure your computers do not change their IP addresses even if you use DHCP but I don't know how to do that. Also make sure that any users who want to share files over the network have the same user ID and group ID on all the networked computers. You can find the UID and GID for all users in the /etc/passwd file.
Now you need to edit some files: /etc/exports, /etc/hosts, /etc/hosts.allow, /etc/hosts.deny, and /etc/fstab.
/etc/hosts maps hostnames of remote computers to addresses. You'll need to add a line like this example:
192.168.1.10 Toshiba.mydomain Toshiba
If you have more than two computers networked, you'll need a line like that for all the IP addresses of your remote computers. See man hosts for more explanations and examples.
/etc/exports contains a list of all directories exported to other computers. This is the line in my /etc/exports file:
/ Toshiba(rw,async,no_root_squash) hall(rw,async,no_root_squash) compaq(rw,async,no_root_squash)
What this means is that I'm exporting the root directory to all computers on the list. I have the same line in /etc/exports on all my computers. When you export the root directory, you export all the directories under root. If you use no_root_squash, you can do anything as root on the other computers that you can do on the computer you're accessing from. By default in nfs, root has no privileges on the computer at the other end. This is a security feature, but it's not necessarily desirable for physically secure home networks. There are just two of us in our house and I'm the only one who uses the computers, so there is no risk that someone else by accident or on purpose could do something harmful to the other computer. If you are root on all the computers on your network, you probably want root privileges on the remote computers. In order to have root privileges on the other computers on the network, you need to add no_root_squash to whatever you're exporting in /etc/exports. rw means read/write access is allowed; async means the data is cached and written at the system's convenience. This may improve performance, but in case of a system crash, you would lose data. If you want safety over performance, use sync instead of async in the line above. sync means the data is written immediately, not cached.
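Because the trade-offs above (exporting all of /, no_root_squash, async) are easy to lose track of once a file has several hosts on a line, here is an added example, not from the original post: a POSIX sh/awk function that reads an exports(5) file and flags, per directory/host pair, which of those options are in effect. The sample file it runs on is constructed and shows the line from this post beside a more conservative alternative.

```shell
#!/bin/sh
# Added example, not from the original post: audit an exports(5) file for the
# options discussed above. Reads the file named as $1, or stdin if none is given,
# and prints one line per directory/host pair listing what deserves a second look.
audit_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }                         # skip comments and blank lines
    {
        dir = $1
        for (i = 2; i <= NF; i++) {
            host = $i; opts = ""
            if (match($i, /\(.*\)/)) {              # split "host(opt,opt)" into host and opts
                host = substr($i, 1, RSTART - 1)
                opts = substr($i, RSTART + 1, RLENGTH - 2)
            }
            flags = ""
            if (dir == "/")                          flags = flags " whole-root-export"
            if (host == "" || host == "*")           flags = flags " any-host"
            if (opts ~ /(^|,)no_root_squash(,|$)/)   flags = flags " no_root_squash"
            if (opts ~ /(^|,)async(,|$)/)            flags = flags " async"
            if (flags == "") flags = " ok"
            printf "%s %s:%s\n", dir, host, flags
        }
    }' "$@"
}

# Constructed sample: the line from the post, beside a more conservative alternative
# (only /home, writes committed with sync, remote root squashed to nobody).
demo_audit() {
    audit_exports <<'EOF'
# /etc/exports (constructed sample)
/ Toshiba(rw,async,no_root_squash) hall(rw,async,no_root_squash) compaq(rw,async,no_root_squash)
/home Toshiba(rw,sync,root_squash) hall(rw,sync,root_squash)
EOF
}

demo_audit
```

Run it against your real file with `audit_exports /etc/exports`; a host flagged any-host or no_root_squash is one where the post's "physically secure home network" assumption is doing all the work.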
/etc/hosts.allow shows which addresses are allowed to connect to your network services. Mine says:
ALL:192.168.1.
That means connections to any local network services are allowed from any computer whose address starts with 192.168.1. (that is, any computer on my network). A computer with an address like 192.168.2.10, for example, would not be allowed access to any network services.
/etc/hosts.deny shows which addresses are NOT allowed to connect to your network services. Mine says:
ALL:ALL
That means no computer except the ones named in /etc/hosts.allow is allowed access to anything.
Now you'll add a line to /etc/fstab so you can mount the shared file system. On my computer called hall I have a /mnt/Toshiba directory for the laptop's file system. On my computer Toshiba I have a /mnt/hall directory. This is the line I have in /etc/fstab on hall:
# NFS file systems:
Toshiba:/ /mnt/Toshiba nfs users,noauto 0 0
and this line in /etc/fstab on Toshiba:
# NFS file systems:
hall:/ /mnt/hall nfs defaults,noauto,users 0 0
What the line above means is mount the root (and directories under root) from hall on the /mnt/hall mount point using the nfs file system, let any user mount and unmount it, and do not mount it automatically.
File systems mounted in the /mnt directory of the remote computer do not show up in the /mnt/hall or /mnt/Toshiba directory of the computer at which I'm working. So if, for example, I look in the /mnt/hall/windows_c directory, its files will not be displayed if I'm at the computer named Toshiba. It is possible to include shares in the /mnt directory but it needs its own topic.
After the files in /etc are edited to meet your needs for your home network, you then run a series of commands as root in this order:
# rpc.portmap
# rpc.mountd
# rpc.nfsd
# rpc.statd
# rpc.rquotad
# exportfs -a
These commands are in the /sbin and /usr/sbin directories. You should not get error messages if everything is set up correctly. Your nfs network should start automatically and you shouldn't need to run the commands again.
You have to do these steps on all the computers you want to network through nfs. Then you can try to mount the files from the other computer with something like this:
mount /mnt/Toshiba
Make sure your firewall isn't blocking incoming connections from the local network. I don't use a software firewall and turn off any firewalls loaded in Linux, so I'm not familiar with what complications, if any, a firewall may add to the mix. I use the firewall built into my router. If you don't have a router, disconnect from the Internet if you're going to play with the firewall.
Security
A user account has access to the corresponding user account on the networked computers. A user cannot do any root things on either computer. Your user account cannot do anything to files belonging to another user on the networked computers. Root cannot do anything on the remote computers unless the no_root_squash option is specified in /etc/exports. You are not asked for a password when you access the remote computer shares, but you have access only to the account with the same UID and GID. Only the computers specified in /etc/hosts.allow can have any access. If you let other people operate from your user account, they'll also have access to the same user account on the remote computer. If they know the root password, they'll be able to su to root and access the remote computer as root. If you are casual about letting other people use your own account, they could do serious damage to your account on the remote computer, whether by accident or on purpose.
I also think that if you have a wireless network, you should be very sure it is well secured. WEP is considered nearly useless now because it's easily cracked. Use WPA or WPA2 with a very strong password.
You have several options with nfs for what you share and what you allow. There are man pages for exports and hosts and they are worth a look. Frankly, I understand almost nothing in those man pages and don't find them very helpful, but every little bit is worth something. If you're not up to deciphering man pages, just copy and paste the examples I included and change them to fit your situation. It's a lot easier to do this than to describe it.
--GrannyGeek