CIT 470: Advanced Network and System Administration

Distributing Files

Mar 20, 2016
Slide 1: CIT 470: Advanced Network and System Administration

Distributing Files

Slide 2: Topics

1. Sharing Files
2. Copying Files: push vs pull
3. rsync
4. Network Filesystems
5. Administering NFS

Slide 3: Sharing Files

System files
– Centralize administration: shared logins, naming.
– Solution: copy files between machines.
– Alternative: directory services (LDAP).

User files
– Users want access to their files on every machine.
– Solution: copy files between machines.
– Alternative: network filesystems.

Slide 4: Copying Files

Advantages
– No network services to set up.
– Works everywhere.

Decisions
– Push vs pull. Push: one central host initiates the copy to every client, so it must hold a credential for each of them and becomes a high-value target. Pull: each client fetches from the server on its own schedule, so the server only needs to authenticate clients and the credential it hands out can be read-only.

Solutions
– ftp
– wget
– ssh (scp, sftp)
– rsync

Slide 5: Automating ftp

    #!/usr/bin/expect
    # Anonymous login: user "ftp", password is conventionally an e-mail address.
    # Everything, the password included, crosses the network in the clear.
    set timeout 300                    ;# default 10 s is too short for a large mget
    spawn ftp mysvr.nku.edu
    expect -nocase "name"              ;# the client prompts "Name (host:user):"; matching is case-sensitive without -nocase
    send "ftp\r"
    expect -nocase "password:"
    send "[email protected]\r"
    expect "ftp>"
    send "bin\r"
    expect "ftp>"
    send "prompt\r"
    expect "ftp>"
    send "mget *\r"
    expect "ftp>"
    send "bye\r"
    expect eof

Slide 6: wget

Non-interactive file retrieval
– Protocols: ftp, http, https.
– Useful for automating file transfer in scripts.
– Ex: wget http://svr.nku.edu/files/etc/hosts
– Over plain http or ftp anyone on the path can replace the file (an /etc/hosts pulled this way redirects every name lookup on the client). Use https, leave certificate checking on (never --no-check-certificate in a script), and compare a checksum before installing what was downloaded.

Options
– Authentication and proxying.
– Quiet
– Recursive: follows links in HTTP documents.
– Resume
– Retries

Slide 7: ssh-based copying

• Securely copy files to/from another host.
• Limitations
– scp copies the list of files on the command line (-r for recursive) to a single destination.
– Copies all files, not just updated files.
– Unattended use needs key-based authentication: the public key must be installed on the remote side and the private key on the copying host must be protected. Use a dedicated key for the job and restrict it in authorized_keys (command="...", no-pty) so a stolen key cannot do more than the copy.
– sftp is most suited to manual filesystem exploration.

Slide 8: rsync

• Synchronizes file trees between machines.
• Advantages
– Makes the remote tree identical to the local one.
– Only copies files that have changed.
– Only copies the parts of a file that have changed.
– Useful for local mirroring, staging directories, etc. too.

• Transport mechanisms
– rsh/rcp: insecure (cleartext, host-based trust), avoid.
– ssh: secure, commonly used (rsync -e ssh).
– rsync daemon: the rsync protocol on TCP port 873, best for anonymous use.

Slide 9: rsync over ssh

Push
    rsync -av -e ssh local root@svr:test

Pull
    rsync -av -e ssh root@svr:test local

Test (dry run: -n lists what would change and copies nothing)
    rsync -avn -e ssh root@svr:test local

A trailing slash on the source matters: "local" copies the directory itself, producing test/local on the server; "local/" copies its contents directly into test.

Slide 10: Fine tuning rsync

Deleting removed files (be careful: with a mistyped or empty source, --delete empties the destination; run it with -n first)
    rsync -av -e ssh --delete local root@svr:test

Excluding unwanted files, on the command line
    rsync -av -e ssh --exclude="*.bak" --exclude=".?*.sw?" local root@svr:test

Through a file
    rsync -av -e ssh --exclude-from=~/exclude-list local root@svr:test

Slide 11: rsync server

Setting up an rsync server
– Create an rsyncd.conf file.
– Server: rsync --daemon
– Client: rsync svr::public/new.tgz .

Simple, but be careful about security.
– Often secured only by DNS name or IP address. Both can be spoofed, and a name rule is matched against the reverse DNS of the client's address, so whoever controls that reverse zone decides whether the rule matches.
– Can secure per user with "auth users" and an rsync secrets file. The password itself is not sent in the clear (challenge-response), but the secrets file holds it in plain text, so keep it mode 600 and owned by root.
– No encryption: module contents cross the network in the clear, so tunnel the daemon through ssh (or just use rsync over ssh) for anything sensitive.

Slide 12: rsyncd.conf

    # "global-only" options
    syslog facility = local5

    # global options which may also be defined in modules
    use chroot = yes
    uid = nobody
    gid = nobody
    max connections = 20
    timeout = 600
    read only = yes

    # module:
    [public]
        path = /home/rsync
        comment = Tarball archive
        hosts allow = *.nku.edu, 10.18.3.0/24, 10.30.4.4
        ignore nonreadable = yes
        refuse options = checksum
        dont compress = *
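What the "hosts allow" line on the slide actually checks, as an added example (this is not rsync's own code). It parses an rsyncd.conf in the slide's format and evaluates a client against the exact-IP, CIDR and hostname patterns the way rsyncd does: an address pattern is compared with the client's IP, a name pattern is compared with whatever reverse DNS returned for that IP. The [private] module, the 10.30.4.4-only rule and the client names and addresses are assumptions added for the demonstration; "hosts deny" is not modelled.

```python
"""rsyncd 'hosts allow' evaluation (added example, not rsync's own code)."""
import fnmatch
import ipaddress

# Constructed sample based on the slide's rsyncd.conf. The [private]
# module is an assumption added for contrast with the open [public] one.
SAMPLE_CONF = """\
syslog facility = local5
use chroot = yes
uid = nobody
gid = nobody
read only = yes
[public]
    path = /home/rsync
    comment = Tarball archive
    hosts allow = *.nku.edu, 10.18.3.0/24, 10.30.4.4
[private]
    path = /srv/private
    auth users = backup
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.30.4.4
"""


def parse_rsyncd(text):
    """Return {module: {key: value}}; key '' holds the global section."""
    modules = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules[current] = {}
        elif "=" in line:
            key, value = line.split("=", 1)
            modules[current][key.strip().lower()] = value.strip()
    return modules


def host_allowed(rule, client_ip, client_name=None):
    """True if the client matches any comma-separated pattern in 'rule'.

    client_name is the reverse-DNS name of client_ip. rsyncd compares
    hostname patterns against exactly that, so whoever controls the
    reverse zone for an address controls whether a name rule matches.
    """
    ip = ipaddress.ip_address(client_ip)
    for pat in (p.strip() for p in rule.split(",")):
        if not pat:
            continue
        if "/" in pat:                         # CIDR or addr/netmask form
            if ip in ipaddress.ip_network(pat, strict=False):
                return True
            continue
        try:                                   # a single address
            if ip == ipaddress.ip_address(pat):
                return True
            continue
        except ValueError:
            pass                               # not an address: a name pattern
        if client_name and fnmatch.fnmatchcase(client_name.lower(), pat.lower()):
            return True
    return False


def module_allows(conf, module, client_ip, client_name=None):
    """Apply the module's 'hosts allow', falling back to the global one.
    With no 'hosts allow' anywhere, rsyncd accepts every client."""
    rule = conf[module].get("hosts allow", conf[""].get("hosts allow"))
    if rule is None:
        return True
    return host_allowed(rule, client_ip, client_name)


def unauthenticated_modules(conf):
    """Modules without 'auth users': any host that passes 'hosts allow'
    can read them, and the transfer is unencrypted either way."""
    return sorted(name for name, opts in conf.items()
                  if name and "auth users" not in opts)


if __name__ == "__main__":
    conf = parse_rsyncd(SAMPLE_CONF)
    print("10.18.3.7 -> public:", module_allows(conf, "public", "10.18.3.7"))
    print("198.51.100.9 with rDNS x.nku.edu -> public:",
          module_allows(conf, "public", "198.51.100.9", "x.nku.edu"))
    print("modules without a password:", unauthenticated_modules(conf))
```

The second print is the point of the slide's warning: an address far outside the campus networks is admitted to [public] as soon as its reverse DNS says "x.nku.edu", which the owner of that address range can arrange. Prefer address and CIDR rules, and put "auth users" on any module that is not meant to be public.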

Slide 13: Other File Distribution Systems

rdist
– Older tool like rsync but slower, with fewer features.

unison
– Unlike rsync, handles updates on both sides.
– Conflict resolution like CVS to handle the case when a file is modified on both sides.

cfengine
– Maintains the state of the system according to a policy.
– Copies files as needed to meet the policy.

Slide 14: Automating File Copying

Write a cron job.
– The script can verify data before/after the copy too (compare a checksum, refuse to install an empty or truncated file).

How to deal with many machines?
– Add a random delay so they do not all hit the server at the same minute, using a simple script:

    #!/usr/bin/perl
    # sleep 0-15 minutes (0-900 s) before fetching
    sleep int(rand(900));

Slide 15: Network Filesystems

Idea: use the filesystem to transparently share files between computers.

Solution:
– Client mounts the network filesystem as normal.
– Client filesystem code sends packets to the server(s).
– Server responds with data stored on a regular on-disk filesystem.

Slide 16: NFS

Network File System
– Transparent, behaves like a regular UNIX filesystem.
– Uses UNIX UIDs, GIDs and permissions, but can work on Windows.
– Since NFS (v2/v3) is stateless, file locking and crash recovery are handled by the separate rpc.lockd and rpc.statd daemons.

Security
– Server only lets certain IP addresses mount filesystems. With the default sec=sys, the client's address and the UID it claims are all the server ever sees.
– Client UIDs have the same permissions on the server as on the client.
– Client root UID is mapped to nobody (root_squash), but
– root can su to any client UID and so read or change anything that UID owns on the export. Only Kerberos (sec=krb5*) ties access to a verified identity instead of a client-supplied number.

Slide 17: CIFS

Microsoft network filesystem
– Derived from the 1980s IBM SMB network filesystem.
– Originally ran over NetBIOS, not TCP/IP.
– \\svr\share\path: Universal Naming Convention.
– Auth: NTLM (insecure), NTLMv2, Kerberos.

Implementation
– MS Windows-centric (filenames, ACLs, line endings).
– Samba: UNIX client and server software.

Slide 18: AFS

Distributed filesystem
– Global namespace: /afs/abc.com/vol_home1
– Servers provide one or more volumes.
– Volume replication, with read-only copies on other servers.

Cells are administrative domains within AFS.
– Cells contain multiple servers.
– Each server provides multiple volumes.

Security
– Kerberos authentication.
– ACLs with user-administered groups.

Slide 19: NFSv4

New model of NFS
– Only one protocol (no separate mount, lock, etc.), everything on a single TCP port (2049), which makes it easy to firewall.
– Global namespace.
– Security (ACLs; Kerberos authentication with integrity and encryption via RPCSEC_GSS).
– Cross platform + internationalized.
– Better caching via delegation of files to clients.

Slide 20: Administering NFS

1. NFS Versions
2. Using NFS
3. NFS Services
4. Server and Client Configuration
5. Automounter
6. Security
7. Performance

Slide 21: NFS Versions

v2 (1984): UDP only, 32-bit file sizes.
v3 (1992): TCP support, 64-bit file sizes.
v4 (2000): distributed, cross-platform, security built in.

Slide 22: Using NFS

Client
1. Start portmap
2. …
3. …
4. …
5. Mount filesystems.

Server
1. Start portmap
2. Start NFS services.
3. Configure exports.
4. Export filesystems.

Slide 23: NFS Services

portmap — RPC port mapper for Linux (rpcbind on newer distributions)
    portmap

nfs — NFS file server processes
    rpc.mountd
    rpc.rquotad
    nfsd

nfslock — Optional file locking service
    rpc.statd

Slide 24: NFSv2/3 Processes

rpc.mountd — Handles client mount requests.
rpc.nfsd — NFS server processes.
rpc.lockd — Process for the optional nfslock service.
rpc.statd — Handles lock recovery after server or client crashes for nfslock.
rpc.rquotad — Quotas for remote users.

Slide 25: rpcinfo

    > rpcinfo -p
       program vers proto   port
        100000    2   tcp    111  portmapper
        100000    2   udp    111  portmapper
        100021    1   udp  32774  nlockmgr
        100021    1   tcp  34437  nlockmgr
        100011    1   udp    819  rquotad
        100011    2   udp    819  rquotad
        100011    1   tcp    822  rquotad
        100011    2   tcp    822  rquotad
        100003    2   udp   2049  nfs
        100003    3   udp   2049  nfs
        100003    2   tcp   2049  nfs
        100003    3   tcp   2049  nfs
        100005    2   udp    836  mountd
        100005    2   tcp    839  mountd
        100005    3   udp    836  mountd
        100005    3   tcp    839  mountd

Slide 26: NFSv4 Processes

nfsd — NFSv4 server processes; also handles mounts (there is no separate mount protocol).
rpc.idmapd — Maps NFSv4 names (user@domain) to local UIDs and GIDs. Uses /etc/idmapd.conf.
rpc.svcgssd — Server side of Kerberos (RPCSEC_GSS) authentication.
rpc.gssd — Client side of Kerberos (RPCSEC_GSS) authentication.

Slide 27: Server Configuration

1. Configure /etc/exports
   – List filesystems to be exported.
   – Specify export options (ro, rw, etc.).
   – Specify hosts/networks to export to.

2. Export filesystems.
    exportfs -a      (exportfs -r re-reads /etc/exports after a change; exportfs -v shows what is exported, with the options actually in effect)

3. Start the NFS server (if not already started)
    service portmap start
    service nfs start

Slide 28: /etc/exports

Format: directory host(options) [host(options) ...]
No space between the host and the opening parenthesis: "* (rw)" is two entries, "*" with the default options and an empty host (everyone) with rw.

Options
    ro, rw          Read-only, read-write (ro is the default).
    async           Server replies before the write reaches disk.
    sync            Save before reply (default).
    all_squash      Map all users to the anonymous UID/GID.
    root_squash     Map root to the anonymous UID (default).
    no_root_squash  Do not map root (insecure).
    anonuid, anongid  Set the anonymous UID, GID.

Examples:
    /home *.example.com(rw,sync)
    /backups 192.168.1.0/24(ro,all_squash)
    /ex/limited foo.example.com
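An audit of the export options above, as an added example (not part of nfs-utils): it parses /etc/exports lines in the "directory host(options)" form and flags the settings the slides call insecure, including the space-before-parenthesis mistake. The sample file is constructed from the slide's three examples plus two deliberately weak lines (/srv/build and /srv/iso) that are assumptions added to exercise the checks.

```python
"""/etc/exports audit (added example, not part of nfs-utils)."""
import re

# Constructed sample: the slide's examples plus two weak lines added here.
SAMPLE_EXPORTS = """\
/home *.example.com(rw,sync)
/backups 192.168.1.0/24(ro,all_squash)
/ex/limited foo.example.com
/srv/build * (rw,no_root_squash)
/srv/iso *(ro,insecure)
"""

# host part, optionally followed by "(opt,opt,...)"
TOKEN = re.compile(r"([^\s(]*)(?:\(([^)]*)\))?")


def parse_exports(text):
    """Return [(directory, host, frozenset(options))], one per client spec.

    A token that is only "(opts)" has an empty host, which exportfs treats
    as "every host". That is what a space before the parenthesis does, and
    the preceding "*" token is still exported with the default options.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        directory, rest = parts[0], parts[1] if len(parts) > 1 else ""
        for tok in rest.split():
            m = TOKEN.fullmatch(tok)
            if not m:
                continue
            host, opts = m.group(1), m.group(2) or ""
            options = frozenset(o.strip() for o in opts.split(",") if o.strip())
            entries.append((directory, host, options))
    return entries


def is_broad(host):
    """Anything other than one named host or one address."""
    return host in ("", "*") or any(c in host for c in "*?/@")


def audit_exports(text):
    """Return (directory, host, code, message) for each weak setting."""
    findings = []
    for directory, host, opts in parse_exports(text):
        def flag(code, msg):
            findings.append((directory, host, code, msg))
        if host == "":
            flag("WORLD", "options apply to every host (space before the parenthesis?)")
        elif host == "*":
            flag("WORLD", "exported to every host")
        if "no_root_squash" in opts:
            flag("NO_ROOT_SQUASH", "client root is root on the server")
        if "rw" in opts and is_broad(host):
            flag("RW_BROAD", "writable by more than a single host")
        if "insecure" in opts:
            flag("INSECURE_PORTS", "requests accepted from unprivileged source ports")
        if "async" in opts:
            flag("ASYNC", "acknowledged writes are lost if the server crashes")
    return findings


if __name__ == "__main__":
    for directory, host, code, msg in audit_exports(SAMPLE_EXPORTS):
        print(f"{directory:<12} {host or '<everyone>':<16} {code:<15} {msg}")
```

Run against a real server with `audit_exports(open("/etc/exports").read())`; the parser only understands the plain "directory host(options)" form, so compare its view with `exportfs -v`, which prints what the kernel is actually exporting.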

Slide 29: Client Configuration

Manual mounting
    mount -t <nfs-type> -o <options> server:/remote/export /local/directory

Mounting via /etc/fstab
    server:/remote/export /local/directory <nfs-type> <options> 0 0

NFS type is either nfs or nfs4.

Slide 30: Mount Options

hard or soft — error handling
    hard: NFS requests wait, uninterruptibly, until the server is back.
    soft: NFS requests time out and report failure. A timed-out write is silently lost, so avoid soft on read-write mounts.
intr — NFS requests can be interrupted if the server is unreachable (accepted for compatibility but ignored by Linux kernels from 2.6.25 on).
nfsvers=2,3 — NFS protocol version (not 4; use -t nfs4 for that).
noexec — prevents execution of binaries.
nosuid — disables setuid for security: without it, a setuid-root binary placed on the export (by root on the server, or through a no_root_squash export) runs as root on every client that mounts it.
rsize,wsize=# — NFS data block size (8192 was the old default; current clients negotiate larger values with the server).
sec=mode — NFS security type.
    sys: uses local UIDs and GIDs as claimed by the client; the server cannot verify them.
    krb5: Kerberos 5 authentication.
    krb5i: Kerberos 5 authentication + integrity checking.
    krb5p: Kerberos 5 authentication + integrity checking + encryption.
tcp, udp — specifies the transport protocol for the mount.

Slide 31: Automounter

Manages NFS mounts.

Automounter maps vs /etc/fstab. Mounts filesystems only when needed:
– Makes administering many filesystems easier.
– Improves startup speed.
– Provides uniform namespaces.
– Ex: mounts /home/home7 as /home on login.

/etc/auto.master points to maps
    /home /etc/auto.home

Maps describe mounts
    * -fstype=nfs4,soft,intr,nosuid server:/home/&

With a wildcard key, & is replaced by the name that was looked up, so /home/alice mounts server:/home/alice. Without the /& suffix every user would get all of server:/home mounted under their own name.
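The client-side counterpart of the export audit, as an added example (not part of nfs-utils or autofs): it reads NFS entries from fstab-style lines and flags the mount options slides 30 and 31 discuss, which is also what the automounter map above feeds to mount. The fstab lines, server name and export paths are constructed for the demonstration.

```python
"""NFS mount-option audit for fstab-style entries (added example)."""

# Constructed sample: three NFS mounts with different settings plus one
# non-NFS line that the parser must ignore.
SAMPLE_FSTAB = """\
/dev/sda1             /            ext4  defaults                         1 1
nfssrv:/home          /home        nfs4  rw,sec=krb5p,nosuid,noexec,hard  0 0
nfssrv:/export/share  /mnt/share   nfs   rw,soft,intr,rsize=8192          0 0
nfssrv:/export/iso    /mnt/iso     nfs4  ro,sec=sys,nosuid                0 0
"""


def parse_fstab(text):
    """Return (source, mountpoint, fstype, frozenset(options)) for NFS lines.
    The same six-field layout is used by /proc/mounts, so the function can
    be pointed at that file to audit what is mounted right now."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4 or fields[2] not in ("nfs", "nfs4"):
            continue
        entries.append((fields[0], fields[1], fields[2], frozenset(fields[3].split(","))))
    return entries


def audit_mounts(text):
    """Return (mountpoint, code) findings, one per weak or risky option."""
    findings = []
    for _source, mountpoint, _fstype, opts in parse_fstab(text):
        # sec= defaults to sys when absent
        sec = next((o.split("=", 1)[1] for o in opts if o.startswith("sec=")), "sys")
        if sec == "sys":
            findings.append((mountpoint, "SEC_SYS"))        # server trusts client-claimed UIDs
        elif sec == "krb5":
            findings.append((mountpoint, "NO_INTEGRITY"))   # authenticated, but data unprotected in flight
        if "nosuid" not in opts:
            findings.append((mountpoint, "SUID_ALLOWED"))   # setuid binaries on the export are honoured
        if "noexec" not in opts:
            findings.append((mountpoint, "EXEC_ALLOWED"))
        if "soft" in opts and "ro" not in opts:
            findings.append((mountpoint, "SOFT_RW"))        # timed-out writes are silently dropped
        if "intr" in opts:
            findings.append((mountpoint, "INTR_IGNORED"))   # no effect on kernels from 2.6.25 on
    return findings


if __name__ == "__main__":
    for mountpoint, code in audit_mounts(SAMPLE_FSTAB):
        print(f"{mountpoint:<12} {code}")
```

The /home line is the shape the slides recommend (krb5p, nosuid, noexec, hard) and produces no findings; the read-write soft mount collects five. Treat EXEC_ALLOWED as informational where binaries really must run from the share, and SEC_SYS as the item to fix first.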

Slide 32: Security

Limit which hosts have access to filesystems.
– Specify hosts in /etc/exports.
– Use iptables to limit which hosts can use NFS.
– With sec=sys the host rule is the only access control: anyone who can use an allowed address can claim any UID and read that UID's files.

Limit mount options
– Default to ro unless writes are necessary.
– Disable setuid and execution (nosuid, noexec) unless needed.
– Map root to nobody (root_squash, the default); never use no_root_squash towards hosts you do not fully trust.

Block NFS at network firewalls.
– Block all the RPC ports, not just port 2049: with NFSv2/v3, portmap (111), mountd, lockd, statd and rquotad listen on separate ports that are assigned dynamically unless pinned.

Use NFSv4 with Kerberos authentication + encryption (sec=krb5p).

Slide 33: Performance

Measuring performance
    nfsstat
    /proc/net/rpc/nfsd

Optimizations
– Increase the block size (rsize/wsize). Problem: over UDP a block larger than the MTU is split into IP fragments, and losing one fragment costs the whole block; use TCP instead.
– Set the async option on exports: the server acknowledges writes before they reach disk, so a server crash loses data the client believes was written.
– Faster network card.
– Faster disk array.
– NVRAM cache on the array to absorb synchronous NFS writes.
