Difference between revisions of "Labeled NFS/Demo/Manual/NFSv4"
Latest revision as of 15:53, 15 December 2008
NFSv4 Server
NFS Server Packages
The NFS server installation requires three custom packages, two of which replace/upgrade existing packages to include support for Labeled NFS. The third package includes SELinux policy necessary for the NFS server to access and manage exported files and directories. The latest versions of the packages are identified on the main Labeled NFS demo page.
- Linux Kernel with Labeled NFS patches
- NFS Utils with Labeled NFS patches
- SEFOS Server SELinux policy
The NFS server is also a Kerberos client, so the packages identified in the Kerberos client configuration section are required.
Other useful packages:
- system-config-nfs
- nfswatch
Create Kerberos Principals
Run kadmin on the Kerberos Server and create the nfs principal for the server. Then, add the nfs principal's key to the local keytab file.
- Replace nfsserver.example.com with the fully qualified name of the NFSv4 server machine.
- The same machine may host the NFSv4 server and the Kerberos server. In that case, both the principal creation and the adding of the principal to the local key table are still required.
- Note the special way in which the NFS principal is added. The encryption key type is specified.
- If this is not done, NFS will fail in mysterious ways and it will be difficult to track down the problem.
- This is apparently because the NFS kernel code only supports des-cbc-crc.
# kadmin
Authenticating as principal root/admin@server.example.com with password.
Password for root/admin@server.example.com
kadmin: addprinc -randkey nfs/nfsserver.example.com
kadmin: ktadd -e des-cbc-crc:normal nfs/nfsserver.example.com
kadmin: quit
Server Configuration
Create the necessary entries in /etc/exports.
- Create an NFSv4 mount point (the export root), e.g. /mnt/export.
- Next, bind the real path to a directory under the NFSv4 mount point, e.g. /mnt/export/home.
- An fstab entry binding the real path to the mount point should be added to /etc/fstab so that it is remounted after each boot.
mkdir -m 1777 /mnt/export
mkdir /mnt/export/home
echo "/home /mnt/export/home none bind 0 0" >> /etc/fstab
mount -a
/etc/exports
The exported directories need to be added to /etc/exports:
/mnt/export 192.168.201.0/24(sec=krb5:krb5i:krb5p,security_label,sync,rw,fsid=0,insecure,no_subtree_check,anonuid=65534,anongid=65534,no_root_squash)
/mnt/export/home 192.168.201.0/24(sec=krb5:krb5i:krb5p,security_label,sync,rw,nohide,insecure,no_subtree_check,anonuid=65534,anongid=65534,no_root_squash)
and if legacy NFSv3 mounts are desired add:
# Legacy mounts
/home 192.168.201.0/24(sync,rw,nohide,insecure,no_subtree_check,anonuid=65534,anongid=65534,no_root_squash)
Note: On 64-bit machines, the anonuid and anongid values above should be set to 4294967294.
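An added check, written for this page and not part of the demo or the Labeled NFS project, that reads an exports file and flags entries which still accept sec=sys clients or omit security_label (so the SELinux label would not travel with the file). The sample exports content is constructed from the entries above; the temporary file path comes from mktemp.

```shell
#!/bin/sh
# Added example, not part of the Labeled NFS demo page: audit an exports file for
# entries that still accept unauthenticated (sec=sys) clients or that omit the
# security_label option, so labels would not be carried over the wire.

# Write a constructed /etc/exports that mirrors the three entries above.
write_sample_exports() {
    cat > "$1" <<'EOF'
/mnt/export 192.168.201.0/24(sec=krb5:krb5i:krb5p,security_label,sync,rw,fsid=0,insecure,no_subtree_check,anonuid=65534,anongid=65534,no_root_squash)
/mnt/export/home 192.168.201.0/24(sec=krb5:krb5i:krb5p,security_label,sync,rw,nohide,insecure,no_subtree_check,anonuid=65534,anongid=65534,no_root_squash)
# Legacy mounts
/home 192.168.201.0/24(sync,rw,nohide,insecure,no_subtree_check,anonuid=65534,anongid=65534,no_root_squash)
EOF
}

# Print the hardening options one export line lacks, space-separated (empty if none).
# A missing sec= option means the exportfs default, sec=sys, so it counts as weak.
missing_options() {
    opts=$(printf '%s\n' "$1" | sed -n 's/.*(\(.*\)).*/\1/p')
    sec=$(printf ',%s,\n' "$opts" | sed -n 's/.*,sec=\([^,]*\),.*/\1/p')
    missing=""
    case ":$sec:" in
        '::'|*:sys:*) missing="$missing sec=krb5" ;;   # no flavour given, or AUTH_SYS allowed
    esac
    case ",$opts," in
        *,security_label,*) ;;
        *) missing="$missing security_label" ;;
    esac
    printf '%s\n' "${missing# }"
}

# Report every weak export in a file, then print a summary line with the count.
audit_exports() {
    n=0
    while read -r line; do
        case "$line" in ''|\#*) continue ;; esac      # skip blanks and comments
        lack=$(missing_options "$line")
        if [ -n "$lack" ]; then
            echo "WEAK: ${line%% *} is missing: $lack"
            n=$((n + 1))
        fi
    done < "$1"
    echo "$n weak export(s)"
}

# Stand-alone run against the constructed sample (point it at /etc/exports on a real server).
tmp=$(mktemp) && write_sample_exports "$tmp" && audit_exports "$tmp"; rm -f "$tmp"
```

With the sample above the legacy /home export is the one reported, since it neither requires Kerberos nor carries security_label.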
Modify /etc/idmapd.conf
You must change the domain to your current domain. Also, the user mapping for nobody should be checked and updated to nfsnobody if necessary.
- In general, the Domain value here should match Kerberos's krb5.conf file default_domain value.
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = example.com

[Mapping]
Nobody-User = nfsnobody
Nobody-Group = nfsnobody

[Translation]
Method = nsswitch
Modify /etc/sysconfig/nfs
To enable secure NFS, the following line must be added to /etc/sysconfig/nfs:
SECURE_NFS=yes
The following are default ports. They may be reconfigured depending on local firewall setups.
# Port rquotad should listen on.
#RQUOTAD_PORT=875
...
# TCP port rpc.lockd should listen on.
#LOCKD_TCPPORT=32803
# UDP port rpc.lockd should listen on.
#LOCKD_UDPPORT=32769
...
# Port rpc.mountd should listen on.
#MOUNTD_PORT=892
...
# Port rpc.statd should listen on.
#STATD_PORT=662
For a large number of connections, the number of NFS daemons set below may need to be increased:
RPCNFSDCOUNT=8
Firewalls
If there is a firewall on the server, the following default port should be allowed through to enable NFSv4.
NFSv4 Ports:
- 2049 TCP
To open this port through the firewall, add the following lines to /etc/sysconfig/iptables right before the INPUT REJECT rule:
# nfs server
-A INPUT -m tcp -p tcp --dport 2049 -j ACCEPT
Then restart iptables:
run_init service iptables restart
NFS Start at Boot
Make NFS start during boot:
# chkconfig nfs on
Note: The rpcsvcgssd service needs to start after network services on your host. If it does not start properly at boot time, try moving it to start after network initialization (e.g. NetworkManager) in the initial start order (i.e. within /etc/rc.d/).
SELinux Policy tweaks
Install the NFS Server SELinux policy binary RPM, or build and install from the available SRPM.
Start nfs
run_init service nfs start
NFSv4 Client
NFS Client Packages
The NFS client requires the installation of one package, the SEFOS Client SELinux policy package. The latest version of the package is identified on the main Labeled NFS demo page.
Other Useful Packages:
- nfswatch
Create Kerberos Principals
Run kadmin on the client and create an nfs principal for the client. Then, add the principal to the client's local key table.
- Replace seclient.example.com with the fully qualified name of the client machine.
- Note the special way in which the NFS principal is added. The encryption key type is specified.
- If this is not done, NFS will fail in mysterious ways and it will be difficult to track down the problem.
- This is apparently because the NFS kernel code only supports des-cbc-crc.
# kadmin
Authenticating as principal root/admin@server.example.com with password.
Password for root/admin@server.example.com
kadmin: addprinc -randkey nfs/seclient.example.com
kadmin: ktadd -e des-cbc-crc:normal nfs/seclient.example.com
kadmin: quit
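Both the server and the client principal steps above warn that a keytab entry without the des-cbc-crc key makes NFS fail in hard-to-diagnose ways. The check below is an added example, not part of the demo page or the Labeled NFS project: it scans "klist -k -e" style output and names any nfs/ principal whose keytab entry lacks that enctype. The sample output is constructed, and the enctype wording ("DES cbc mode with CRC-32" or "des-cbc-crc") is assumed to match what MIT klist prints.

```shell
#!/bin/sh
# Added example, not from the Labeled NFS demo page: confirm that every nfs/ principal
# in a keytab listing carries a des-cbc-crc key. Input is "klist -k -e" style output.
# The sample below is constructed; the enctype spellings matched are assumptions
# about MIT klist output (older builds print the long name, newer ones the short one).

KLIST_SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/nfsserver.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   2 host/nfsserver.example.com@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   3 nfs/seclient.example.com@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)'

# Print the nfs/ principals that have no des-cbc-crc key; exit 1 if any are found, else 0.
nfs_principals_missing_des() {
    printf '%s\n' "$1" | awk '
        /^ *[0-9]+ +nfs\// {
            princ = $2
            seen[princ] = 1
            if (index($0, "DES cbc mode with CRC-32") > 0 || index($0, "des-cbc-crc") > 0)
                ok[princ] = 1
        }
        END {
            rc = 0
            for (p in seen) if (!(p in ok)) { print p; rc = 1 }
            exit rc
        }'
}

# Stand-alone run on the constructed sample. On a real host feed it the live listing:
#   nfs_principals_missing_des "$(klist -k -e)"
nfs_principals_missing_des "$KLIST_SAMPLE" || echo "keytab check failed: add the key with ktadd -e des-cbc-crc:normal"
```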
NFS Client File Configuration
Modify /etc/idmapd.conf
You must change the domain to your current domain. Also, the user mapping for nobody should be checked and updated to nfsnobody if necessary.
- In general, the Domain value here should match Kerberos's krb5.conf file default_domain value.
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = example.com

[Mapping]
Nobody-User = nfsnobody
Nobody-Group = nfsnobody

[Translation]
Method = nsswitch
Modify /etc/sysconfig/nfs
To enable secure NFS, the following line must be included in /etc/sysconfig/nfs:
SECURE_NFS=yes
Modify /etc/fstab
Create a directory for the mount:
mkdir /mnt/nfs4
Add the directories to be mounted to fstab:
sefos:/ /mnt/nfs4 nfs4 users,sec=krb5 0 0
SELinux Policy tweaks
The client package contains a script that performs some post install configuration. The core action performed by the script is to set these three SELinux booleans:
- allow_kerberos - required for client-side Kerberos to function properly
- allow_gssd_read_tmp - required for RPC GSSD to read cached Kerberos credentials in /tmp (for passing credentials between NFS client and server)
- use_nfs_home_dirs - allow home directories (/home) to be mounted via NFS
The script is automatically run during the first normal system boot so no manual action beyond installing the package should be required.
Testing NFS
- Assumes that the Kerberos server is running and the client is configured for Kerberos.
The following should not produce errors and should show the contents of /mnt/export on the NFS server:
[root@seclient /]# kinit -p root/admin
Password for root/admin@EXAMPLE.COM:
[root@seclient /]# mount /mnt/nfs4
[root@seclient /]# ls /mnt/nfs4
NFS References
- Projects: NFS Version 4 Open Source Reference Implementation
- Network File System (NFS) version 4 Protocol, RFC 3530
- NFS Version 4 Design Considerations, RFC 2624