filesystems (FS). As a long time industry standard in UNIX, NFS (network
file system) provides access to remote filesystems which appear similar
to local resources on client hosts. Since Sun Microsystems originally
devised NFS, the following focuses on simple NFS server and client
configuration in Solaris (see note 1). Our host details are:
HOST (server): snorkle (10.0.23.191) HOST (client): solex (10.0.23.161) PROMPT (root): HOST [0] PROMPT (user): troy@solex [0] USER UID:GID: 1000:1000 (on both server and client) OS: Solaris 10 NOTE: Aside from the use of SMF, the following should equally apply to previous versions of Solaris as well.Starting off with our server side, NFS requires at least 4 services
running (for sane usage), though possibly up to 8, depending on NFS
version and features (see note 2):
svc:/network/rpc/bind:default (required) svc:/network/nfs/status:default (required) svc:/network/nfs/nlockmgr:default (required) svc:/network/nfs/rquota:default (optional) svc:/network/nfs/server:default (required) svc:/network/nfs/mapid:default (NFSv4, required) svc:/network/rpc/gss:default (NFSv4, optional) /usr/lib/nfs/nfslogd (NFSv2, NFSv3, optional)(While NFSv3 is detailed herein, NFSv4 configuration and usage isn't much
different.) Below, we check which services are running and start those
that aren't:
snorkle [0] /usr/bin/svcs -v svc:/network/rpc/bind:default
STATE NSTATE STIME CTID FMRI
online - 0:32:19 44 svc:/network/rpc/bind:default
snorkle [0] /usr/bin/svcs -v svc:/network/nfs/status:default \
> svc:/network/nfs/nlockmgr:default svc:/network/nfs/rquota:default \
> svc:/network/nfs/server:default
STATE NSTATE STIME CTID FMRI
disabled - 0:30:32 - svc:/network/nfs/status:default
offline - 1:39:00 - svc:/network/nfs/nlockmgr:default
disabled - 0:32:40 - svc:/network/nfs/rquota:default
disabled - 0:30:42 - svc:/network/nfs/server:default
snorkle [0] for i in status nlockmgr rquota server ; do
> /usr/sbin/svcadm enable svc:/network/nfs/${i}:default
> done
(We could have alternately enabled the necessary NFS services via'svcadm enable -r svc:/network/nfs/server:default'.)
snorkle [0] /usr/bin/svcs -v svc:/network/nfs/status:default \ > svc:/network/nfs/nlockmgr:default svc:/network/nfs/rquota:default \ > svc:/network/nfs/server:default STATE NSTATE STIME CTID FMRI online - 1:46:25 81 svc:/network/nfs/status:default online - 1:46:26 82 svc:/network/nfs/nlockmgr:default online - 1:46:27 - svc:/network/nfs/rquota:default disabled - 1:46:31 - svc:/network/nfs/server:defaultAfter a recheck of the services, 'svc:/network/nfs/server:default'
is still disabled. A check of the problem via 'svcs' and the SMF log
aren't exactly helpful either:
snorkle [0] /usr/bin/svcs -xv svc:/network/nfs/server:default
svc:/network/nfs/server:default (NFS server)
State: disabled since February 20, 2011 1:46:31 AM EST
Reason: Disabled by an administrator.
See: http://sun.com/msg/SMF-8000-05
See: man -M /usr/share/man -s 1M nfsd
See: /var/svc/log/network-nfs-server:default.log
Impact: This service is not running.
snorkle [0] /usr/bin/cat /var/svc/log/network-nfs-server:default.log
[ Sep 1 19:55:44 Disabled. ]
[ Sep 1 19:55:44 Rereading configuration. ]
[ Feb 20 01:46:25 Enabled. ]
[ Feb 20 01:46:27 Executing start method ("/lib/svc/method/nfs-server start") ]
[ Feb 20 01:46:27 Method "start" exited with status 0 ]
[ Feb 20 01:46:27 Stopping because all processes in service exited. ]
[ Feb 20 01:46:28 Executing stop method ("/lib/svc/method/nfs-server stop 83") ]
[ Feb 20 01:46:28 Method "stop" exited with status 0 ]
[ Feb 20 01:46:28 Executing start method ("/lib/svc/method/nfs-server start") ]
[ Feb 20 01:46:29 Method "start" exited with status 0 ]
[ Feb 20 01:46:29 Stopping because all processes in service exited. ]
[ Feb 20 01:46:29 Executing stop method ("/lib/svc/method/nfs-server stop 85") ]
[ Feb 20 01:46:29 Method "stop" exited with status 0 ]
[ Feb 20 01:46:29 Executing start method ("/lib/svc/method/nfs-server start") ]
[ Feb 20 01:46:30 Method "start" exited with status 0 ]
[ Feb 20 01:46:30 Stopping because all processes in service exited. ]
[ Feb 20 01:46:30 Executing stop method ("/lib/svc/method/nfs-server stop 87") ]
[ Feb 20 01:46:31 Method "stop" exited with status 0 ]
[ Feb 20 01:46:31 Disabled. ]
The reason that 'svc:/network/nfs/server:default' is still disabled isbecause '/etc/dfs/dfstab' contains no entries of filesystems to share.
Below, we've updated 'dfstab' to include two shared filesystems (see
note 3):
snorkle [0] /usr/bin/egrep -v '^$|^#' /etc/dfs/dfstab share -F nfs -o nosuid,rw=@10.0.22.0/23,anon=60001 -d "home dirs" /export/home share -F nfs -o rw=beastie:@10.0.23.191,root=@10.0.23.191,ro,nosub /usr/sfwAs an aside, you can use entries from 'dfstab' directly on the
command line. This can be sometimes useful when you are initially
configuring a share and need to work out the appropriate export
options. You can also stop sharing an exported FS via 'unshare':
snorkle [0] /usr/sbin/share -F nfs -o ro=@10.0.22.0/23 /usr/share/man snorkle [0] /usr/sbin/unshare /usr/share/manWith 'dfstab' updated, 'svc:/network/nfs/server:default' will now start:
snorkle [0] /usr/sbin/svcadm enable svc:/network/nfs/server:default snorkle [0] /usr/bin/svcs -v svc:/network/nfs/server:default STATE NSTATE STIME CTID FMRI online - 2:56:43 91 svc:/network/nfs/server:defaultTo verify our exported filesystems, we can use 'dfshares', 'share',
or review the contents of 'sharetab':
snorkle [0] /usr/sbin/dfshares RESOURCE SERVER ACCESS TRANSPORT snorkle:/usr/sfw snorkle - - snorkle:/export/home snorkle - - snorkle [0] /usr/sbin/share - /usr/sfw rw=beastie:@10.0.23.191,root=@10.0.23.191,ro,nosub "" - /export/home nosuid,rw=@10.0.22.0/23,anon=60001 "home dirs" snorkle [0] /usr/bin/cat /etc/dfs/sharetab /usr/sfw - nfs rw=beastie:@10.0.23.191,root=@10.0.23.191,ro,nosub /export/home - nfs nosuid,rw=@10.0.22.0/23,anon=60001 home dirsNow that the server is setup, we can work on the client host. A Solaris
NFS client requires at least 4 services running (for sane usage), though
possibly 6 depending on NFS version (see note 2):
svc:/network/rpc/bind:default (required) svc:/network/nfs/status:default (required) svc:/network/nfs/nlockmgr:default (required) svc:/network/nfs/client:default (required) svc:/network/nfs/cbd:default (NFSv4, required) svc:/network/nfs/mapid:default (NFSv4, required)Below, we check the status of the services, starting them as needed, and
use 'dfshares' to review what shares are available from the NFS server:
solex [0] /usr/bin/svcs -v svc:/network/nfs/client:default svc:/network/nfs/status:default \
> svc:/network/nfs/nlockmgr:default svc:/network/rpc/bind:default
STATE NSTATE STIME CTID FMRI
disabled - 3:07:42 - svc:/network/rpc/bind:default
disabled - 3:07:44 - svc:/network/nfs/status:default
disabled - 3:07:44 - svc:/network/nfs/nlockmgr:default
disabled - 3:07:45 - svc:/network/nfs/client:default
solex [0] for i in rpc/bind nfs/status nfs/nlockmgr nfs/client ; do
> /usr/sbin/svcadm enable svc:/network/${i}:default ; done
solex [0] /usr/bin/svcs -v svc:/network/nfs/client:default svc:/network/nfs/status:default \
> svc:/network/nfs/nlockmgr:default svc:/network/rpc/bind:default
STATE NSTATE STIME CTID FMRI
online - 3:25:48 86 svc:/network/nfs/status:default
online - 3:25:49 85 svc:/network/rpc/bind:default
online - 3:25:49 87 svc:/network/nfs/nlockmgr:default
online - 3:25:49 - svc:/network/nfs/client:default
solex [0] /usr/sbin/dfshares 10.0.23.191
RESOURCE SERVER ACCESS TRANSPORT
10.0.23.191:/usr/sfw 10.0.23.191 - -
10.0.23.191:/export/home 10.0.23.191 - -
In Solaris, tradition has /export/home set up as the location of userhome directories with the intention that those home directories are
remounted to /home via NFS and AutoFS (automountd). Since we are only
concerned with NFS at this time, we'll skip /home and create '/home2'
on the client host. Following that, we mount '/export/home' from the
NFS server (10.0.23.191) to '/home2' and verify the mount:
solex [0] /usr/bin/mkdir /home2 solex [0] /usr/bin/ls -ld /home2 drwxr-xr-x 2 root root 2 Feb 20 03:12 /home2/ solex [0] /usr/sbin/mount -F nfs -o rw,bg,intr 10.0.23.191:/export/home /home2 solex [0] /usr/bin/ls -ld /home2 drwxr-xr-x 4 root root 512 Dec 21 02:21 /home2/ solex [0] /usr/sbin/df -h /home2 Filesystem size used avail capacity Mounted on 10.0.23.191:/export/home 7.9G 4.4G 3.4G 57% /home2 solex [0] /usr/sbin/mount | /usr/bin/grep /home2 /home2 on 10.0.23.191:/export/home remote/read/write/setuid/devices/rstchown/bg/intr/xattr/dev=8740001 on Sun Feb 20 03:26:37 2011It's notable that the timestamp on '/home2' changes from its original
modification time to the last modification time of '/export/home' on the
NFS server after we mount the share. On 'solex' as user 'troy', we switch
to '/home2/troy' (10.0.23.191:/export/home/troy) and test out our access:
troy@solex [0] cd /home2/troy troy@solex [0] echo "this is my file" >> myfile troy@solex [0] /usr/bin/cat myfile this is my file troy@solex [0] /usr/bin/ls -l myfile -rw-r--r-- 1 troy sysvuser 16 Feb 20 03:32 myfileAlright, we can access and write to the shared filesystem. Below,
we try to make 'myfile' setuid and executable. Since '/export/home'
was deliberately exported 'nosuid', the NFS server allows us to set
'myfile' executable but silently ignores the setuid bit:
troy@solex [0] /usr/bin/chmod 4755 myfile troy@solex [0] /usr/bin/ls -l myfile -rwxr-xr-x 1 troy sysvuser 16 Feb 20 03:32 myfile troy@solex [0] /usr/bin/rm myfile troy@solex [0] /usr/bin/ls -l myfile myfile: No such file or directory troy@solex [2]Further testing the NFS server export options, on 'solex' we create
'/opt/sfw' and try to mount '10.0.23.191:/usr/sfw/bin' to '/opt/sfw'.
We are denied because of export option 'nosub' (see note 4):
solex [0] /usr/bin/mkdir -p /opt/sfw solex [0] /usr/sbin/mount -F nfs -o rw,intr,vers=3 10.0.23.191:/usr/sfw/bin /opt/sfw nfs mount: 10.0.23.191:/usr/sfw/bin: Permission deniedA subsequent mount of the exported FS to '/opt/sfw' succeeds and is verified:
solex [33] /usr/sbin/mount -F nfs -o rw,intr,vers=3 10.0.23.191:/usr/sfw /opt/sfw solex [0] /usr/sbin/mount | /usr/bin/grep /opt/sfw /opt/sfw on 10.0.23.191:/usr/sfw remote/read/write/setuid/devices/rstchown/intr/vers=3/xattr/dev=8740005 on Sun Feb 20 03:47:32 2011 solex [0] /usr/sbin/df -h /opt/sfw Filesystem size used avail capacity Mounted on 10.0.23.191:/usr/sfw 7.9G 4.4G 3.4G 57% /opt/sfw solex [0] /usr/bin/ls /opt/sfw bin info mysql swat doc lib sbin troy i386-sun-solaris2.10 libexec share include man srcAgain as user 'troy', on 'solex' we try to create another
file (also-mine), this time to the read-only exported FS
10.0.23.191:/usr/sfw (mounted at /opt/sfw):
troy@solex [0] /usr/bin/ls -ld /opt/sfw/troy drwxr-xr-x 2 troy sysvuser 512 Feb 20 03:49 /opt/sfw/troy troy@solex [0] cd /opt/sfw/troy troy@solex [0] echo "this is also my file" >> also-mine -ksh: also-mine: cannot create [Read-only file system] solex [0] /usr/sbin/umount /opt/sfw solex [0] /usr/sbin/umount /home2The above is to illustrate that export options (ro) from the NFS
server take precedence over the 'mount' options (rw) used by the client.
After the "Read-only" error, we've unmounted both '/opt/sfw' and '/home2'.
Rather than manually mounting an NFS share each time the host reboots,
I've added an entry to '/etc/vfstab' on the last line below for '/home2':
solex [0] /usr/bin/cat /etc/vfstab #device device mount FS fsck mount mount #to mount to fsck point type pass at boot options # /devices - /devices devfs - no - /proc - /proc proc - no - ctfs - /system/contract ctfs - no - objfs - /system/object objfs - no - sharefs - /etc/dfs/sharetab sharefs - no - fd - /dev/fd fd - no - swap - /tmp tmpfs - yes - /dev/zvol/dsk/rpool1/swap - - swap - no - 10.0.23.191:/export/home - /home2 nfs - yes rw,bg,intrOn the server, you can use 'unshareall' to stop sharing all exported
filesystems and verify with 'dfshares':
snorkle [0] /usr/sbin/unshareall snorkle [0] /usr/sbin/dfshares snorkle [1]
NOTES
Note 1: The details provided herein do not take into account any potential
security issues and assume access via a local LAN segment.
Note 2: Server / Client services:
server svc:/network/rpc/bind:default (rpcbind) converts rpc prog numbers into universal addresses (must be running to use rpc) svc:/network/nfs/status:default (statd) tracks clients holding file locks, informs server of client reboot so that locks can be released svc:/network/nfs/nlockmgr:default (lockd) manages file locks svc:/network/nfs/mapid:default (nfsmapid) v4, maps uids / gids svc:/network/nfs/server:default (nfsd) also starts 'mountd' svc:/network/rpc/gss:default (gssd) v4, gss-api protections svc:/network/nfs/rquota:default (rquotad) nfs quota reporting daemon, optional /usr/lib/nfs/nfslogd logs NFS RPC activity for FS exported with logging enabled, not supported with v4, Each record in the log file includes a time stamp, the IP address (or hostname if it can be resolved) of the client system, the file or directory name the operation was performed on, and the type of operation. (optional) client svc:/network/rpc/bind:default (rpcbind) converts rpc prog numbers into universal addresses (must be running to use rpc) svc:/network/nfs/status:default (statd) tracks clients holding file locks, informs server of client reboot so that locks can be released svc:/network/nfs/nlockmgr:default (lockd) manages file locks svc:/network/nfs/client:default runs 'mountall -F nfs' svc:/network/nfs/cbd:default (nfs4cbd) v4, callback daemon svc:/network/nfs/mapid:default (nfsmapid) v4, maps uids / gidsNote 3: The breakdown of 'dfstab' entries reads:
share -F nfs -o nosuid,rw=@10.0.22.0/23,anon=60001 -d "home dirs" /export/home share -F nfs -o rw=beastie:@10.0.23.191,root=@10.0.23.191,ro,nosub /usr/sfw share: NFS share command (/usr/sbin/share) -F nfs filesystem type to export -o nosuid,rw=@10.0.22.0/23,anon=60001 FS options nosuid client cannot create setuid executables (negates the default to allow setuid file creation) rw=@10.0.22.0/23 clients with IP addresses between 10.0.22.0 - 10.0.23.255 have write access anon=60001 unknown users will have an effective UID of 60001 rw=beastie:@10.0.23.191 write access only available to host beastie and host 10.0.23.191 root=@10.0.23.191 normally the root user on the client host accesses a share with permissions / UID set by anon, however 'root=' specifies that root on host 10.0.23.191 retains root privileges / UID ro read only access to any host not previously defined by 'rw=' nosub only the exported directory can be mounted by a client host, direct mounting of sub directories is disallowed -d "home dirs" FS description (/export/home|/usr/sfw) directory to be shared (exported)Note 4: Because NFSv4 does not use the MOUNT protocol, 'nosub' only
impacts client side mounting using NFSv2 and NFSv3. Since Solaris 10
attempts use of NFSv4 by default, falling back to v2 or v3 as necessary,
to illustrate 'nosub' I deliberately set option 'vers=3' in the mount
command:
solex [33] /usr/sbin/mount -F nfs -o rw,intr,vers=3 10.0.23.191:/usr/sfw /opt/sfw
see also:
Configuring NFS in Linux
Configuring NFS in FreeBSD
Configuring NFS in SmartOS
