Introduction
Debian 12, codenamed Bookworm, is the latest stable release of the Debian operating system. One of the key features of Debian is its robust support for Network File System (NFS), which allows for the sharing of files across a network. This guide provides an in-depth look into the 5W1H of Debian 12 Bookworm NFS, along with the consequences and a conclusion.
Overview
This section will delve into the details of Debian 12 Bookworm NFS by addressing What, Who, Where, When, Why, and How. We will also explore the consequences of using NFS and provide a concluding summary.
What
NFS (Network File System) is a distributed file system protocol that allows a user on a client computer to access files over a network in the same way that local storage is accessed. It enables multiple machines to share data, improving collaboration and resource efficiency.
Who
NFS is used by system administrators, network engineers, and IT professionals who require a reliable method to share files and directories across multiple systems within an organization. It is widely utilized in enterprise environments, data centers, and academic institutions.
Where
NFS is implemented in environments where there is a need to share data between multiple computers on a network. This includes corporate networks, cloud environments, and research facilities where data accessibility and collaboration are critical.
When
NFS is employed when there is a need for centralized data storage, simplified data management, and enhanced collaboration. It is used in scenarios where multiple users need access to the same set of files, such as in software development, data analysis, and content management.
Why
NFS offers numerous advantages for data sharing, but it also comes with some disadvantages. Here is a table outlining the pros and cons of using NFS:
Pros | Cons |
---|---|
Easy to set up and manage. | Can be less secure if not properly configured. |
Allows for centralized data management. | Performance can be affected by network issues. |
Supports a wide range of client systems. | Requires proper permissions management. |
Enhances collaboration and resource sharing. | May need additional configurations for optimal performance. |
How
To set up NFS on Debian 12, follow these steps:
Step | Command |
---|---|
Install NFS server packages | Use the command `sudo apt install nfs-kernel-server`. |
Configure exports | Edit the `/etc/exports` file to specify directories to share. |
Start NFS service | Run `sudo systemctl start nfs-kernel-server` and enable it to start at boot. |
Set up client | Install NFS client packages using `sudo apt install nfs-common` and mount the NFS share. |
Consequences
Positive |
|
Negative |
|
Conclusion
Debian 12 Bookworm NFS provides a robust solution for network-based file sharing. While it offers numerous benefits in terms of ease of use, centralized management, and enhanced collaboration, it also requires careful configuration and management to mitigate potential security and performance issues. Overall, NFS remains a valuable tool for organizations seeking efficient and reliable data sharing solutions.
Install and Configure NFS Server
Configure the NFS server to share directories on your network. This example is based on the following environment.
+----------------------+          |          +----------------------+
| [    NFS Server    ] |10.0.0.30 | 10.0.0.51| [    NFS Client    ] |
|   nfs.bizantum.lab   +----------+----------+  node01.bizantum.lab |
|                      |                     |                      |
+----------------------+                     +----------------------+
Step [1] Configure the NFS server.
root@node01:~# apt -y install nfs-kernel-server
root@node01:~# vi /etc/idmapd.conf
# line 5 : uncomment and change to your domain name
Domain = bizantum.lab
root@node01:~# vi /etc/exports
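# add settings for NFS exports
# for example, set [/home/nfsshare] as NFS share
# no_root_squash lets root on any client in 10.0.0.0/24 act as root on this share;
# leave it out (root_squash is the default) unless clients need root access
/home/nfsshare 10.0.0.0/24(rw,no_root_squash)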
root@node01:~# mkdir /home/nfsshare
root@node01:~# systemctl restart nfs-server
Basic options of exports table:
Option | Description |
---|---|
rw | It allows both read and write requests on an NFS volume. |
ro | It allows only read requests on an NFS volume. |
sync | It replies to requests only after the changes have been committed to stable storage. (Default) |
async | This option allows the NFS server to violate the NFS protocol and reply to requests before any changes made by that request have been committed to stable storage. |
secure | This option requires that requests originate on an Internet port less than IPPORT_RESERVED (1024). (Default). |
insecure | This option accepts all ports. |
wdelay | It delays committing a write request to disc slightly if it suspects that another related write request may be in progress or may arrive soon. (Default). |
no_wdelay | This option has no effect if async is also set. The NFS server will normally delay committing a write request to disc slightly if it suspects that another related write request may be in progress or may arrive soon. This allows multiple write requests to be committed to disc with the one operation which can improve performance. If an NFS server received mainly small unrelated requests, this behaviour could actually reduce performance, so no_wdelay is available to turn it off. |
subtree_check | This option enables subtree checking. (Default). |
no_subtree_check | This option disables subtree checking, which has mild security implications, but can improve reliability in some circumstances. |
root_squash | Map requests from uid/gid 0 to the anonymous uid/gid. Note that this does not apply to any other uids or gids that might be equally sensitive, such as user bin or group staff. |
no_root_squash | Turn off root squashing. This option is mainly useful for disk-less clients. |
all_squash | Map all uids and gids to the anonymous user. Useful for NFS exported public FTP directories, news spool directories, etc. |
no_all_squash | Turn off all squashing. (Default). |
anonuid=UID | These options explicitly set the uid and gid of the anonymous account. They are primarily useful for PC/NFS clients, where you might want all requests to appear to be from one user. As an example, the export entry for /home/joe in the example section of the exports(5) man page maps all requests to uid 150. |
anongid=GID | See anonuid=UID above. |
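Several of the options in this table weaken an export, so it helps to check every line of `/etc/exports` the same way. The following Python script is an added example, not part of the original guide: it flags `no_root_squash`, `insecure`, `async` and read-write exports open to any host. The function name `audit_exports` and the paths `/srv/public` and `/srv/docs` are made up for illustration, and it assumes one export per line with no spaces in paths.

```python
# Added example: audit /etc/exports text for risky options from the table above.
# Assumes one export per line, no backslash continuations, no spaces in paths.

RISKY = {
    "no_root_squash": "root on the client keeps uid 0 on the export",
    "insecure": "requests from unprivileged source ports (>= 1024) are accepted",
    "async": "server may reply before writes reach stable storage",
}
ANY_HOST = {"", "*"}  # "(opts)" with no client, or "*", matches every host


def audit_exports(text):
    """Return a list of (path, client, issue) tuples for risky entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            client, _, opts = spec.partition("(")
            options = {o for o in opts.rstrip(")").split(",") if o}
            for name in RISKY:
                if name in options:
                    findings.append((path, client, name))
            if client in ANY_HOST and "rw" in options:
                findings.append((path, client, "rw-to-any-host"))
    return findings


# Constructed sample: the first export is the one from this guide,
# the other two are hypothetical.
SAMPLE = """\
# /etc/exports
/home/nfsshare 10.0.0.0/24(rw,no_root_squash)
/srv/public    *(rw,all_squash,insecure)
/srv/docs      10.0.0.51(ro,root_squash)
"""

if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE):
        print(path, client or "(any host)", issue, RISKY.get(issue, ""))
```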
Install and Configure NFS Client
Configure the NFS client to mount the NFS share. This example is based on the following environment.
+----------------------+          |          +----------------------+
| [    NFS Server    ] |10.0.0.30 | 10.0.0.51| [    NFS Client    ] |
|   nfs.bizantum.lab   +----------+----------+  node01.bizantum.lab |
|                      |                     |                      |
+----------------------+                     +----------------------+
Step [1] Install and configure the NFS client.
root@node01:~# apt -y install nfs-common
root@node01:~# vi /etc/idmapd.conf
# line 5 : uncomment and change to your domain name
Domain = bizantum.lab
root@node01:~# mount -t nfs dlp.bizantum.lab:/home/nfsshare /mnt
root@node01:~# df -hT
Filesystem Type Size Used Avail Use% Mounted on
tmpfs tmpfs 393M 1.1M 392M 1% /run
/dev/mapper/ubuntu--vg-ubuntu--lv ext4 27G 5.6G 20G 23% /
tmpfs tmpfs 2.0G 0 2.0G 0% /dev/shm
tmpfs tmpfs 5.0M 0 5.0M 0% /run/lock
/dev/vda2 ext4 2.0G 125M 1.7G 7% /boot
tmpfs tmpfs 393M 4.0K 393M 1% /run/user/0
dlp.bizantum.lab:/home/nfsshare nfs4 27G 5.6G 20G 23% /mnt
# NFS share is mounted
# to mount with NFSv3, add the [-o vers=3] option
root@node01:~# mount -t nfs -o vers=3 dlp.bizantum.lab:/home/nfsshare /mnt
Step [2] To mount the NFS share automatically when the system starts, add an entry to [/etc/fstab].
root@node01:~# vi /etc/fstab
# add to the end : set NFS share
dlp.bizantum.lab:/home/nfsshare /mnt nfs defaults 0 0
Step [3] To mount the NFS share on demand when it is accessed, configure AutoFS.
root@node01:~# apt -y install autofs
root@node01:~# vi /etc/auto.master
# add to the end
/- /etc/auto.mount
root@node01:~# vi /etc/auto.mount
# create new : [mount point] [option] [location]
/mnt -fstype=nfs,rw dlp.bizantum.lab:/home/nfsshare
root@node01:~# systemctl restart autofs
# move to the mount point to verify mounting
root@node01:~# cd /mnt
root@node01:/mnt# df -h /mnt
Filesystem Size Used Avail Use% Mounted on
dlp.bizantum.lab:/home/nfsshare 28G 1.3G 26G 5% /mnt
root@node01:/mnt# grep /mnt /proc/mounts
/etc/auto.mount /mnt autofs rw,relatime,fd=6,pgrp=2252,timeout=300,minproto=5,maxproto=5,direct,pipe_ino=21980 0 0
dlp.bizantum.lab:/home/nfsshare /mnt nfs4 rw,relatime,vers=4.2,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.0.0.51,local_lock=none,addr=10.0.0.30 0 0
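The mounts above use default options, so setuid bits and device nodes on the share are honored by the client, and `sec=sys` means the server trusts the uid/gid the client sends. The following Python script is an added example, not part of the original guide: it reads `/proc/mounts` text and reports NFS mounts that lack `nosuid` or `nodev` or that use `sec=sys`. The function name `audit_nfs_mounts` and the `/srv/data` line with `sec=krb5p` are constructed for illustration.

```python
# Added example: flag NFS mounts in /proc/mounts text that lack hardening options.
NFS_TYPES = {"nfs", "nfs4"}


def audit_nfs_mounts(proc_mounts):
    """Return a list of (mountpoint, issue) tuples, one per finding."""
    findings = []
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] not in NFS_TYPES:
            continue                                  # autofs, tmpfs, ext4, ...
        mountpoint = fields[1]
        # "rw,vers=4.2,sec=sys" -> {"rw": "", "vers": "4.2", "sec": "sys"}
        options = dict(o.partition("=")[::2] for o in fields[3].split(","))
        for required in ("nosuid", "nodev"):
            if required not in options:
                findings.append((mountpoint, f"missing {required}"))
        if options.get("sec", "sys") == "sys":        # AUTH_SYS: ids are not verified
            findings.append((mountpoint, "sec=sys"))
    return findings


# The two /proc/mounts lines shown in Step [3] above.
PAGE_MOUNTS = (
    "/etc/auto.mount /mnt autofs rw,relatime,fd=6,pgrp=2252,timeout=300,"
    "minproto=5,maxproto=5,direct,pipe_ino=21980 0 0\n"
    "dlp.bizantum.lab:/home/nfsshare /mnt nfs4 rw,relatime,vers=4.2,"
    "rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,timeo=600,retrans=2,"
    "sec=sys,clientaddr=10.0.0.51,local_lock=none,addr=10.0.0.30 0 0\n"
)

# Constructed line: the same export mounted with restrictive options.
HARDENED = (
    "dlp.bizantum.lab:/home/nfsshare /srv/data nfs4 "
    "rw,nosuid,nodev,relatime,vers=4.2,sec=krb5p 0 0\n"
)

if __name__ == "__main__":
    for mountpoint, issue in audit_nfs_mounts(PAGE_MOUNTS + HARDENED):
        print(mountpoint, issue)
```

On a live client the input would be the contents of `/proc/mounts`; the `nosuid` and `nodev` options can be added to the option field of the fstab or AutoFS entry.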
Install and Configure NFS 4 ACL Tool
Installing the NFSv4 ACL tools makes it possible to set ACLs on an NFSv4 filesystem. Usage is mostly the same as with the POSIX ACL tools.
Step [1] Install the NFSv4 ACL tools on NFS clients that mount the NFS share with NFSv4.
root@node01:~# apt -y install nfs4-acl-tools
Step [2] The usage examples below are based on the following environment.
root@node01:~# df -hT /mnt
Filesystem Type Size Used Avail Use% Mounted on
dlp.bizantum.lab:/home/nfsshare nfs4 28G 1.3G 26G 5% /mnt
root@node01:~# ll /mnt
total 8
drwx------ 2 root root 4096 Jun 15 23:08 testdir
-rw------- 1 root root 10 Jun 15 23:08 testfile.txt
Step [3] Show the ACL of a file or directory on an NFSv4 filesystem.
root@node01:~# nfs4_getfacl /mnt/testfile.txt
# file: /mnt/testfile.txt
A::OWNER@:rwatTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
root@node01:~# nfs4_getfacl /mnt/testdir
# file: /mnt/testdir
A::OWNER@:rwaDxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
# each entry has the following format
# ACE = Access Control Entry
# (ACE Type):(ACE Flags):(ACE Principal):(ACE Permissions)
ACE Type | Description |
---|---|
A | A = Allow : allows access. |
D | D = Deny : denies access. |

ACE Flags | Description |
---|---|
d | Directory-Inherit : new sub-directories inherit the same ACE. |
f | File-Inherit : new files inherit the same ACE but not the inheritance flags. |
n | No-Propagate-Inherit : new sub-directories inherit the same ACE but not the inheritance flags. |
i | Inherit-Only : new files/sub-directories inherit the same ACE, but the ACE does not apply to this directory itself. |

ACE Principal | Description |
---|---|
(USER)@(NFSDomain) | Common user. [NFSDomain] is the domain name specified as the [Domain] value in [idmapd.conf]. |
(GROUP)@(NFSDomain) | Common group. For a group, specify the [g] flag, for example: A:g:GROUP@NFSDomain:rxtncy |
OWNER@ | Special Principal : Owner |
GROUP@ | Special Principal : Group |
EVERYONE@ | Special Principal : Everyone |

ACE Permissions | Description |
---|---|
r | Read data of files / List files in directory |
w | Write data to files / Create new files in directory |
a | Append data to files / Create new sub-directory |
x | Execute files / Change directory |
d | Delete files or directories |
D | Delete files or sub-directories under the directory |
t | Read attributes of files or directories. |
T | Write attributes to files or directories. |
n | Read named attributes of files or directories. |
N | Write named attributes of files or directories. |
c | Read ACL of files or directories. |
C | Write ACL of files or directories. |
o | Change ownership of files or directories. |

ACE Permissions Aliases*** | Description |
---|---|
R | R = rntcy : Generic Read. |
W | W = watTNcCy : Generic Write. |
X | X = xtcy : Generic Execute. |

*** With nfs4_setfacl, aliases can be used for ACE permissions.
Step [4] Add or delete an ACE.
root@node01:~# ll /mnt
total 8
drwx------ 2 root root 4096 Jun 15 23:08 testdir
-rw------- 1 root root 10 Jun 15 23:08 testfile.txt
root@node01:~# nfs4_getfacl /mnt/testfile.txt
# file: /mnt/testfile.txt
A::OWNER@:rwatTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
# add generic read/execute for [debian] user to [/mnt/testfile.txt] file
root@node01:~# nfs4_setfacl -a A::debian@bizantum.lab:rxtncy /mnt/testfile.txt
root@node01:~# nfs4_getfacl /mnt/testfile.txt
# file: /mnt/testfile.txt
D::OWNER@:x
A::OWNER@:rwatTcCy
A::1000:rxtcy
A::GROUP@:tcy
A::EVERYONE@:tcy
# verify with [debian] user
debian@node01:~$ ll /mnt
total 8
drwx------ 2 root root 4096 Jun 15 23:08 testdir
-rw-r-x--- 1 root root 10 Jun 15 23:08 testfile.txt
debian@node01:~$ cat /mnt/testfile.txt
test file
# delete generic read/execute for [debian] user from [/mnt/testfile.txt] file
root@node01:~# nfs4_setfacl -x A::1000:rxtcy /mnt/testfile.txt
root@node01:~# nfs4_getfacl /mnt/testfile.txt
# file: /mnt/testfile.txt
A::OWNER@:rwatTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
Step [5] Edit the ACL directly.
root@node01:~# nfs4_setfacl -e /mnt/testfile.txt
# opens the ACL in the editor set in $EDITOR (if unset, the default is [vi])
## Editing NFSv4 ACL for file: /mnt/testfile.txt
A::OWNER@:rwatTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
Step [6] Add ACEs from a file.
# create ACL list
root@node01:~# vi acl.txt
A::debian@bizantum.lab:RX
A::bookworm@bizantum.lab:RWX
# add ACL from the file
root@node01:~# nfs4_setfacl -A acl.txt /mnt/testfile.txt
root@node01:~# nfs4_getfacl /mnt/testfile.txt
# file: /mnt/testfile.txt
D::OWNER@:x
A::OWNER@:rwatTcCy
A::1000:rxtcy
A::1002:rwaxtcy
A::GROUP@:tcy
A::EVERYONE@:tcy
Step [7] Replace the current ACEs with new ACEs.
# create ACL list
root@node01:~# vi acl.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
# replace ACL from the file
root@node01:~# nfs4_setfacl -S acl.txt /mnt/testfile.txt
root@node01:~# nfs4_getfacl /mnt/testfile.txt
# file: /mnt/testfile.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
Step [8] Replace a specific ACE with a new ACE.
root@node01:~# nfs4_getfacl /mnt/testfile.txt
# file: /mnt/testfile.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
# replace EVERYONE's ACE with read/execute
root@node01:~# nfs4_setfacl -m A::EVERYONE@:tcy A::EVERYONE@:RX /mnt/testfile.txt
root@node01:~# nfs4_getfacl /mnt/testfile.txt
# file: /mnt/testfile.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:rxtcy
A::EVERYONE@:rxtcy
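ACEs are processed in order, so the position of a Deny entry decides what an ACL grants. The following Python script is an added example, not part of the original guide: it parses `nfs4_getfacl` output, expands the R/W/X aliases from the table in Step [3], walks the ACEs in order for a given requester, and lists Allow entries that give EVERYONE@ write-class permissions. The function names and the principal sets passed as `who` are assumptions; it is a reading aid for ACL output, and enforcement itself happens on the server.

```python
# Added example: read nfs4_getfacl output and apply the ACEs in order.
ALIASES = {"R": "rntcy", "W": "watTNcCy", "X": "xtcy"}  # alias table from this page


def parse_acl(text):
    """Return a list of (type, flags, principal, permission set), one per ACE."""
    acl = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):       # skip the "# file: ..." header
            continue
        ace_type, flags, principal, perms = line.split(":", 3)
        expanded = "".join(ALIASES.get(p, p) for p in perms)
        acl.append((ace_type, flags, principal, set(expanded)))
    return acl


def is_allowed(acl, who, wanted):
    """Ordered evaluation; `who` holds every principal the requester matches."""
    pending = set(wanted)
    for ace_type, flags, principal, perms in acl:
        if not pending:
            break
        if principal not in who or "i" in flags:   # inherit-only: not for this object
            continue
        if ace_type == "D" and pending & perms:
            return False                           # deny hits a bit not yet allowed
        if ace_type == "A":
            pending -= perms
    return not pending                             # bits nobody allowed are refused


def everyone_can_modify(acl):
    """Allow ACEs that give EVERYONE@ any write-class permission."""
    write_bits = set("waDdTNCo")
    return [a for a in acl
            if a[0] == "A" and a[2] == "EVERYONE@" and a[3] & write_bits]


# ACL printed in Step [4] after the ACE for user debian (uid 1000) was added.
STEP4_ACL = """\
# file: /mnt/testfile.txt
D::OWNER@:x
A::OWNER@:rwatTcCy
A::1000:rxtcy
A::GROUP@:tcy
A::EVERYONE@:tcy
"""

if __name__ == "__main__":
    acl = parse_acl(STEP4_ACL)
    debian = {"1000", "EVERYONE@"}                 # assumption: not owner, not in group
    print(is_allowed(acl, debian, "rx"), is_allowed(acl, debian, "w"))
    print(everyone_can_modify(parse_acl("A::EVERYONE@:RWX")))
```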