LinuxSupportFAQForm | |
---|---|
SupportProblem | How to configure a SLC machine to be an NFS server? |
SupportAnswer |
rpc.mountd and rpc.statd: fix the ports that rpc.mountd, rpc.statd and lockd listen on, so that they can be opened in the firewall. Put the following in /etc/sysconfig/network (each port can be any unused port; which ports are already in use depends on the services the machine is running and can generally be checked with the 'netstat -nl' command):

    MOUNTD_PORT=XXXX
    STATD_PORT=YYYY
    LOCKD_TCPPORT=ZZZZ
    LOCKD_UDPPORT=ZZZZ

If you want quota on NFS, put the following in /etc/services and enable port 4003 in the firewall as shown below:

    rquotad 4003/tcp
    rquotad 4003/udp

Firewall: add the following to /etc/sysconfig/iptables before the first "REJECT" (XXXX, YYYY and ZZZZ are the ports specified above):

    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 0/0 -d 0/0 --dport XXXX -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -s 0/0 -d 0/0 --dport XXXX -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 0/0 -d 0/0 --dport YYYY -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -s 0/0 -d 0/0 --dport YYYY -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 0/0 -d 0/0 --dport ZZZZ -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -s 0/0 -d 0/0 --dport ZZZZ -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 0/0 -d 0/0 --dport 4003 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -s 0/0 -d 0/0 --dport 4003 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 0/0 -d 0/0 --dport sunrpc -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -s 0/0 -d 0/0 --dport sunrpc -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 0/0 -d 0/0 --dport nfs -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -s 0/0 -d 0/0 --dport nfs -j ACCEPT

and restart the firewall:

    # /sbin/service iptables restart
    # /sbin/service ntpd restart

If you want to be more specific, feel free to restrict the range of allowed clients, e.g. change "-s 0/0" to "-s 137.138.0.0/16" to allow access only from the main CERN network (caution: CERN has other networks as well).

Exported directories: configure /etc/exports, see "man 5 exports" for details. Example (export /data/redhat to all cern.ch machines, read-only):

    /data/redhat *.cern.ch(ro,insecure,all_squash)

Please note that in a real configuration this is probably not what you want to do: when exporting over NFS you should be more restrictive. This can be achieved by configuring your /etc/netgroup file in the following way:

    group_1 (yourclient1.cern.ch,,) (yourclient2.cern.ch,,)
    group_2 (trustedclient.cern.ch,,) (trustedclient2.cern.ch,,)

Adjust the access rights on /etc/netgroup:

    chmod 600 /etc/netgroup
    chown root.root /etc/netgroup

(Of course trustedclient and yourclient should be replaced by your machine names.) Then use the above group names in your /etc/exports, which could look like the example below:

    /publicity @group_1(ro,insecure,all_squash) @group_2(rw)
    /restricted @group_2(rw,insecure,no_root_squash)

(If in doubt, check "man 5 exports" for the meaning of the above options.)

Start the portmapper and the NFS server daemon:

    # /sbin/chkconfig --add nfs
    # /sbin/chkconfig nfs on
    # /sbin/chkconfig --add portmap
    # /sbin/service portmap start
    # /sbin/service nfs start |
OsVersion | all |
HardwareArchitecture | any |
ApprovedBySupport | SupportApproved |
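As an added example (not part of the original FAQ answer or of any CERN tooling), the following POSIX shell script does two of the chores the answer describes: it generates the RH-Firewall-1-INPUT ACCEPT rules for a list of pinned NFS ports, restricted to a chosen client range instead of "-s 0/0", and it audits an /etc/exports file for the two things the answer warns about, wildcard clients and no_root_squash. The function names, the port numbers in the usage comment and the sample exports file are constructed for illustration and are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not from the original FAQ. Assumes the RH-Firewall-1-INPUT
# chain used in the FAQ and that MOUNTD_PORT/STATD_PORT/LOCKD_*PORT have
# already been pinned in /etc/sysconfig/network.

# nfs_fw_rules SRC PORT... : print one tcp and one udp ACCEPT rule per port,
# restricted to the client source range SRC (e.g. 137.138.0.0/16).
# Usage (constructed port numbers): nfs_fw_rules 137.138.0.0/16 4002 4001 4000 4003
nfs_fw_rules() {
    src="$1"; shift
    for port in "$@"; do
        for proto in tcp udp; do
            printf '%s\n' "-A RH-Firewall-1-INPUT -m state --state NEW -m $proto -p $proto -s $src -d 0/0 --dport $port -j ACCEPT"
        done
    done
}

# audit_exports FILE : print a WARN line for each export that is visible to
# every host ('*') or to a whole domain wildcard ('*.domain'), and for each
# client that is granted no_root_squash. Returns 1 if anything was flagged.
audit_exports() {
    rc=0
    set -f   # no pathname expansion: client specs contain '*'
    while read -r path clients; do
        case "$path" in ''|'#'*) continue ;; esac
        for c in $clients; do
            case "$c" in
                *'('*) host=${c%%\(*}; opts=${c#*\(}; opts=${opts%\)} ;;
                *)     host=$c; opts='' ;;
            esac
            case "$host" in
                '*'|'*.'*) printf 'WARN %s: wildcard client %s\n' "$path" "$host"; rc=1 ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) printf 'WARN %s: no_root_squash for %s\n' "$path" "$host"; rc=1 ;;
            esac
        done
    done < "$1"
    set +f
    return $rc
}

# write_sample_exports : write a constructed sample exports file (the FAQ's
# own example lines) to a temporary file and print its path.
write_sample_exports() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample /etc/exports, not a real configuration
/data/redhat *.cern.ch(ro,insecure,all_squash)
/publicity @group_1(ro,insecure,all_squash) @group_2(rw)
/restricted @group_2(rw,insecure,no_root_squash)
EOF
    printf '%s\n' "$f"
}
```

Running audit_exports on the sample flags the /data/redhat line for its domain wildcard and the /restricted line for no_root_squash; the netgroup-based /publicity line passes. The firewall rules produced by nfs_fw_rules can be pasted into /etc/sysconfig/iptables before the first REJECT exactly as the answer describes.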