Installing an NFS Server on RHEL / CentOS 7

NFS Server installation
Install NFS:
# yum install nfs-utils nfs-utils-lib

Set up the directory to share; here it is /var/nfsshare:
# mkdir /var/nfsshare
# chmod -R 777 /var/nfsshare/

Open the /etc/exports file and add the following:
/var/nfsshare 192.168.0.11(rw,sync,no_root_squash,no_all_squash)

Start the NFS server, enable it at boot, and open NFS in firewalld:
# systemctl enable rpcbind
# systemctl enable nfs-server
# systemctl enable nfs-lock
# systemctl enable nfs-idmap
# systemctl start rpcbind
# systemctl start nfs-server
# systemctl start nfs-lock
# systemctl start nfs-idmap
# firewall-cmd --permanent --zone=public --add-service=nfs
# firewall-cmd --permanent --zone=public --add-service=rpc-bind
# firewall-cmd --reload

NFS Client installation
# yum install nfs-utils

Create the NFS mount point:
# mkdir -p /mnt/nfs/var/nfsshare

The directory shared by 192.168.0.10 can now be mounted with the mount command:
# mount -t nfs 192.168.0.10:/var/nfsshare /mnt/nfs/var/nfsshare/

To have it mounted automatically after the next reboot, open /etc/fstab and add the following:
192.168.0.10:/var/nfsshare /mnt/nfs/var/nfsshare nfs defaults 0 0

Note that 192.168.0.10 above is the IP of the NFS server; change it to match your own setup.

-----

Fix the problem CentOS 7 won’t auto-mount NFS on boot

Append text to the end of /usr/lib/systemd/system/nfs-idmap.service

[Install]
WantedBy=multi-user.target

Append text to the end of /usr/lib/systemd/system/nfs-lock.service

[Install]
WantedBy=nfs.target

Enable related services

systemctl enable nfs-idmapd.service
systemctl enable rpc-statd.service

systemctl enable rpcbind.socket

systemctl status nfs-idmapd.service -l
systemctl status rpc-statd.service -l

Then I restarted the OS and got it working.

shutdown -r now

Check whether mount works

systemctl start rpcbind
systemctl enable rpcbind
mount -a

===================

Building an NFS server involves three key configuration files:
/etc/exports
/etc/hosts.allow
/etc/hosts.deny

Usually editing /etc/exports alone is enough to get NFS working.

When a request comes in, the server checks it in this order:
1. First, is the client listed in hosts.allow? If so, access is allowed; if not, go to the next check.
2. Next, is the client listed in hosts.deny? If so, access is denied; if not, go to the next check.
3. If the client is in neither hosts.allow nor hosts.deny, access is allowed.

//------------------------------------------------
(Install the NFS packages)
apt-get update &&
apt-get install nfs-kernel-server

=> Edit /etc/default/portmap
Make sure the -i 127.0.0.1 line is commented out

(Deny hosts from making NFS connections to the server)
=> Edit /etc/hosts.deny
------------------------------
ALL:ALL
------------------------------
portmap:ALL
lockd:ALL
mountd:ALL
rquotad:ALL
statd:ALL
------------------------------

(Allow hosts to make NFS connections to the server)
=> Edit /etc/hosts.allow
------------------------------
portmap:ALL
lockd:ALL
mountd:ALL
rquotad:ALL
statd:ALL
------------------------------
portmap: 192.168.0.
lockd:   192.168.0.
rquotad: 192.168.0.
mountd:  192.168.0.
statd:   192.168.0.
------------------------------
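The three-step check order described above, applied to the hosts.allow and hosts.deny entries just shown, as an added example that is not part of the original post. The ALLOW_RULES and DENY_RULES strings are constructed stand-ins for the real files, and only the pattern forms this post uses (ALL, an exact token, a trailing-dot network prefix such as 192.168.0.) are implemented; real tcp_wrappers syntax has more. Running it with an empty hosts.deny shows why the ALL:ALL line matters: with no deny rule, step 3 falls through and admits every host.

```shell
#!/bin/sh
# Added example: emulates the hosts.allow / hosts.deny decision order described
# above. ALLOW_RULES and DENY_RULES are constructed stand-ins for the real files,
# copied from the entries shown in this post.
ALLOW_RULES='
portmap: 192.168.0.
lockd:   192.168.0.
rquotad: 192.168.0.
mountd:  192.168.0.
statd:   192.168.0.
'
DENY_RULES='
ALL:ALL
'

# pattern_matches PATTERN VALUE
# Only the three tcp_wrappers pattern forms used on this page are implemented:
# ALL, an exact token, and a trailing-dot network prefix such as 192.168.0.
pattern_matches() {
    pat=$1; val=$2
    [ "$pat" = "ALL" ] && return 0
    case "$pat" in
        *.) case "$val" in "$pat"*) return 0 ;; esac ;;
        *)  [ "$pat" = "$val" ] && return 0 ;;
    esac
    return 1
}

# rules_match RULES DAEMON CLIENT
# Returns 0 if any "daemon_list : client_list" line in RULES matches both.
rules_match() {
    rules=$1; daemon=$2; client=$3
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac   # skip blank and comment lines
        dlist=${line%%:*}
        clist=${line#*:}
        for d in $(printf '%s' "$dlist" | tr ',' ' '); do
            pattern_matches "$d" "$daemon" || continue
            for c in $(printf '%s' "$clist" | tr ',' ' '); do
                pattern_matches "$c" "$client" && return 0
            done
        done
    done <<EOF
$rules
EOF
    return 1
}

# decide ALLOW_RULES DENY_RULES DAEMON CLIENT -> prints "allow" or "deny"
decide() {
    if rules_match "$1" "$3" "$4"; then
        echo allow                 # step 1: listed in hosts.allow
    elif rules_match "$2" "$3" "$4"; then
        echo deny                  # step 2: listed in hosts.deny
    else
        echo allow                 # step 3: in neither file, so allowed
    fi
}

echo "mountd from 192.168.0.55:            $(decide "$ALLOW_RULES" "$DENY_RULES" mountd 192.168.0.55)"
echo "mountd from 10.0.0.9:                $(decide "$ALLOW_RULES" "$DENY_RULES" mountd 10.0.0.9)"
echo "mountd from 10.0.0.9, no hosts.deny: $(decide "$ALLOW_RULES" "" mountd 10.0.0.9)"
```

The last line of output is the point: a whitelist in hosts.allow does nothing on its own, because an unlisted host is neither allowed nor denied and step 3 lets it through. The ALL:ALL entry in hosts.deny is what turns the whitelist into a real restriction.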

(NFS exported directories and permissions)
=> Edit /etc/exports
------------------------------
/home/sw/open_fd *(rw,sync,no_root_squash)
/home/sw/share_folder 192.168.0.*(rw,sync,no_root_squash)
------------------------------
Apply the changes:
sudo exportfs -ra
sudo /etc/init.d/nfs-kernel-server restart

Common permission options (the ones inside the parentheses):
rw: read-write access.
ro: read-only access.
sync: data is written synchronously to memory and to disk.
async: data is first buffered in memory rather than written directly to disk.
no_root_squash: if the user accessing NFS is root, that user has root privileges on this shared directory.
root_squash: if the user accessing NFS is root, that user's privileges on this shared directory are squashed down to those of the anonymous user.
all_squash: regardless of which user accesses NFS, their privileges are squashed down to those of the anonymous user.
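An added example, not from the original post, that reads the option lists described above and flags the export entries a reviewer would question: read-write access granted to * (any host), and no_root_squash, which lets root on the client act as root on the share. EXPORTS_SAMPLE is constructed text made from the two export lines in this post plus one read-only, root_squash line for contrast; pass "$(cat /etc/exports)" to audit a real file.

```shell
#!/bin/sh
# Added example: audits /etc/exports entries for the risky option combinations
# discussed above. EXPORTS_SAMPLE is constructed text (not the real file): the two
# lines from this post plus one read-only, root_squash line for contrast.
EXPORTS_SAMPLE='
/home/sw/open_fd *(rw,sync,no_root_squash)
/home/sw/share_folder 192.168.0.*(rw,sync,no_root_squash)
/srv/pub 192.168.0.0/24(ro,sync,root_squash)
'

# has_opt OPTLIST NAME -> 0 if NAME is one of the comma-separated options
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# audit_exports TEXT
# Prints one finding per line for each "path client(options)" entry in TEXT.
audit_exports() {
    text=$1
    set -f   # disable globbing: client patterns such as * and 192.168.0.* must stay literal
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        set -- $line
        path=$1; shift
        for entry in "$@"; do
            client=${entry%%\(*}
            case "$entry" in
                *\(*\)) opts=${entry#*\(}; opts=${opts%\)} ;;
                *)      opts='' ;;   # no option list: exportfs defaults apply (ro, root_squash)
            esac
            if [ "$client" = '*' ] && has_opt "$opts" rw; then
                echo "$path $client: read-write export to any host"
            fi
            if has_opt "$opts" no_root_squash; then
                case "$client" in
                    *\**) echo "$path $client: no_root_squash for a wildcard client" ;;
                    *)    echo "$path $client: no_root_squash (root on the client is root here)" ;;
                esac
            fi
        done
    done <<EOF
$text
EOF
    set +f
}

# count_findings TEXT -> number of findings, as a bare integer
count_findings() {
    audit_exports "$1" | wc -l | tr -d ' '
}

audit_exports "$EXPORTS_SAMPLE"
echo "findings: $(count_findings "$EXPORTS_SAMPLE")"
```

On the sample the first line produces two findings and the second one; the read-only root_squash line produces none, which is the shape a share for untrusted clients should have. Entries without an option list are left alone because exportfs then applies its defaults, which are read-only with root_squash.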

(Check the configuration)
showmount -e NFS-SERVER-IP
(e.g.)
showmount -e 192.168.13.5

(Mount the remote directory)
mount -t nfs NFS-SERVER-IP:SHARE-PATH-FD MOUNT
mount -F nfs [-o mount-options] server:/directory /mount-point
(e.g.)
mount -t nfs 192.168.13.15:/home/sw/open_fd /mnt

===================

Reference URL:

https://www.phpini.com/linux/rhel-centos-7-install-nfs-server

https://unix.stackexchange.com/questions/211688/cannot-start-nfs-in-centos-7-failed-to-issue-method-call-no-such-file-or-direc

http://welkinchen.pixnet.net/blog/post/5251478-ubuntu-nfs-連線

https://dywang.csie.cyut.edu.tw/dywang/rhce7/node61.html


Git restricted shell script

1. The better way:

# create git user
sudo adduser git
su git
cd
## configure ssh
mkdir .ssh && chmod 700 .ssh
touch .ssh/authorized_keys && chmod 600 .ssh/authorized_keys
## append ssh public keys from your team members
cat /tmp/id_rsa.yours.pub >> ~/.ssh/authorized_keys
cat /tmp/id_rsa.others.pub >> ~/.ssh/authorized_keys

# restrict ssh access
cat /etc/shells   # see if `git-shell` is already in there.  If not…
which git-shell   # make sure git-shell is installed on your system.
sudo nano /etc/shells  # and add the path to git-shell from last command

sudo chsh git  # and enter the path to git-shell, usually: /usr/bin/git-shell

# create git repo
git init --bare project.git

Reference URL: http://blog.airobot.org/2016/10/09/搭建简易git私服/

2. The brute force way:

Put the following restriction in the ~/.ssh/authorized_keys file:
command="/path/to/git_rsh.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3….o9M9qz4xqGCqGXoJw= user@host

The git_rsh.sh script:
#!/bin/sh
# Restricted shell for the git user: permits only git-upload-pack and
# git-receive-pack, and only against repositories under /git.
#
# sshd invokes it in one of two ways:
#   - as the login shell:              git_rsh.sh -c 'git-upload-pack ...'
#   - via command= in authorized_keys: no arguments; the client's request is
#     in SSH_ORIGINAL_COMMAND instead.
# Normalize the second form into the first so both are checked identically.
if [ $# -eq 0 ] && [ -n "$SSH_ORIGINAL_COMMAND" ] ; then
    set -- -c "$SSH_ORIGINAL_COMMAND"
fi

if [ $# -ne 2 ] || [ "$1" != "-c" ] ; then
    printf "interactive login not permitted\n"
    exit 1
fi

set -- $2

if [ $# != 2 ] ; then
    printf "wrong number of arguments\n"
    exit 1
fi

case "$1" in
( git-upload-pack | git-receive-pack )
    ;; # continue execution
( * )
    printf "command not allowed\n"
    exit 1
    ;;
esac

# The git client single-quotes the repository path, as in
# git-upload-pack '/git/project.git'; strip one pair of quotes before resolving it.
repo=$2
repo=${repo#\'}
repo=${repo%\'}

# Canonicalize the path name: we don't want an escape out of
# /git via ../ path components or symlinks.

gitpath=$(readlink -f "$repo") # GNU Coreutils specific

case "$gitpath" in
( /git/* )
    ;; # continue execution
( * )
    printf "access denied outside of /git\n"
    exit 1
    ;;
esac

if ! [ -e "$gitpath" ] ; then
    printf "that git repo doesn't exist\n"
    exit 1
fi

"$1" "$gitpath"

Reference URL: https://stackoverflow.com/questions/402615/how-to-restrict-ssh-users-to-a-predefined-set-of-commands-after-login