System information

2. Ensure the package that provides the nfs-rdma service is installed and the service is enabled
with the following command:
# yum install rdma; chkconfig --level 345 nfs-rdma on
3. Ensure that the RDMA port is set to the preferred port (default for Red Hat Enterprise Linux 6 is
2050). To do so, edit the /etc/rdma/rdma.conf file to set NFSoRDMA_LOAD=yes and
NFSoRDMA_PORT to the desired port.
4. Set up the exported filesystem as normal for NFS mounts.
On the client side, use the following procedure:
Procedure 9.3. Enable RDMA from client
1. Ensure the RDMA rpm is installed and the RDMA service is enabled with the following
command:
# yum install rdma; chkconfig --level 2345 rdma on
2. Mount the NFS exported partition using the RDMA option on the mount call. The port option
can optionally be added to the call.
# mount -t nfs -o rdma,port=port_number
9.8. Securing NFS
NFS is well-suited for sharing entire file systems with a large number of known hosts in a transparent
manner. However, with ease-of-use comes a variety of potential security problems. Consider the
following sections when exporting NFS file systems on a server or mounting them on a client. Doing
so minimizes NFS security risks and better protects data on the server.
9.8.1. NFS Security with AUTH_SYS and export controls
Traditionally, NFS has given two options in order to control access to exported files.
First, the server restricts which hosts are allowed to mount which filesystems either by IP address or
by host name.
Second, the server enforces file system permissions for users on NFS clients in the same way it does
for local users. Traditionally it does this using AUTH_SYS (also called AUTH_UNIX), which relies on the
client to state the UID and GIDs of the user. Be aware that this means a malicious or misconfigured
client can easily get this wrong and allow a user access to files that it should not.
To limit the potential risks, administrators often allow read-only access or squash user permissions
to a common user and group ID. Unfortunately, these solutions prevent the NFS share from being
used in the way it was originally intended.
Additionally, if an attacker gains control of the DNS server used by the system exporting the NFS file
system, the system associated with a particular hostname or fully qualified domain name can be
pointed to an unauthorized machine. At this point, the unauthorized machine is the system permitted
to mount the NFS share, since no username or password information is exchanged to provide
additional security for the NFS mount.
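The following Python audit is an added example, not part of the guide: it reads /etc/exports entries and flags the conditions discussed above, that is, wildcard or hostname-based client lists (which depend on DNS), no_root_squash, and rw exports that rely on AUTH_SYS client-stated UIDs without all_squash. The sample exports content is constructed.

```python
import ipaddress

# Constructed sample /etc/exports content (assumption: not taken from any real host).
SAMPLE_EXPORTS = """\
/srv/pub     *(ro,all_squash)
/srv/home    192.168.10.0/24(rw,sync)
/srv/build   buildhost.example.com(rw,no_root_squash)
/srv/secure  192.168.10.5(rw,sec=krb5p)
"""


def _is_address(client):
    """True when the client spec is an IP address or CIDR network, not a name."""
    try:
        ipaddress.ip_network(client, strict=False)
        return True
    except ValueError:
        return False


def audit_export_line(line):
    """Return (path, client, finding) tuples for one /etc/exports line."""
    line = line.split("#", 1)[0].strip()  # drop comments and blank lines
    if not line:
        return []
    path, *clients = line.split()
    findings = []
    for token in clients:
        client, _, opts = token.partition("(")
        options = [o for o in opts.rstrip(")").split(",") if o]
        # Export controls: who may mount, and how that decision is resolved.
        if any(c in client for c in "*?"):
            findings.append((path, client, "wildcard client: any host may mount"))
        elif client.startswith("@"):
            findings.append((path, client, "netgroup client: depends on NIS lookup"))
        elif not _is_address(client):
            findings.append((path, client, "hostname client: access depends on DNS"))
        # root_squash is the default; no_root_squash trusts the client's root user.
        if "no_root_squash" in options:
            findings.append((path, client, "no_root_squash: remote root is trusted"))
        # AUTH_SYS is used unless sec= excludes "sys"; then client-stated UIDs rule.
        sec = [o[4:].split(":") for o in options if o.startswith("sec=")]
        uses_sys = not sec or "sys" in sec[0]
        if uses_sys and "rw" in options and "all_squash" not in options:
            findings.append((path, client, "rw over AUTH_SYS without all_squash"))
    return findings


def audit_exports(text):
    """Audit every line of an /etc/exports file; returns all findings in order."""
    return [f for line in text.splitlines() for f in audit_export_line(line)]


if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} {client}: {finding}")
```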
Chapter 9. Network File System (NFS)