Chapter 24. Accessing Network Storage

The following topics are covered in this chapter:

The following RHCSA exam objective is covered in this chapter:

  • Mount and unmount network file systems using NFS

The RHCSA exam requires that you know how to access network storage. This encompasses different topics. We’ll discuss accessing network storage that has been provided through CIFS and NFS. You’ll learn how to mount network storage through the fstab file, as well as how to automatically mount this storage using automount.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 24-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and ‘Review Questions.’”

Table 24-1 “Do I Know This Already?” Section-to-Question Mapping

Foundation Topics Section                        Questions
-------------------------                        ---------
Using NFS Services                               1–4
Using CIFS Services                              5
Mounting Remote File Systems Through fstab       6
Using Automount to Mount Remote File Systems     7–10

1. If you want to enable an NFS share where all access to files in the share is anonymous, which of the following security options should you use?

a. You do not have to specify anything; the default setting is based on anonymous access to files.

b. none

c. sys

d. krb5

2. Which of the following is not a new feature in NFSv4?

a. Integration with Active Directory

b. Kerberized security

c. Services offered on TCP port 2049

d. The root mount

3. What is the name of the package that needs to be installed to mount NFS shares on an NFS client?

a. nfs-client

b. nfs-tools

c. nfs-utils

d. nfs

4. You type the command showmount -e to display available mounts on an NFS server, but you do not get any result. Which of the following is the most likely explanation?

a. The NFS client software is not running.

b. You are using a UID that does not exist on the server.

c. SELinux is not configured properly.

d. The firewall does not allow showmount traffic.

5. You want to log in to an SMB share. Which of the following commands shows correct syntax for doing so?

a. mount -o username=sambauser1 //server/share /somewhere

b. mount -o uname=sambauser1 //server/share /somewhere

c. mount sambauser1@//server/share /somewhere

d. mount -o username=sambauser1@//server/share /somewhere

6. Which of the following statements about authentication is true when configuring automatic mounts of SMB shares through fstab?

a. You need to specify the username; while the share is mounted, you’ll see a prompt for a password.

b. You can only specify a username and a password by using mount options in /etc/fstab.

c. You do not have to specify a username or a password in fstab; you are prompted for them when accessing the share.

d. A secure way to specify a username and a password is by using a credentials file while mounting the share.

7. Which of the following is not a required step in configuring automount?

a. Identify the name of the automount directory in /etc/auto.master.

b. Create an indirect file in /etc/auto.something.

c. Start and enable the autofs service.

d. On the local mount point, set the appropriate permissions.

8. Assuming that the name of the directory you want automount to monitor is /myfiles, what is the recommended name for the corresponding configuration file?

a. /etc/automount/auto.myfiles

b. /etc/auto.myfiles

c. /etc/myfiles.auto

d. There is no recommended name.

9. Which of the following lines correctly identifies the syntax of a wildcard automount configuration that uses the NFS protocol?

a. &    -rw    server:/homes/*

b. &    rw    server:/homes/*

c. *    -rw    server:/homes/&

d. *    rw    server:/homes/&

10. What is the name of the service that automount uses?

a. autofs

b. automount

c. autofiles

d. auto

Foundation Topics

Using NFS Services

In previous chapters, you learned how to work with local file systems and mount them into the file system structure. In this chapter, you learn how to work with network file systems. The classic network file system is NFS (which stands for Network File System). It is a protocol that was developed for UNIX by Sun in the early 1980s, and it has been available on Linux forever. Its purpose is to make it possible to mount remote file systems into the local file system hierarchy.

Understanding NFS Security

When NFS was developed in the 1980s, it was often used together with Network Information Service (NIS), a solution that provides a network-based authentication server. With the use of NIS, all servers connected to NIS used the same user accounts and security was dealt with by the NIS server. The only thing that needed to be configured on the NFS server was host access. So, NFS security by default was limited to allowing and restricting specific hosts to access it.

NIS has rarely been used since the 1990s. NFS, however, continues to be a very popular service, primarily because it is fast and easy to configure. Without NIS, the feature that provided user-based security is gone, and that may make NFS seem to be an insecure solution. Let’s have a look at an example: Imagine that on server1, user linda has UID 1001. On server2, which is the NFS server, UID 1001 is used by user bob. After successfully connecting from server1 to server2, server1 user linda would have the same access to server2 resources as user bob. This obviously is an undesired situation.

To prevent situations like this from happening, NFS should be used together with a centralized authentication service. Commonly, a combination of the Lightweight Directory Access Protocol (LDAP) and Kerberos is used to provide this functionality. Configuration and integration of NFS with LDAP and Kerberos is not included in the RHCSA exam objectives, and for that reason will not be covered here.
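
The UID collision described above (linda and bob sharing UID 1001) can be checked for before a share is mounted. The following is an added example, not part of the original chapter: it compares two files in /etc/passwd format and reports UIDs and user names that do not line up between client and server. The sample accounts are constructed (anna and carol are added to linda and bob from the text), and the cut-off of 1000 for regular accounts is an assumption.

```sh
#!/bin/sh
# Added example: detect UID/name mismatches between an NFS client and server.
# Inputs are two files in /etc/passwd format (name:x:uid:gid:gecos:home:shell).

# uid_conflicts CLIENT_PASSWD SERVER_PASSWD [MIN_UID]
# MIN_UID (default 1000, an assumption about where regular accounts start)
# keeps system accounts out of the report.
uid_conflicts() {
    awk -F: -v min="${3:-1000}" '
        NR == FNR { cname[$3] = $1; cuid[$1] = $3; next }   # pass 1: client
        $3 + 0 < min + 0 { next }                           # pass 2: server
        ($3 in cname) && cname[$3] != $1 {
            # same number, different person: the case from the text
            printf "uid %s: %s on client, %s on server\n", $3, cname[$3], $1
        }
        ($1 in cuid) && cuid[$1] != $3 {
            # same person, different number: files show up under the wrong owner
            printf "user %s: uid %s on client, uid %s on server\n", $1, cuid[$1], $3
        }
    ' "$1" "$2"
}

# Constructed sample data: linda and bob come from the text, anna is a clean
# account and carol has the same name but a different UID on each host.
demo_uid_conflicts() {
    demo_dir=$(mktemp -d) || return 1
    cat > "$demo_dir/server1.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
linda:x:1001:1001::/home/linda:/bin/bash
anna:x:1002:1002::/home/anna:/bin/bash
carol:x:1003:1003::/home/carol:/bin/bash
EOF
    cat > "$demo_dir/server2.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
anna:x:1002:1002::/home/anna:/bin/bash
carol:x:1004:1004::/home/carol:/bin/bash
EOF
    uid_conflicts "$demo_dir/server1.passwd" "$demo_dir/server2.passwd"
    rm -rf "$demo_dir"
}

demo_uid_conflicts
```

On real hosts, save the output of getent passwd from each machine and pass the two files to uid_conflicts.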

RHEL 8 NFS Versions

On Red Hat Enterprise Linux 8, NFS 4 is the default version of NFS. If, when making an NFS mount, the NFS server offers a previous version of NFS, the client automatically falls back to that version. From a client, you can also force a specific NFS version to be used for the mount, by using the mount option nfsvers=. This can prove useful if you are connecting to a server or a device that offers NFS 3 only. Fortunately, this type of server or device is increasingly uncommon nowadays.

Mounting the NFS Share

Setting up an NFS server is not a part of the RHCSA exam. However, to practice your NFS-based skills, it’s useful to set up your own NFS test server. To do so, you need to go through a few tasks:

  1. Create a local directory you want to share.

  2. Edit the /etc/exports file to define the NFS share.

  3. Start the NFS server.

  4. Configure your firewall to allow incoming NFS traffic.

Exercise 24-1 guides you through these steps.

Exercise 24-1 Offering an NFS Share

You need a second server to do this exercise. A RHEL 8 server that was installed using the minimal server installation pattern is sufficient. This exercise assumes that a server with the name server2.example.com is available to offer these services.

  1. Type mkdir -p /nfsdata /users/user1 /users/user2 to create some local directories that are going to be shared.

  2. Copy some random files to this directory, using cp /etc/[a-c]* /nfsdata.

  3. Use vim to create the /etc/exports file and give it the following contents:

    /nfsdata    *(rw,no_root_squash)
    /users      *(rw,no_root_squash)

  4. Type yum install -y nfs-utils to install the required packages.

  5. Type systemctl enable --now nfs-server to start and enable the NFS server.

  6. Type firewall-cmd --add-service nfs --permanent to add the NFS service. Also type firewall-cmd --add-service rpc-bind --permanent and firewall-cmd --add-service mountd --permanent to add the rpc-bind and mountd services.

  7. To make the newly added services effective at this point, type firewall-cmd --reload.
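
The exports file in step 3 is written for a practice server: the client specification * matches every host, and no_root_squash turns off the mapping of remote root to an unprivileged account. The following is an added example, not part of the original exercise, that reads text in /etc/exports format and reports both settings. The tightened variant that limits the shares to server1.example.com is constructed for comparison.

```sh
#!/bin/sh
# Added example: flag export entries that are open to every host or that
# disable root squashing. Reads /etc/exports-format text on stdin.
# Limitation: expects one export per line, without continuation lines.
audit_exports() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            for (i = 2; i <= NF; i++) {         # $1 is the path, the rest are clients
                host = $i; opts = ""
                p = index($i, "(")
                if (p > 0) {                    # split "host(opt,opt)" into its parts
                    host = substr($i, 1, p - 1)
                    opts = substr($i, p + 1)
                    sub(/\)$/, "", opts)
                }
                if (host == "" || host == "*")
                    printf "%s: %s matches every host\n", $1, $i
                if (("," opts ",") ~ /,no_root_squash,/)
                    printf "%s: %s lets remote root act as root (no_root_squash)\n", $1, $i
            }
        }
    '
}

# The exports file from step 3 of the exercise.
lab_exports() {
    cat <<'EOF'
/nfsdata    *(rw,no_root_squash)
/users      *(rw,no_root_squash)
EOF
}

# Constructed variant: only server1.example.com may mount, and root
# squashing is left at its default.
tightened_exports() {
    cat <<'EOF'
# shares limited to the one client used in this chapter
/nfsdata    server1.example.com(rw)
/users      server1.example.com(rw)
EOF
}

echo "lab exports:"
lab_exports | audit_exports
echo "tightened exports:"
tightened_exports | audit_exports
```

To check a live server, run audit_exports < /etc/exports.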

Mounting the NFS Share

To mount an NFS share, you first need to find the names of the shares. This information can be provided by the administrator, but it is also possible to find out yourself. To discover which shares are available, you have multiple options:

  • If NFSv4 is used on the server, you can use a root mount. That means that you just mount the root directory of the NFS server, and under the mount point you’ll only see the shares that you have access to.

  • Use the showmount -e nfsserver command to find out which shares are available.

Warning

The showmount command may have issues with NFSv4 servers that are behind a firewall. This is because showmount relies on the portmapper service, which uses random UDP ports while making a connection, and the firewalld nfs service opens port 2049 only, which does not allow portmapper traffic. For the firewall to be set up correctly, the mountd and rpc-bind services need to be added to it as well. It is quite possible that shares have been set up correctly on the server but you cannot see them because showmount does not get through the firewall. If you suspect that this is the case, use the NFS root mount as explained in Exercise 24-2, or just try mounting the NFS share.

Exercise 24-2 Mounting an NFS Share

  1. On server1, type yum install -y nfs-utils to install the RPM package that contains the showmount utility.

  2. Type showmount -e server2.example.com to see all exports available from server2.

  3. On server1, type mount server2.example.com:/ /mnt. (Note the space between the slashes in the command.) This performs an NFSv4 pseudo root mount of all NFS shares.

  4. Type mount | grep server2 to verify the mount has succeeded.

  5. Still on server1, type ls /mnt. This shows the subdirectories data and home, which correspond to the mounts offered by the NFS server.

Using CIFS Services

In the 1990s, Microsoft published the technical specifications of its Server Message Block (SMB) protocol. This protocol is the foundation of all shares that are created in a Windows environment. Releasing these specifications led to the start of the Samba project. The goal of this project was to provide SMB services on top of other operating systems. Throughout the years, Samba has developed into the de facto standard for sharing files between different operating systems.

Samba is the standard Windows interoperability suite of programs for UNIX and Linux. As Samba has become such a common solution, it has been standardized and is now often referred to as the Common Internet File System (CIFS).

Discovering CIFS Shares

Before a CIFS share can be mounted, make sure that the cifs-utils and the samba-client RPM packages are installed on the client. After installing this, you can use the smbclient -L <servername> command to discover available Samba shares.

The smbclient command will ask for the password of the current user. This is because smbclient is a very generic utility that allows you to list shares but also to log in to Samba shares on remote servers and fetch files from the remote server. To list shares, however, no credentials are required. So, when the command asks for the password, just press Enter. Example 24-1 shows the result of the smbclient -L command.

Example 24-1 Discovering CIFS Shares

[root@server1 ~]# smbclient -L server2.example.com
Enter SAMBA\root's password:
Anonymous login successful

        Sharename       Type       Comment
        ---------       ----       -------
        print$          Disk       Printer Drivers
        sambashare      Disk       sambashare
        IPC$            IPC        IPC Service (Samba 4.9.1)
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

In Example 24-1, you can see how the smbclient utility is used to discover available shares on IP address 192.168.4.201. (To bypass possible problems in name resolution, the IP address of the host is used instead of the name.) The command then prompts for the password of the current user. Next, the current domain or workgroup of the Samba server is shown, as well as the available shares.

Mounting Samba Shares

To mount a Samba share, you can use the mount command. You can use the -t cifs option to specify that the mount is to a Samba share, but without this option it will also work because the mount command is smart enough to discover by itself that it is a Samba share you want to connect to. If guest access is allowed on the share, you can specify the -o guest option to authenticate as the guest user without a password. Alternatively, use the -o user=guest option for the same purpose. The complete mount command looks like this:

mount -t cifs -o user=guest //192.168.4.200/data /mnt

This command mounts the /data share that is available on 192.168.4.200 on the local /mnt directory. Note that you’ll be able to access files in the share but not write files in the share, because you are authenticated as the guest user, who has limited access permissions to the share.

Authenticating to Samba Shares

In the preceding section, you read how to mount a share with guest credentials. If you want to do something with the share, you should authenticate as a valid Samba user. This is a specific user account that has the credentials required to connect to a Samba share. (An ordinary Linux user cannot do that.) For this purpose, a Samba user must have been created.

To specify the Samba username you want to use, you can add the -o username=someone mount option:

mount -o username=sambauser1 //server/share /somewhere

When you do this, the mount command prompts for a password.

Configuring a Samba Server

For the RHCSA exam, you won’t have to configure a Samba server. To allow you to practice Samba in your own environment, Exercise 24-3 guides you through the steps that are required for setting up a Samba server. Perform these steps on a separate server with the name server2.example.com. Make sure to set up hostname resolution by using /etc/hosts so that this server can be reached by its name from server1.example.com.

Exercise 24-3 Setting Up a Samba Server

  1. Log in to server2 and open a root shell; mounts need to be performed as the root user.

  2. Type mkdir /sambashare so that you have a directory that can be shared through Samba.

  3. Open the share for SELinux using semanage fcontext -a -t public_content_t "/sambashare(/.*)?".

  4. Type restorecon -Rv /sambashare to apply the newly set SELinux context.

  5. Copy some files to the share, using cp /etc/[fg]* /sambashare.

  6. Enable the Linux-based access control by typing chmod 770 /sambashare.

  7. Configure group ownership: chgrp sales /sambashare.

  8. Install the Samba service by typing yum install -y samba.

  9. Edit the /etc/samba/smb.conf configuration file and add the following lines:

    [sambashare]
    comment = sambashare
    read only = No
    path = /sambashare

  10. Type systemctl enable --now smb to start and enable the Samba server.

  11. Open the firewall by typing firewall-cmd --add-service samba.

  12. To create a CIFS-compatible user account, type smbpasswd -a linda. This will add Samba credentials to the Linux user linda. Notice that this only works if you have an existing Linux user with the name linda.

In Exercise 24-4, you learn how to discover and mount Samba shares from the command line.

Exercise 24-4 Discovering and Mounting SMB Shares

This exercise assumes that you have set up a Samba server on server2.example.com. You must have completed Exercise 24-3 before you can do this exercise.

  1. Log in to server1 and open a root shell; mounts need to be performed as the root user.

  2. Type yum install -y cifs-utils samba-client to install the required RPM packages.

  3. Type smbclient -L server2.example.com to list available shares on the server.

  4. Type mount -t cifs -o username=linda //server2.example.com/sambashare /mnt to mount the /data share as guest on the /mnt directory.

  5. Type mount to verify that the mount has succeeded.

Mounting Remote File Systems Through fstab

You now know how to manually mount NFS and SMB file systems from the command line. If a file system needs to be available persistently, you need to use a different solution. Mounts can be automated either by using the /etc/fstab file or by using the autofs service. In this section, you learn how to make the mount through /etc/fstab. This is a convenient solution if you need the remote file system to be available permanently.

Mounting NFS Shares Through fstab

As you have learned in earlier chapters, the /etc/fstab file is used to mount file systems that need to be mounted automatically when a server restarts. Only the user root can add mounts to this configuration file, thus providing shares that will be available for all users. The /etc/fstab file can be used to mount the NFS file system as well as Samba. To mount an NFS file system through /etc/fstab, make sure that the following line is included:

server1:/share /nfs/mount/point nfs  sync  0 0

When making an NFS mount through fstab, you have a few options to consider:

Key topic
  • In the first column, you need to specify the server and share name. Use a colon after the name of the server to identify the mount as an NFS share.

  • The second column has the mount point, the directory where you want to do the mount; this is no different from a regular mount.

  • The third column contains the NFS file system type.

  • The fourth column is used to specify mount options and includes the sync option. This ensures that modified files are committed to the remote file system immediately and are not placed in write buffers first (which would increase the risk of data getting lost).

  • The fifth column contains a zero, which means that no backup support through the dump utility is requested.

  • The sixth column also contains a zero, to indicate that no fsck has to be performed on this file system while booting to check the integrity of the file system. The integrity of the file system would need to be checked on the server, not on the client.

Mounting Samba Shares Through fstab

When mounting Samba file systems through /etc/fstab, you need to consider a specific challenge: You need to specify the user credentials that are needed to issue the mount. On an NFS share, this is not necessary because the user who accesses the shared file system by default does so using his own credentials. While mounting a Samba share through /etc/fstab, these user credentials are normally specified with the username= and password= mount options, but it is not a good idea to put these in clear text in the /etc/fstab file. The following line shows how you would automatically mount the file system that you created in Exercise 24-3:

//server2/sambashare   /sambamount   cifs   username=linda,password=password   0 0
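
Because /etc/fstab is readable by every local user, an inline password= is visible to all of them. The following is an added example, not part of the original chapter: it finds cifs entries in fstab-format text that carry an inline password and shows the same mount rewritten with the credentials= option of mount.cifs, which reads the user name and password from a file that only its owner can read. The path /root/smb-linda.cred and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: keep the Samba password out of /etc/fstab.

# Read fstab-format text on stdin; print the mount point of every cifs entry
# whose option field carries password= (or its short form pass=).
fstab_inline_cifs_passwords() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        $3 == "cifs" && ("," $4 ",") ~ /,pass(word)?=/ { print $2 }
    '
}

# write_cifs_credentials FILE USER   (the password is read from stdin)
# Creates FILE in the username=/password= format that mount.cifs reads
# through its credentials= option, readable by the owner only.
write_cifs_credentials() {
    IFS= read -r cred_pw || return 1
    ( umask 077 && printf 'username=%s\npassword=%s\n' "$2" "$cred_pw" > "$1" ) || return 1
    chmod 600 "$1"      # also tightens a file that already existed
}

# The entry from the text, on one line as fstab requires.
inline_entry() {
    echo '//server2/sambashare /sambamount cifs username=linda,password=password 0 0'
}

# The same mount with the secret moved to a credentials file.
# /root/smb-linda.cred is a hypothetical path.
credentials_entry() {
    echo '//server2/sambashare /sambamount cifs credentials=/root/smb-linda.cred 0 0'
}

# Demo in a scratch directory so nothing under /root or /etc is touched.
# Prints the permission bits of the new file, then its contents.
demo_credentials_file() {
    demo_dir=$(mktemp -d) || return 1
    printf '%s\n' 'password' | write_cifs_credentials "$demo_dir/smb-linda.cred" linda
    ls -l "$demo_dir/smb-linda.cred" | cut -c1-10
    cat "$demo_dir/smb-linda.cred"
    rm -rf "$demo_dir"
}

echo "inline password found for: $(inline_entry | fstab_inline_cifs_passwords)"
[ -z "$(credentials_entry | fstab_inline_cifs_passwords)" ] &&
    echo "credentials= entry: no inline password"
demo_credentials_file
```

To check a live system, run fstab_inline_cifs_passwords < /etc/fstab.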

Using Automount to Mount Remote File Systems

As an alternative to using /etc/fstab, you can configure automount to mount the share automatically. Automount can be used for SMB as well as NFS mounts, and the big difference is that mounts through automount are effected on demand and not by default. So, using automount ensures that no file systems are mounted that are not really needed.

Understanding Automount

Automount is implemented by the autofs service that takes care of mounting a share when an attempt is made to access it. That means it is mounted on demand and that it does not have to be mounted permanently. An important benefit of using automount is that it works completely in user space and, contrary to mounts that are made through the mount command, no root permissions are required.

Defining Mounts in Automount

In automount, mounts are defined through a two-step procedure. First, you need to edit the master configuration file /etc/auto.master. In this file you identify the mount point (for instance, /nfsdata). Next, and on the same line, you identify the name of the secondary file, as all further configuration happens in this secondary file. The line you create could look as follows:

/nfsdata    /etc/auto.nfsdata

In the secondary file you put the name of the subdirectory that will be created in the mount point directory as a relative filename. For instance, you start the line with files, to mount /nfsdata/files. After the name of the subdirectory, you specify NFS mount options, as well as the server and share name to access the NFS share. This line could look as follows:

files    -rw    server2:/nfsdata

Configuring Automount for NFS

Configuring an automount solution is a multistep procedure. To show how it works, Exercise 24-5 lists all steps involved. Follow the steps in this exercise to see for yourself how to configure automount.

Exercise 24-5 Configuring Direct and Indirect Maps to Mount NFS Shares

This exercise is performed on server1. It uses the NFS shares provided by server2 that you created in Exercise 24-1.

  1. Type yum install -y autofs to install the autofs package.

  2. Type showmount -e server2.example.com, which shows you NFS exports offered by server2.

  3. Open the file /etc/auto.master and add the following line:

    /nfsdata    /etc/auto.nfsdata

  4. Type vim /etc/auto.nfsdata and add the following line:

    files -rw server2:/nfsdata

  5. Type systemctl enable --now autofs to start and enable the autofs service.

  6. Type ls /; notice that there is no /nfsdata directory.

  7. Type cd /nfsdata/files to get access to the /nfsdata directory.

  8. Type mount and notice the last three lines in the mount output, created by the autofs service.

Using Wildcards in Automount

In Exercise 24-5, you learned how to perform automounts based on fixed directory names. In some cases, this is not very useful, and you are better off using dynamic directory names. This is, for example, the case for automounting home directories.

With home directories, a very helpful solution is to have the home directory of a specific user automounted when that user logs in. So, for example, if user linda logs in, she gets access to the NFS exported directory /home/linda, and when user anna logs in, she gets access to /home/anna. Using wildcards in automount offers an excellent tool to do this.

To create a wildcard mount, you will use lines like * -rw server2:/users/&. In this line, the * represents the local mount point, which in this case represents anything, and the & represents the matching item on the remote server.

Obviously, you could also choose to export the /home directory and mount just the /home directory, but that increases the risk that user anna gets access to user linda’s home directory. For that reason, using a wildcard mount is a much cleaner solution, as demonstrated in Exercise 24-6.

Exercise 24-6 Configuring Wildcard Mounts

This exercise is performed on server1. It uses the NFS shares that are provided by server2, which you created in Exercise 24-1. On server2, the directory /users is exported, which simulates an NFS server that exports home directories. You are going to configure a wildcard mount, such that when /users/user1 is accessed, that exact directory is mounted, and when /users/user2 is accessed, that directory is mounted.

  1. Type yum install -y autofs to install the autofs package.

  2. Open the file /etc/auto.master and make sure it includes the following line:

    /users    /etc/auto.users

  3. Create the file /etc/auto.users and give it the following contents:

    *    -rw    server2:/users/&

  4. Type systemctl restart autofs to restart the autofs service.

  5. Type cd /users/user1 to get access to the NFS export /users/user1 on the server2 server.

Summary

In this chapter, you learned how to mount remote file systems and how to set up an FTP server. You first learned how to manually mount either an NFS or an SMB file system from the command line. Then you learned how these mounts can be automated through /etc/fstab or automount. In the last section in this chapter, you learned how to set up an FTP server to allow for anonymous file uploads.

Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction, you have several choices for exam preparation: the end-of-chapter labs; the memory tables in Appendix B; Chapter 26, “Final Preparation”; and the practice exams.

Review All Key Topics

Review the most important topics in the chapter, noted with the Key Topic icon in the outer margin of the page. Table 24-2 lists a reference of these key topics and the page number on which each is found.

Table 24-2 Key Topics for Chapter 24

Key Topic Element    Description                                                   Page
-----------------    -----------                                                   ----
List                 Options to consider when making an NFS mount through fstab    520

Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary:

SMB

CIFS

NFS

automount

Review Questions

The questions that follow are meant to help you test your knowledge of concepts and terminology and the breadth of your knowledge. You can find the answers to these questions in Appendix A.

1. On your NFS server, you have verified that the nfs service is active, and the firewall allows access to TCP port 2049. A client uses showmount against your server but doesn’t see any exports. What is the most likely explanation?

2. Which command enables you to show available NFS mounts on server1?

3. Which command enables you to mount an NFS share that is available on server1:/share?

4. Which command can you use to discover SMB mounts on a specific server?

5. Which package must be installed on an SMB client before you can make an SMB mount?

6. How do you mount the Samba share data on server1 with guest access on the local directory /mnt?

7. How do you mount a Samba mount through fstab while avoiding putting the username and password in /etc/fstab?

8. What is the name of the main automount configuration file?

9. What is the name of the service that implements automount?

10. Which ports do you need to open in the firewall of the automount client?

End-of-Chapter Lab

In this chapter, you learned how to mount remote file systems and automate those mounts using /etc/fstab or automount. You also learned how to set up an FTP server and saw the essential parts of a typical FTP server. In this end-of-chapter lab, you practice these skills in a way that is similar to how you need to perform them on the exam.

Lab 24.1

1. Set up an NFS server that shares the /home directory on server2.

2. Configure server1 to access the NFS-shared home directory using automount. You need to do this using wildcard automount.
