Creating a Network File System (NFSv4.0) shared network resource is exactly like creating any other shared network resource in Linux or Unix for Apache / Lighttpd / Nginx web server. You need to type the following commands on vm05 having an IP address 192.168.1.14.
Linux NFS server: sync vs async option
You need to consider sync vs async issue. async option allows the NFS server to violate the NFS protocol and reply to requests before any changes made by that request have been committed to storage. This will improves performance, but at the cost that an unclean server restart (i.e. a crash) can cause data to be lost or corrupted. On other hand, sync option reply to requests only after the changes have been committed to stable storage. I strongly suggest that you use sync option and turn on nfs caching on local Apache / lighttpd / nginx nodes i.e. vm01 and vm02.
How to create an NFS shared network resource
First, install an nfs server using the yum command, enter:
# yum groupinstall "NFS file server"
OR
# yum install nfs-utils nfs4-acl-tools portmap
Turn on services:
# chkconfig nfs on
# chkconfig rpcbind on
# chkconfig rpcidmapd on
# chkconfig nfslock on
Creating an NFS server user account
I’m going to use apache user for sharing files on NFS server. You need to use the same user names on all servers i.e. vm01, vm02, vm03 and vm05. You can use the useradd command to create a user account as follows on the NFSv4 server:
#########################################################################################################
### Note UID/GID 48 is default on CentOS / RHEL - adjust apache UID / GID as per your vm01 and vm02 ###
#########################################################################################################
# /usr/sbin/groupadd -g 48 apache
# /usr/sbin/useradd -s /sbin/nologin -g 48 -u 48 -M -d /var/www apache
# /usr/bin/passwd -l apache
Do not install the Apache 2 web server on NFSv4 server.
/etc/idmapd.conf nfs server configuration
rpc.idmapd is the NFSv4 ID <-> name mapping daemon. It provides functionality to the NFSv4 kernel client and server, to which it commu nicates via upcalls, by translating user and group IDs to names, and vice versa. Edit /etc/idmapd.conf, enter:
# vi /etc/idmapd.conf
The following should be set to the local NFSv4 domain name. The default is the host’s DNS domain name (replace cyberciti.biz with your actual dns domain name).
Domain = cyberciti.biz
Also make sure Mapping is follows:
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
Save and close the file.
Sharing file system
To create the shared network resource for /var/www/static and /var/www/html, follow these steps. Use mkdir command to create required directory on NFSv04 server:
# mkdir -p /exports/{static,html}
Use the following command to bind file system at another location called /exports:
# mount --bind /var/www/html /exports/html
# mount --bind /var/www/static /exports/static
Edit /etc/fstab file, enter:
# vi /etc/fstab
Append the following entries:
/var/www/html /exports/html none bind
/var/www/static /exports/static none bind
Save and close the file. Edit /etc/exports file, enter:
# vi /etc/exports
Append the following config:
#################################
### Exports for vm01 and vm02 ###
### by vivek Thu June 21,2012 ###
#################################
## Base nfs Root, fsid=0 means NFSv4 ##
/exports 192.168.1.10(rw,fsid=0,no_subtree_check,async) 192.168.1.11(rw,fsid=0,no_subtree_check,async)
### NFS Config For www.cyberciti.biz Domain ##
/exports/html 192.168.1.10(rw,no_subtree_check,async,nohide) 192.168.1.11(rw,no_subtree_check,async,nohide)
# Static files are exported as ro, if user upload files, set it as rw #
/exports/static 192.168.1.10(ro,no_subtree_check,async,nohide) 192.168.1.11(ro,no_subtree_check,async,nohide)
Save and close the file. Start nfs and related servers, enter:
# /sbin/service rpcbind start
# /sbin/service rpcidmapd start
# /sbin/service nfslock start
# /sbin/service nfs start
Securing NFSv04 server
You can setup a firewall and configure TCPwrapper as described here. See how to configure iptbales to use fixed ports for NFS server. You can also use network/mask representing the machines (such as vm01, vm02) on your network which must mount NFS filesystems from this server. Edit /etc/sysconfig/iptables. Add the following lines, ensuring that they appear before the final LOG and DROP lines:
## open nfsv4 server port for the lan nodes/vms ##
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 2049 -j ACCEPT
Save and close the file. Restart iptables, enter:
# service iptables restart
Sharing files
You can now upload all static files in /var/www/static and php/html files /var/www/html directories. Do not put Unix sockets on nfs shared file system. If you are using SELinux you need to setup the standard file permissions and ownership, including the SELinux security context for NFS. For testing purpose you can disable SELinux (not recommended). See:
- HowTo: Temporarily Switch Off SELinux Enforcement
- Disable SELinux for only Apache / httpd in Linux (not recommended)
Final note about NFS
- In this example, NFS is a single point of failure for internal RAID based disks. However, you can mount from highly redundant storage such as a SAN or a NAS device. Highly redundant storage going to increase the cost of the project.
- Also, make each vm a client or a server, not both.
- NFS must be deployed in the simplest configuration to avoid maintainability and security problems.
The post Linux: Creating a Network File System (NFS) Share For Apache / Lighttpd / Nginx Web Server appeared first on nixCraft.