I have set up an nfs4 server (opensuse 12.1).
The nfs4 client (opensuse 12.1) is mounting the nfs folder fine.
When I copy a file to the locally mounted nfs folder /home/anton/bin on the workstation it is only copied locally to /home/anton/bin and cannot be found on the nfs server /srv/nfs.
The NFS export is either mounted on */home/anton/bin* and then anything you do inside */home/anton/bin* in reality happens in the exported directory on the server, or it is not mounted and then everything happens in the local /home/anton/bin.
You have a whole story, but your story is not backed by any evidence. And we are strict non-believers. We want to see computer output. That is, the computer output which led you to the conclusions you expressed above.
Things like:
mount
ls -l /home/anton
ls -l /home/anton/bin
and anything more you think you need to convince us that your conclusions are correct.
On the serverside
brender:~ # mount
devtmpfs on /dev type devtmpfs (rw,relatime,size=1537068k,nr_inodes=384267,mode=755)
tmpfs on /dev/shm type tmpfs (rw,relatime)
tmpfs on /run type tmpfs (rw,nosuid,nodev,relatime,mode=755)
devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
/dev/sda2 on / type ext4 (rw,relatime,user_xattr,acl,barrier=1,data=ordered)
proc on /proc type proc (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
tmpfs on /sys/fs/cgroup type tmpfs (rw,nosuid,nodev,noexec,relatime,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpuacct,cpu)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/net_cls type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=22,pgrp=1,timeout=300,minproto=5,maxproto=5,direct)
tmpfs on /var/lock type tmpfs (rw,nosuid,nodev,relatime,mode=755)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime)
tmpfs on /var/run type tmpfs (rw,nosuid,nodev,relatime,mode=755)
securityfs on /sys/kernel/security type securityfs (rw,relatime)
mqueue on /dev/mqueue type mqueue (rw,relatime)
tmpfs on /media type tmpfs (rw,nosuid,nodev,noexec,relatime,mode=755)
/dev/sda3 on /home type ext4 (rw,relatime,user_xattr,acl,barrier=1,data=ordered)
nfsd on /proc/fs/nfsd type nfsd (rw,relatime)
/dev/sda2 on /srv/nfs/brender type ext4 (rw,relatime,user_xattr,acl,barrier=1,data=ordered)
rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
brender:~ # showmount -e localhost
Export list for localhost:
/srv/nfs/brender *
/srv/nfs *
brender:~ #
On the desktop side
linux-4kin:/home/anton # mount
devtmpfs on /dev type devtmpfs (rw,relatime,size=2018708k,nr_inodes=504677,mode=755)
tmpfs on /dev/shm type tmpfs (rw,relatime)
tmpfs on /run type tmpfs (rw,nosuid,nodev,relatime,mode=755)
devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
/dev/sda2 on / type ext4 (rw,relatime,user_xattr,acl,barrier=1,data=ordered)
proc on /proc type proc (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
tmpfs on /sys/fs/cgroup type tmpfs (rw,nosuid,nodev,noexec,relatime,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpuacct,cpu)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/net_cls type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=22,pgrp=1,timeout=300,minproto=5,maxproto=5,direct)
mqueue on /dev/mqueue type mqueue (rw,relatime)
tmpfs on /media type tmpfs (rw,nosuid,nodev,noexec,relatime,mode=755)
tmpfs on /var/lock type tmpfs (rw,nosuid,nodev,relatime,mode=755)
securityfs on /sys/kernel/security type securityfs (rw,relatime)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
tmpfs on /var/run type tmpfs (rw,nosuid,nodev,relatime,mode=755)
/dev/sda3 on /home type ext4 (rw,relatime,user_xattr,acl,barrier=1,data=ordered)
rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
192.168.1.104:/ on /home/anton/bin type nfs4 (rw,relatime,vers=4,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.1.101,minorversion=0,local_lock=none,addr=192.168.1.104)
192.168.1.104:/brender/ on /home/anton/bin/brender type nfs4 (rw,relatime,vers=4,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.1.101,minorversion=0,local_lock=none,addr=192.168.1.104)
fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)
gvfs-fuse-daemon on /home/anton/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,relatime,user_id=1000,group_id=100)
linux-4kin:/home/anton #
permissions server /srv/nfs/brender folder
brender:~ # cd /srv/nfs/
brender:/srv/nfs # ls -l
total 4
drwxrwxrwx 2 nobody nogroup 4096 jun 30 09:55 brender
But I cannot copy a file to it from desktop :
anton@linux-4kin:~> cd /home/anton/bin/
anton@linux-4kin:~/bin> ls -l
total 4
drwxrwxrwx 2 nobody nogroup 4096 jun 30 09:55 brender
anton@linux-4kin:~/bin> cd /home/anton/Downloads/
anton@linux-4kin:~/Downloads> cp settlers.png /home/anton/bin/brender/
cp: cannot create regular file `/home/anton/bin/brender/settlers.png': Bestandssysteem is alleen-lezen
anton@linux-4kin:~/Downloads>
Bestandssysteem is alleen lezen means : filesystem is read only.
How is that possible.
I asked three things (from the client), but the
ls -l /home/anton
is missing.
Also, please do all these commands as root, as normal users you might not have access to all we need.
I guess that everything inside */home/anton*, including all inside */home/anton/bin*, should be owned by the user anton and the group users. At least that is the normal case. But I see you have a directory named brender in */home/anton/bin* that is owned by nobody and *nogroup*. Which means that on the server side it is not owned by the userid and group belonging to anton and *users*. Thus you are blocked using it. It would be a big security issue if this was allowed.
To show what is on the server, please (as root)
ls -l /srv/nfs/brender
And to show that this is the correct exported directory:
cat /etc/exports
nobody nogroup is for security reason if someone could get access improperly.
Default is root.
What do you recommend for ownership? Maybe it's simple and that is the problem.
Why do you ask for “ls -l /home/anton”? I do not understand that one.
rights do not inherit
I normally login as user anton on the desktop that’s why I showed ls as user and not as root.
linux-4kin:/home/anton # ls -l /home/anton/bin
total 4
drwxrwxrwx 2 root root 4096 jun 30 2012 brender
brender:// # ls -l /srv/nfs/brender
total 564
-rwxrwxrwx 1 root root 575096 jan 23 19:10 cgc_basic_animation_rigs.blend
brender:// #
brender:// # cat /etc/exports
/srv/nfs *(fsid=0,crossmnt,ro,root_squash,sync,no_subtree_check)
/srv/nfs/brender *(ro,root_squash,sync,no_subtree_check,bind=/srv/nfs/brender)
brender:// #
Well, you see for yourself now that */srv/nfs/brender* is owned by root:root. That will of course become nouser:nogroup on import (because of the root_squash in the configuration) because else root on the client could change root owned files on the server, which is normally not something you want (every system has its own root and password and this would circumvent this).
And it would be even worse when a mere normal user on the client could meddle around with files owned by root (or any other user not himself) on the server!
You must decide if the files in the exported directory are rightly owned by root there. Most probably they should be owned by anton.
That is, the same userid (a number) and not the username anton is ruling here.
What is missing here IMHO is a planning about who is who in the environment you seem to manage and which seems to include at least two systems (maybe more). You, as system manager, should have a good idea about your users on those systems. And those systems, seemingly related to each other, should then have the same users with at least the same userid (the number) on all systems (where they need to be) and it would be most desirable to have the same usernames attached to these userids on all systems to avoid misunderstandings.
You can of course break all these security issues by no_rootsquash and by adding access bits, but IMO this is pretty dumb.
Changed ownership to anton (UID1000) same as desktop user.
Group users .
But desktop user is still not having write access.
For setting up nfs4 I followed this:
NFS4 - YouTube
I am a CG artist and want to give workstation members access to a network drive for rendering their work.
The desktops automatically login as user (UID1000)
root_squash
brender:~ # cat /etc/exports
/srv/nfs *(fsid=0,crossmnt,ro,root_squash,sync,no_subtree_check)
/srv/nfs/brender *(ro,root_squash,sync,no_subtree_check,bind=/srv/nfs/brender)
man exports page tells this:
root squashing means is that the files owned locally by root are not also mapped as root on an NFS volume. This particular sequence will provide R/W export of /mydir to all hosts (default is read-only) and maps the uid/gid 0 (root) to the anonymous uid/gid (usually 65534).
So R/W export from desktop /mydir to hosts should work?
As I said earlier, we are strict non-believers and want to see computer output. Thus when you changed something we want to see it again. Thus, from the server (as *root*):
ls -aln /srv/nfs/brender
Mind the extra n here, to see the numerics.
brender:/srv/nfs # cat /etc/exports
/srv/nfs *(fsid=0,crossmnt,root_squash,sync,no_subtree_check)
/srv/nfs/brender *(root_squash,sync,no_subtree_check,bind=/srv/nfs/brender)
brender:/srv/nfs #
brender:/srv/nfs # ls -aln /srv/nfs/brender
total 572
drwxrwxrwx 2 65534 65534 4096 jun 30 17:02 .
drwxrwxrwx 3 65534 65534 4096 jun 30 18:34 ..
-rwxrwxrwx 1 0 100 575096 jan 23 19:10 cgc_basic_animation_rigs.blend
ownership for security nobody nogroup
brender:/srv/nfs # ls -l /srv/nfs/
total 4
drwxrwxrwx 2 nobody nogroup 4096 jun 30 17:02 brender
If I add rw it's working, without it not!
Now I can copy paste from desktop /home/anton/bin/brender to host /srv/nfs/brender/
brender:/srv/nfs # cat /etc/exports
/srv/nfs *(fsid=0,crossmnt,rw,root_squash,sync,no_subtree_check)
/srv/nfs/brender *(rw,root_squash,sync,no_subtree_check,bind=/srv/nfs/brender)
brender:/srv/nfs #
brender:~ # ls -l /srv/nfs/brender/
total 568
-rwxrwxrwx 1 root users 575096 jan 23 19:10 cgc_basic_animation_rigs.blend
-rw-r--r-- 1 anton users 23 jun 30 18:55 testing
brender:~ #
solved.
I doubt. It may be that the action you wanted to do, works as you want. When that means “solved” to you, be happy with it.
You're not very friendly.
That is probably true. I try to help. When being friendly goes with that, that is an extra.
But when I ask you to do three things and you do only two of them and if you change the things we are investigating without telling exactly what you did and what the results were for the data I asked you, I am not very pleased.
And when you are not glad with my last remark in post #12 above and value that as unfriendly, so be it. I am still convinced you solved a small step while walking the wrong path. But that shouldn’t bother you too much.
This is a forum for users to discuss not demanding questions or answers.
I have asked why you want to see ls -l /home/anton/ (you do not inherit rights )
With maintenance I can directly contact Novell but I choose to share ideas.
brender:~ # ls -aln /srv/nfs/brender
total 1764
drwxrwxrwx 2 65534 65534 4096 jun 30 19:02 .
drwxrwxrwx 3 65534 65534 4096 jun 30 18:46 ..
-rwxrwxrwx 1 0 100 575096 jan 23 19:10 cgc_basic_animation_rigs.blend
-rw-r--r-- 1 1000 100 796089 mei 28 14:29 nathanRig252_1-01.blend
-rw-r--r-- 1 1000 100 415367 jun 28 17:17 oenvoyage-brender-0.5a-165-g0d6c40a.tar.gz
-rw-r--r-- 1 1000 100 23 jun 30 18:55 testing
On 2012-06-30 22:26, anton wrote:
>
> This is a forum for users to discuss not demanding questions or answers.
> I have asked why you want to see ls -l /home/anton/ (you do not
> inherit rights )
It gives information we need to diagnose.
> With maintenance I can directly contact Novell but I choose to share
> ideas.
Please do contact Novell, that means you are using SLES/SLED, not openSUSE.
We do not have access to Novell help.
> Code:
> --------------------
> brender:~ # ls -aln /srv/nfs/brender
> total 1764
> drwxrwxrwx 2 65534 65534 4096 jun 30 19:02 .
> drwxrwxrwx 3 65534 65534 4096 jun 30 18:46 ..
> -rwxrwxrwx 1 0 100 575096 jan 23 19:10 cgc_basic_animation_rigs.blend
> -rw-r--r-- 1 1000 100 796089 mei 28 14:29 nathanRig252_1-01.blend
> -rw-r--r-- 1 1000 100 415367 jun 28 17:17 oenvoyage-brender-0.5a-165-g0d6c40a.tar.gz
> -rw-r--r-- 1 1000 100 23 jun 30 18:55 testing
>
> --------------------
You have problems there. The directory is owned by “65534”, where it should
be owned by “1000”. That is a security issue. Another security issue is
that you allow read/writing by ALL, which is why your user “1000” is
allowed access.
See? Posting the output of the commands we request tells us a lot more
than descriptions.
--
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
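The points raised in this reply and earlier in the thread (an export open to `*`, `rw` added to it, and an exported directory that is world-writable and not owned by the intended uid) can be checked with a small script. This is an added example, not part of the thread; the function names `audit_exports` and `audit_dir` are hypothetical, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): flag risky NFS export and directory settings.

# audit_exports FILE: print one finding per line for each risky client entry.
audit_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }                     # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1, length($i) - p - 1)
            }
            if (client == "") client = "*"      # "(opts)" with no host means everyone
            rw = 0; nosquash = 0
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "rw") rw = 1
                if (o[j] == "no_root_squash") nosquash = 1
            }
            if (client == "*") print path ": exported to any host (*)"
            if (client == "*" && rw) print path ": writable by any host"
            if (nosquash) print path ": no_root_squash lets client root act as server root"
        }
    }' "$1"
}

# audit_dir DIR EXPECTED_UID: check mode and numeric owner of an exported directory.
audit_dir() {
    mode=$(stat -c '%a' "$1")                   # octal mode, e.g. 777 (GNU stat)
    owner=$(stat -c '%u' "$1")                  # numeric uid, as in "ls -aln"
    other=${mode#"${mode%?}"}                   # last digit = permissions for "other"
    if [ $((other & 2)) -ne 0 ]; then
        echo "$1: world-writable (mode $mode)"
    fi
    if [ "$owner" != "$2" ]; then
        echo "$1: owned by uid $owner, expected $2"
    fi
}

# Demo input: the rw export lines posted in the thread, written to a temp file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/srv/nfs *(fsid=0,crossmnt,rw,root_squash,sync,no_subtree_check)
/srv/nfs/brender *(rw,root_squash,sync,no_subtree_check,bind=/srv/nfs/brender)
EOF
audit_exports "$sample"
rm -f "$sample"
```

On the server this would be run as `audit_exports /etc/exports` and `audit_dir /srv/nfs/brender 1000`, where 1000 is the uid the thread gives for the desktop user.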
Sorry, I thought Novell gives direct support for openSUSE, but you're right; then we need to buy SLES.
Do you really need ls -l /home/anton to diagnose /home/anton/bin?
All the other asked codes are posted by me.
I could not know these codes were asked as root:
mount
ls -l /home/anton
ls -l /home/anton/bin
I have no experience with setting up NFS4.
I just followed this http://www.youtube.com/watch?v=LvgsXN90ug8 and this http://www.youtube.com/watch?v=NR9Ts8GV5Bo&feature=fvwrel
Is that not good.
On 07/01/2012 06:46 AM, anton wrote:
> Is that not good.
who are those guys?
- do either actually have a clue, or just THINK they do?
- does what they say track the official info available in
doc.opensuse.org and en.opensuse.org?
for the first listed video: is his 11.2 info suitable for your 12.1?
- i do not know the answer to that, and
- i don’t care to find out, because i don’t know why that guy decided
he is capable of covering
- i can tell you that if i were about to attempt to set up NFS4 i
wouldn’t follow either
for the second listed video:
- what NFS is he using?
- is it the same as yours
- i doubt it as his video is dated from 2009!
if you have trouble after following those two videos i’d suggest contact
those video makers directly and ask them for help.
--
dd
perhaps there is someone willing to make a new video tutorial openSUSE 12.1 NFS4 server and client configuration.
On 2012-07-01 06:46, anton wrote:
>
> Sorry I thought novell gives directly support for openSuse but you right
> then we need to buy SLES.
>
> Do you really need ls - l /home/anton for diagnose /home/anton/bin
The idea is really to see the permissions of the mount points for the
imported directories. Ie, the contents of the home directory are irrelevant
and probably too much to ask because they may contain private data, but a
part of it is important.
> All the other asked codes are posted by me.
> I could not now these code where asked as root:
>
> Code:
> --------------------
> mount
> ls -l /home/anton
> ls -l /home/anton/bin
>
> Code:
> --------------------
It probably does not matter if you can list them. If you are denied access
then you do have to repeat as root, so it is better to do as root from the
start.
> I have no experience with setting up NFS4.
> I just followed this http://www.youtube.com/watch?v=LvgsXN90ug8 and this http://www.youtube.com/watch?v=NR9Ts8GV5Bo&feature=fvwrel
>
> Is that not good.
I don’t know, I haven’t seen them
First one description:
The SUSE 11 course introduce NFS4, although this became available with SLES
10. There are many new features including much higher security but here we
look at pseudo-root filesystem. The option fsid=0 and the crossmount
options to allow local filesystem to be added to the pseudo root.
It should be reliable.
I can’t watch it complete, but apparently it configures an nfs server using
yast.
Second one description:
This Clip shows you how to install NFS Server Service and configure a basic
NFS Share and export it.
So, this one is more general. Ah, no, Ubuntu. Then don’t follow it closely.
This is good:
http://doc.opensuse.org/documentation/html/openSUSE/opensuse-reference/cha.nfs.html
Then you have some misconceptions.
Having a directory owned by “nobody” does not, of itself, add security per
se. Without knowing your intentions I can’t give a detailed recommendation,
but if you are going to place an external directory inside your home user
directory, it would be normal to own that directory by your user, both in
the server and in the client. It is as simple as that.
If that directory is to be read by many, then you have to play with group
permissions.
--
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)