【Background】
While working through:
[Solved] Setting up an NFS service on a remote Ubuntu server so others can access files on the server
the NFS server side had already been configured with write permission:
/home/share/image *(rw,sync)
Then the client mounted it:
mount -t nfs 121.41.120.185:/home/share/image /root/nfs_client_root/
The files were visible:
root@chantyou:nfs_client_root# ls -l
total 240
-rw-r--r-- 1 root root 70545 May 28 2013 mmexport1369703131812.jpg
-rw-r--r-- 1 root root 82168 Sep 12 2013 mmexport1378988706739.jpeg
-rw-r--r-- 1 root root 85510 Nov 18 2013 p_large_0fOT_43d9000068f01263.jpg
But writing failed:
root@chantyou:nfs_client_root# sudo touch test_client_write.txt
touch: cannot touch ‘test_client_write.txt’: Permission denied
【Solution process】
1. Searched for:
NFS client Permission denied
Check that the server side itself does have write permission:
root@iZ23lqgttauZ:image# ls /home/share/ -l
total 4
drwxr-xr-x 2 root root 4096 Jul 23 15:16 image
root@iZ23lqgttauZ:image# ls /home/share/image/ -l
total 240
-rw-r--r-- 1 root root 70545 May 28 2013 mmexport1369703131812.jpg
-rw-r--r-- 1 root root 82168 Sep 12 2013 mmexport1378988706739.jpeg
-rw-r--r-- 1 root root 85510 Nov 18 2013 p_large_0fOT_43d9000068f01263.jpg
root@iZ23lqgttauZ:image#
It seems that:
on the NFS server side, the folder:
/home/share/image/
has not been given write permission for g=group and o=other.
So try granting it:
root@iZ23lqgttauZ:image# chmod go+w /home/share/image/
root@iZ23lqgttauZ:image# ls /home/share/ -l
total 4
drwxrwxrwx 2 root root 4096 Jul 23 15:16 image
root@iZ23lqgttauZ:image#
Then try again from the NFS client to see whether writing works:
It really does now:
root@chantyou:nfs_client_root# sudo touch test_client_write.txt
root@chantyou:nfs_client_root#
【Summary】
On the NFS server side, although the current user root has its own write permission on the folder shared over NFS, write permission had not been granted to its group and to other:
root@iZ23lqgttauZ:image# ls /home/share/ -l
total 4
drwxr-xr-x 2 root root 4096 Jul 23 15:16 image
So a write from the NFS client, which should fall under the other permissions, cannot go through, and Permission denied appears.
The fix is:
grant other write permission on the folder shared over NFS:
root@iZ23lqgttauZ:image# chmod go+w /home/share/image/
root@iZ23lqgttauZ:image# ls /home/share/ -l
total 4
drwxrwxrwx 2 root root 4096 Jul 23 15:16 image
Then the NFS client can write normally:
root@chantyou:nfs_client_root# sudo touch test_client_write.txt
root@chantyou:nfs_client_root#
It was simply a permissions issue.
【Postscript】
However, I later came across:
nfs client operation Permission denied – 崛望的生鱼片 – ITeye tech site
which says that adding no_root_squash also solves the problem.
So my guess is:
Reference:
How To Set Up an NFS Mount on Ubuntu 14.04 | DigitalOcean
- rw: This option gives the client computer both read and write access to the volume.
- sync: This option forces NFS to write changes to disk before replying. This results in a more stable and consistent environment, since the reply reflects the actual state of the remote volume.
- no_subtree_check: This option prevents subtree checking, which is a process where the host must check whether the file is actually still available in the exported tree for every request. This can cause many problems when a file is renamed while the client has it opened. In almost all cases, it is better to disable subtree checking.
- no_root_squash: By default, NFS translates requests from a root user remotely into a non-privileged user on the server. This was supposed to be a security feature by not allowing a root account on the client to use the filesystem of the host as root. This directive disables this for certain shares.
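What no_root_squash means:
By default, the NFS server turns the user in a request coming from elsewhere (the NFS client), here the client's superuser root with its superuser privileges, into a user without (super) privileges
-> As a result, when the NFS client's root user accesses the folder shared by the NFS server, it becomes an ordinary user,
and under the folder's permission setting on the NFS server, drwxr-xr-x, group and other have no write permission.
So the NFS client cannot access it.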
To verify this guess:
(1) First restore the earlier permissions:
root@iZ23lqgttauZ:image# chmod go-w /home/share/image/
root@iZ23lqgttauZ:image# ls /home/share/ -l
total 4
drwxr-xr-x 2 root root 4096 Jul 23 15:42 image
Access from the client, to confirm there is no permission:
root@chantyou:nfs_client_root# sudo touch test_client_write_2.txt
touch: cannot touch ‘test_client_write_2.txt’: Permission denied
Then, on the NFS server, grant only other write permission on the folder:
root@iZ23lqgttauZ:image# chmod o+w /home/share/image/
root@iZ23lqgttauZ:image# ls /home/share/ -l
total 4
drwxr-xrwx 2 root root 4096 Jul 23 15:42 image
Then try writing from the client again:
root@chantyou:nfs_client_root# sudo touch test_client_write_2.txt
root@chantyou:nfs_client_root#
Sure enough, it works.
-> This verifies that a user arriving at the NFS server from the NFS client falls under other;
(2) Restore the earlier permissions again:
root@iZ23lqgttauZ:image# chmod o-w /home/share/image/
root@iZ23lqgttauZ:image# ls /home/share/ -l
total 4
drwxr-xr-x 2 root root 4096 Jul 23 15:55 image
root@iZ23lqgttauZ:image#
Then add no_root_squash on the NFS server side
-> so the user arriving from the NFS client is root
-> root then has permission to access all folders on the server, presumably
-> Re-run exportfs and restart the NFS server:
root@iZ23lqgttauZ:image# vi /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
/home/share/image *(rw,sync,no_root_squash)
~
"/etc/exports" 11L, 433C written
root@iZ23lqgttauZ:image# exportfs -a
exportfs: /etc/exports [1]: Neither 'subtree_check' or 'no_subtree_check' specified for export "*:/home/share/image".
Assuming default behaviour ('no_subtree_check').
NOTE: this default has changed since nfs-utils version 1.0.x
root@iZ23lqgttauZ:image# service nfs-kernel-server
* Usage: nfs-kernel-server {start|stop|status|reload|force-reload|restart}
root@iZ23lqgttauZ:image# service nfs-kernel-server restart
* Stopping NFS kernel daemon [ OK ]
* Unexporting directories for NFS kernel daemon... [ OK ]
* Exporting directories for NFS kernel daemon...
exportfs: /etc/exports [1]: Neither 'subtree_check' or 'no_subtree_check' specified for export "*:/home/share/image".
Assuming default behaviour ('no_subtree_check').
NOTE: this default has changed since nfs-utils version 1.0.x
[ OK ]
* Starting NFS kernel daemon [ OK ]
root@iZ23lqgttauZ:image#
-> Then try accessing from the NFS client again:
It hung...
root@chantyou:nfs_client_root# sudo touch test_client_write_3.txt
That is, it could not write to the NFS server normally; there was no write permission.
But after waiting a moment it was fine: the change took effect and write permission was there:
root@chantyou:nfs_client_root# sudo touch test_client_write_4.txt
^Croot@chantyou:nfs_client_root# sudo touch test_client_write_5.txt
root@chantyou:nfs_client_root#
The newly written files are visible on the server side:
root@iZ23lqgttauZ:image# ls -l
total 240
-rw-r--r-- 1 root root 70545 May 28 2013 mmexport1369703131812.jpg
-rw-r--r-- 1 root root 82168 Sep 12 2013 mmexport1378988706739.jpeg
-rw-r--r-- 1 root root 85510 Nov 18 2013 p_large_0fOT_43d9000068f01263.jpg
-rw-r--r-- 1 nobody nogroup 0 Jul 23 15:55 test_client_write_2.txt
-rw-r--r-- 1 root root 0 Jul 23 16:02 test_client_write_5.txt
-rw-r--r-- 1 nobody nogroup 0 Jul 23 15:42 test_client_write.txt
root@iZ23lqgttauZ:image#
Note that the user and group of the newly written test file 5 are root and root
-> that is, the root user coming from the NFS client.
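The three server-side states tried in this postscript, as an added example that is not part of the original post: a shell model of which identity and which permission class the server applies to a request sent by the client's root. The function name is hypothetical, and the nobody/nogroup anonymous identity is taken from the owner names in the listing above.

```sh
#!/bin/sh
# Added example: model of the server-side check for a request sent by client root.
# ANON_USER/ANON_GROUP are the owner names the post's listing shows for squashed writes.
ANON_USER=nobody
ANON_GROUP=nogroup

# $1 = one "ls -ld" line for the exported directory
# $2 = root_squash (the default) or no_root_squash
client_root_can_create() {
    if [ "$2" = no_root_squash ]; then
        echo "allowed: uid 0 kept, directory mode bits do not restrict it"
        return 0
    fi
    set -- $1                      # split the listing: mode links owner group ...
    mode=$1 owner=$3 group=$4
    # Squashed root is ANON_USER:ANON_GROUP; pick the class that applies to it.
    if [ "$owner" = "$ANON_USER" ]; then
        class=owner bits=$(printf '%s' "$mode" | cut -c2-4)
    elif [ "$group" = "$ANON_GROUP" ]; then
        class=group bits=$(printf '%s' "$mode" | cut -c5-7)
    else
        class=other bits=$(printf '%s' "$mode" | cut -c8-10)
    fi
    # Creating a file needs write and search (w and x) on the directory.
    case $bits in
        ?w[xst]) echo "allowed: $ANON_USER via $class bits $bits"; return 0 ;;
        *)       echo "denied: $ANON_USER via $class bits $bits"; return 1 ;;
    esac
}

# The three states from the post (listing lines copied from its output).
client_root_can_create "drwxr-xr-x 2 root root 4096 Jul 23 15:16 image" root_squash || true
client_root_can_create "drwxr-xrwx 2 root root 4096 Jul 23 15:42 image" root_squash
client_root_can_create "drwxr-xr-x 2 root root 4096 Jul 23 15:55 image" no_root_squash
```

The squashed writes land as nobody:nogroup and the unsquashed one as root:root, which matches the owners of test_client_write_2.txt and test_client_write_5.txt in the server listing.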
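【Summary】
Either of the two approaches above solves the problem here of the NFS client having no permission to write to the folder shared by the NFS server:
(1) Add write permission for other on the folder on the NFS server:
chmod o+w /home/share/image/
(2) Add no_root_squash to the export options of the folder on the NFS server:
/home/share/image *(rw,sync,no_root_squash)
Remember to:
re-export the configuration, then restart the NFS service:
exportfs -a
service nfs-kernel-server restart
and then wait a little while before it actually takes effect.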
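An added example, not from the original post: a small shell audit that reads exports(5) entries and reports the properties the export lines above carry, namely rw granted to any host (`*`), no_root_squash, and the unspecified subtree_check option that exportfs complained about. The function names and the 192.0.2.10 client entry are constructed for the example; quoted paths and backslash line continuations are assumed absent.

```sh
#!/bin/sh
# Added example: audit exports(5) entries read on stdin.
# Output: one finding per line as "<path> <client> <finding>".
audit_exports() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }             # skip blank and comment lines
    {
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1, length($i) - p - 1)
            }
            if (client == "") client = "*"    # bare "(opts)" applies to any host
            rw = 0; noroot = 0; subtree = 0
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "rw") rw = 1
                if (o[j] == "no_root_squash") noroot = 1
                if (o[j] ~ /^(no_)?subtree_check$/) subtree = 1
            }
            any = (client == "*")
            if (any && rw) print $1, client, "rw-for-any-host"
            if (noroot)    print $1, client, (any ? "no_root_squash-for-any-host" : "no_root_squash")
            if (!subtree)  print $1, client, "subtree_check-unspecified"
        }
    }'
}

# The two export lines from the post plus a constructed single-client form
# (192.0.2.10 is a documentation address standing in for the real client).
sample_exports() {
    cat <<'EOF'
# /etc/exports
/home/share/image *(rw,sync)
/home/share/image *(rw,sync,no_root_squash)
/home/share/image 192.0.2.10(rw,sync,no_subtree_check)
EOF
}

sample_exports | audit_exports
```

On a server, run it as `audit_exports < /etc/exports`; the single-client entry with default root squashing produces no findings.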