最新消息:20210816 当前crifan.com域名已被污染,为防止失联,请关注(页面右下角的)公众号

【已解决】NFS客户端写入NFS共享文件夹出错:Permission denied

NFS crifan 17072浏览 0评论

【背景】

折腾:

【已解决】在远程Ubuntu服务器中开通NFS服务供别人访问服务器上的文件

期间,NFS服务器端已经配置了写权限:

/home/share/image *(rw,sync)

然后客户端去mount:

mount -t nfs 121.41.120.185:/home/share/image /root/nfs_client_root/

可以看到文件了:

root@chantyou:nfs_client_root# ls -l
total 240
-rw-r--r-- 1 root root 70545 May 28  2013 mmexport1369703131812.jpg
-rw-r--r-- 1 root root 82168 Sep 12  2013 mmexport1378988706739.jpeg
-rw-r--r-- 1 root root 85510 Nov 18  2013 p_large_0fOT_43d9000068f01263.jpg

但是却无法写入:

root@chantyou:nfs_client_root# sudo touch test_client_write.txt
touch: cannot touch ‘test_client_write.txt’: Permission denied

【解决过程】

1.搜:

NFS client Permission denied

参考:

linux – How to properly set permissions for NFS folder? Permission denied on mounting end. – Server Fault

去检查一下服务器端的确自己本身有写的权限:

root@iZ23lqgttauZ:image# ls /home/share/ -l
total 4
drwxr-xr-x 2 root root 4096 Jul 23 15:16 image
root@iZ23lqgttauZ:image# ls /home/share/image/ -l
total 240
-rw-r--r-- 1 root root 70545 May 28  2013 mmexport1369703131812.jpg
-rw-r--r-- 1 root root 82168 Sep 12  2013 mmexport1378988706739.jpeg
-rw-r--r-- 1 root root 85510 Nov 18  2013 p_large_0fOT_43d9000068f01263.jpg
root@iZ23lqgttauZ:image# 

好像:

NFS服务器端,没有给文件夹:

/home/share/image/

开通,g=group,o=other的写的权限。

所以去开通试试:

root@iZ23lqgttauZ:image# chmod go+w /home/share/image/
root@iZ23lqgttauZ:image# ls /home/share/ -l      
total 4
drwxrwxrwx 2 root root 4096 Jul 23 15:16 image
root@iZ23lqgttauZ:image# 

然后NFS客户端再去试试写入是否可行:

真的可以了:

root@chantyou:nfs_client_root# sudo touch test_client_write.txt
root@chantyou:nfs_client_root# 

 

【总结】

NFS的server端,虽然当前用户root,对于NFS共享出来的文件夹是有自己的写入权限,但是没有开通自己组group和其他人other的写权限:

root@iZ23lqgttauZ:image# ls /home/share/ -l
total 4
drwxr-xr-x 2 root root 4096 Jul 23 15:16 image

所以NFS客户端,去写入,应该属于other的权限,没法写出,出现Permission denied

解决办法是:

NFS客户端的共享出来的文件夹,开通other的写入权限:

root@iZ23lqgttauZ:image# chmod go+w /home/share/image/
root@iZ23lqgttauZ:image# ls /home/share/ -l      
total 4
drwxrwxrwx 2 root root 4096 Jul 23 15:16 image

然后NFS的客户端就可以正常写入了:

root@chantyou:nfs_client_root# sudo touch test_client_write.txt
root@chantyou:nfs_client_root# 

就是权限的问题。

 

【后记】

不过,后来看到了:

nfs 客户端操作 Permission denied – 崛望的生鱼片 – ITeye技术网站

说是加了no_root_squash,也可以解决问题。

那估计是:

参考:

How To Set Up an NFS Mount on Ubuntu 14.04 | DigitalOcean

  • rw: This option gives the client computer both read and write access to the volume.
  • sync: This option forces NFS to write changes to disk before replying. This results in a more stable and consistent environment, since the reply reflects the actual state of the remote volume.
  • no_subtree_check: This option prevents subtree checking, which is a process where the host must check whether the file is actually still available in the exported tree for every request. This can cause many problems when a file is renamed while the client has it opened. In almost all cases, it is better to disable subtree checking.
  • no_root_squash: By default, NFS translates requests from a root user remotely into a non-privileged user on the server. This was supposed to be a security feature by not allowing a root account on the client to use the filesystem of the host as root. This directive disables this for certain shares.

no_root_squash意思是:

NFS的服务器,默认会把从别处(NFS的客户端)来的请求,中的用户(此处是NFS客户端的超级用户root,拥有超级权限的)变成没有(超级)特权的用户

->从而导致了,NFS客户端的用户root,去访问NFS服务器端共享出来的文件夹的时候,就变成普通的一般的用户了,

然后根据NFS服务器上文件夹的权限设置drwxr-xr-x ,对于group和other是没写入权限的。

所以NFS客户端无法访问。

 

去验证此猜想:

(1)先恢复之前的权限:

root@iZ23lqgttauZ:image# chmod go-w /home/share/image/ 
root@iZ23lqgttauZ:image# ls /home/share/ -l           
total 4
drwxr-xr-x 2 root root 4096 Jul 23 15:42 image

客户端去访问,确保没权限:

root@chantyou:nfs_client_root# sudo touch test_client_write_2.txt
touch: cannot touch ‘test_client_write_2.txt’: Permission denied

然后NFS服务器端,只给文件夹开通other的write权限:

root@iZ23lqgttauZ:image# chmod o+w /home/share/image/  
root@iZ23lqgttauZ:image# ls /home/share/ -l          
total 4
drwxr-xrwx 2 root root 4096 Jul 23 15:42 image

然后客户端再去写入试试:

root@chantyou:nfs_client_root# sudo touch test_client_write_2.txt
root@chantyou:nfs_client_root# 

果然可以了

->验证了,从NFS客户端来到NFS服务器端的用户,属于other组;

(2)再恢复之前权限:

root@iZ23lqgttauZ:image# chmod o-w /home/share/image/ 
root@iZ23lqgttauZ:image# ls /home/share/ -l          
total 4
drwxr-xr-x 2 root root 4096 Jul 23 15:55 image
root@iZ23lqgttauZ:image# 

然后NFS服务器端加上那个no_root_squash

->这样NFS客户端来的用户就是root了

->root就可以访问服务器端的所有文件夹的权限了,应该是

->重启exportfs和重启NFS服务器:

root@iZ23lqgttauZ:image# vi /etc/exports 

# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/home/share/image *(rw,sync,no_root_squash)
~                                                                                                                                            
"/etc/exports" 11L, 433C written                                                                                  
root@iZ23lqgttauZ:image# exportfs -a
exportfs: /etc/exports [1]: Neither 'subtree_check' or 'no_subtree_check' specified for export "*:/home/share/image".
  Assuming default behaviour ('no_subtree_check').
  NOTE: this default has changed since nfs-utils version 1.0.x

root@iZ23lqgttauZ:image# service nfs-kernel-server
 * Usage: nfs-kernel-server {start|stop|status|reload|force-reload|restart}
root@iZ23lqgttauZ:image# service nfs-kernel-server restart
 * Stopping NFS kernel daemon  [ OK ] 
 * Unexporting directories for NFS kernel daemon... [ OK ] 
 * Exporting directories for NFS kernel daemon...  
     exportfs: /etc/exports [1]: Neither 'subtree_check' or 'no_subtree_check' specified for export "*:/home/share/image".
  Assuming default behaviour ('no_subtree_check').
  NOTE: this default has changed since nfs-utils version 1.0.x [ OK ]
 * Starting NFS kernel daemon  [ OK ] 
root@iZ23lqgttauZ:image# 

->然后NFS客户端再去访问试试:

结果死掉了。。。

root@chantyou:nfs_client_root# sudo touch test_client_write_3.txt

即,无法正常的写入NFS服务器,没有写入的权限。

不过稍等片刻,就好了,就生效了,有写入权限了:

root@chantyou:nfs_client_root# sudo touch test_client_write_4.txt
^Croot@chantyou:nfs_client_root# sudo touch test_client_write_5.txt
root@chantyou:nfs_client_root#

服务器端可以看到新写入的文件了:

root@iZ23lqgttauZ:image# ls -l
total 240
-rw-r--r-- 1 root   root    70545 May 28  2013 mmexport1369703131812.jpg
-rw-r--r-- 1 root   root    82168 Sep 12  2013 mmexport1378988706739.jpeg
-rw-r--r-- 1 root   root    85510 Nov 18  2013 p_large_0fOT_43d9000068f01263.jpg
-rw-r--r-- 1 nobody nogroup     0 Jul 23 15:55 test_client_write_2.txt
-rw-r--r-- 1 root   root        0 Jul 23 16:02 test_client_write_5.txt
-rw-r--r-- 1 nobody nogroup     0 Jul 23 15:42 test_client_write.txt
root@iZ23lqgttauZ:image# 

注意,新写入的测试5文件的用户是root和root

->就是从NFS客户端来的root用户。

 

【总结】

之前两种办法,都可以解决此处的NFS客户端没有写入NFS服务器共享出来的文件夹的权限的问题:

(1)给NFS服务器端的文件夹添加other组的write权限:

 chmod o+w /home/share/image/

(2)给NFS服务器端的文件夹配置选项增加no_root_squash:

/home/share/image *(rw,sync,no_root_squash)

记得要:

重新导出配置,再重启NFS服务:

exportfs -a
service nfs-kernel-server restart

并且再稍等一小会,才能真正生效。

转载请注明:在路上 » 【已解决】NFS客户端写入NFS共享文件夹出错:Permission denied

发表我的评论
取消评论

表情

Hi,您需要填写昵称和邮箱!

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址
83 queries in 0.188 seconds, using 22.12MB memory