Linux Cloud Automation and Operations, Lesson 20


Unit 5: iSCSI Remote Block Storage

 

I. iSCSI Concepts

 

  iSCSI (Internet SCSI) lets a client (the initiator) send SCSI commands over IP to a SCSI storage device (the target) on a remote server. iSCSI qualified names (IQNs) identify initiators and targets and use the format iqn.yyyy-mm.{reverse domain}:label. By default the network traffic is cleartext to port 3260/tcp on the iSCSI target: neither the login exchange nor the block data is encrypted, so anything on the network path can read or alter it.

1. iSCSI initiator: the client that needs access to raw SAN storage.

2. iSCSI target: a remote disk offered by an iSCSI server through a "target portal".

3. iSCSI target portal: the server (IP address and port) that offers targets to initiators over the network.

4. IQN: "iSCSI Qualified Name". Every initiator and target needs a unique name; the best practice is a name that is likely to be unique on the Internet. Note that an initiator's IQN is simply whatever the client writes in /etc/iscsi/initiatorname.iscsi, so it identifies a client but does not authenticate it.

 

II. iSCSI Target Configuration

 

1. Install the iSCSI target package:

# yum install -y targetcli

2. Enable and start the service:

# systemctl enable target; systemctl start target

3. Enter the interactive iSCSI target configuration shell:

# targetcli

4. Example:

[[email protected] ~]# fdisk /dev/vdb

Welcome to fdisk (util-linux 2.23.2).

 

Changes will remain in memory only, until you decide to write them.

Be careful before using the write command.

 

Device does not contain a recognized partition table

Building a new DOS disklabel with disk identifier 0x88535111.

 

Command (m for help): n

Partition type:

   p   primary (0 primary, 0 extended, 4 free)

   e   extended

Select (default p):

Using default response p

Partition number (1-4, default 1):

First sector (2048-20971519, default 2048):

Using default value 2048

Last sector, +sectors or +size{K,M,G} (2048-20971519, default 20971519): +1G

Partition 1 of type Linux and of size 1 GiB is set

 

Command (m for help): p

 

Disk /dev/vdb: 10.7 GB, 10737418240 bytes, 20971520 sectors

Units = sectors of 1 * 512 = 512 bytes

Sector size (logical/physical): 512 bytes / 512 bytes

I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk label type: dos

Disk identifier: 0x88535111

 

   Device Boot      Start         End      Blocks   Id  System

/dev/vdb1            2048     2099199     1048576   83  Linux

 

Command (m for help): wq

The partition table has been altered!

 

Calling ioctl() to re-read partition table.

Syncing disks.

[[email protected] ~]# partprobe

[[email protected] ~]# yum install targetcli -y

[[email protected] ~]# systemctl start target

[[email protected] ~]# systemctl status target

target.service - Restore LIO kernel target configuration

   Loaded: loaded (/usr/lib/systemd/system/target.service; disabled)

   Active: active (exited) since Tue 2017-05-02 04:04:07 EDT; 6s ago

  Process: 2385 ExecStart=/usr/bin/targetctl restore (code=exited, status=0/SUCCESS)

 Main PID: 2385 (code=exited, status=0/SUCCESS)

 

May 02 04:04:07 server42.example.com target[2385]: No saved config file at /...

May 02 04:04:07 server42.example.com systemd[1]: Started Restore LIO kernel ...

Hint: Some lines were ellipsized, use -l to show in full.

[[email protected] ~]# targetcli

Warning: Could not load preferences file /root/.targetcli/prefs.bin.

targetcli shell version 2.1.fb34

Copyright 2011-2013 by Datera, Inc and others.

For help on commands, type ‘help‘.

 

/> ls

o- / .................................................................... [...]

  o- backstores ......................................................... [...]

  | o- block ............................................. [Storage Objects: 0]

  | o- fileio ............................................ [Storage Objects: 0]

  | o- pscsi ............................................. [Storage Objects: 0]

  | o- ramdisk ........................................... [Storage Objects: 0]

  o- iscsi ....................................................... [Targets: 0]

  o- loopback .................................................... [Targets: 0]

/> /backstores/block create westos:111 /dev/vdb1

Created block storage object westos:111 using /dev/vdb1.

/> /iscsi create iqn.2017-05.com.example:111

Created target iqn.2017-05.com.example:111.

Created TPG 1.

/> /iscsi/iqn.2017-05.com.example:111/tpg1/luns create /backstores/block/westos:111

Created LUN 0.

/> /iscsi/iqn.2017-05.com.example:111/tpg1/acls create iqn.2017-05.com.example:key1

Created Node ACL for iqn.2017-05.com.example:key1

Created mapped LUN 0.

/> /iscsi/iqn.2017-05.com.example:111/tpg1/portals create 172.25.42.11

Using default IP port 3260

Created network portal 172.25.42.11:3260.

/> exit

Global pref auto_save_on_exit=true

Last 10 configs saved in /etc/target/backup.

Configuration saved to /etc/target/saveconfig.json
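The session above grants access purely on the initiator's IQN. Because the IQN is chosen by the client (it is a line in /etc/iscsi/initiatorname.iscsi), that ACL is an allow-list, not authentication: any host that writes iqn.2017-05.com.example:key1 into that file is admitted, and the traffic is cleartext on 3260/tcp either way. The following is an added example, not part of the original lesson, that validates IQNs and turns the interactive session into a repeatable, non-interactive targetcli command list with the two things the session leaves out: a CHAP secret on the node ACL and the TPG attributes that keep demo mode off. It reuses the lesson's names (westos:111 on /dev/vdb1, the two IQNs, portal 172.25.42.11); the CHAP user and password are placeholders, and the `portals delete 0.0.0.0 3260` line is there because newer targetcli-fb releases add a catch-all portal on `/iscsi create` (the fb34 build shown above does not, so that line is tolerated failing).

```shell
#!/bin/sh
# Added example: IQN validation and a non-interactive targetcli sequence.
# Not code from the original lesson; CHAP user/password are placeholders.

# iqn_valid NAME -> 0 if NAME is a well-formed iqn.YYYY-MM.<reversed-domain>[:label]
iqn_valid() {
    name=$1
    [ ${#name} -le 223 ] || return 1      # RFC 3720 length limit for iSCSI names
    printf '%s\n' "$name" | grep -Eq \
        '^iqn\.[0-9]{4}-(0[1-9]|1[0-2])\.[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+(:[^ ]+)?$'
}

# gen_target_cmds BACKSTORE DEVICE TARGET_IQN INITIATOR_IQN PORTAL_IP CHAP_USER CHAP_PASS
# Prints one "targetcli <path> <command>" line per step, in the same order as
# the interactive session (LUN before ACL, so the ACL gets mapped LUN 0).
gen_target_cmds() {
    bs=$1 dev=$2 tiqn=$3 iiqn=$4 ip=$5 user=$6 pass=$7
    iqn_valid "$tiqn" || { echo "invalid target IQN: $tiqn" >&2; return 1; }
    iqn_valid "$iiqn" || { echo "invalid initiator IQN: $iiqn" >&2; return 1; }
    tpg=/iscsi/$tiqn/tpg1
    cat <<EOF
targetcli /backstores/block create name=$bs dev=$dev
targetcli /iscsi create $tiqn
targetcli $tpg/portals delete 0.0.0.0 3260 2>/dev/null || true
targetcli $tpg/luns create /backstores/block/$bs
targetcli $tpg/acls create $iiqn
targetcli $tpg/acls/$iiqn set auth userid=$user password=$pass
targetcli $tpg set attribute authentication=1 generate_node_acls=0 demo_mode_write_protect=1
targetcli $tpg/portals create $ip 3260
targetcli saveconfig
EOF
}

# Stand-alone run: print the sequence for the lesson's names.
gen_target_cmds westos:111 /dev/vdb1 iqn.2017-05.com.example:111 \
    iqn.2017-05.com.example:key1 172.25.42.11 key1 'change-this-chap-secret'
```

Pipe the output into `sh` on the target host. On the initiator, CHAP is enabled in /etc/iscsi/iscsid.conf with `node.session.auth.authmethod = CHAP`, `node.session.auth.username` and `node.session.auth.password` set to the same values, before the `iscsiadm ... -l` login. CHAP authenticates the login but does not encrypt the data path; keep the portal bound to a storage-only network (as the specific portal IP above does) rather than 0.0.0.0.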

 

III. Demo

 

/> ls

o- / ..................................................................... [...]

o- backstores .......................................................... [...]

| o- block .............................................. [Storage Objects: 0]

| o- fileio ............................................. [Storage Objects: 0]

| o- pscsi .............................................. [Storage Objects: 0]

| o- ramdisk ............................................ [Storage Objects: 0]

o- iscsi ........................................................ [Targets: 0]

o- loopback ..................................................... [Targets: 0]

/> /backstores/block create server0.disk1 /dev/iSCSI_vg/disk1_lv

Created block storage object server0.disk1 using /dev/iSCSI_vg/disk1_lv.

/> /iscsi create iqn.2014-12.com.example:server0

Created target iqn.2014-12.com.example:server0.

Created TPG 1.

/> /iscsi/iqn.2014-12.com.example:server0/tpg1/acls create iqn.2014-12.com.example:desktop0

Created Node ACL for iqn.2014-12.com.example:desktop0

/> /iscsi/iqn.2014-12.com.example:server0/tpg1/luns create /backstores/block/server0.disk1

Created LUN 0.

Created LUN 0->0 mapping in node ACL iqn.2014-12.com.example:desktop0

/> /iscsi/iqn.2014-12.com.example:server0/tpg1/portals create 172.25.0.11

Using default IP port 3260

Created network portal 172.25.0.11:3260.

/> exit

 

IV. Accessing iSCSI Storage

 

1. Install the iSCSI initiator package:

# yum install -y iscsi-initiator-utils

2. Set the initiator's IQN in /etc/iscsi/initiatorname.iscsi:

InitiatorName=iqn.2014-12.com.example:desktop0

3. Discover the iSCSI targets (target portals) offered by the iSCSI server:

# iscsiadm -m discovery -t st -p 172.25.0.11

4. Log in to one or more iSCSI targets on the server:

# iscsiadm -m node -T iqn.2014-12.com.example:server0 -p 172.25.0.11 -l

5. The iSCSI disk can now be used as if it were a locally attached hard drive. An existing filesystem can be mounted. If the disk is unformatted, it can be partitioned with fdisk and the partition formatted with a filesystem or used as an LVM physical volume.

6. Mount the filesystem persistently in /etc/fstab:

1) Use blkid to determine the filesystem UUID and mount by UUID rather than by /dev/sd* device name. (The device name can differ on each boot, depending on the order in which iSCSI devices respond over the network; mounting by device name can therefore mount the wrong device.)

2) Use _netdev as a mount option in /etc/fstab. (This ensures the client does not try to mount the filesystem until networking is up; otherwise the system errors at boot.)

3) Make sure the iscsi service starts at boot.

7. Example:

[[email protected] ~]# yum search iscsi

Loaded plugins: langpacks

============================= N/S matched: iscsi ==============================

iscsi-initiator-utils.i686 : iSCSI daemon and utility programs

iscsi-initiator-utils.x86_64 : iSCSI daemon and utility programs

iscsi-initiator-utils-iscsiuio.x86_64 : Userspace configuration daemon required

                                      : for some iSCSI hardware

libiscsi.i686 : iSCSI client library

libiscsi.x86_64 : iSCSI client library

 

  Name and summary matches only, use "search all" for everything.

[[email protected] ~]# yum install iscsi-initiator-utils.x86_64 -y

Loaded plugins: langpacks

Package iscsi-initiator-utils-6.2.0.873-21.el7.x86_64 already installed and latest version

Nothing to do

[[email protected] ~]# vim /etc/iscsi/initiatorname.iscsi

[[email protected] ~]# cat /etc/iscsi/initiatorname.iscsi

InitiatorName=iqn.2017-05.com.example:key1

[[email protected] ~]# systemctl restart iscsi

[[email protected] ~]# iscsiadm -m discovery -t st -p 172.25.42.11

172.25.42.11:3260,1 iqn.2017-05.com.example:111

[[email protected] ~]# iscsiadm -m node -T iqn.2017-05.com.example:111 -p 172.25.42.11 -l

Logging in to [iface: default, target: iqn.2017-05.com.example:111, portal: 172.25.42.11,3260] (multiple)

Login to [iface: default, target: iqn.2017-05.com.example:111, portal: 172.25.42.11,3260] successful.

[[email protected] ~]# fdisk -l

 

Disk /dev/vda: 10.7 GB, 10737418240 bytes, 20971520 sectors

Units = sectors of 1 * 512 = 512 bytes

Sector size (logical/physical): 512 bytes / 512 bytes

I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk label type: dos

Disk identifier: 0x00013f3e

 

   Device Boot      Start         End      Blocks   Id  System

/dev/vda1   *        2048    20970332    10484142+  83  Linux

 

Disk /dev/vdb: 10.7 GB, 10737418240 bytes, 20971520 sectors

Units = sectors of 1 * 512 = 512 bytes

Sector size (logical/physical): 512 bytes / 512 bytes

I/O size (minimum/optimal): 512 bytes / 512 bytes

 

 

Disk /dev/sda: 1073 MB, 1073741824 bytes, 2097152 sectors

Units = sectors of 1 * 512 = 512 bytes

Sector size (logical/physical): 512 bytes / 512 bytes

I/O size (minimum/optimal): 512 bytes / 4194304 bytes

 

[[email protected] ~]# fdisk /dev/sda

Welcome to fdisk (util-linux 2.23.2).

 

Changes will remain in memory only, until you decide to write them.

Be careful before using the write command.

 

Device does not contain a recognized partition table

Building a new DOS disklabel with disk identifier 0x0eb780c0.

 

Command (m for help): n

Partition type:

   p   primary (0 primary, 0 extended, 4 free)

   e   extended

Select (default p):

Using default response p

Partition number (1-4, default 1):

First sector (8192-2097151, default 8192):

Using default value 8192

Last sector, +sectors or +size{K,M,G} (8192-2097151, default 2097151):

Using default value 2097151

Partition 1 of type Linux and of size 1020 MiB is set

 

Command (m for help): wq

The partition table has been altered!

 

Calling ioctl() to re-read partition table.

Syncing disks.

[[email protected] ~]# mkfs.xfs /dev/sda1

meta-data=/dev/sda1              isize=256    agcount=8, agsize=32640 blks

         =                       sectsz=512   attr=2, projid32bit=1

         =                       crc=0

data     =                       bsize=4096   blocks=261120, imaxpct=25

         =                       sunit=0      swidth=0 blks

naming   =version 2              bsize=4096   ascii-ci=0 ftype=0

log      =internal log           bsize=4096   blocks=853, version=2

         =                       sectsz=512   sunit=0 blks, lazy-count=1

realtime =none                   extsz=4096   blocks=0, rtextents=0

[[email protected] ~]# mount /dev/sda1 /mnt/

[[email protected] ~]# df

Filesystem     1K-blocks    Used Available Use% Mounted on

/dev/vda1       10473900 3170048   7303852  31% /

devtmpfs          493408       0    493408   0% /dev

tmpfs             508996      80    508916   1% /dev/shm

tmpfs             508996   13388    495608   3% /run

tmpfs             508996       0    508996   0% /sys/fs/cgroup

/dev/sda1        1041068   33056   1008012   4% /mnt

[[email protected] ~]# cd /mnt/

[[email protected] mnt]# ls

[[email protected] mnt]# touch file

[[email protected] mnt]# ls

file

[[email protected] mnt]# cd

[[email protected] ~]# umount /mnt/

[[email protected] ~]# df

Filesystem     1K-blocks    Used Available Use% Mounted on

/dev/vda1       10473900 3169992   7303908  31% /

devtmpfs          493408       0    493408   0% /dev

tmpfs             508996      80    508916   1% /dev/shm

tmpfs             508996   13388    495608   3% /run

tmpfs             508996       0    508996   0% /sys/fs/cgroup

[[email protected] ~]# blkid

/dev/vda1: UUID="9bf6b9f7-92ad-441b-848e-0257cbb883d1" TYPE="xfs"

/dev/sda1: UUID="2397cdcb-a0e6-4b3e-b478-6554a966976f" TYPE="xfs"

[[email protected] ~]# vim /etc/fstab

UUID="2397cdcb-a0e6-4b3e-b478-6554a966976f" /mnt xfs defaults 1 1

[[email protected] ~]# mount -a

[[email protected] ~]# df

Filesystem     1K-blocks    Used Available Use% Mounted on

/dev/vda1       10473900 3170016   7303884  31% /

devtmpfs          493408       0    493408   0% /dev

tmpfs             508996      80    508916   1% /dev/shm

tmpfs             508996   13392    495604   3% /run

tmpfs             508996       0    508996   0% /sys/fs/cgroup

/dev/sda1        1041068   33056   1008012   4% /mnt

[[email protected] ~]# vim /etc/fstab

/dev/sda1 /mnt xfs defaults,_netdev 0 0

[[email protected] ~]# umount /mnt/

[[email protected] ~]# df

Filesystem     1K-blocks    Used Available Use% Mounted on

/dev/vda1       10473900 3173828   7300072  31% /

devtmpfs          493408       0    493408   0% /dev

tmpfs             508996      80    508916   1% /dev/shm

tmpfs             508996   13392    495604   3% /run

tmpfs             508996       0    508996   0% /sys/fs/cgroup

[[email protected] ~]# mount -a

[[email protected] ~]# df

Filesystem     1K-blocks    Used Available Use% Mounted on

/dev/vda1       10473900 3173828   7300072  31% /

devtmpfs          493408       0    493408   0% /dev

tmpfs             508996      80    508916   1% /dev/shm

tmpfs             508996   13396    495600   3% /run

tmpfs             508996       0    508996   0% /sys/fs/cgroup

/dev/sda1        1041068   33056   1008012   4% /mnt
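Notice that the session above never writes the entry step 6 actually calls for: the first attempt mounts by UUID but without _netdev and with an fsck pass of 1, and the second adds _netdev but goes back to the /dev/sda1 device name. The following is an added example, not part of the original lesson, that builds the entry from captured blkid output (the same two lines shown above, here embedded as a constructed sample) and lints an existing entry for the three mistakes: device name instead of UUID, missing _netdev, and a non-zero fsck pass on a disk that does not exist until the iSCSI session is up.

```shell
#!/bin/sh
# Added example: build and check /etc/fstab entries for iSCSI-backed
# filesystems. Not code from the original lesson.

# fstab_line_from_blkid BLKID_OUTPUT DEVICE MOUNTPOINT
# Looks DEVICE up in captured `blkid` output and prints
# "UUID=<uuid> MOUNTPOINT <fstype> defaults,_netdev 0 0";
# returns 1 if the device (or its UUID/TYPE) is not listed.
fstab_line_from_blkid() {
    printf '%s\n' "$1" | awk -v dev="$2" -v mnt="$3" '
        $1 == (dev ":") {
            uuid = ""; type = ""
            for (i = 2; i <= NF; i++) {
                split($i, kv, "=")
                gsub(/"/, "", kv[2])
                if (kv[1] == "UUID") uuid = kv[2]
                if (kv[1] == "TYPE") type = kv[2]
            }
            if (uuid != "" && type != "") {
                printf "UUID=%s %s %s defaults,_netdev 0 0\n", uuid, mnt, type
                found = 1
            }
        }
        END { exit !found }'
}

# fstab_check_netdev LINE
# Prints one WARN line per problem in a single fstab entry for a network
# block device and returns the number of problems (0 means the entry is fine).
fstab_check_netdev() {
    set -- $1                       # fields: spec mountpoint fstype options dump pass
    spec=$1 opts=$4 pass=$6 n=0
    case $spec in
        UUID=*|LABEL=*|PARTUUID=*|/dev/disk/by-*) ;;
        *) echo "WARN: $spec is a kernel device name; iSCSI disks can be renumbered at boot, use UUID="
           n=$((n + 1)) ;;
    esac
    case ",$opts," in
        *,_netdev,*) ;;
        *) echo "WARN: no _netdev option; the mount will be attempted before networking and iscsi are up"
           n=$((n + 1)) ;;
    esac
    if [ "${pass:-0}" != 0 ]; then
        echo "WARN: fsck pass is $pass; use 0 for a remote disk (it does not exist until the session is up)"
        n=$((n + 1))
    fi
    return $n
}

# Stand-alone run: constructed sample taken from the blkid output shown above.
blkid_sample='/dev/vda1: UUID="9bf6b9f7-92ad-441b-848e-0257cbb883d1" TYPE="xfs"
/dev/sda1: UUID="2397cdcb-a0e6-4b3e-b478-6554a966976f" TYPE="xfs"'
fstab_line_from_blkid "$blkid_sample" /dev/sda1 /mnt
fstab_check_netdev 'UUID="2397cdcb-a0e6-4b3e-b478-6554a966976f" /mnt xfs defaults 1 1' || :
fstab_check_netdev '/dev/sda1 /mnt xfs defaults,_netdev 0 0' || :
```

The fstab entry only describes the mount; what brings the disk back after a reboot is step 3 of the list, the iscsi service being enabled so that the recorded node (iscsiadm -m node) is logged in again before the _netdev mounts are processed.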

 

V. Disconnecting from an iSCSI Target

 

1. Make sure none of the devices provided by the target are in use.

2. Make sure all persistent mounts that use the target have been removed from /etc/fstab and similar locations.

3. Log out of the iSCSI target to disconnect temporarily:

# iscsiadm -m node -T iqn.2010-09.com.example:rdisks.demo -p 192.168.0.254 -u

4. Delete the local record of the iSCSI target to disconnect permanently:

# iscsiadm -m node -T iqn.2010-09.com.example:rdisks.demo -p 192.168.0.254 -o delete

5. Example:

[[email protected] ~]# umount /mnt/

[[email protected] ~]# vim /etc/fstab

[[email protected] ~]# mount -a

[[email protected] ~]# df

Filesystem     1K-blocks    Used Available Use% Mounted on

/dev/vda1       10473900 3173828   7300072  31% /

devtmpfs          493408       0    493408   0% /dev

tmpfs             508996      80    508916   1% /dev/shm

tmpfs             508996   13392    495604   3% /run

tmpfs             508996       0    508996   0% /sys/fs/cgroup

[[email protected] ~]# fdisk -l

 

Disk /dev/vda: 10.7 GB, 10737418240 bytes, 20971520 sectors

Units = sectors of 1 * 512 = 512 bytes

Sector size (logical/physical): 512 bytes / 512 bytes

I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk label type: dos

Disk identifier: 0x00013f3e

 

   Device Boot      Start         End      Blocks   Id  System

/dev/vda1   *        2048    20970332    10484142+  83  Linux

 

Disk /dev/vdb: 10.7 GB, 10737418240 bytes, 20971520 sectors

Units = sectors of 1 * 512 = 512 bytes

Sector size (logical/physical): 512 bytes / 512 bytes

I/O size (minimum/optimal): 512 bytes / 512 bytes

 

 

Disk /dev/sda: 1073 MB, 1073741824 bytes, 2097152 sectors

Units = sectors of 1 * 512 = 512 bytes

Sector size (logical/physical): 512 bytes / 512 bytes

I/O size (minimum/optimal): 512 bytes / 4194304 bytes

Disk label type: dos

Disk identifier: 0x0eb780c0

 

   Device Boot      Start         End      Blocks   Id  System

/dev/sda1            8192     2097151     1044480   83  Linux

[[email protected] ~]# iscsiadm -m discovery -t st -p 172.25.42.11

172.25.42.11:3260,1 iqn.2017-05.com.example:111

[[email protected] ~]# iscsiadm -m node -T iqn.2017-05.com.example:111 -p 172.25.42.11 -u

Logging out of session [sid: 1, target: iqn.2017-05.com.example:111, portal: 172.25.42.11,3260]

Logout of [sid: 1, target: iqn.2017-05.com.example:111, portal: 172.25.42.11,3260] successful.

[[email protected] ~]# fdisk -l

 

Disk /dev/vda: 10.7 GB, 10737418240 bytes, 20971520 sectors

Units = sectors of 1 * 512 = 512 bytes

Sector size (logical/physical): 512 bytes / 512 bytes

I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk label type: dos

Disk identifier: 0x00013f3e

 

   Device Boot      Start         End      Blocks   Id  System

/dev/vda1   *        2048    20970332    10484142+  83  Linux

 

Disk /dev/vdb: 10.7 GB, 10737418240 bytes, 20971520 sectors

Units = sectors of 1 * 512 = 512 bytes

Sector size (logical/physical): 512 bytes / 512 bytes

I/O size (minimum/optimal): 512 bytes / 512 bytes

 

[[email protected] ~]# systemctl restart iscsi

[[email protected] ~]# fdisk -l

 

Disk /dev/vda: 10.7 GB, 10737418240 bytes, 20971520 sectors

Units = sectors of 1 * 512 = 512 bytes

Sector size (logical/physical): 512 bytes / 512 bytes

I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk label type: dos

Disk identifier: 0x00013f3e

 

   Device Boot      Start         End      Blocks   Id  System

/dev/vda1   *        2048    20970332    10484142+  83  Linux

 

Disk /dev/vdb: 10.7 GB, 10737418240 bytes, 20971520 sectors

Units = sectors of 1 * 512 = 512 bytes

Sector size (logical/physical): 512 bytes / 512 bytes

I/O size (minimum/optimal): 512 bytes / 512 bytes

 

 

Disk /dev/sda: 1073 MB, 1073741824 bytes, 2097152 sectors

Units = sectors of 1 * 512 = 512 bytes

Sector size (logical/physical): 512 bytes / 512 bytes

I/O size (minimum/optimal): 512 bytes / 4194304 bytes

Disk label type: dos

Disk identifier: 0x0eb780c0

 

   Device Boot      Start         End      Blocks   Id  System

/dev/sda1            8192     2097151     1044480   83  Linux

[[email protected] ~]# iscsiadm -m node -T iqn.2017-05.com.example:111 -p 172.25.42.11 -u

Logging out of session [sid: 2, target: iqn.2017-05.com.example:111, portal: 172.25.42.11,3260]

Logout of [sid: 2, target: iqn.2017-05.com.example:111, portal: 172.25.42.11,3260] successful.

[[email protected] ~]# iscsiadm -m node -T iqn.2017-05.com.example:111 -p 172.25.42.11 -o delete

[[email protected] ~]# fdisk -l

 

Disk /dev/vda: 10.7 GB, 10737418240 bytes, 20971520 sectors

Units = sectors of 1 * 512 = 512 bytes

Sector size (logical/physical): 512 bytes / 512 bytes

I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk label type: dos

Disk identifier: 0x00013f3e

 

   Device Boot      Start         End      Blocks   Id  System

/dev/vda1   *        2048    20970332    10484142+  83  Linux

 

Disk /dev/vdb: 10.7 GB, 10737418240 bytes, 20971520 sectors

Units = sectors of 1 * 512 = 512 bytes

Sector size (logical/physical): 512 bytes / 512 bytes

I/O size (minimum/optimal): 512 bytes / 512 bytes

 

[[email protected] ~]# systemctl restart iscsi

[[email protected] ~]# fdisk -l

 

Disk /dev/vda: 10.7 GB, 10737418240 bytes, 20971520 sectors

Units = sectors of 1 * 512 = 512 bytes

Sector size (logical/physical): 512 bytes / 512 bytes

I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk label type: dos

Disk identifier: 0x00013f3e

 

   Device Boot      Start         End      Blocks   Id  System

/dev/vda1   *        2048    20970332    10484142+  83  Linux

 

Disk /dev/vdb: 10.7 GB, 10737418240 bytes, 20971520 sectors

Units = sectors of 1 * 512 = 512 bytes

Sector size (logical/physical): 512 bytes / 512 bytes

I/O size (minimum/optimal): 512 bytes / 512 bytes

 

[[email protected] ~]#

 

[[email protected] ~]# targetcli

targetcli shell version 2.1.fb34

Copyright 2011-2013 by Datera, Inc and others.

For help on commands, type ‘help‘.

 

/> clearconfig confirm=True

All configuration cleared

/> ls

o- / .................................................................... [...]

  o- backstores ......................................................... [...]

  | o- block ............................................. [Storage Objects: 0]

  | o- fileio ............................................ [Storage Objects: 0]

  | o- pscsi ............................................. [Storage Objects: 0]

  | o- ramdisk ........................................... [Storage Objects: 0]

  o- iscsi ....................................................... [Targets: 0]

  o- loopback .................................................... [Targets: 0]

/> exit

Global pref auto_save_on_exit=true

Last 10 configs saved in /etc/target/backup.

Configuration saved to /etc/target/saveconfig.json

[[email protected] ~]# 

 

Unit 6: NFS File Storage

 

I. NFS Concepts

 

  The Network File System (NFS) is the network file system commonly used by Unix systems and network-attached storage appliances; it lets multiple clients share access to files over the network. It can be used to provide access to shared binary directories, and to let users in the same workgroup reach their files from different clients.

  There are several versions of the NFS protocol: Linux supports versions 4, 3 and 2, and most system administrators are familiar with NFSv3. By default the protocol is not secure (clients are identified by IP address, and users by the UID and GID the client claims), but newer versions such as NFSv4 support stronger authentication and can even be encrypted using Kerberos.

 

II. NFS Server Configuration

 

1. To configure a basic NFS server, install the nfs-utils package. Then edit /etc/exports to list the filesystems you want to share with client systems over the network, and which clients get which access to each export. For example:

/var/ftp/pub 192.168.0.0/24(ro,sync)

2. This exports the directory /var/ftp/pub read-only to all hosts on the 192.168.0.0/24 network.

3./export/homes *.example.com(rw,sync)

4. This exports the directory /export/homes read-write to all hosts in example.com.

5. While the NFS server is running, every time you edit /etc/exports you should apply the changes by running exportfs -r after saving. exportfs -v displays all current exports.

6. NFSv4 also exports a pseudo-root (the root of all exported filesystems). If a client mounts nfs-server:/, all exported filesystems are mounted relative to their position under / on the NFS server. This is useful for browsing all filesystems a server exports from the client. Filesystems can still be mounted individually.

7. By default the NFS server treats root on an NFS client as the user nfsnobody: if root tries to access a file in a mounted export, the server treats the access as coming from nfsnobody. This security measure gets in the way where an NFS export is used as / by a diskless client and root must be treated as root. To disable the protection, add no_root_squash to the option list of that export in /etc/exports, and restrict that export to the specific client address, as below; combined with a wildcard or a whole network it lets root on any client create and read root-owned files on the server:

/exports/root 192.168.0.1(rw,no_root_squash)

8. For NFSv4, only port 2049/TCP (for nfsd) needs to be open on the server. For NFSv3 and earlier, additional ports must be opened for rpcbind, rpc.mountd, lockd and rpc.rquotad, with the added complication that many of these services start on "randomly" chosen ports. NFSv2 and NFSv3 also support UDP transport, which requires the corresponding UDP ports to be opened as well.

9. Example:

[[email protected] ~]# yum install nfs-utils -y

Loaded plugins: langpacks

Package 1:nfs-utils-1.3.0-0.el7.x86_64 already installed and latest version

Nothing to do

[[email protected] ~]# systemctl restart nfs

[[email protected] ~]# firewall-cmd --permanent --add-service=nfs

success

[[email protected] ~]# firewall-cmd --permanent --add-service=rpc-bind

success

[[email protected] ~]# firewall-cmd --permanent --add-service=mountd

success

[[email protected] ~]# firewall-cmd --reload

success

[[email protected] ~]# firewall-cmd --list-all

public (default, active)

  interfaces: eth0

  sources:

  services: dhcpv6-client mountd nfs rpc-bind samba ssh

  ports:

  masquerade: no

  forward-ports:

  icmp-blocks:

  rich rules:

[[email protected] westos]# showmount -e 172.25.254.142

Export list for 172.25.254.142:

[[email protected] ~]# vim /etc/exports

/westos         172.25.254.0/24(ro)      # exports /westos read-only to all hosts on the 172.25.254.0/24 network

[[email protected] ~]# exportfs -rv      # -r re-exports everything so the edit takes effect; -v prints each export

exporting 172.25.254.0/24:/westos

[[email protected] westos]# showmount -e 172.25.254.142

Export list for 172.25.254.142:

/westos 172.25.254.0/24

[[email protected] westos]# mount 172.25.254.142:/westos/ /mnt/

[[email protected] westos]# cd /mnt/

[[email protected] mnt]# ls

westosfile

[[email protected] mnt]# touch file

touch: cannot touch ‘file’: Read-only file system

[[email protected] ~]# vim /etc/exports

/westos         172.25.254.0/24(rw)

[[email protected] ~]# exportfs -rv

exporting 172.25.254.0/24:/westos

[[email protected] mnt]# touch file

[[email protected] mnt]# ls

file  westosfile

[[email protected] mnt]# ll

total 0

-rw-r--r-- 1 nfsnobody nfsnobody 0 May  2 13:43 file

-rw-r--r-- 1 root      root      0 May  2 10:02 westosfile

[[email protected] ~]# vim /etc/exports

/westos         172.25.254.0/24(rw,no_root_squash)

[[email protected] ~]# exportfs -rv

exporting 172.25.254.0/24:/westos

[[email protected] mnt]# touch file1

[[email protected] mnt]# ll

total 0

-rw-r--r-- 1 nfsnobody nfsnobody 0 May  2 13:43 file

-rw-r--r-- 1 root      root      0 May  2 13:59 file1

-rw-r--r-- 1 root      root      0 May  2 10:02 westosfile

[[email protected] mnt]#
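The session above walks the export from ro, to rw, to rw,no_root_squash for an entire /24, and the last ll output shows the result: a file created by client root is owned by root on the server. The following is an added example, not part of the original lesson, that lints /etc/exports text for the settings that widen access the most (wildcard clients, read-write exports to wildcards or whole networks, no_root_squash, insecure) and for the classic typo of a space between the client and its option list, which exports(5) treats as a separate *(options) entry. The sample exports file at the bottom is constructed for this example.

```shell
#!/bin/sh
# Added example: a linter for /etc/exports. Not code from the original lesson.

# exports_lint EXPORTS_TEXT -> prints one finding per line, returns their count
exports_lint() {
    printf '%s\n' "$1" | awk '
        function warn(p, c, msg) { printf "%s %s: %s\n", p, c, msg; n++ }
        {
            sub(/#.*/, "")                        # strip comments; $0 is re-split
            if (NF < 2) next                      # blank line or path with no clients
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                if (match(client, /\(.*\)$/)) {   # split host(options)
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                o = "," opts ","
                if (client == "") {
                    warn(path, "*", "options separated from the host by a space apply to EVERY host")
                    client = "*"
                } else if (client == "*") {
                    warn(path, client, "exported to every host; restrict to a network or host list")
                }
                if (o ~ /,rw,/ && (client == "*" || client ~ /\//))
                    warn(path, client, "read-write export to a wildcard or whole network")
                if (o ~ /,no_root_squash,/)
                    warn(path, client, "no_root_squash lets root on the client act as root on this export")
                if (o ~ /,insecure,/)
                    warn(path, client, "insecure accepts requests from unprivileged source ports")
            }
        }
        END { exit n + 0 }'
}

# Stand-alone run over a constructed /etc/exports (not a real file)
exports_sample='# constructed sample
/var/ftp/pub 192.168.0.0/24(ro,sync)
/westos *(rw)
/exports/root 192.168.0.1(rw,no_root_squash)
/srv/data 172.25.0.5 (rw,sync)'
exports_lint "$exports_sample" || echo "findings: $?"
```

Run it as `exports_lint "$(cat /etc/exports)"` before `exportfs -r`; a non-zero return is the number of findings, which makes it usable as a pre-commit or configuration-management check.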

 

III. Demo

 

1. Start and enable the NFS service:

# systemctl start nfs-server ; systemctl enable nfs-server

2. Create the shared directory and set its ownership:

# mkdir /nfsshare ; chown nfsnobody /nfsshare

3. Edit /etc/exports. For example:

/nfsshare/read 172.25.0.0/24(ro,sync)

/nfsshare/write 172.25.0.0/24(rw,sync) 127.0.0.1(rw,sync)

4. From the client, list the exports and mount the NFS pseudo-root:

[[email protected] ~]# showmount -e server0

[[email protected] ~]# mkdir /mnt/nfsshare

[[email protected] ~]# mount -t nfs server0.example.com:/ /mnt/nfsshare

5. Mount the NFS filesystem persistently:

1) Add the corresponding line to /etc/fstab:

nfsserver:/nfsshare /mnt/nfsshare nfs defaults 0 0

2) Client-side NFS mount options:

rw: mount the filesystem read-write

ro: mount the filesystem read-only

vers=4: attempt the mount using only the specified NFS version; if the server does not support it, the mount request fails

soft: if an NFS request times out, return an error after three attempts. This trades data integrity for client responsiveness (the default, hard, retries indefinitely).

 

IV. Securing NFS Exports

 

Demo:

Run the lab script on serverX and desktopX to join both machines to the Kerberos authentication domain:

# lab nfskrb5 setup

Install the keytab the NFS service needs for Kerberos (the following steps are performed on server0):

# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/server0.keytab

Enable NFS version 4.2, which can also export SELinux labels, by editing /etc/sysconfig/nfs and setting:

RPCNFSDARGS="-V 4.2"

Start and enable the nfs-secure-server service (rpc.svcgssd):

# systemctl start nfs-secure-server; systemctl enable nfs-secure-server

Configure the NFS export (sec=krb5p requires Kerberos authentication, integrity and encryption of every request):

# mkdir /securenfs

# echo '/securenfs desktop0(sec=krb5p,rw)' >> /etc/exports

# exportfs -r

Install the keytab the client needs for Kerberos (the following steps are performed on desktop0):

# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/desktop0.keytab

Start and enable the nfs-secure service (rpc.gssd):

# systemctl start nfs-secure; systemctl enable nfs-secure

Configure the client mount:

# mkdir /mnt/secureshare

# echo 'server0:/securenfs /mnt/secureshare nfs defaults,v4.2,sec=krb5p 0 0' >> /etc/fstab

# mount -a

Example:

[[email protected] Desktop]$ ssh [email protected]

[email protected]‘s password:

[[email protected] ~]# hostnamectl set-hostname server42.example.com

[[email protected] ~]# vim /etc/yum.repos.d/rhel_dvd.repo

[[email protected] ~]# yum clean all

Loaded plugins: langpacks

Cleaning repos: rhel_dvd

Cleaning up everything

[[email protected] ~]# exit

logout

Connection to 172.25.42.11 closed.

[[email protected] Desktop]$ ssh [email protected] -X

[email protected]‘s password:

Last login: Tue May  2 02:34:45 2017 from 172.25.42.250

/usr/bin/xauth:  file /root/.Xauthority does not exist

 

(process:1741): dconf-WARNING **: failed to commit changes to dconf: Could not connect: Connection refused

[[email protected] ~]# cd /mnt/

[[email protected] mnt]# vim auth-config.sh

[[email protected] mnt]# cat /mnt/auth-config.sh

#!/bin/bash

echo install packages...

yum install sssd krb5-workstation -y &> /dev/null

echo configure...

authconfig \

--enableldap \

--enablekrb5 \

--disableldapauth \

--enableldaptls \

--ldaploadcacert="http://172.25.254.254/pub/example-ca.crt" \

--ldapserver="classroom.example.com" \

--ldapbasedn="dc=example,dc=com" \

--krb5realm="EXAMPLE.COM" \

--krb5adminserver="classroom.example.com" \

--krb5kdc="classroom.example.com" \

--update && echo success!!

[[email protected] mnt]# sh auth-config.sh

install packages...

configure...

success!!

[[email protected] mnt]# id ldapuser1

uid=1701(ldapuser1) gid=1701(ldapuser1) groups=1701(ldapuser1)

[[email protected] mnt]# scp /mnt/auth-config.sh [email protected]:/mnt/

The authenticity of host ‘172.25.42.10 (172.25.42.10)‘ can‘t be established.

ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added ‘172.25.42.10‘ (ECDSA) to the list of known hosts.

[email protected]‘s password:

auth-config.sh                               100%  457     0.5KB/s   00:00    

[[email protected] mnt]# yum install nfs-utils -y

Loaded plugins: langpacks

Package 1:nfs-utils-1.3.0-0.el7.x86_64 already installed and latest version

Nothing to do

[[email protected] mnt]# systemctl stop firewalld.service

[[email protected] mnt]# mkdir /westos

[[email protected] mnt]# touch /westos/file

[[email protected] mnt]# vim /etc/exports

/westos         *(rw)

[[email protected] mnt]# systemctl start nfs

[[email protected] mnt]# exportfs -rv

exporting 172.25.42.0/24:/westos

[[email protected] mnt]# vim /etc/sysconfig/nfs

RPCNFSDARGS="-V 4.2"

[[email protected] mnt]# systemctl restart nfs

[[email protected] mnt]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/server42.keytab

--2017-05-02 03:00:54--  http://classroom.example.com/pub/keytabs/server42.keytab

Resolving classroom.example.com (classroom.example.com)... 172.25.254.254

Connecting to classroom.example.com (classroom.example.com)|172.25.254.254|:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: 1258 (1.2K)

Saving to: ‘/etc/krb5.keytab’

 

100%[=====================================>] 1,258       --.-K/s   in 0s      

 

2017-05-02 03:00:54 (166 MB/s) - ‘/etc/krb5.keytab’ saved [1258/1258]

 

[[email protected] mnt]# systemctl status nfs-secure-server

nfs-secure-server.service - Secure NFS Server

   Loaded: loaded (/usr/lib/systemd/system/nfs-secure-server.service; disabled)

   Active: inactive (dead)

 

[[email protected] mnt]# systemctl start nfs-secure-server

[[email protected] mnt]# vim /etc/exports

/westos         *(sec=krb5p,rw)

[[email protected] mnt]# exportfs -rv

exporting 172.25.42.0/24:/westos

[[email protected] mnt]# systemctl restart nfs-secure-server.service

[[email protected] mnt]# systemctl status nfs-secure-server.service

nfs-secure-server.service - Secure NFS Server

   Loaded: loaded (/usr/lib/systemd/system/nfs-secure-server.service; disabled)

   Active: active (running) since Tue 2017-05-02 03:06:53 EDT; 2min 10s ago

  Process: 2644 ExecStart=/usr/sbin/rpc.svcgssd $RPCSVCGSSDARGS (code=exited, status=0/SUCCESS)

 Main PID: 2645 (rpc.svcgssd)

   CGroup: /system.slice/nfs-secure-server.service

           └─2645 /usr/sbin/rpc.svcgssd

 

May 02 03:06:53 server42.example.com systemd[1]: Starting Secure NFS Server...

May 02 03:06:53 server42.example.com systemd[1]: Started Secure NFS Server.

Hint: Some lines were ellipsized, use -l to show in full.

 

 

[[email protected] Desktop]$ ssh [email protected]

[email protected]‘s password:

[[email protected] ~]# hostnamectl set-hostname desktop42.example.com

[[email protected] ~]# vim /etc/yum.repos.d/rhel_dvd.repo

[[email protected] ~]# yum clean all

Loaded plugins: langpacks

Cleaning repos: rhel_dvd

Cleaning up everything

[[email protected] ~]# exit

logout

Connection to 172.25.42.10 closed.

[[email protected] Desktop]$ ssh [email protected] -X

[email protected]‘s password:

Last login: Tue May  2 02:33:42 2017 from 172.25.42.250

/usr/bin/xauth:  file /root/.Xauthority does not exist

[[email protected] ~]# cd /mnt/

[[email protected] mnt]# ls

auth-config.sh

[[email protected] mnt]# sh auth-config.sh

install packages...

configure...

success!!

[[email protected] mnt]# id ldapuser1

uid=1701(ldapuser1) gid=1701(ldapuser1) groups=1701(ldapuser1)

[[email protected] mnt]# cd

[[email protected] ~]# mount 172.25.42.11:/westos /mnt

mount.nfs: an incorrect mount option was specified

[[email protected] ~]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/desktop42.keytab

--2017-05-02 03:04:47--  http://classroom.example.com/pub/keytabs/desktop42.keytab

Resolving classroom.example.com (classroom.example.com)... 172.25.254.254

Connecting to classroom.example.com (classroom.example.com)|172.25.254.254|:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: 1274 (1.2K)

Saving to: ‘/etc/krb5.keytab’

 

100%[=====================================>] 1,274       --.-K/s   in 0s      

 

2017-05-02 03:04:47 (158 MB/s) - ‘/etc/krb5.keytab’ saved [1274/1274]

 

[[email protected] ~]# systemctl start nfs-secure

 

[[email protected] ~]# mount 172.25.42.11:/westos /mnt

mount.nfs: access denied by server while mounting 172.25.42.11:/westos

[[email protected] ~]# systemctl status nfs-secure.service

nfs-secure.service - Secure NFS

   Loaded: loaded (/usr/lib/systemd/system/nfs-secure.service; disabled)

   Active: active (running) since Tue 2017-05-02 03:10:34 EDT; 4min 32s ago

  Process: 1680 ExecStart=/usr/sbin/rpc.gssd $RPCGSSDARGS (code=exited, status=0/SUCCESS)

 Main PID: 1681 (rpc.gssd)

   CGroup: /system.slice/nfs-secure.service

           └─1681 /usr/sbin/rpc.gssd

 

May 02 03:10:34 desktop42.example.com systemd[1]: Starting Secure NFS...

May 02 03:10:34 desktop42.example.com systemd[1]: Started Secure NFS.

May 02 03:10:42 desktop42.example.com rpc.gssd[1681]: ERROR: unable to resol...

May 02 03:10:42 desktop42.example.com rpc.gssd[1681]: ERROR: failed to read ...

Hint: Some lines were ellipsized, use -l to show in full.

[[email protected] ~]# vim /etc/hosts

[[email protected] ~]# cat /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4

::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

 

172.25.254.254 classroom.example.com

172.25.254.254 content.example.com

172.25.42.10 desktop42.example.com

172.25.42.11 server42.example.com

[[email protected] ~]# systemctl status nfs-secure.service

nfs-secure.service - Secure NFS

   Loaded: loaded (/usr/lib/systemd/system/nfs-secure.service; enabled)

   Active: active (running) since Tue 2017-05-02 03:32:35 EDT; 11min ago

  Process: 1951 ExecStart=/usr/sbin/rpc.gssd $RPCGSSDARGS (code=exited, status=0/SUCCESS)

 Main PID: 1952 (rpc.gssd)

   CGroup: /system.slice/nfs-secure.service

           └─1952 /usr/sbin/rpc.gssd

 

May 02 03:32:35 desktop42.example.com systemd[1]: Starting Secure NFS...

May 02 03:32:35 desktop42.example.com systemd[1]: Started Secure NFS.

[[email protected] ~]# mount -o vers=4.2,sec=krb5p 172.25.42.11:/westos /mnt

[[email protected] ~]# df

Filesystem           1K-blocks    Used Available Use% Mounted on

/dev/vda1             10473900 3169228   7304672  31% /

devtmpfs                493408       0    493408   0% /dev

tmpfs                   508996      80    508916   1% /dev/shm

tmpfs                   508996   13380    495616   3% /run

tmpfs                   508996       0    508996   0% /sys/fs/cgroup

172.25.42.11:/westos  10473984 3168512   7305472  31% /mnt

[[email protected] ~]#
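Two things went wrong in the transcript above before the krb5p mount succeeded: rpc.gssd could not resolve the server name (fixed by adding the hosts to /etc/hosts), and the keytab itself arrived over plain HTTP, which is acceptable only in a classroom; the keytab is the host's long-term Kerberos key, so whoever reads it can obtain tickets as that host. The script below is an added example, not part of the original notes or of any Red Hat lab: it performs the pre-flight checks a client should pass before `mount -o sec=krb5p`. It assumes a GNU/Linux userland (`find -maxdepth`, `getent`, `hostname -f`) and the RHEL 7 service name `nfs-secure` (`rpc-gssd.service` on newer systems); server and IP names are the classroom ones.

```bash
#!/bin/bash
# Pre-flight checks for a Kerberized NFS client (sec=krb5/krb5i/krb5p).
# Added example, not part of the original lecture notes. Assumes GNU find,
# getent, hostname -f and the RHEL 7 service name nfs-secure.

# keytab_ok FILE [OWNER]
# The keytab is the host's long-term Kerberos key: it must be a regular file
# owned by OWNER (root by default) with mode exactly 0600.
keytab_ok() {
    local f=$1 owner=${2:-root}
    [ -f "$f" ] || return 1
    find "$f" -maxdepth 0 -type f -user "$owner" -perm 0600 | grep -q .
}

# hosts_lookup HOSTSFILE NAME
# Print every address HOSTSFILE maps NAME to (comments stripped, de-duplicated).
hosts_lookup() {
    awk -v name="$2" '
        { sub(/#.*/, "") }
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == name) print $1 }
    ' "$1" | sort -u
}

# fqdn_consistent HOSTSFILE FQDN IP
# True only when FQDN maps to IP and to nothing else. rpc.gssd derives the
# service principal nfs/<name>@REALM from the name given to mount, so a
# stale or duplicate entry produces a principal the KDC does not know.
fqdn_consistent() {
    [ "$(hosts_lookup "$1" "$2")" = "$3" ]
}

# preflight SERVER_FQDN SERVER_IP   (run as root on the client)
preflight() {
    local rc=0
    keytab_ok /etc/krb5.keytab \
        || { echo "FAIL: /etc/krb5.keytab missing or not root:0600"; rc=1; }
    fqdn_consistent /etc/hosts "$1" "$2" \
        || { echo "FAIL: $1 does not map only to $2 in /etc/hosts"; rc=1; }
    getent hosts "$(hostname -f)" >/dev/null \
        || { echo "FAIL: own FQDN $(hostname -f) does not resolve"; rc=1; }
    systemctl is-active nfs-secure >/dev/null 2>&1 \
        || { echo "FAIL: nfs-secure (rpc.gssd) is not running"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: ready for mount -o sec=krb5p $1:/export /mnt"
    return "$rc"
}

# Example: ./nfs-preflight.sh server42.example.com 172.25.42.11
if [ "$#" -eq 2 ]; then preflight "$@"; fi
```

Run it with the server's FQDN and address; it exits non-zero and names the failing check. In production, obtain the keytab with `ipa-getkeytab` or copy it over SSH rather than HTTP, and verify the principal it contains with `klist -k /etc/krb5.keytab`.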

 

Unit 7: CIFS File Storage

 

I. SMB file sharing

 

1. The Common Internet File System (CIFS), also known as Server Message Block (SMB), is the standard file and printer sharing protocol for Microsoft Windows servers and clients. The Samba service exports Linux file systems as CIFS/SMB network shares and Linux printers as CIFS/SMB printer shares. Samba consists of:

1) Packages:

samba-common – support files for Samba

samba-client – client programs (smbclient and friends)

samba – the server

2) Service names: smb, nmb

3) Ports: all connections normally use TCP/445. UDP/137 and UDP/138 (NetBIOS name service and datagrams, served by nmb) and TCP/139 (NetBIOS session, served by smb) are kept for backward compatibility.

4) Main configuration file: /etc/samba/smb.conf

2. /etc/samba/smb.conf: the [global] section

1) workgroup specifies the Windows workgroup or domain name.

2) hosts allow is a comma-, space- or tab-separated list of hosts permitted to use the service. Set in [global] it applies to every share, regardless of per-share settings. Hosts may be given by name or by address; a trailing dot denotes a network, so hosts allow = 192.168.0. admits the whole 192.168.0.0/24 network (allow hosts is a synonym). Without it, every host that can reach TCP/445 may attempt to authenticate.

3) security

This option controls how clients authenticate to Samba and is one of the most important settings in smb.conf.

security = user   Clients must log in with a valid username and password (the default).

security = domain   Works only once the machine has been joined to an NT-style domain and requires encrypted passwords = yes. Samba validates the username/password by passing it to a Windows NT primary or backup domain controller, exactly as a Windows NT server does. A valid UNIX account must still exist alongside the account on the domain controller so that Samba can map file access to a UNIX identity. The password server parameter names the server Samba uses to validate passwords.

security = server   Samba validates the username/password by passing it to another SMB server named by the password server parameter. This mode has long been deprecated upstream and should not be used in new deployments; use domain or ads instead.

security = ads   Samba acts as a domain member in an Active Directory realm. Kerberos must be installed and configured on the Samba host, and the machine must be joined to the realm with the net utility (net ads join).

3. /etc/samba/smb.conf: other sections

1) [homes]

This share, enabled by default, is a special share that makes each user's home directory available over CIFS. It includes browseable = no, so it does not appear in share listings until the user has authenticated. The share can be addressed as homes (Samba then substitutes the path of the user's home directory) or by the username.

2) [printers]

Also available by default; shares the printers currently configured on the system.

3) [share]

To add another share, put its name in square brackets as above. Every share needs at least a path parameter; without valid users or write list every authenticated user gets whatever access the share and the file system permissions allow.

4. Example:
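The options above interact: a share option set in [global] becomes the default for every share, guest ok only matters once map to guest downgrades failed logins, and admin users makes Samba perform file operations as root. The script below is an added example, not part of the original notes and not a Samba tool; it is a static audit of an smb.conf that reports exactly those interactions. It assumes awk and a plain smb.conf (run `testparm -s` first if the file uses include = or unusual spelling; testparm normalises it). The finding texts are this script's own.

```bash
#!/bin/bash
# Static audit of smb.conf for the [global] and share options discussed above.
# Added example; not a Samba tool. Usage: audit_smbconf /etc/samba/smb.conf

audit_smbconf() {
    awk '
    function trim(s)  { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function norm(s)  { s = tolower(trim(s)); gsub(/[ \t]+/, " ", s); return s }
    function truth(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
    # has/get look in the share first, then in [global], which supplies the
    # default for every share option (this is how "guest ok" in [global] leaks).
    function has(s, k) { return ((s, k) in val) || (("global", k) in val) }
    function get(s, k) { return ((s, k) in val) ? val[s, k] : val["global", k] }
    function writable(s) {
        if (has(s, "read only")) return !truth(get(s, "read only"))
        if (has(s, "writable"))  return truth(get(s, "writable"))
        if (has(s, "writeable")) return truth(get(s, "writeable"))
        if (has(s, "write ok"))  return truth(get(s, "write ok"))
        return 0                          # Samba default: read only = yes
    }
    function guest(s) {
        return (has(s, "guest ok") && truth(get(s, "guest ok"))) ||
               (has(s, "public") && truth(get(s, "public")))
    }
    BEGIN { sec = "global"; name["global"] = "global" }
    /^[ \t]*[;#]/ { next }                     # only whole-line comments exist
    /^[ \t]*\[.*\][ \t]*$/ {                   # [share] header
        raw = trim($0); raw = substr(raw, 2, length(raw) - 2)
        sec = tolower(raw); name[sec] = raw; order[++n] = sec; next
    }
    index($0, "=") > 0 {                       # key = value, keys case-insensitive
        eq = index($0, "=")
        val[sec, norm(substr($0, 1, eq - 1))] = trim(substr($0, eq + 1))
    }
    END {
        if (has("global", "security") && tolower(get("global", "security")) != "user")
            print "global: security = " get("global", "security") " (server mode is deprecated; domain/ads depend on a reachable DC)"
        if (!has("global", "hosts allow") && !has("global", "allow hosts"))
            print "global: no hosts allow, every host that reaches tcp/445 may try to log in"
        mtg = has("global", "map to guest") ? tolower(get("global", "map to guest")) : "never"
        if (mtg != "never")
            print "global: map to guest = " mtg " (failed logins are downgraded to guest)"
        for (i = 1; i <= n; i++) {
            s = order[i]; if (s == "global") continue
            if (s != "homes" && s != "printers" && !((s, "path") in val))
                print name[s] ": no path"
            if (has(s, "admin users"))
                print name[s] ": admin users = " get(s, "admin users") " (file operations run as root)"
            if (guest(s)) {
                msg = writable(s) ? " and writable, anonymous write access" : ", anonymous read access"
                print name[s] ": guest ok" msg
            } else if (writable(s) && !has(s, "valid users"))
                print name[s] ": writable by every authenticated user (no valid users)"
        }
    }' "$1"
}

if [ "$#" -gt 0 ]; then audit_smbconf "$@"; fi
```

Run it against the configuration built in the example that follows and it flags the map to guest / guest ok pair (anonymous read of [TEST]), the admin users entry, and the missing hosts allow. It deliberately does not look at the file system; a share that Samba allows to write is still limited by the mode of the directory, which is why the example below has to chmod /westos before writes succeed.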

[[email protected] ~]# yum search samba

[[email protected] ~]# yum install samba-client.x86_64 -y

[[email protected] ~]# yum install samba-common.x86_64 -y

[[email protected] ~]# yum install samba.x86_64 -y

[[email protected] ~]# systemctl start smb

[[email protected] ~]# systemctl status smb

smb.service - Samba SMB Daemon

   Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled)

   Active: active (running) since Tue 2017-05-02 08:54:51 EDT; 5s ago

 Main PID: 2943 (smbd)

   Status: "smbd: ready to serve connections..."

   CGroup: /system.slice/smb.service

           ├─2943 /usr/sbin/smbd

           └─2944 /usr/sbin/smbd

 

May 02 08:54:51 desktop62.example.com smbd[2943]: [2017/05/02 08:54:51.686451...

May 02 08:54:51 desktop62.example.com systemd[1]: Started Samba SMB Daemon.

Hint: Some lines were ellipsized, use -l to show in full.

[[email protected] ~]# firewall-cmd --list-all

public (default, active)

  interfaces: eth0

  sources:

  services: dhcpv6-client ssh

  ports:

  masquerade: no

  forward-ports:

  icmp-blocks:

  rich rules:

 

[[email protected] ~]# firewall-cmd --permanent --add-service=samba

success

[[email protected] ~]# firewall-cmd --reload

success

[[email protected] ~]# firewall-cmd --list-all

public (default, active)

  interfaces: eth0

  sources:

  services: dhcpv6-client samba ssh

  ports:

  masquerade: no

  forward-ports:

  icmp-blocks:

  rich rules:

 

[[email protected] ~]# smbclient -L //172.25.254.63

Enter root's password:

Anonymous login successful

Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]

 

Sharename       Type      Comment

---------       ----      -------

IPC$            IPC       IPC Service (Samba Server Version 4.1.1)

Anonymous login successful

Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]

 

Server               Comment

---------            -------

 

Workgroup            Master

---------            -------

[[email protected] ~]# vim /etc/samba/smb.conf

 89         workgroup = WESTOS

[[email protected] ~]# systemctl restart smb.service

[[email protected] ~]# smbclient -L //172.25.254.63

Enter root's password:

Anonymous login successful

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

 

Sharename       Type      Comment

---------       ----      -------

IPC$            IPC       IPC Service (Samba Server Version 4.1.1)

Anonymous login successful

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

 

Server               Comment

---------            -------

 

Workgroup            Master

---------            -------

[[email protected] ~]# ls -ld /westos

ls: cannot access /westos: No such file or directory

[[email protected] ~]# mkdir /westos

[[email protected] ~]# vim /etc/samba/smb.conf

321 [TEST]

322         comment = WESTOS DIRECTORY

323         path = /westos

[[email protected] ~]# systemctl restart smb.service

[[email protected] ~]# smbclient -L //172.25.254.63

Enter root's password:

Anonymous login successful

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

 

Sharename       Type      Comment

---------       ----      -------

TEST            Disk      WESTOS DIRECTORY

IPC$            IPC       IPC Service (Samba Server Version 4.1.1)

Anonymous login successful

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

 

Server               Comment

---------            -------

 

Workgroup            Master

---------            -------

[[email protected] ~]# vim /etc/samba/smb.conf

 90         server string = SAMBA

[[email protected] ~]# systemctl restart smb.service

[[email protected] ~]# smbclient -L //172.25.254.63

Enter root's password:

Anonymous login successful

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

 

Sharename       Type      Comment

---------       ----      -------

TEST            Disk      WESTOS DIRECTORY

IPC$            IPC       IPC Service (SAMBA)

Anonymous login successful

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

 

Server               Comment

---------            -------

 

Workgroup            Master

---------            -------

[[email protected] ~]# vim /etc/samba/smb.conf

 96         hosts allow = 127.

[[email protected] ~]# systemctl restart smb.service

[[email protected] ~]# smbclient -L //172.25.254.63

Enter root's password:

protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE

[[email protected] ~]# vim /etc/samba/smb.conf

 96         hosts allow = 127. 172.25.254.63

[[email protected] ~]# systemctl restart smb.service

[[email protected] ~]# smbclient -L //172.25.254.63

Enter root's password:

Anonymous login successful

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

 

Sharename       Type      Comment

---------       ----      -------

TEST            Disk      WESTOS DIRECTORY

IPC$            IPC       IPC Service (SAMBA)

Anonymous login successful

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

 

Server               Comment

---------            -------

 

Workgroup            Master

---------            -------

[[email protected] ~]# vim /etc/samba/smb.conf

 96         hosts deny = 127. 172.25.254.63  

[[email protected] ~]# systemctl restart smb.service

[[email protected] ~]# smbclient -L //172.25.254.63

Enter root's password:

protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE

[[email protected] ~]# vim /etc/samba/smb.conf

 96 ;       hosts deny = 127. 172.25.254.63  

[[email protected] ~]# systemctl restart smb.service

[[email protected] ~]# smbclient -L //172.25.254.63

Enter root's password:

Anonymous login successful

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

 

Sharename       Type      Comment

---------       ----      -------

TEST            Disk      WESTOS DIRECTORY

IPC$            IPC       IPC Service (SAMBA)

Anonymous login successful

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

 

Server               Comment

---------            -------

 

Workgroup            Master

---------            -------

[[email protected] ~]#

[[email protected] ~]# mount //172.25.254.63/TEST /mnt/ -o username=westos,password=westos

[[email protected] ~]# df

Filesystem           1K-blocks    Used Available Use% Mounted on

/dev/vda1             10473900 6809552   3664348  66% /

devtmpfs                493408       0    493408   0% /dev

tmpfs                   508996     140    508856   1% /dev/shm

tmpfs                   508996   13396    495600   3% /run

tmpfs                   508996       0    508996   0% /sys/fs/cgroup

/dev/loop0             3654720 3654720         0 100% /rhel7.0

//172.25.254.63/TEST  10473900 6809552   3664348  66% /mnt

[[email protected] ~]# ls /mnt/

file

[[email protected] ~]# touch /mnt/file1

touch: cannot touch '/mnt/file1': Permission denied

[[email protected] ~]# vim /etc/samba/smb.conf

326         writable = yes

[[email protected] ~]# systemctl restart smb.service

[[email protected] ~]# rm -fr /mnt/file

rm: cannot remove '/mnt/file': Permission denied

[[email protected] ~]# ls -ld /westos/

drwxr-xr-x. 2 root root 17 May  2 09:07 /westos/

[[email protected] ~]# chmod 777 /westos/

[[email protected] ~]# touch /mnt/file1

[[email protected] ~]# ls /mnt/

file  file1

[[email protected] ~]# rm -fr /mnt/file

[[email protected] ~]# ls /mnt/

file1

[[email protected] ~]# vim /etc/samba/smb.conf

323 [TEST]

324         comment = WESTOS DIRECTORY

325         path = /westos

326 ;       writable = yes

327         write list = westos

[[email protected] ~]# systemctl restart smb.service

[[email protected] ~]# touch /mnt/file2

[[email protected] ~]# ls /mnt/

file1  file2

[[email protected] ~]# umount /mnt/

[[email protected] ~]# mount //172.25.254.63/TEST /mnt/ -o username=linux,password=linux

[[email protected] ~]# ls /mnt/

file1  file2

[[email protected] ~]# touch /mnt/file3

touch: cannot touch '/mnt/file3': Permission denied

[[email protected] ~]# rm -fr /mnt/file

[[email protected] ~]# ls /mnt/

file1  file2

[[email protected] ~]# rm -fr /mnt/file1

rm: cannot remove '/mnt/file1': Read-only file system

[[email protected] ~]# ls /mnt/

file1  file2

[[email protected] ~]# vim /etc/samba/smb.conf

323 [TEST]

324         comment = WESTOS DIRECTORY

325         path = /westos

326 ;       writable = yes

327         write list = @westos

[[email protected] ~]# systemctl restart smb.service

[[email protected] ~]# usermod -G westos linux

[[email protected] ~]# touch /mnt/file3

[[email protected] ~]# ls /mnt/

file1  file2  file3

[[email protected] ~]# rm -fr /mnt/file1

[[email protected] ~]# ls /mnt/

file2  file3

[[email protected] ~]# vim /etc/samba/smb.conf

323 [TEST]

324         comment = WESTOS DIRECTORY

325         path = /westos

326 ;       writable = yes

327         write list = @westos

328         valid users = westos

[[email protected] ~]# umount /mnt/

[[email protected] ~]# systemctl restart smb.service

[[email protected] ~]# smbclient //172.25.254.63/TEST -U westos

Enter westos's password:

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

smb: \> ls

  .                                   D        0  Tue May  2 09:52:57 2017

  ..                                  D        0  Tue May  2 09:03:42 2017

  file2                               N        0  Tue May  2 09:49:42 2017

  file3                               N        0  Tue May  2 09:52:44 2017

 

40913 blocks of size 262144. 14298 blocks available

smb: \> quit

[[email protected] ~]# smbclient //172.25.254.63/TEST -U linux

Enter linux's password:

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

tree connect failed: NT_STATUS_ACCESS_DENIED

[[email protected] ~]# vim /etc/samba/smb.conf

323 [TEST]

324         comment = WESTOS DIRECTORY

325         path = /westos

326 ;       writable = yes

327         write list = @westos

328         valid users = +westos

[[email protected] ~]# systemctl restart smb.service

[[email protected] ~]# smbclient //172.25.254.63/TEST -U linux

Enter linux's password:

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

smb: \> ls

  .                                   D        0  Tue May  2 09:52:57 2017

  ..                                  D        0  Tue May  2 09:03:42 2017

  file2                               N        0  Tue May  2 09:49:42 2017

  file3                               N        0  Tue May  2 09:52:44 2017

 

40913 blocks of size 262144. 14297 blocks available

smb: \> quit

[[email protected] ~]# vim /etc/samba/smb.conf

323 [TEST]

324         comment = WESTOS DIRECTORY

325         path = /westos

326 ;       writable = yes

327         write list = @westos

328 ;       valid users = +westos

329         browseable = yes

[[email protected] ~]# systemctl restart smb.service

[[email protected] ~]# smbclient -L //172.25.254.63/TEST -U linux

Enter linux's password:

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

 

Sharename       Type      Comment

---------       ----      -------

TEST            Disk      WESTOS DIRECTORY

IPC$            IPC       IPC Service (SAMBA)

linux           Disk      Home Directories

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

 

Server               Comment

---------            -------

 

Workgroup            Master

---------            -------

[[email protected] ~]# vim /etc/samba/smb.conf

323 [TEST]

324         comment = WESTOS DIRECTORY

325         path = /westos

326 ;       writable = yes

327         write list = @westos

328 ;       valid users = +westos

329         browseable = no

[[email protected] ~]# systemctl restart smb.service

[[email protected] ~]# smbclient -L //172.25.254.63/TEST -U linux

Enter linux's password:

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

 

Sharename       Type      Comment

---------       ----      -------

IPC$            IPC       IPC Service (SAMBA)

linux           Disk      Home Directories

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

 

Server               Comment

---------            -------

 

Workgroup            Master

---------            -------

[[email protected] ~]# smbclient //172.25.254.63/TEST -U linux

Enter linux's password:

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

smb: \> ls

  .                                   D        0  Tue May  2 09:52:57 2017

  ..                                  D        0  Tue May  2 09:03:42 2017

  file2                               N        0  Tue May  2 09:49:42 2017

  file3                               N        0  Tue May  2 09:52:44 2017

 

40913 blocks of size 262144. 14297 blocks available

smb: \> quit

[[email protected] ~]# ll -d /westos/

drwxrwxrwx. 2 root root 30 May  2 09:52 /westos/

[[email protected] ~]# chmod 755 /westos/

[[email protected] ~]# vim /etc/samba/smb.conf

323 [TEST]

324         comment = WESTOS DIRECTORY

325         path = /westos

326 ;       writable = yes

327         write list = @westos

328 ;       valid users = +westos

329         browseable = no

330         admin users = westos

[[email protected] ~]# systemctl restart smb.service

[[email protected] ~]# smbclient //172.25.254.63/TEST -U westos

Enter westos's password:

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

smb: \> ls

  .                                   D        0  Tue May  2 09:52:57 2017

  ..                                  D        0  Tue May  2 09:03:42 2017

  file2                               N        0  Tue May  2 09:49:42 2017

  file3                               N        0  Tue May  2 09:52:44 2017

 

40913 blocks of size 262144. 14297 blocks available

smb: \> !ls

anaconda-ks.cfg  Documents  Music     Public  Videos

Desktop  Downloads  Pictures  Templates

smb: \> put anaconda-ks.cfg

putting file anaconda-ks.cfg as \anaconda-ks.cfg (8416.2 kb/s) (average 8417.0 kb/s)

smb: \> quit

[[email protected] ~]# ls -l /westos/

total 12

-rwxr--r--. 1 root   westos 8619 May  2 10:01 anaconda-ks.cfg

-rw-r--r--. 1 westos westos    0 May  2 09:49 file2

-rw-r--r--. 1 linux  linux     0 May  2 09:52 file3

[[email protected] ~]# smbclient //172.25.254.63/TEST

Enter root's password:

Anonymous login successful

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

tree connect failed: NT_STATUS_ACCESS_DENIED

[[email protected] ~]# vim /etc/samba/smb.conf

125         map to guest = bad user

323 [TEST]

324         comment = WESTOS DIRECTORY

325         path = /westos

326 ;       writable = yes

327         write list = @westos

328 ;       valid users = +westos

329         browseable = no

330         admin users = westos

331         guest ok = yes

[[email protected] ~]# systemctl restart smb.service

[[email protected] ~]# smbclient //172.25.254.63/TEST

Enter root's password:

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

smb: \> ls

  .                                   D        0  Tue May  2 10:01:45 2017

  ..                                  D        0  Tue May  2 09:03:42 2017

  file2                               N        0  Tue May  2 09:49:42 2017

  file3                               N        0  Tue May  2 09:52:44 2017

  anaconda-ks.cfg                     A     8619  Tue May  2 10:01:45 2017

 

40913 blocks of size 262144. 14297 blocks available

smb: \> quit

[[email protected] ~]#

 

 

II. SMB users

 

1. useradd

security = user requires both a UNIX account and a Samba account. Add the UNIX user (ideally with the same name as the Samba account), or put an entry in /etc/samba/smbusers (the file ships with examples). For a Samba-only user, set the login shell to /sbin/nologin so the account can authenticate to Samba but cannot log in to the system:

[[email protected] ~]# useradd -s /sbin/nologin wxh

2. smbpasswd

Without a Samba password server, the authentication data must be created on the local machine. smbpasswd creates Samba accounts and sets their passwords; the Samba password is separate from the UNIX password.

Given only a username and no option, smbpasswd changes that account's password. With -a it adds the account and sets its password. The UNIX account must already exist, which is why the attempt to add user1 at the end of the example fails.

[[email protected] ~]# smbpasswd -a wxh

New SMB password: westos

Retype new SMB password: westos

Added user wxh.

3. Example:

[[email protected] ~]# useradd westos

[[email protected] ~]# useradd linux

[[email protected] ~]# usermod -s /sbin/nologin westos

[[email protected] ~]# usermod -s /sbin/nologin linux

[[email protected] ~]# pdbedit -L

[[email protected] ~]# smbpasswd -a westos

New SMB password:

Retype new SMB password:

Added user westos.

[[email protected] ~]# smbpasswd -a linux

New SMB password:

Retype new SMB password:

Added user linux.

[[email protected] ~]# pdbedit -L

westos:1001:

linux:1002:

[[email protected] ~]# smbclient //172.25.254.63/TEST -U westos

Enter westos's password:

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

smb: \> ls

NT_STATUS_ACCESS_DENIED listing \*

smb: \> quit

[[email protected] ~]# smbclient -L //172.25.254.63/TEST -U westos

Enter westos's password:

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

 

Sharename       Type      Comment

---------       ----      -------

TEST            Disk      WESTOS DIRECTORY

IPC$            IPC       IPC Service (SAMBA)

westos          Disk      Home Directories

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

 

Server               Comment

---------            -------

 

Workgroup            Master

---------            -------

[[email protected] ~]# smbclient -L //172.25.254.63/TEST -U linux

Enter linux's password:

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

 

Sharename       Type      Comment

---------       ----      -------

TEST            Disk      WESTOS DIRECTORY

IPC$            IPC       IPC Service (SAMBA)

linux           Disk      Home Directories

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

 

Server               Comment

---------            -------

 

Workgroup            Master

---------            -------

[[email protected] ~]# smbpasswd -a user1

New SMB password:

Retype new SMB password:

Failed to add entry for user user1.

[[email protected] ~]# pdbedit -L

westos:1001:

linux:1002:

[[email protected] ~]#

 

III. Securing SMB

 

1. The samba_enable_home_dirs and use_samba_home_dirs SELinux booleans

samba_enable_home_dirs lets local Linux home directories be exported to other systems as CIFS shares. use_samba_home_dirs, conversely, lets remote CIFS shares be mounted and used as local Linux home directories.

# setsebool -P samba_enable_home_dirs on

samba_share_t

The file context for user-defined Samba shares. Record the rule with semanage so it survives a relabel, then apply it:

# chcon -R -t samba_share_t /smbshare

# semanage fcontext -a -t samba_share_t '/smbshare(/.*)?'

# restorecon -vvFR /smbshare

samba_export_all_ro and samba_export_all_rw

Allow Samba to export any system directory regardless of its label, read-only or read-write. These are blunt instruments that remove the SELinux confinement from every share at once; prefer labelling the share directory with samba_share_t.

# setsebool -P samba_export_all_ro on

# setsebool -P samba_export_all_rw on

2. Example:

[[email protected] ~]# smbclient //172.25.254.63/westos -U westos

Enter westos's password:

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

smb: \> ls

NT_STATUS_ACCESS_DENIED listing \*

smb: \> quit

[[email protected] ~]# getsebool -a | grep samba

samba_create_home_dirs --> off

samba_domain_controller --> off

samba_enable_home_dirs --> off

samba_export_all_ro --> off

samba_export_all_rw --> off

samba_portmapper --> off

samba_run_unconfined --> off

samba_share_fusefs --> off

samba_share_nfs --> off

sanlock_use_samba --> off

use_samba_home_dirs --> off

virt_sandbox_use_samba --> off

virt_use_samba --> off

[[email protected] ~]# setsebool -P samba_enable_home_dirs=on

[[email protected] ~]# getsebool -a | grep samba

samba_create_home_dirs --> off

samba_domain_controller --> off

samba_enable_home_dirs --> on

samba_export_all_ro --> off

samba_export_all_rw --> off

samba_portmapper --> off

samba_run_unconfined --> off

samba_share_fusefs --> off

samba_share_nfs --> off

sanlock_use_samba --> off

use_samba_home_dirs --> off

virt_sandbox_use_samba --> off

virt_use_samba --> off

[[email protected] ~]# smbclient //172.25.254.63/westos -U westos

Enter westos's password:

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

smb: \> ls

  .                                   D        0  Tue May  2 09:18:40 2017

  ..                                  D        0  Tue May  2 09:18:50 2017

  .bash_logout                        H       18  Wed Jan 29 07:45:18 2014

  .bash_profile                       H      193  Wed Jan 29 07:45:18 2014

  .bashrc                             H      231  Wed Jan 29 07:45:18 2014

  .mozilla                           DH        0  Thu Jul 10 18:29:32 2014

  .config                            DH        0  Thu Jul 10 19:06:52 2014

 

40913 blocks of size 262144. 14313 blocks available

smb: \> quit

[[email protected] ~]# smbclient //172.25.254.63/TEST -U westos

Enter westos's password:

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

smb: \> ls

NT_STATUS_ACCESS_DENIED listing \*

smb: \> quit

[[email protected] ~]# ls -Zd /westos/

drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /westos/

[[email protected] ~]# semanage fcontext -a -t samba_share_t '/westos(/.*)?'

[[email protected] ~]# restorecon -RvvF /westos/

restorecon reset /westos context unconfined_u:object_r:default_t:s0->system_u:object_r:samba_share_t:s0

restorecon reset /westos/file context unconfined_u:object_r:default_t:s0->system_u:object_r:samba_share_t:s0

[[email protected] ~]# smbclient //172.25.254.63/TEST -U westos

Enter westos's password:

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

smb: \> ls

  .                                   D        0  Tue May  2 09:07:26 2017

  ..                                  D        0  Tue May  2 09:03:42 2017

  file                                N        0  Tue May  2 09:07:26 2017

 

40913 blocks of size 262144. 14314 blocks available

smb: \> quit

[[email protected] ~]#

 

IV. Accessing CIFS shares

 

Four basic ways to connect to a CIFS share:

1. Graphical access

Go to Network -> Connect to Server and fill in the fields:

Server Address: 172.25.0.11

Username: wxh

Password: westos

2. Command-line, FTP-style access with smbclient:

[[email protected] ~]# smbclient -L server0.example.com -U wxh

Enter wxh's password: westos

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

[[email protected] ~]# smbclient //server0.example.com/smbshare -U wxh

Enter wxh's password: westos

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

smb: \> ls

  .                                   D        0  Thu Dec 18 17:27:27 2014

  ..                                  D        0  Thu Dec 18 11:37:20 2014

  testfile                            N       12  Thu Dec 18 11:38:03 2014

3. Mounting a CIFS share manually (the password is prompted for):

[[email protected] ~]# mount -o username=wxh //server0.example.com/smbshare /mnt/wxh

4. Mounting a CIFS share permanently

Add the following line (a single line) to /etc/fstab:

//server0.example.com/smbshare /mnt/wxh cifs credentials=/root/userpasswd 0 0

Create /root/userpasswd. It contains the password in clear text, so it must be owned by root with mode 600:

user=wxh

pass=westos

 

V. Practice (15 minutes)

 

Configure an SMB share on the serverX system according to the following requirements:

share the newly created directory /smbshare via SMB.

members of the supplementary group marketing have read and write permission on the share.

all users who are not members of the marketing group have read permission.

the Samba server is in the mycompany workgroup and the share name is smbshare.

create the Samba-only user brian, a member of the marketing group, with the password redhat.

create the Samba-only user rob, not a member of the marketing group, with the password redhat.

grade the setup on the serverX system with lab smbshare grade.
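A worked solution for the practice, added here as an example (it is not the course's lab script). The pattern that satisfies "marketing writes, everyone else reads" is read only = yes plus write list = @marketing in smb.conf, and on the file system a setgid directory owned by the marketing group with mode 2775, instead of the chmod 777 used in the transcript above, which lets every local user delete everything. Note also that useradd -G (and usermod -aG) adds a supplementary group, whereas the transcript's usermod -G westos linux replaces the user's existing supplementary groups. It assumes a RHEL 7 era Samba with SELinux enforcing, firewalld, and that it runs as root on serverX; the group name, paths and passwords are those of the exercise.

```bash
#!/bin/bash
# Solution for the smbshare practice. Added example; assumes root on serverX,
# RHEL 7 Samba, SELinux enforcing and firewalld.

SHARE_DIR=/smbshare
GROUP=marketing

# render_share_stanza NAME PATH GROUP
# The share stays read-only for every authenticated user; members of GROUP
# are listed in write list and therefore get write access.
render_share_stanza() {
    printf '[%s]\n        path = %s\n        read only = yes\n        write list = @%s\n' \
        "$1" "$2" "$3"
}

# add_samba_user NAME PASSWORD [GROUP]
# Samba-only account: no login shell, Samba password set non-interactively
# (smbpasswd -s reads the password twice from stdin).
add_samba_user() {
    local user=$1 pw=$2 group=$3
    if ! id "$user" >/dev/null 2>&1; then
        if [ -n "$group" ]; then useradd -s /sbin/nologin -G "$group" "$user"
        else useradd -s /sbin/nologin "$user"; fi
    fi
    printf '%s\n%s\n' "$pw" "$pw" | smbpasswd -a -s "$user"
}

setup_smbshare() {
    groupadd -f "$GROUP"
    mkdir -p "$SHARE_DIR"
    chgrp "$GROUP" "$SHARE_DIR"
    chmod 2775 "$SHARE_DIR"     # setgid: new files inherit the group; others read-only
    semanage fcontext -a -t samba_share_t "$SHARE_DIR(/.*)?" 2>/dev/null \
        || semanage fcontext -m -t samba_share_t "$SHARE_DIR(/.*)?"
    restorecon -Rv "$SHARE_DIR"
    sed -i 's/^\([[:space:]]*workgroup[[:space:]]*=\).*/\1 mycompany/' /etc/samba/smb.conf
    grep -q '^\[smbshare\]' /etc/samba/smb.conf \
        || render_share_stanza smbshare "$SHARE_DIR" "$GROUP" >> /etc/samba/smb.conf
    testparm -s >/dev/null            # abort on a syntax error before restarting
    add_samba_user brian redhat "$GROUP"
    add_samba_user rob redhat
    firewall-cmd --permanent --add-service=samba
    firewall-cmd --reload
    systemctl enable smb nmb
    systemctl restart smb nmb
}

# Example: ./smbshare-setup.sh apply
if [ "${1:-}" = "apply" ]; then setup_smbshare; fi
```

After running it, check from a client with `smbclient //serverX/smbshare -U brian` (put succeeds) and `-U rob` (put is denied, ls works); the user-level difference comes from write list, the file-level one from the 2775 directory mode.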

 

VI. SMB multiuser mounts

 

Demo: (desktopX)

Install the cifs-utils package, which provides the cifscreds command:

# yum install -y cifs-utils

Create the mount point for the multiuser mount:

# mkdir /mnt/multiuser

Create the SMB credentials file. The second line must append with >>, not >, otherwise it overwrites the username line; the file holds a clear-text password, so keep it owned by root with mode 600:

# echo 'username=brian' > /root/smb-multiuser.txt

# echo 'password=redhat' >> /root/smb-multiuser.txt

Edit /etc/fstab to mount the share permanently (a single line):

//server0/smbshare /mnt/multiuser cifs credentials=/root/smb-multiuser.txt,multiuser,sec=ntlmssp 0 0

# mount -a

# su - brian

$ touch /mnt/multiuser/brian.txt

touch: cannot touch '/mnt/multiuser/brian.txt': Permission denied

$ cifscreds add server0

Password: redhat

$ echo "multiuser" > /mnt/multiuser/brian.txt

$ cat /mnt/multiuser/brian.txt

multiuser

$ exit

# su - rob

$ cifscreds add server0

Password: redhat

$ echo "multiuser" > /mnt/multiuser/rob.txt

-bash: /mnt/multiuser/rob.txt: Permission denied

$ cat /mnt/multiuser/brian.txt

multiuser
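With multiuser, the credentials in root's file only establish the mount; until a user runs cifscreds add, the server sees no credentials for that user and denies access (the "Permission denied" brian hits above), and once they have, the server enforces its own write list / valid users per user, as the rob case shows. The helper below is an added example, not part of the original demo: it writes the credentials file correctly (one redirection, umask 077, mode 600, avoiding the overwrite mistake in the echo sequence above), refuses to mount unless the file is root-only, and records the fstab line. It assumes cifs-utils (mount.cifs, cifscreds) and GNU find; server0, smbshare and brian are the demo's names.

```bash
#!/bin/bash
# Client-side helpers for a multiuser CIFS mount. Added example, not part of
# the original demo. Assumes cifs-utils and GNU find; run mount_multiuser as root.

# write_cifs_credentials FILE USER PASSWORD [DOMAIN]
# Clear-text password on disk: create it under umask 077 and force 0600
# (the umask alone does not fix an existing world-readable file).
write_cifs_credentials() {
    local file=$1 user=$2 pw=$3 domain=$4
    ( umask 077
      {
          printf 'username=%s\npassword=%s\n' "$user" "$pw"
          if [ -n "$domain" ]; then printf 'domain=%s\n' "$domain"; fi
      } > "$file"
    ) && chmod 600 "$file"
}

# credentials_ok FILE [OWNER]
# Only OWNER (root on a real client) may read it, and it must name a user.
credentials_ok() {
    local f=$1 owner=${2:-root}
    [ -f "$f" ] || return 1
    find "$f" -maxdepth 0 -type f -user "$owner" -perm 0600 | grep -q . || return 1
    grep -q '^username=' "$f"
}

# fstab_line SERVER SHARE MOUNTPOINT CREDFILE
# multiuser: root's credentials only set up the mount; each user supplies
# their own with "cifscreds add SERVER" and is then authorised by the server
# as themselves. _netdev delays the mount until the network is up.
fstab_line() {
    printf '//%s/%s %s cifs credentials=%s,multiuser,sec=ntlmssp,_netdev 0 0\n' \
        "$1" "$2" "$3" "$4"
}

# mount_multiuser SERVER SHARE MOUNTPOINT CREDFILE   (root)
mount_multiuser() {
    credentials_ok "$4" || { echo "refusing: $4 must be root-owned and mode 0600" >&2; return 1; }
    mkdir -p "$3"
    grep -qF "//$1/$2 $3 " /etc/fstab || fstab_line "$1" "$2" "$3" "$4" >> /etc/fstab
    mount "$3"
}

# Example: write_cifs_credentials /root/smb-multiuser.txt brian redhat
#          ./cifs-multiuser.sh server0 smbshare /mnt/multiuser /root/smb-multiuser.txt
if [ "$#" -eq 4 ]; then mount_multiuser "$@"; fi
```

Each user then runs `cifscreds add server0` in their own session; the credential lives in that user's kernel keyring, so nothing about other users' passwords is stored on the client disk.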

Example:

[[email protected] ~]# vim /etc/samba/smb.conf

322         [TEST]

323         comment = westos directory

324         path = /westos

325         writable = yes

[[email protected] ~]# chmod 777 /westos/

[[email protected] ~]# systemctl restart smb.service

[[email protected] Desktop]# cd /

[[email protected] /]# mkdir /westos

[[email protected] /]# mount //172.25.254.142/TEST /westos/ -o username=westos,password=westos

[[email protected] /]# df

Filesystem            1K-blocks     Used Available Use% Mounted on

/dev/sda5             255713288 18117768 237595520   8% /

devtmpfs                1813796        0   1813796   0% /dev

tmpfs                   1826872      452   1826420   1% /dev/shm

tmpfs                   1826872     9032   1817840   1% /run

tmpfs                   1826872        0   1826872   0% /sys/fs/cgroup

/dev/sda2                198380   134004     64376  68% /boot

tmpfs                    365376       16    365360   1% /run/user/1000

tmpfs                    365376        0    365376   0% /run/user/0

//172.25.254.142/TEST  10473900  3166708   7307192  31% /westos

[[email protected] /]# useradd hello

[[email protected] /]# su hello

[[email protected] /]$ cd westos/

[[email protected] westos]$ ls

anaconda-ks.cfg  westosfile

[[email protected] westos]$ rm -fr anaconda-ks.cfg

[[email protected] westos]$ ls

westosfile

[[email protected] westos]$ exit

exit

[[email protected] yum.repos.d]# yum install cifs-utils -y

[[email protected] yum.repos.d]# vim /root/smbpassfile

[[email protected] yum.repos.d]# cat /root/smbpassfile

username=westos

password=westos

[[email protected] yum.repos.d]# df

Filesystem            1K-blocks     Used Available Use% Mounted on

/dev/sda5             255713288 18138096 237575192   8% /

devtmpfs                1813796        0   1813796   0% /dev

tmpfs                   1826872      452   1826420   1% /dev/shm

tmpfs                   1826872     9032   1817840   1% /run

tmpfs                   1826872        0   1826872   0% /sys/fs/cgroup

/dev/sda2                198380   134004     64376  68% /boot

tmpfs                    365376       16    365360   1% /run/user/1000

tmpfs                    365376        0    365376   0% /run/user/0

[[email protected] yum.repos.d]# mount //172.25.254.142/TEST /westos/ -o username=westos,password=westos

[[email protected] yum.repos.d]# df

Filesystem            1K-blocks     Used Available Use% Mounted on

/dev/sda5             255713288 18137520 237575768   8% /

devtmpfs                1813796        0   1813796   0% /dev

tmpfs                   1826872      452   1826420   1% /dev/shm

tmpfs                   1826872     9032   1817840   1% /run

tmpfs                   1826872        0   1826872   0% /sys/fs/cgroup

/dev/sda2                198380   134004     64376  68% /boot

tmpfs                    365376       16    365360   1% /run/user/1000

tmpfs                    365376        0    365376   0% /run/user/0

//172.25.254.142/TEST  10473900  3166712   7307188  31% /westos

[[email protected] westos]# mount //172.25.254.142/TEST /westos -o credentials=/root/smbpassfile,multiuser,sec=ntlmssp

[[email protected] westos]# df

Filesystem            1K-blocks     Used Available Use% Mounted on

/dev/sda5             255713288 18137436 237575852   8% /

devtmpfs                1813796        0   1813796   0% /dev

tmpfs                   1826872      452   1826420   1% /dev/shm

tmpfs                   1826872     9032   1817840   1% /run

tmpfs                   1826872        0   1826872   0% /sys/fs/cgroup

/dev/sda2                198380   134004     64376  68% /boot

tmpfs                    365376       16    365360   1% /run/user/1000

tmpfs                    365376        0    365376   0% /run/user/0

//172.25.254.142/TEST  10473900  3166692   7307208  31% /westos

[[email protected] westos]# su - hello

Last login: Tue May  2 12:02:21 CST 2017 on pts/0

[[email protected] ~]$ cd /westos

[[email protected] westos]$ ls

ls: reading directory .: Permission denied

[[email protected] westos]$ exit

logout

[[email protected] westos]# su - westos

su: user westos does not exist

[[email protected] westos]# useradd westos

[[email protected] westos]# su - westos

[[email protected] ~]$ cd /westos

[[email protected] westos]$ ls

ls: reading directory .: Permission denied

[[email protected] westos]$ cifscreds add 172.25.254.142

Password:

[[email protected] westos]$ ls

westosfile

[[email protected] westos]$ touch file

[[email protected] westos]$ ls

file  westosfile

[[email protected] westos]$ exit

logout

[[email protected] westos]# su - hello

Last login: Tue May  2 12:08:48 CST 2017 on pts/0

[[email protected] ~]$ cd /westos

[[email protected] westos]$ ls

ls: reading directory .: Permission denied

[[email protected] westos]$ cifscreds add 172.25.254.142

Password:

[[email protected] westos]$

[[email protected] westos]$ ls

ls: reading directory .: Permission denied

[[email protected] westos]$ exit

logout

[[email protected] westos]# ls

file  westosfile

[[email protected] westos]# rm -fr file

[[email protected] westos]# ls

westosfile

[[email protected] westos]# 
