System Administration (Süsteemihaldus) 2017/18 spring


0. Make sure you have finished all the tasks of the previous weeks.

This manual is tested and should work. If you find any errors or have a question about it, report them to alo.peets@ut.ee

1. Setting up a File Server

In distributed systems a file server is one (or many) hosts attached to a network and providing a file storage service that workstations or remote clients can use. The interaction between the client and the server is organized by the file service protocol. Multiple protocols exist in the domain of file services, and they can be categorized into groups:

  • LAN side vs. Internet side protocols
    • LAN side protocols usually offer a tighter binding between the server side storage and the client side. The client in this case has the remote storage explicitly visible as a local file system (we call this mapping or mounting the remote file system). The protocols here are NFS and CIFS/SMB. In addition to FS-level transparency, the LAN side protocols usually offer service discovery, helping the clients to discover the file services within the scope of the LAN.
    • Internet side protocols are mostly reduced to a request/response protocol design (FTP, SFTP, HTTP) and therefore focus on primitive actions such as download, upload and delete (as opposed to NFS, where we can edit the file directly; in FTP we have to download the file first).
      • A special subset here are protocols like DropBox and OwnCloud (and SSHFS), which are in fact Internet side protocols but do offer remote directory mapping (to local file systems). However, when editing a file in the mapped directory, the changes are stored locally first and then synced to the remote storage by the corresponding client software. Here the software on the client side is responsible for watching for changes on both remote and local files and syncing them correspondingly.
  • Standalone vs. Network File System vs. Distributed File System
    • How the actual data is stored:
      • on single server standalone
      • on multiple servers hierarchically
      • on multiple servers with block-level redundancy

In the case of NFS and CIFS/SMB the redundancy is usually achieved by having different physical servers contribute different portions of the so-called common file tree, just like different partitions of a hard drive contribute to one root tree:

  • /dev/sda1 -> /
  • /dev/sda2 -> /var

... we can have different NFS and SMB servers contributing to local root tree:

  • smb://10.9.8.7/common/opt -> /opt
  • nfs://10.9.8.5/common/home -> /home
  • nfs://10.9.8.5/common/share -> /usr/share


Here we see clear resource distribution, but we do not see redundancy yet, as each subtree is still stored on only one physical server. Redundancy in this case can be achieved by applying a distributed file system (like GlusterFS) to aggregate the storage of multiple servers using file-based replication.
Finally, systems like HDFS allow us to have automatic block-level redundancy and distribution.


!!! Make a backup! In this lab there is a higher than normal chance that you will break your machine (errors on boot), so you should make a backup.

Before you continue log into ETAIS https://minu.etais.ee -> Select your project -> Resources -> Virtual Machines -> Click on your machine name -> Backups -> Create

File System Quotas

A disk quota is a limit set by a system administrator that restricts certain aspects of file system usage on modern operating systems. The purpose of disk quotas is to ensure a fair distribution of storage resources and to protect against accidental filling of the file system.

First we need a disk that we can use without breaking things. When we created the machine in ETAIS we also specified one small separate 1GB disk. Now it's time to start using it. Do not mix up vda and vdb in this lab, otherwise you might break your whole machine, and in the worst case you break everything and must start the labs over from Week 3.

  • Identify the correct path and name of your secondary 1GB disk
    • # lsblk
  • Now we need to configure (format) it before we can use it.
    • # fdisk /dev/vdb
    • hit o to create a new empty DOS partition table
    • hit n to add a new partition
    • hit p to select primary type
    • hit 1 - Partition number (1-4, default 1):
    • hit 2048 - First sector (2048-2097151, default 2048)
    • hit ENTER if asked Last sector, +sectors or +size{K,M,G,T,P} (2048-2097151, default 2097151):
    • hit w to write table to disk and exit
  • # mkfs.ext4 /dev/vdb1
  • # mkdir /mnt/vdb1
  • # mount -t ext4 /dev/vdb1 /mnt/vdb1

Our manual is based on the more detailed public manual How To Enable User and Group Quotas: https://www.digitalocean.com/community/tutorials/how-to-enable-user-and-group-quotas

  • Install quota package
  • Initialize the user quotas on newly created file system
    • Edit the /etc/fstab and add mount point to /dev/vdb1 with usrquota parameter enabled.
    • /dev/vdb1       /mnt/vdb1       ext4    errors=remount-ro,usrquota,grpquota 0 1
      
  • remount the /mnt/vdb1 file system with mount -o remount /mnt/vdb1 command
  • Perform a quotacheck with the quotacheck -cugm /mnt/vdb1 command
  • Turn on quotas by running quotaon /mnt/vdb1


  • Create new user account called dataguy (use adduser command)


Before we continue with setting the quota for our new user, let's figure out what its UID is. A UID (user identifier) is a number assigned by Linux to each user on the system. This number is used to identify the user to the system and to determine which system resources the user can access. UIDs are stored in the /etc/passwd file. Groups in Linux are defined by GIDs (group IDs). Just like with UIDs, the first 100 GIDs are usually reserved for system use. The GID of 0 corresponds to the root group and the GID of 100 usually represents the users group. GIDs are stored in the /etc/group file.

Let's have a look at the current UID and GID of the newly created user dataguy:

  • # id dataguy

Later in this lab we are going to set up an NFS server and export a file system for remote usage. In particular we are going to rely on the user dataguy, as NFS expects the UID to be the same on both the NFS server and the NFS client hosts. Usually a centralized user directory server (DB or LDAP) is used with NFS to guarantee the uniqueness of user/UID pairs. For our test setup we simply agree to give the dataguy user a static UID.

Now we can change the dataguy UID and GID to 2001 (they don't have to match, but we like to keep them the same):

  • # usermod -u 2001 dataguy
  • # groupmod -g 2001 dataguy

The following two commands find all files with the old UID and GID and change them to the new ones. PS! The <...ID> fields need to be replaced with the correct values.

  • # find / -user <OLDUID> -exec chown -h <NEWUID> {} \;
  • # find / -group <OLDGID> -exec chgrp -h <NEWGID> {} \;

E.g. on the teacher's machine the correct commands looked like this:

  • # find / -user 1005 -exec chown -h 2001 {} \;
  • # find / -group 1005 -exec chgrp -h 2001 {} \;

Finally, let's update the dataguy group membership:

  • # usermod -g 2001 dataguy

The output of id dataguy should now look like this:

uid=2001(dataguy) gid=2001(dataguy) groups=2001(dataguy),100(users)

After the UID of a dataguy user is fixed we may finally proceed to quota settings:

  • Set the quotas for dataguy with a command edquota dataguy
    • You can exit the editor with CTRL-K then q followed by y key combination
    • Set the soft quota of user dataguy to 10MB (10240kB)
    • Set the hard quota of user dataguy to 20MB (20480kB)

Setting the quotas for the user, root and mailuser is not recommended at this moment.

  • To test the quotas, change user to dataguy.
    • Move to the folder /mnt/vdb1/data where you activated the quota earlier
  • Now let's create a big 100MB file ...
    • A 100MB file can be created by running
      $ dd if=/dev/zero of=100MBfile count=1 bs=100M
    • How many MB were actually copied? (verify the situation with ls -lah)
  • The output of the quota -v command should adequately reflect the situation
  • Check all user quotas with # repquota -a
  • Delete 100MBfile so that the dataguy quota is not full.
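The repquota -a check above is easy to eyeball for one user but not for many. The following is an added example (not part of the lab manual) that parses the column layout of repquota output and reports accounts over their soft limit or stuck at their hard limit; SAMPLE_REPQUOTA is a constructed report resembling /dev/vdb1 after the 100MB dd test, not output from the course machine.

```shell
#!/bin/sh
# Added example, not from the lab manual: flag users over their block quota
# by parsing the column layout of `repquota -a`. SAMPLE_REPQUOTA is constructed
# to resemble the report for /dev/vdb1 after the 100MB dd test above: dataguy
# has soft=10240kB, hard=20480kB, and dd was stopped at the hard limit.

SAMPLE_REPQUOTA='*** Report for user quotas on device /dev/vdb1
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --      20       0       0              2     0     0
debian    --    4096       0       0             12     0     0
dataguy   +-   20480   10240   20480  6days      3     0     0
'

# Data rows are the ones whose second column is the two-character flag field
# (+ = over the block/inode soft limit, - = within it). A limit of 0 means
# "unlimited", so it is never treated as exceeded.

# over_soft_quota: print "user used soft hard" (kB) for accounts whose used
# blocks exceed a non-zero soft limit. Reads repquota output on stdin.
over_soft_quota() {
    awk '$2 ~ /^[-+][-+]$/ && $4 > 0 && $3 > $4 { print $1, $3, $4, $5 }'
}

# at_hard_quota: print the users that have reached the hard limit, i.e. the
# accounts whose writes now fail with "Disk quota exceeded" (what dd hit).
at_hard_quota() {
    awk '$2 ~ /^[-+][-+]$/ && $5 > 0 && $3 >= $5 { print $1 }'
}

# On a live system the input would come from: repquota -a | over_soft_quota
printf '%s' "$SAMPLE_REPQUOTA" | over_soft_quota
```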

Installing Samba


Samba is a free software re-implementation of the SMB/CIFS networking protocol, and was originally developed by Andrew Tridgell. Samba provides file and print services for various Microsoft Windows clients and can integrate with a Microsoft Windows Server domain, either as a Domain Controller (DC) or as a domain member. As of version 4, it supports Active Directory and Microsoft Windows NT domains.

Samba runs on most Unix, OpenVMS and Unix-like systems, such as Linux, Solaris, AIX and the BSD variants, including Apple's macOS Server, and macOS client (Mac OS X 10.2 and greater). Samba is standard on nearly all distributions of Linux and is commonly included as a basic system service on other Unix-based operating systems as well. Samba is released under the terms of the GNU General Public License. The name Samba comes from SMB (Server Message Block), the name of the standard protocol used by the Microsoft Windows network file system. Source: Wikipedia.org

  • Install samba server and client packages
# apt install samba smbclient
  • The main Samba configuration file is /etc/samba/smb.conf, which contains numerous parameters whose explanation can be read from the man page: man smb.conf.
# nano /etc/samba/smb.conf
  • Most default parameters are very good, but add two new shares by adding new blocks at the end:
    [smbshare]
       comment = Some files from folder /mnt/vdb1/data/rw
       writable = yes
       locking = no
       path = /mnt/vdb1/data/rw
       guest ok = no
       browseable = yes

    [smbreadonly]
       comment = Some files from folder /mnt/vdb1/data/ro
       read only = yes
       locking = no
       path = /mnt/vdb1/data/ro
       guest ok = yes
       browseable = yes
  • Now let's create the folders we specified in the configuration.
# mkdir -p /mnt/vdb1/data/rw
# mkdir -p /mnt/vdb1/data/ro
# chown -R dataguy:users /mnt/vdb1/data/rw
# chown -R dataguy:users /mnt/vdb1/data/ro
# chmod -R ug+rwx,o+rx-w /mnt/vdb1/data/rw
# chmod -R u+rwx,go+rx-w /mnt/vdb1/data/ro
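The two shares above are deliberately different: smbreadonly allows guests but is read only, smbshare is writable but requires a login. The following added example (not code from the lab manual or from the Samba project) reads an smb.conf and prints any share where guest access and write access are both enabled; SAMPLE_SMB_CONF is constructed from the two shares above plus a hypothetical [scratch] share that shows the risky combination. It normalises the three spellings Samba accepts for writability (writable, writeable, read only = no) and the public synonym of guest ok.

```shell
#!/bin/sh
# Added example, not from the lab manual: list shares that let anonymous
# (guest) users write. Samba spells writability several ways, so all of them
# are normalised. SAMPLE_SMB_CONF is constructed: the two shares from the
# manual plus a hypothetical [scratch] share that shows the risky combination.

SAMPLE_SMB_CONF='[global]
   workgroup = WORKGROUP
   map to guest = Bad User

[smbshare]
   writable = yes
   path = /mnt/vdb1/data/rw
   guest ok = no

[smbreadonly]
   read only = yes
   path = /mnt/vdb1/data/ro
   guest ok = yes

[scratch]
   ; constructed misconfiguration: anonymous users can write here
   path = /mnt/vdb1/data/scratch
   public = yes
   read only = no
'

# smb_guest_writable: read smb.conf on stdin and print every share name where
# guest access and write access are both enabled ([global] is skipped).
smb_guest_writable() {
    awk '
    function yes(v) { return (v == "yes" || v == "true" || v == "1") ? "yes" : "no" }
    function flush() { if (sect != "" && sect != "global" && guest == "yes" && wr == "yes") print sect }
    /^[ \t]*\[/ { flush(); sect = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sect)
                  guest = "no"; wr = "no"; next }        # new [section]
    /^[ \t]*[;#]/ || !/=/ { next }                       # comments, blank lines
    {
        key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key); key = tolower(key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val); val = tolower(val)
        if (key == "guest ok" || key == "public") guest = yes(val)
        if (key == "writable" || key == "writeable" || key == "write ok") wr = yes(val)
        if (key == "read only") wr = (yes(val) == "yes") ? "no" : "yes"
    }
    END { flush() }'
}

# On a live server, feed the effective config: testparm -s 2>/dev/null | smb_guest_writable
printf '%s' "$SAMPLE_SMB_CONF" | smb_guest_writable
```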

Please create one extra user smbtester (for us to be able to test you).

Now let's add the users dataguy, smbtester and your main user debian to the users group:

# usermod -a -G users dataguy
  • Repeat the command for the users debian and smbtester.
  • Samba uses its own password system, so users need to be added by root with the command # smbpasswd -a <user>. Note that the users have to exist in /etc/passwd.
# smbpasswd -a dataguy
  • Repeat the command for the users debian and smbtester.
  • You will be prompted for a password for each of those users. (It can be different from the one the user already has.) For smbtester use 12345 as the password.
  • Restart the smbd service.

To list existing Samba users:

pdbedit -w -L
  • You can verify a samba configuration with a command testparm
  • You can use smbclient for testing shares.
$ smbclient -U dataguy //localhost/dataguy
$ smbclient -U smbtester //localhost/smbreadonly

Now let's add firewall rules to allow other machines to access our shares:

  • Use netstat -utpln command to check which ports are used by smbd and nmbd service.
  • Edit /etc/firewall.conf file and add TCP and UDP rules to allow incoming connections to those ports.
    • Use iptables-restore with correct input file parameters to apply changes.
  • Add new security group with name smb in ETAIS and add TCP and UDP rules to allow incoming connections to those ports.
    • Add previously created security group smb to your virtual machine

Now let's test our Samba shares from our personal machine.

  • WINDOWS
    • Open File Explorer or press WIN+R and enter \\172.17.64.x\ (IP of your VM)
      • You should see two shared folders by default: smbshare and smbreadonly
    • Accessing smbreadonly should work without any prompt for a password or user.
      • Try to create a file in smbreadonly (it should end in an error: Permission Denied)
    • Accessing smbshare should prompt for a username and password.
      • In Windows 10 select More choices -> Use different account -> username: 172.17.64.x\<VM_username> and Password: <enter correct password> -> OK
      • You should see the folder now. Create a test file there. (It should work)
    • Go one folder up to the \\172.17.64.x\ level and you should now see a new folder user (or whatever name your user has) and its content should be readable.
      • The same should work with \\yourdomain.est\

NB! Windows 10 Enterprise/Education version 1709 and newer have disabled guest (anonymous) access to Samba shares, so you need to enable the "insecure" old behavior in Group Policy or the registry. An easy way to do it is to enter the following command in Windows PowerShell with Administrative rights:
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters -Name AllowInsecureGuestAuth -Value 1

  • More info about Windows 10 issue here https://support.microsoft.com/de-ch/help/4046019/guest-access-smb2-disabled-by-default-in-windows-10-server-2016
  • In order to see cached network credentials for file shares you can use the net use command
    • In order to delete them you can use a command like this:

net use \\172.17.64.X\smbshare /delete

  • LINUX
    • enter smbclient -U dataguy //172.17.64.X/smbshare
    • enter smbclient -U dataguy //172.17.64.X/user
      • More info here
  • MAC OS
    • Follow this manual

Installing NFS

NFS is a network file system protocol allowing a client system to access files over a network. The file system is presented to the end user in a manner similar to a local file system. NFS allows the administrator to share sub-trees of a local file system over the network. The process of sharing is called "exporting".

  • NFS Server side
    1. Update package indexes
    2. Install packages nfs-common and nfs-kernel-server
    3. Restart service nfs-kernel-server
    4. Add firewall rules to enable incoming NEW traffic to ports 111 and 2049 for both TCP and UDP
    5. Add a new security group with name nfs in ETAIS and add TCP and UDP rules to allow incoming connections to those ports. Add the previously created security group nfs to your virtual machine
    6. The data directories should already have been created in the Samba section:
       /mnt/vdb1/data
       /mnt/vdb1/data/ro
       /mnt/vdb1/data/rw
    7. Assign ownership of all previously created directories to user dataguy and set the group owner to users. (We expect you to know how to complete this task without help.)
    8. Edit the file /etc/exports and add the lines
       /mnt/vdb1/data 172.17.64.0/22(rw,sync,fsid=0,crossmnt,subtree_check)
       /mnt/vdb1/data/ro 172.17.64.0/22(ro,nohide,insecure,sync,subtree_check)
       /mnt/vdb1/data/rw 172.17.64.0/22(rw,nohide,insecure,sync,subtree_check)
    9. Use the command exportfs -a to make the newly created shares public
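The exports above restrict clients to 172.17.64.0/22 and keep root_squash, but they do use insecure (mounts from unprivileged source ports are accepted). The following added example (not from the lab manual) audits an exports file for the options that widen exposure; SAMPLE_EXPORTS is constructed from the three lab lines plus one hypothetical /srv/backup entry that shows the other findings. Each finding is printed as "<path> <client> <finding,...>", and an export line without any client (which exportfs treats as world-wide) is reported as any-host.

```shell
#!/bin/sh
# Added example, not from the lab manual: audit /etc/exports entries for the
# options that widen NFS exposure. SAMPLE_EXPORTS is constructed from the three
# lines used in this lab plus one hypothetical line (/srv/backup) that shows
# the findings the function reports.

SAMPLE_EXPORTS='/mnt/vdb1/data 172.17.64.0/22(rw,sync,fsid=0,crossmnt,subtree_check)
/mnt/vdb1/data/ro 172.17.64.0/22(ro,nohide,insecure,sync,subtree_check)
/mnt/vdb1/data/rw 172.17.64.0/22(rw,nohide,insecure,sync,subtree_check)
# hypothetical entry, not part of the lab configuration
/srv/backup *(rw,no_root_squash,async)
'

# exports_audit: read an exports file on stdin and print
# "<path> <client> <finding,...>" for every client entry that has at least
# one of: any-host (no client restriction), no_root_squash (remote root keeps
# uid 0 on the server), insecure-ports (mounts from unprivileged source ports
# accepted), async (acknowledged writes may be lost on a server crash).
exports_audit() {
    awk '
    /^[ \t]*(#|$)/ { next }                       # comments and blank lines
    {
        path = $1
        if (NF == 1) { print path, "*", "any-host"; next }   # no client at all
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            if (match(client, /\(.*\)$/)) {       # split host(opts)
                opts = substr(client, RSTART + 1, RLENGTH - 2)
                client = substr(client, 1, RSTART - 1)
            }
            if (client == "") client = "*"
            f = ""
            if (client == "*") f = f "any-host,"
            if (opts ~ /(^|,)no_root_squash(,|$)/) f = f "no_root_squash,"
            if (opts ~ /(^|,)insecure(,|$)/) f = f "insecure-ports,"
            if (opts ~ /(^|,)async(,|$)/) f = f "async,"
            if (f != "") { sub(/,$/, "", f); print path, client, f }
        }
    }'
}

# On the NFS server: exports_audit < /etc/exports
printf '%s' "$SAMPLE_EXPORTS" | exports_audit
```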
  • NFS Client side
    1. We will use the package nfs-common you installed previously
    2. Use the command rpcinfo -p teacher.est
       You should see:
       program vers proto   port  service
       100000    4   tcp    111  portmapper
       100000    3   tcp    111  portmapper
       100000    2   tcp    111  portmapper
       100000    4   udp    111  portmapper
       100000    3   udp    111  portmapper
       100000    2   udp    111  portmapper
       100024    1   udp  33446  status
       ... many more lines
    3. Create the directories
       /media/nfs_ro
       /media/nfs_rw
    4. Mount the remote FS using the commands:
       mount -vvv -t nfs4 teacher.est:/ro -oro,vers=4,proto=tcp,port=2049,sec=sys /media/nfs_ro/
       mount -vvv -t nfs4 teacher.est:/rw -orw,vers=4,proto=tcp,port=2049,sec=sys /media/nfs_rw/
  • Let's test the NFS client functionality
    1. Change to the dataguy user
    2. List the contents with ls /media/nfs_ro/
    3. Try to read some files from /media/nfs_ro/
    4. Try to write some files into /media/nfs_ro/
    5. Try to write some files into /media/nfs_rw/

To be continued by:

  • LDAP authentication
  • Nextcloud installation

The new lab manual is a separate file ... LDAP & Nextcloud
