Category: Synology

  • NFS UID mapping without NIS – how to achieve that? is NFS weaker there than AFS and Samba?

    My (reduced) I.T. landscape:

    • a Synology DiskStation NAS (with some Linux and “Busybox”) functions as an NFS server
    • an openSUSE Linux VM is the relevant NFS client – the other clients don’t use NFS but AFS (for the Macs) and Samba (…)

    True, I am not using NIS.

    True, my server and my client don’t have the same values for corresponding users (UIDs). Should I better “chown -R …” the respective users’ directory trees on the NAS in order to achieve the proper UID mapping?!?

    My NFS server does not accept “root=…”.

    Is making brute force use of “anonuid=…” on the server side (mapping all accesses from outside to a single user w/o further proper authentication) the only (and admittedly inappropriate) way to achieve my goal then? Yes, I do have an idea of what anonuid should be used for.

    AFS and Samba seem to be able to deal with user accounts, that do not have the same UIDs on both sides – how to deal with that in the NFS context w/o NIS?!?

    Update 2015-01-26: Simply use the relevant NAS users’ UIDs also on the NFS clients. Get rid of all explicit UID squashing and mapping.

  • O’Reilly Media book: Managing NFS and NIS, 2nd Edition

    From the publisher:

    A modern computer system that’s not part of a network is even more of an anomaly today than it was when we published the first edition of this book in 1991. But however widespread networks have become, managing a network and getting it to perform well can still be a problem. Managing NFS and NIS, in a new edition based on Solaris 8, is a guide to two tools that are absolutely essential to distributed computing environments: the Network Filesystem (NFS) and the Network Information System (formerly called the “yellow pages” or YP). The Network Filesystem, developed by Sun Microsystems, is fundamental to most Unix networks. It lets systems ranging from PCs and Unix workstations to large mainframes access each other’s files transparently, and is the standard method for sharing files between different computer systems. As popular as NFS is, it’s a “black box” for most users and administrators. Updated for NFS Version 3, Managing NFS and NIS offers detailed access to what’s inside, including:

    • How to plan, set up, and debug an NFS network
    • Using the NFS automounter
    • Diskless workstations
    • PC/NFS
    • A new transport protocol for NFS (TCP/IP)
    • New security options (IPSec and Kerberos V5)
    • Diagnostic tools and utilities
    • NFS client and server tuning

    NFS isn’t really complete without its companion, NIS, a distributed database service for managing the most important administrative files, such as the passwd file and the hosts file. NIS centralizes administration of commonly replicated files, allowing a single change to the database rather than requiring changes on every system on the network. If you are managing a network of Unix systems, or are thinking of setting up a Unix network, you can’t afford to overlook this book.

    This book is rather focusing on Solaris, I still think, THIS IS THE BOOK, but then I really did not research the market before acquiring this book. E.g. regarding “exportfs”: the command just gets mentioned in a table, no further explanations. Right, the “current” main author was mostly on Sun’s payroll, but O’Reilly’s could have “forced” a more Linux/AIX/… oriented co-author on board of the authors.

    I acquired this book, when I had trouble making use

    • of a Synology DiskStation NAS as a server
    • and an openSUSE Linux VM as a client.

    True, I am not using NIS.

    True, my server and my client don’t have the same values for corresponding users (UIDs). Should I better “chown -R …” the respective users’ directory trees on the NAS in order to achieve the proper UID mapping?!?

    My NFS server does not accept “root=…”.

    Is making brute force use of “anonuid=…” on the server side (mapping all accesses from outside to a single user w/o further proper authentication) the only (and admittedly inappropriate) way to achieve my goal then? Yes, I do have an idea of what anonuid should be used for.

    AFS and Samba seem to be able to deal with user accounts, that do not have the same UIDs on both sides – how to deal with that in the NFS context w/o NIS?!?

    My notes following the TOC:

    Chapter 6 covers basic NFS operations, such as mounting and exporting filesystems.

    • commands: exportfs, …
    • system files: …

    Chapter 13. Network Diagnostic and Administrative Tools

    • commands: showmount, …
    • NIS maps: …
    • system files: …

    Chapter 14. NFS Diagnostic Tools

    • commands: showmount, …
  • my Synology DiskStation now functions as a NAS to my entire I.T. landscape including Mac OS X, Windows, and NFS

    Actually (as you might remember) there is not just one Synology DiskStation (AKA NAS) here, but three of them – you will find more information here on the blog, if you follow category Synology or NAS. So I am referring to my “primary” NAS here.

    NFS is the most recent achievement, and it is the one, that will need a little more work to be production reliable, but functionally it serves its purposes and I am rather glad.

    NFS is the genuine way of “file serving” on Unix/Linux/… and alike systems.

    So as of today I am able to access the files sitting on my (“primary”) NAS from my Macs, my Windows boxes, and my Linux boxes.

    There are still files sitting within “Virtual Machines”, that are a little difficult to access from outside; but migrating them to the NAS is not a short-term goal.

    I would love to be able to “stroll around” with just my MacBook Air and my (mobile) NAS, and still be able to access every possible file and achieve every possible task.

    Alright, I do accept, some tasks can only get performed on certain machines, but I can reach them (from remote) “at home” (via a command line, i.e. SSH) on a box (or a “Virtual Machine”).

    My 1st task performed under the new circumstances is my November payroll. Imagine:

    • a Mac
    • hosting a Virtual Machine (Oracle VirtualBox),
    • running openSUSE Linux,
    • accessing files through NFS served on my NAS,
    • (the Linux “box”) running GNU Emacs,
    • running a bash,
    • running a couple of shell snippets converting simple CSV files into more readable / comparable ones (I dare to call this “data science”);
    • in the end telling me, that last month’s payroll files essentially look like this month’s ones;
    • so within my actual banking software (Lexware Quicken on Win8.1 in yet another Virtual Machine)
    • I will be able to kick off the new payroll payments
    • and also the monthly payment to the accountants.

    Why did an article with such a simple name get so extensive again? Well, I just needed to write it down again and “tell somebody”. Actually (yet another time) I have no idea, who will read it and whether this article will be read at all, but it does indeed make me feel rather, rather well.

  • using a Synology DiskStation as an NFS4 server – client is an openSUSE in a virtual machine

    Facts (smile!):

    • the Synology DSM NFS server keeps its “mount information files” (etab, rmtab, …) at /var/lib/nfs/rmtab as opposed to /etc, where they “usually” go
    • make sure, that /var/lib/nfs/rmtab exists, otherwise you will find ongoing complaints in /var/log/messages; a “touch …/rmtab” will do

    “Last resort” resp. “disaster” suggestions – they should always only be of temporary use:

    • within /etc/exports set anonuid to the UID of the server-local user, that “deals” with the files in question

    I have tried quite a few variations, currently it seems to run (DO NOT TAKE THAT TOO LITERALLY!!!), but I am not very sure, why, and what the implications are.

    • http://forum.synology.com/wiki/index.php/How_to_enable_NFS_on_the_Synology_Server – looks a little outdated, but the suggestion to “touch /var/lib/nfs/rmtab”, so that “/usr/sbin/exportfs -a” (in order to make your changes to /etc/exports effective) would not result in an annoying entry in /var/log/messages, is quite nice
    • replacing no_root_squash with all_squash within /etc/exports and “…/exportfs -a” seems to help tremendously, setting “squash” to “no mapping” is not the same; looks like you can’t achieve the wished purpose through the web GUI

    Update 2015-01-26 / 0: /etc/idmap.conf – but the respective software on openSuSE seems to have problems.

    Update 2015-01-26 / 1:

    • no more UID squashing or mapping within the DSM GUI,
    • no more changes to /etc/exports on the NAS “under the hood”,
    • simple vanilla “Squash: No mapping” within the DSM GUI;
    • i.e. the respective UIDs on the NFS server and the NFS clients must match 1:1.
    • It is quite simple to rectify this on the NFS clients.
    • I have no idea, why I hesitated doing that from the beginning (when I started using the Synology devices as NFS servers).
    • For the time being this is “the proper way” here.
    • For the “better future” of course implementation of a Kerberos set-up is the way to go:
    • https://en.wikipedia.org/wiki/Kerberos_(protocol)
    • http://linux.die.net/man/5/exports – /etc/exports
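
A way to check the "UIDs must match 1:1" rule before relying on "Squash: No mapping", as an added example that is not part of the original post: without Kerberos (sec=sys) the NFS server trusts the numeric UID the client sends, so the script compares passwd entries from both sides. The two passwd excerpts and all user names are constructed sample data.

```python
# Constructed sample passwd(5) data; on real systems read /etc/passwd from each side.
SERVER_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
admin:x:1024:100::/home/admin:/bin/sh
alice:x:1026:100::/home/alice:/bin/sh
bob:x:1027:100::/home/bob:/bin/sh
"""
CLIENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:100:Alice:/home/alice:/bin/bash
bob:x:1027:100:Bob:/home/bob:/bin/bash
carol:x:1026:100:Carol:/home/carol:/bin/bash
"""


def parse_passwd(text):
    """Return {login: uid} from passwd(5)-formatted text."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        # Skip blanks, comments and malformed or NIS-style (+/-) entries.
        if len(fields) < 7 or not fields[2].isdigit():
            continue
        users[fields[0]] = int(fields[2])
    return users


def audit(server, client):
    """Compare the two login->UID maps as seen from the NFS client.

    mismatches: same login, different UID (client_uid, server_uid); the user
                does not own "their" files on the export.
    collisions: client login whose UID belongs to a different server login;
                with sec=sys the server treats that client user as the other one.
    """
    by_server_uid = {uid: name for name, uid in server.items()}
    mismatches = {name: (uid, server[name])
                  for name, uid in client.items()
                  if name in server and server[name] != uid}
    collisions = {name: by_server_uid[uid]
                  for name, uid in client.items()
                  if by_server_uid.get(uid, name) != name}
    return mismatches, collisions
```

In the sample, alice is a mismatch, and carol is a collision: her client UID is alice's UID on the server, so carol would read and write alice's files.
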
  • my NAS currently experiences a massive SSH login attack – I do have a couple of IP addresses, but which provider owns them?

    • … – the attack is still ongoing …

    All of them got automatically blocked forever, but still …

    And Synology provides me with no means to export a full machine-readable list of all the IP-addresses, that my NAS keeps as blocked. That’s actually rather sad.

  • Synology NAS ssh access – all of a sudden one of the computers on my LAN wasn’t able to log in again

    As I found out after quite some investigating and speculating, I ran into the NAS’s “auto block” capability. I had no idea I had logged into it a couple of times unsuccessfully, but that must have been it. As I was able to redisplay, I had tried to log in a couple of times and always interrupted that, and apparently that got counted as “unsuccessful log in attempts”, which led to “blocking for ever”. After cleaning that NAS’s block list, everything was fine again.

    Then I looked into my main NAS’s block list, and right now there are 1280 IP addresses on it. I would love to export that list and sort it a little and do a few reverse look-ups, in order to relate them to “countries of origin” of these attacks. But the DSM does not support exporting the block list. May I suggest doing that? I will create a separate article resp. tweet with a proper title, suggesting to support the export of the block list.

  • the Synology DSM / NAS “auto block” feature, its “block list”, and the missing “export” capability – pls add it soon!

    • Today I looked into my NAS’s block list, and it had 1280 entries.
    • The “DSM” does not allow me to export that list.
    • So I am not able to run evaluations on that list,
    • I can not apply “business / data intelligence” on that list,
    • and I am also not able to relate the attackers’ IP addresses to their countries of origin.
    • A report detailing countries and their frequencies of attacks would be impressive, wouldn’t it?
    • May I suggest, that Synology should add that capability soon?
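
The kind of evaluation wished for above can also be run on the SSH daemon's own log instead of the block list; this is an added example, not part of the original post and not a DSM feature. It assumes failed logins are available as log lines in the standard OpenSSH format (the page does not say where DSM keeps them); the sample lines and addresses are constructed, using documentation IP ranges.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in standard OpenSSH sshd format.
SAMPLE_LOG = """\
Jan 26 03:14:01 nas sshd[4121]: Failed password for root from 203.0.113.48 port 51122 ssh2
Jan 26 03:14:03 nas sshd[4123]: Failed password for root from 203.0.113.32 port 40210 ssh2
Jan 26 03:14:05 nas sshd[4125]: Failed password for invalid user admin from 203.0.113.35 port 33871 ssh2
Jan 26 03:14:09 nas sshd[4127]: Failed password for root from 203.0.113.48 port 51190 ssh2
Jan 26 03:15:40 nas sshd[4140]: Accepted publickey for alice from 192.168.1.20 port 50022 ssh2
Jan 26 03:16:02 nas sshd[4150]: Failed password for invalid user test from 198.51.100.7 port 45001 ssh2
Jan 26 03:16:04 nas sshd[4152]: Failed password for root from not-an-ip port 1 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")


def failed_sources(log_text):
    """Yield (user, IPv4Address) for each failed-password line with a valid IPv4 source."""
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # hostname or garbage instead of an address
        if addr.version == 4:
            yield m.group(1), addr


def summarize(log_text, prefix=24):
    """Count failures per source IP and per enclosing network (/24 by default)."""
    per_ip, per_net = Counter(), Counter()
    for _user, addr in failed_sources(log_text):
        per_ip[str(addr)] += 1
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        per_net[str(net)] += 1
    return per_ip, per_net


def to_csv(counter):
    """Machine-readable export: one 'key,count' row per entry, busiest first."""
    return "\n".join(f"{key},{count}" for key, count in counter.most_common())
```

Grouping by network shows when many blocked addresses belong to one range, which reduces the "which provider owns them" question to a single whois lookup per network.
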
  • Synology NAS ssh access – “hardware accelerated ciphers”

    In the Control Panel within the area “Terminal & SNMP” there is now a checkbox labeled “Only use hardware accelerated ciphers”. But only my DS115j has this checkbox, my DS112+ and my DS213+ don’t have it. I have no idea, for how long this difference has been effective. Maybe from when I started using the DS115j – it’s the most recently released product of all of them.

  • Synology DSM desktop: removed everything unnecessary today

    What is left?

    • Package Center (it would show the number of packages to be updated)
    • Control Panel (it would show necessary DSM updates, I think)
    • Widgets: Recent Logs, System Health, Resource Monitor

    I can reach more Desktop items through the “Main Menu” AKA “Start button” on the top left.

  • Synology DSM update settings: no, I must not be forced to download updates automatically



