RPC.FEDFSD(8)    System Manager's Manual    RPC.FEDFSD(8)
NAME
rpc.fedfsd - FedFS administrative service daemon
SYNOPSIS
rpc.fedfsd [-?dF] [-u uid] [-g gid] [-o port]
DESCRIPTION
RFC 5716 introduces the Federated File System (FedFS, for short). FedFS is an extensible standardized mechanism by which system administrators construct a coherent namespace across multiple file servers using file system referrals. For further details, see fedfs(7).
The rpc.fedfsd(8) daemon runs on file servers participating in a FedFS domain. It enables secure remote administration of junctions on that file server. A remote FedFS administrative client can identify new NSDBs, update an NSDB's connection parameters (security information and DNS name), and create and delete FedFS junctions on that file server.
Because rpc.fedfsd(8) can operate on any object in a file server's local file systems, FedFS administrative clients should use strong security such as Kerberos when communicating with rpc.fedfsd(8).
Command line arguments
- -?, --help: Prints the rpc.fedfsd(8) version and usage message on stderr, then exits.
- -d, --debug: Enables additional debugging messages to be produced during operation.
- -F, --foreground: Keeps rpc.fedfsd(8) attached to its controlling terminal so that operation can be monitored directly or run under a debugger. rpc.fedfsd(8) also writes log messages on stderr instead of to the system log. If this option is not specified, rpc.fedfsd(8) backgrounds itself soon after it starts.
- -u, --uid=id: Specifies the numeric or text UID that rpc.fedfsd(8) runs under after dropping root privileges. By default, the UID for the user fedfs is used. If that user doesn't exist, then the UID for nobody is used instead.
- -g, --gid=id: Specifies the numeric or text GID that rpc.fedfsd(8) runs under after dropping root privileges. By default, the GID for the group fedfs is used. If that group doesn't exist, then the GID for nobody is used instead.
- -o, --port=num: Specifies the port number used for RPC listener sockets. If this option is not specified, rpc.fedfsd(8) chooses a random ephemeral port for each listener socket.
Access control
An Access Control List stored in /etc/fedfsd/access.conf manages whom rpc.fedfsd(8) allows to perform ADMIN operations. The following access types are supported:
- none: Enabling none allows anyone using AUTH_NONE security to perform ADMIN operations. none is for backwards compatibility only. It is not recommended for use in production deployments.
- unix: This setting specifies lists of users and groups who are allowed to use AUTH_SYS security to perform ADMIN operations. Though the unix setting provides more security than the none setting, unix is not recommended for use on untrusted networks.
- gss: This setting specifies which GSS mechanisms, services, and principals are authorized to perform ADMIN operations. Currently the only supported GSS mechanism is kerberos_v5.
See comments in /etc/fedfsd/access.conf for details on syntax of the Access Control List.
To enable Kerberos security via GSS, a service principal for the fedfs-admin service must be created for each host running rpc.fedfsd(8). The resulting key must be retrieved from the KDC and stored in a keytab file (usually /etc/krb5.keytab) on each host running rpc.fedfsd(8).
The exact procedure for creating a service principal and retrieving and storing a secret key for it depends on the type of KDC in use for the local Kerberos realm. Consult your local Kerberos realm administrator for more information.
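The provisioning and verification steps above, as an added example that is not part of fedfs-utils or this manual page. It assumes an MIT Kerberos KDC (kadmin, ktadd and the klist -k listing format are MIT-specific), and the realm and host names are placeholders; the check is meant to run on each file server before gss is enabled in /etc/fedfsd/access.conf.

```shell
#!/bin/sh
# Added example (not fedfs-utils code): provision and verify the Kerberos
# service principal that rpc.fedfsd(8) needs for GSS access control.
# Assumes an MIT Kerberos KDC. REALM/FQDN/KEYTAB are placeholder defaults.
REALM="${REALM:-EXAMPLE.COM}"
FQDN="${FQDN:-$(hostname -f 2>/dev/null || hostname)}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# Build the principal name for the fedfs-admin service on one host:
# fedfs-admin/<fqdn>@<REALM>
fedfs_principal() {
    printf 'fedfs-admin/%s@%s\n' "$1" "$2"
}

# Return 0 if a 'klist -k' listing (on stdin) contains the principal in $1.
# MIT klist prints a three-line header, then "KVNO principal" rows.
keytab_lists_principal() {
    awk -v want="$1" 'NR > 3 && $2 == want { found = 1 } END { exit !found }'
}

# Create the service principal with a random key and export that key into
# the host keytab. Needs kadmin credentials; run once per file server.
provision_principal() {
    princ=$(fedfs_principal "$FQDN" "$REALM")
    kadmin -q "addprinc -randkey $princ" || return 1
    kadmin -q "ktadd -k $KEYTAB $princ"
}

# Check that the keytab holds the fedfs-admin key before switching
# /etc/fedfsd/access.conf to gss; a non-zero exit means it is missing.
verify_keytab() {
    princ=$(fedfs_principal "$FQDN" "$REALM")
    klist -k "$KEYTAB" | keytab_lists_principal "$princ"
}
```

Run verify_keytab on each host running rpc.fedfsd(8) after provisioning; it exits non-zero when the expected principal is absent from the keytab.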
NOTES
To create, resolve, or delete a junction, FedFS admin clients specify the pathname of that junction as an argument to the requested operation. The FedFS admin protocol supports at least two types of these pathnames: ADMIN and NFS. At this time the Linux rpc.fedfsd(8) daemon supports only FedFS ADMIN pathnames. This type of pathname represents a fully-qualified POSIX pathname relative to the file server's physical root directory.
During each start-up, rpc.fedfsd(8) verifies that the local NSDB connection parameter database exists and is accessible. If it does not exist, rpc.fedfsd(8) attempts to create such a database. If it cannot, the daemon fails to start.
FILES
- /var/lib/fedfs/nsdbparam.sqlite3: database of NSDB connection parameters
- /var/lib/fedfs/nsdbcerts: local directory that stores X.509 certificates for NSDBs
- /etc/fedfsd/access.conf: controls remote access to rpc.fedfsd
SEE ALSO
RFC 5661 for the NFS version 4 specification
RFC 5716 for FedFS requirements and overview
COLOPHON
This page is part of the fedfs-utils package. A description of the project and information about reporting bugs can be found at http://wiki.linux-nfs.org/wiki/index.php/FedFsUtilsProject.
AUTHOR
Chuck Lever <chuck.lever@oracle.com>
3 February 2014