NFS v4 Kerberos Backup Recovery Strategy

NFS v4 Kerberos Backup Recovery Network File System Authentication Encryption ACL Delegation Stateful Backup Strategy Disaster Recovery RPO RTO Enterprise Linux
| NFS Version | Port | Auth | State | Encryption | Best for |
|---|---|---|---|---|---|
| NFSv3 | Multiple ports | AUTH_SYS | Stateless | None | Legacy |
| NFSv4 | 2049 | Kerberos | Stateful | krb5p | Enterprise |
| NFSv4.1 | 2049 | Kerberos | Stateful | krb5p | pNFS Parallel |
| NFSv4.2 | 2049 | Kerberos | Stateful | krb5p | Server-side Copy |
NFS v4 + Kerberos Setup
=== NFS v4 Server Configuration ===

Server — Install and Configure

```bash
dnf install nfs-utils krb5-server krb5-workstation -y
systemctl enable --now nfs-server
```

/etc/exports — NFS Shares

```
/data/shared   10.0.0.0/24(rw,sync,no_subtree_check,sec=krb5p)
/data/backup   10.0.0.0/24(rw,sync,no_subtree_check,sec=krb5p)
/data/readonly 10.0.0.0/24(ro,sync,no_subtree_check,sec=krb5)
```

```bash
exportfs -rav # Apply changes
```

Kerberos KDC Setup

/etc/krb5.conf

```ini
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

Create NFS Principals

```
kadmin.local
addprinc -randkey nfs/nfs-server.example.com@EXAMPLE.COM
addprinc -randkey nfs/nfs-client.example.com@EXAMPLE.COM
ktadd -k /etc/krb5.keytab nfs/nfs-server.example.com@EXAMPLE.COM
```

Firewall

```bash
firewall-cmd --permanent --add-service=nfs
firewall-cmd --reload
```

Client Mount

```bash
mount -t nfs4 -o sec=krb5p nfs-server:/data/shared /mnt/shared
```

/etc/fstab — Persistent Mount

```
nfs-server:/data/shared /mnt/shared nfs4 sec=krb5p,rw,hard,intr 0 0
```

```python
from dataclasses import dataclass


@dataclass
class NFSShare:
    path: str
    clients: str
    security: str
    access: str
    purpose: str


shares = [
    NFSShare("/data/shared", "10.0.0.0/24", "krb5p (encrypted)", "rw", "Shared workspace"),
    NFSShare("/data/backup", "10.0.0.0/24", "krb5p (encrypted)", "rw", "Backup destination"),
    NFSShare("/data/readonly", "10.0.0.0/24", "krb5 (auth only)", "ro", "Read-only reference"),
    NFSShare("/data/home", "10.0.0.0/24", "krb5p (encrypted)", "rw", "Home directories"),
]

print("=== NFS Shares ===")
for s in shares:
    print(f" [{s.path}] Security: {s.security}")
    print(f" Clients: {s.clients} | Access: {s.access}")
    print(f" Purpose: {s.purpose}")
```
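
A check for the `/etc/exports` entries above, added here as an example and not part of the original page: it reports every export that accepts anything weaker than `sec=krb5p`, including entries with no `sec=` option (which fall back to `sys`) and option lists broken by whitespace. The `/data/scratch` and `/data/legacy` lines and the name `audit_exports` are constructed for the illustration.

```python
import re

# Constructed sample: the page's three exports plus two deliberately weak lines.
SAMPLE_EXPORTS = """\
/data/shared   10.0.0.0/24(rw,sync,no_subtree_check,sec=krb5p)
/data/backup   10.0.0.0/24(rw,sync,no_subtree_check,sec=krb5p)
/data/readonly 10.0.0.0/24(ro,sync,no_subtree_check,sec=krb5)
/data/scratch  10.0.0.0/24(rw,sync,no_subtree_check)
/data/legacy   10.0.0.0/24(rw, sync, sec=krb5p:sys)
"""

CLIENT_SPEC = re.compile(r"(\S*?)\(([^)]*)\)")  # client(opt,opt,...)
UNENCRYPTED = {"krb5": "authentication only", "krb5i": "integrity only"}


def audit_exports(text):
    """Return (path, client, finding) for every export weaker than sec=krb5p."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        specs = CLIENT_SPEC.findall(rest)
        if not specs:
            findings.append((path, rest.strip() or "*", "no option list, so sec defaults to sys"))
        for client, optstr in specs:
            if re.search(r"\s", optstr):
                findings.append((path, client, "whitespace inside the option list"))
            opts = [o.strip() for o in optstr.split(",")]
            # sec= takes a colon-separated list; without it the flavor is sys
            flavors = [f for o in opts if o.startswith("sec=") for f in o[4:].split(":")] or ["sys"]
            for flavor in flavors:
                if flavor == "sys":
                    findings.append((path, client, "AUTH_SYS allowed, no Kerberos"))
                elif flavor in UNENCRYPTED:
                    findings.append((path, client, f"{flavor} is {UNENCRYPTED[flavor]}, traffic not encrypted"))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} {client}: {finding}")
```
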
Backup Strategy

=== NFS Backup Strategy ===
Backup Script — rsync with rotation

```bash
#!/bin/bash
# /usr/local/bin/nfs-backup.sh
set -euo pipefail  # abort on the first failed step

BACKUP_SRC="/data/shared"
BACKUP_DST="/data/backup"
DATE=$(date +%Y-%m-%d)
LOG="/var/log/nfs-backup.log"

# Snapshot teardown; also runs on exit so a failed step does not leave it mounted
cleanup() {
    umount /mnt/snapshot 2>/dev/null || true
    lvremove -f /dev/vg0/snap_shared >/dev/null 2>&1 || true
}
trap cleanup EXIT

# LVM Snapshot for consistent backup
lvcreate -L 10G -s -n snap_shared /dev/vg0/lv_shared
mount /dev/vg0/snap_shared /mnt/snapshot -o ro

# Incremental backup with rsync
rsync -avz --delete \
    --link-dest="$BACKUP_DST/latest" \
    /mnt/snapshot/ \
    "$BACKUP_DST/$DATE/" \
    >> "$LOG" 2>&1

# rsync -a copies the source directory's mtime; reset it so the
# -mtime retention test below measures the age of the backup
touch "$BACKUP_DST/$DATE"

# Update latest symlink
ln -snf "$BACKUP_DST/$DATE" "$BACKUP_DST/latest"

# Remove snapshot
cleanup

# Retention: keep 30 daily, 12 weekly, 12 monthly
# -mindepth 1 keeps find from ever matching $BACKUP_DST itself
find "$BACKUP_DST" -mindepth 1 -maxdepth 1 -type d -mtime +30 \
    ! -name "*-01" ! -name "latest" -exec rm -rf {} \;

# Offsite copy to S3
aws s3 sync "$BACKUP_DST/$DATE/" "s3://backup-bucket/nfs/$DATE/" \
    --storage-class STANDARD_IA

echo "$(date): Backup completed" >> "$LOG"
```

Cron Schedule

```
0 2 * * * /usr/local/bin/nfs-backup.sh # Daily 02:00
0 3 * * 0 /usr/local/bin/nfs-full-backup.sh # Weekly Sunday 03:00
```

```python
from dataclasses import dataclass


@dataclass
class BackupPolicy:
    backup_type: str
    frequency: str
    retention: str
    storage: str
    method: str
    rpo: str


policies = [
    BackupPolicy("Incremental", "Daily 02:00", "30 days", "Local NFS", "rsync --link-dest", "24 hours"),
    BackupPolicy("Full", "Weekly Sunday", "12 weeks", "Local NFS", "rsync full copy", "7 days"),
    BackupPolicy("Offsite", "Daily 04:00", "12 months", "S3 Standard-IA", "aws s3 sync", "24 hours"),
    BackupPolicy("Archive", "Monthly 1st", "7 years", "S3 Glacier", "aws s3 cp --storage-class", "30 days"),
    BackupPolicy("Snapshot", "Every 4 hours", "48 hours", "LVM Snapshot", "lvcreate -s", "4 hours"),
]

print("\n=== Backup Policies ===")
for p in policies:
    print(f" [{p.backup_type}] {p.frequency}")
    print(f" Retention: {p.retention} | Storage: {p.storage}")
    print(f" Method: {p.method} | RPO: {p.rpo}")
```
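
The retention comment in the backup script asks for 30 daily, 12 weekly and 12 monthly copies, while its `find` line keeps 30 days of directories plus every directory whose name ends in `-01`. The following added example (not code from the original page) selects by the date in the directory name instead. It assumes the weekly copy is the Sunday backup and the monthly copy is the one dated the 1st; `plan_retention` and the sample data are constructed for the illustration.

```python
from datetime import date, timedelta

SUNDAY = 6  # date.weekday() value; the page schedules the weekly job on Sunday


def plan_retention(names, today, daily=30, weekly=12, monthly=12):
    """Return (keep, delete) lists of backup directory names.

    Names that are not YYYY-MM-DD (such as the "latest" symlink) are ignored.
    """
    keep, delete = [], []
    for name in sorted(names):
        try:
            day = date.fromisoformat(name)
        except ValueError:
            continue
        age_days = (today - day).days
        age_months = (today.year - day.year) * 12 + today.month - day.month
        wanted = (
            age_days < daily                                        # daily tier (future-dated names are kept too)
            or (day.weekday() == SUNDAY and age_days < weekly * 7)  # weekly tier
            or (day.day == 1 and age_months < monthly)              # monthly tier
        )
        (keep if wanted else delete).append(name)
    return keep, delete


# Constructed input: 400 consecutive daily directories ending on a fixed date.
SAMPLE_TODAY = date(2026, 3, 15)
SAMPLE_NAMES = ["latest"] + [
    (SAMPLE_TODAY - timedelta(days=i)).isoformat() for i in range(400)
]

if __name__ == "__main__":
    keep, delete = plan_retention(SAMPLE_NAMES, SAMPLE_TODAY)
    print(f"keep {len(keep)}, delete {len(delete)}")
    print("oldest kept:", keep[0])
```
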
Disaster Recovery

```python
from dataclasses import dataclass

# === Disaster Recovery Plan ===

# DRBD Replication Setup
# drbdadm create-md nfs_data
# drbdadm up nfs_data
# drbdadm primary nfs_data --force
#
# # /etc/drbd.d/nfs_data.res
# resource nfs_data {
#     protocol C;
#     disk { on-io-error detach; }
#     on nfs-primary {
#         device /dev/drbd0;
#         disk /dev/vg0/lv_shared;
#         address 10.0.0.1:7789;
#         meta-disk internal;
#     }
#     on nfs-secondary {
#         device /dev/drbd0;
#         disk /dev/vg0/lv_shared;
#         address 10.0.0.2:7789;
#         meta-disk internal;
#     }
# }

# Recovery Procedures
# 1. Detect failure (monitoring alert)
# 2. Verify primary is down
# 3. Promote secondary: drbdadm primary nfs_data
# 4. Mount filesystem: mount /dev/drbd0 /data/shared
# 5. Start NFS server: systemctl start nfs-server
# 6. Update DNS/VIP to point to new primary
# 7. Verify client access
# 8. Notify stakeholders


@dataclass
class DRScenario:
    scenario: str
    rpo: str
    rto: str
    action: str
    tested: str


scenarios = [
    DRScenario("Disk Failure", "0 (DRBD sync)", "15 min", "DRBD failover + VIP switch", "Monthly"),
    DRScenario("Server Failure", "0 (DRBD sync)", "30 min", "Promote secondary + DNS update", "Monthly"),
    DRScenario("Datacenter Failure", "4 hours", "4 hours", "Restore from S3 at DR site", "Quarterly"),
    DRScenario("Data Corruption", "Last good backup", "2 hours", "Restore from snapshot/backup", "Monthly"),
    DRScenario("Ransomware", "Last clean backup", "8 hours", "Isolate + restore from offline backup", "Quarterly"),
]

print("Disaster Recovery Scenarios:")
for d in scenarios:
    print(f" [{d.scenario}]")
    print(f" RPO: {d.rpo} | RTO: {d.rto}")
    print(f" Action: {d.action}")
    print(f" Test Frequency: {d.tested}")

monitoring = {
    "NFS Service Status": "systemctl is-active nfs-server",
    "NFS Exports": "showmount -e localhost",
    "DRBD Status": "drbdadm status",
    "Disk Usage": "df -h /data/shared",
    "Backup Status": "check last backup log",
    "Kerberos Tickets": "klist -k /etc/krb5.keytab",
    "Client Mounts": "nfsstat -m",
}

print("\n\nMonitoring Checks:")
for k, v in monitoring.items():
    print(f" [{k}]: {v}")
```
Tips
- krb5p: Always use krb5p for sensitive data; it encrypts everything.
- Snapshot: Take an LVM snapshot before the backup for consistency.
- 3-2-1: Backup rule: 3 copies, 2 media, 1 offsite.
- Test: Test restores every month and DR every quarter.
- Monitor: Check DRBD status and backup status every day.
What is NFS v4?
Network File System v4 Port 2049 Kerberos ACL Delegation Stateful Lock Compound Operations Enterprise Linux Data Center





