NFS v4 Kerberos
NFS v4 Kerberos Backup Recovery Network File System Authentication Encryption ACL Delegation Stateful Backup Strategy Disaster Recovery RPO RTO Enterprise Linux
| NFS Version | Port | Auth | State | Encryption | เหมาะกับ |
|---|---|---|---|---|---|
| NFSv3 | หลาย Port | AUTH_SYS | Stateless | ไม่มี | Legacy |
| NFSv4 | 2049 | Kerberos | Stateful | krb5p | Enterprise |
| NFSv4.1 | 2049 | Kerberos | Stateful | krb5p | pNFS Parallel |
| NFSv4.2 | 2049 | Kerberos | Stateful | krb5p | Server-side Copy |
NFS v4 + Kerberos Setup
# === NFS v4 Server Configuration ===
# Server — Install and Configure
# dnf install nfs-utils krb5-server krb5-workstation -y
# systemctl enable --now nfs-server
# /etc/exports — NFS Shares
# /data/shared 10.0.0.0/24(rw, sync, no_subtree_check, sec=krb5p)
# /data/backup 10.0.0.0/24(rw, sync, no_subtree_check, sec=krb5p)
# /data/readonly 10.0.0.0/24(ro, sync, no_subtree_check, sec=krb5)
# exportfs -rav # Apply changes
# Kerberos KDC Setup
# /etc/krb5.conf
# [libdefaults]
# default_realm = EXAMPLE.COM
# dns_lookup_realm = false
# dns_lookup_kdc = false
#
# [realms]
# EXAMPLE.COM = {
# kdc = kdc.example.com
# admin_server = kdc.example.com
# }
#
# [domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
# Create NFS Principals
# kadmin.local
# addprinc -randkey nfs/nfs-server.example.com@EXAMPLE.COM
# addprinc -randkey nfs/nfs-client.example.com@EXAMPLE.COM
# ktadd -k /etc/krb5.keytab nfs/nfs-server.example.com@EXAMPLE.COM
# Firewall
# firewall-cmd --permanent --add-service=nfs
# firewall-cmd --reload
# Client Mount
# mount -t nfs4 -o sec=krb5p nfs-server:/data/shared /mnt/shared
# /etc/fstab — Persistent Mount
# nfs-server:/data/shared /mnt/shared nfs4 sec=krb5p, rw, hard, intr 0 0
from dataclasses import dataclass
@dataclass
class NFSShare:
path: str
clients: str
security: str
access: str
purpose: str
shares = [
NFSShare("/data/shared", "10.0.0.0/24", "krb5p (encrypted)", "rw", "Shared workspace"),
NFSShare("/data/backup", "10.0.0.0/24", "krb5p (encrypted)", "rw", "Backup destination"),
NFSShare("/data/readonly", "10.0.0.0/24", "krb5 (auth only)", "ro", "Read-only reference"),
NFSShare("/data/home", "10.0.0.0/24", "krb5p (encrypted)", "rw", "Home directories"),
]
print("=== NFS Shares ===")
for s in shares:
print(f" [{s.path}] Security: {s.security}")
print(f" Clients: {s.clients} | Access: {s.access}")
print(f" Purpose: {s.purpose}")Backup Strategy
# === NFS Backup Strategy ===
# Backup Script — rsync with rotation
# #!/bin/bash
# # /usr/local/bin/nfs-backup.sh
# BACKUP_SRC="/data/shared"
# BACKUP_DST="/data/backup"
# DATE=$(date +%Y-%m-%d)
# LOG="/var/log/nfs-backup.log"
#
# # LVM Snapshot for consistent backup
# lvcreate -L 10G -s -n snap_shared /dev/vg0/lv_shared
# mount /dev/vg0/snap_shared /mnt/snapshot -o ro
#
# # Incremental backup with rsync
# rsync -avz --delete \
# --link-dest="$BACKUP_DST/latest" \
# /mnt/snapshot/ \
# "$BACKUP_DST/$DATE/" \
# >> "$LOG" 2>&1
#
# # Update latest symlink
# ln -snf "$BACKUP_DST/$DATE" "$BACKUP_DST/latest"
#
# # Remove snapshot
# umount /mnt/snapshot
# lvremove -f /dev/vg0/snap_shared
#
# # Retention: keep 30 daily, 12 weekly, 12 monthly
# find "$BACKUP_DST" -maxdepth 1 -type d -mtime +30 \
# ! -name "*-01" ! -name "latest" -exec rm -rf {} \;
#
# # Offsite copy to S3
# aws s3 sync "$BACKUP_DST/$DATE/" "s3://backup-bucket/nfs/$DATE/" \
# --storage-class STANDARD_IA
#
# echo "$(date): Backup completed" >> "$LOG"
# Cron Schedule
# 0 2 * * * /usr/local/bin/nfs-backup.sh # Daily 02:00
# 0 3 * * 0 /usr/local/bin/nfs-full-backup.sh # Weekly Sunday 03:00
@dataclass
class BackupPolicy:
backup_type: str
frequency: str
retention: str
storage: str
method: str
rpo: str
policies = [
BackupPolicy("Incremental", "Daily 02:00", "30 days", "Local NFS", "rsync --link-dest", "24 hours"),
BackupPolicy("Full", "Weekly Sunday", "12 weeks", "Local NFS", "rsync full copy", "7 days"),
BackupPolicy("Offsite", "Daily 04:00", "12 months", "S3 Standard-IA", "aws s3 sync", "24 hours"),
BackupPolicy("Archive", "Monthly 1st", "7 years", "S3 Glacier", "aws s3 cp --storage-class", "30 days"),
BackupPolicy("Snapshot", "Every 4 hours", "48 hours", "LVM Snapshot", "lvcreate -s", "4 hours"),
]
print("\n=== Backup Policies ===")
for p in policies:
print(f" [{p.backup_type}] {p.frequency}")
print(f" Retention: {p.retention} | Storage: {p.storage}")
print(f" Method: {p.method} | RPO: {p.rpo}")Disaster Recovery
# === Disaster Recovery Plan ===
# DRBD Replication Setup
# drbdadm create-md nfs_data
# drbdadm up nfs_data
# drbdadm primary nfs_data --force
#
# # /etc/drbd.d/nfs_data.res
# resource nfs_data {
# protocol C;
# disk { on-io-error detach; }
# on nfs-primary {
# device /dev/drbd0;
# disk /dev/vg0/lv_shared;
# address 10.0.0.1:7789;
# meta-disk internal;
# }
# on nfs-secondary {
# device /dev/drbd0;
# disk /dev/vg0/lv_shared;
# address 10.0.0.2:7789;
# meta-disk internal;
# }
# }
# Recovery Procedures
# 1. Detect failure (monitoring alert)
# 2. Verify primary is down
# 3. Promote secondary: drbdadm primary nfs_data
# 4. Mount filesystem: mount /dev/drbd0 /data/shared
# 5. Start NFS server: systemctl start nfs-server
# 6. Update DNS/VIP to point to new primary
# 7. Verify client access
# 8. Notify stakeholders
@dataclass
class DRScenario:
scenario: str
rpo: str
rto: str
action: str
tested: str
scenarios = [
DRScenario("Disk Failure", "0 (DRBD sync)", "15 min", "DRBD failover + VIP switch", "Monthly"),
DRScenario("Server Failure", "0 (DRBD sync)", "30 min", "Promote secondary + DNS update", "Monthly"),
DRScenario("Datacenter Failure", "4 hours", "4 hours", "Restore from S3 at DR site", "Quarterly"),
DRScenario("Data Corruption", "Last good backup", "2 hours", "Restore from snapshot/backup", "Monthly"),
DRScenario("Ransomware", "Last clean backup", "8 hours", "Isolate + restore from offline backup", "Quarterly"),
]
print("Disaster Recovery Scenarios:")
for d in scenarios:
print(f" [{d.scenario}]")
print(f" RPO: {d.rpo} | RTO: {d.rto}")
print(f" Action: {d.action}")
print(f" Test Frequency: {d.tested}")
monitoring = {
"NFS Service Status": "systemctl is-active nfs-server",
"NFS Exports": "showmount -e localhost",
"DRBD Status": "drbdadm status",
"Disk Usage": "df -h /data/shared",
"Backup Status": "check last backup log",
"Kerberos Tickets": "klist -k /etc/krb5.keytab",
"Client Mounts": "nfsstat -m",
}
print(f"\n\nMonitoring Checks:")
for k, v in monitoring.items():
print(f" [{k}]: {v}")เคล็ดลับ
- krb5p: ใช้ krb5p เสมอสำหรับข้อมูลสำคัญ เข้ารหัสทั้งหมด
- Snapshot: ใช้ LVM Snapshot ก่อน Backup เพื่อ Consistency
- 3-2-1: Backup Rule 3 copies 2 media 1 offsite
- Test: ทดสอบ Restore ทุกเดือน DR ทุกไตรมาส
- Monitor: ตรวจสอบ DRBD Status Backup Status ทุกวัน
NFS v4 คืออะไร
Network File System v4 Port 2049 Kerberos ACL Delegation Stateful Lock Compound Operations Enterprise Linux Data Center
Kerberos Authentication ใช้กับ NFS อย่างไร
krb5 Auth krb5i Integrity krb5p Privacy Encryption KDC Principal keytab AUTH_SYS แข็งแรงกว่า
Backup Strategy สำหรับ NFS อย่างไร
Full Weekly Incremental Daily rsync LVM Snapshot S3 Glacier Retention 30 daily 12 weekly 12 monthly Test Restore Monitor
Disaster Recovery Plan ทำอย่างไร
RPO RTO Secondary DRBD GlusterFS Replication DR Test Quarterly Runbook Recovery Promote DNS VIP Failover
สรุป
NFS v4 Kerberos Backup Recovery Strategy krb5p Encryption rsync LVM Snapshot S3 DRBD Disaster Recovery RPO RTO Replication Production Operations
