关闭NFS Server导致NFS Client非root用户ssh登录慢
今天在关闭了NFS服务器后发现了一个比较奇怪的现象,当用root用户ssh登录NFS client时速度正常,而使用其它用户ssh登录时速度很慢。同时由root用户su到其它用户时速度也很慢。以下是模拟测试:
192.168.2.45(主机名:jumpstart)是NFS服务器,192.168.2.30(主机名:vxsvr)是NFS client。
1. 在192.168.2.30上mount NFS
root@vxsvr:/ #>mount -F nfs 192.168.2.45:/jumpstart/Solaris10U10_x64/config /mnt
root@vxsvr:/ #>df -h
Filesystem size used avail capacity Mounted on……
192.168.2.45:/jumpstart/Solaris10U10_x64/config
9.8G 4.2G 5.5G 44% /mntroot@vxsvr:/ #>cd /mnt
root@vxsvr:/mnt #>ls
check profile rules rules.ok sysidcfg
2. 在192.168.2.30上测试root用户和非root用户ssh登录
登录速度均正常。
3. 停止NFS server
root@jumpstart:/ #>sync; sync;
root@jumpstart:/ #>halt (这里使用halt直接关机)
4. 在192.168.2.30上测试root用户和非root用户ssh登录
root用户登录速度正常,非root用户登录速度很慢。同时由root用户su到其它用户时也很慢。
5. debug ssh登录
-bash-3.2$ ssh -v jyu@192.168.2.30
Sun_SSH_1.1.4, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to 192.168.2.30 [192.168.2.30] port 22.
debug1: Connection established.
debug1: identity file /export/home/jyu/.ssh/identity type -1
debug1: identity file /export/home/jyu/.ssh/id_rsa type -1
debug1: identity file /export/home/jyu/.ssh/id_dsa type -1
debug1: Logging to host: 192.168.2.30
debug1: Local user: jyu Remote user: jyu
debug1: Remote protocol version 2.0, remote software version Sun_SSH_1.1.4
debug1: match: Sun_SSH_1.1.4 pat Sun_SSH_1.1.*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-Sun_SSH_1.1.4
debug1: use_engine is 'yes'
debug1: pkcs11 engine initialized, now setting it as default for RSA, DSA, and symmetric ciphers
debug1: pkcs11 engine initialization complete
debug1: Failed to acquire GSS-API credentials for any mechanisms (No credentials were supplied, or the credentials were unavailable or inaccessible
Unknown code 0
)
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: Peer sent proposed langtags, ctos: bn-IN,en-CA,en-IN,en-SG,en-US,es,es-MX,fr,fr-CA,gu-IN,hi-IN,id-ID,ja-JP,kn-IN,ko,ko-KR,mr-IN,ms-MY,ta-IN,te-IN,th-TH,zh,zh-CN,zh-HK,zh-SG,zh-TW,ja,th,i-default
debug1: Peer sent proposed langtags, stoc: bn-IN,en-CA,en-IN,en-SG,en-US,es,es-MX,fr,fr-CA,gu-IN,hi-IN,id-ID,ja-JP,kn-IN,ko,ko-KR,mr-IN,ms-MY,ta-IN,te-IN,th-TH,zh,zh-CN,zh-HK,zh-SG,zh-TW,ja,th,i-default
debug1: We proposed langtags, ctos: i-default
debug1: We proposed langtags, stoc: i-default
debug1: Negotiated lang: i-default
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: Remote: Negotiated main locale: C
debug1: Remote: Negotiated messages locale: C
debug1: dh_gen_key: priv key bits set: 135/256
debug1: bits set: 1576/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.2.30' is known and matches the RSA host key.
debug1: Found key in /export/home/jyu/.ssh/known_hosts:1
debug1: bits set: 1553/3191
debug1: ssh_rsa_verify: signature correct
debug1: newkeys: mode 1
debug1: set_newkeys: setting new keys for 'out' mode
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: set_newkeys: setting new keys for 'in' mode
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: Next authentication method: gssapi-with-mic
debug1: Failed to acquire GSS-API credentials for any mechanisms (No credentials were supplied, or the credentials were unavailable or inaccessible
Unknown code 0
)
debug1: Next authentication method: publickey
debug1: Trying private key: /export/home/jyu/.ssh/identity
debug1: Trying private key: /export/home/jyu/.ssh/id_rsa
debug1: Trying private key: /export/home/jyu/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentication succeeded (keyboard-interactive)
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: channel request 0: pty-req
debug1: channel request 0: shell
debug1: fd 4 setting TCP_NODELAY
debug1: channel 0: open confirm rwindow 0 rmax 32768
Last login: Tue Mar 27 15:49:54 2012 from vxsvrDebug时发现,ssh登录时很快就提示输入密码,输入密码后很快出现了Authentication succeeded信息,而在出现last login提示信息后,要等一段时间才出现shell提示符。这说明登录慢并不是慢在用户验证上。
6. 问题处理和解决
由于发现问题时是在关闭NFS服务器以后,所以很容易就想到这个问题可能与NFS有关。
检查NFS Client mount的NFS文件系统
root@vxsvr:/ #>mount
……
/mnt on 192.168.2.45:/jumpstart/Solaris10U10_x64/config remote/read/write/setuid/devices/rstchown/xattr/dev=4f80002 on Tue Mar 27 15:32:24 2012
NFS Client中显示NFS文件系统还mount在mnt下
umount NFS文件系统
root@vxsvr:/ #>umount /mnt
如果直接umount不行的话,就使用-f强击umount.
root@vxsvr:/ #>umount -f /mnt
再次测试用户登录和su操作,发现此时登录速度恢复正常。
由此可以看出root用户登录和非root用户登录有很大不同。无论NFS文件系统是否正常,root用户都可以快速登录;而在NFS文件系统不正常时,非root用户似乎需要等待NFS超时后才能登录完成。
