| 1 | +--- |
| 2 | +title: Network File System |
| 3 | +author: Antoine Le Morvan |
| 4 | +contributors: Steven Spencer, Serge |
| 5 | +--- |
| 6 | +# Network File System |
| 7 | + |
| 8 | +**Knowledge**: :star: :star: |
| 9 | +**Complexity**: :star: :star: |
| 10 | + |
| 11 | +**Reading time**: 15 minutes |
| 12 | + |
| 13 | +**N**etwork **F**ile **S**ystem (**NFS**) is a network-mounted file-sharing system. |
| 14 | + |
| 15 | +## Generalities |
| 16 | + |
| 17 | +NFS is a client/server protocol: the server provides file system resources for all or part of the network (clients). |
| 18 | + |
| 19 | +The communication between clients and server takes place by way of **R**emote **P**rocedure **C**all (**RPC**) services. |
| 20 | + |
| 21 | +Remote files are mounted in a directory and appear as a local file system. Client users seamlessly access files shared by the server, browsing directories as if they were local. |
| 22 | + |
| 23 | +## Installation |
| 24 | + |
| 25 | +NFS requires two services to function: |
| 26 | + |
| 27 | +* The `network` service (of course) |
| 28 | +* The `rpcbind` service |
| 29 | + |
| 30 | +View the status of the services with the command: |
| 31 | + |
| 32 | +``` |
| 33 | +systemctl status rpcbind |
| 34 | +``` |
| 35 | + |
| 36 | +If the `nfs-utils` package is not installed: |
| 37 | + |
| 38 | +``` |
| 39 | +sudo dnf install nfs-utils |
| 40 | +``` |
| 41 | + |
| 42 | +The `nfs-utils` package requires the installation of several dependencies, including `rpcbind`. |
| 43 | + |
| 44 | +Start the NFS service with: |
| 45 | + |
| 46 | +``` |
| 47 | +sudo systemctl enable --now nfs-server rpcbind |
| 48 | +``` |
| 49 | + |
| 50 | +Installing the NFS service creates two users: |
| 51 | + |
| 52 | +* `nobody`: used for anonymous connections |
| 53 | +* `rpcuser`: for RPC protocol operation |
| 54 | + |
| 55 | +Configuring the firewall is necessary: |
| 56 | + |
| 57 | +``` |
| 58 | +sudo firewall-cmd --add-service={nfs,nfs3,mountd,rpc-bind} --permanent |
| 59 | +sudo firewall-cmd --reload |
| 60 | +``` |
| 61 | + |
| 62 | +## Server configuration |
| 63 | + |
| 64 | +!!! warning "warning" |
| 65 | + |
| 66 | + Directory rights and NFS rights must be consistent. |
| 67 | + |
| 68 | +### The `/etc/exports` file |
| 69 | + |
| 70 | +Set up resource shares with the `/etc/exports` file. Each line in this file corresponds to an NFS share. |
| 71 | + |
| 72 | +``` |
| 73 | +/share_name client1(permissions) client2(permissions) |
| 74 | +``` |
| 75 | + |
| 76 | +* **/share_name**: Absolute path of shared directory |
| 77 | +* **clients**: Clients authorized to access resources |
| 78 | +* **(permissions)**: Permissions on resources |
| 79 | + |
| 80 | +Declare machines authorized to access resources with: |
| 81 | + |
| 82 | +* **IP address**: `192.168.1.2` |
| 83 | +* **Network address**: `192.168.1.0/255.255.255.0` or CIDR format `192.168.1.0/24` |
| 84 | +* **FQDN**: client_*.rockylinux.org: allows FQDNs starting with client_ from the rockylinux.org domain |
| 85 | +* `*` for everybody |
| 86 | + |
| 87 | +Specification of multiple clients is possible on the same line separated by a space. |
| 88 | + |
| 89 | +### Permissions on resources |
| 90 | + |
| 91 | +There are two types of permissions: |
| 92 | + |
| 93 | +* `ro`: read-only |
| 94 | +* `rw`: read-write |
| 95 | + |
| 96 | +If no right is specified, then the right applied will be read-only. |
| 97 | + |
| 98 | +By default, the NFS server preserves the client user UIDs and GIDs (except for `root`). |
| 99 | + |
| 100 | +To force the use of a UID or GID other than that of the user writing the resource, specify the `anonuid=UID` and `anongid=GID` options, or give `anonymous` access to the data with the `all_squash` option. |
| 101 | + |
| 102 | +!!! warning "warning" |
| 103 | + |
| 104 | + There is a parameter, `no_root_squash`, which identifies the client root user as the server root user. This parameter can be dangerous from a system security point of view. |
| 105 | + |
| 106 | +Activation of the `root_squash` parameter is a default (even if not specified), identifying `root` as an `anonymous` user. |
| 107 | + |
| 108 | +### Case studies |
| 109 | + |
| 110 | +* `/share client(ro,all_squash)` |
| 111 | +Client users have read-only access to resources and are identified as anonymous on the server. |
| 112 | + |
| 113 | +* `/share client(rw)` |
| 114 | +Client users can modify resources and keep their UID on the server. Only `root` is identified as `anonymous`. |
| 115 | + |
| 116 | +* `/share client1(rw) client2(ro)` |
| 117 | +Users on client workstation 1 can modify resources, while those on client workstation 2 have read-only access. |
| 118 | +UIDs are kept on the server, and only `root` is identified as `anonymous`. |
| 119 | + |
| 120 | +* `/share client(rw,all_squash,anonuid=1001,anongid=100)` |
| 121 | +Client1 users can modify resources. Their UID is changed to `1001` and their GID to `100` on the server. |
| 122 | + |
| 123 | +### The `exportfs` command |
| 124 | + |
| 125 | +The `exportfs` (exported file systems) command is used to manage the table of local files shared with NFS clients. |
| 126 | + |
| 127 | +``` |
| 128 | +exportfs [-a] [-r] [-u share_name] [-v] |
| 129 | +``` |
| 130 | + |
| 131 | +| Options | Description | |
| 132 | +| --------------- | ----------------------------------------- | |
| 133 | +| `-a` | Enables NFS shares | |
| 134 | +| `-r` | Applies shares from the `/etc/exports` file | |
| 135 | +| `-u share_name` | Disables a given share | |
| 136 | +| `-v` | Displays the list of shares | |
| 137 | + |
| 138 | +### The `showmount` command |
| 139 | + |
| 140 | +Use the `showmount` command to monitor clients. |
| 141 | + |
| 142 | +``` |
| 143 | +showmount [-a] [-e] [host] |
| 144 | +``` |
| 145 | + |
| 146 | +| Options | Description | |
| 147 | +| ------- | ----------------------------------------- | |
| 148 | +| `-e` | Displays shares on the designated server | |
| 149 | +| `-a` | Displays all current shares on the server | |
| 150 | + |
| 151 | +This command also determines whether the client workstation has authorization to mount shared resources. |
| 152 | + |
| 153 | +!!! note "note" |
| 154 | + |
| 155 | + `showmount` sorts and hides duplicates in the results, so it's impossible to determine whether a client has made multiple mounts of the same directory or not. |
| 156 | + |
| 157 | +## Client configuration |
| 158 | + |
| 159 | +Shared resources on an NFS server are accessible through a mount point on the client. |
| 160 | + |
| 161 | +If required, create a local folder for mounting: |
| 162 | + |
| 163 | +``` |
| 164 | +$ sudo mkdir /mnt/nfs |
| 165 | +``` |
| 166 | + |
| 167 | +List available NFS shares on the server: |
| 168 | + |
| 169 | +``` |
| 170 | +$ showmount –e 172.16.1.10 |
| 171 | +/share * |
| 172 | +``` |
| 173 | + |
| 174 | +Mount the server's NFS share: |
| 175 | + |
| 176 | +``` |
| 177 | +$ mount –t nfs 172.16.1.10:/share /mnt/nfs |
| 178 | +``` |
| 179 | + |
| 180 | +Automation of the mount can happen at system startup with the `/etc/fstab` file: |
| 181 | + |
| 182 | +``` |
| 183 | +$ sudo vim /etc/fstab |
| 184 | +172.16.1.10:/share /mnt/nfs nfs defaults 0 0 |
| 185 | +``` |
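Review bot: the two client-side commands in the "Client configuration" section use an en dash (–) instead of a hyphen-minus before the option, so `showmount –e 172.16.1.10` and `mount –t nfs 172.16.1.10:/share /mnt/nfs` fail when copied as written; they should read `showmount -e 172.16.1.10` and `sudo mount -t nfs 172.16.1.10:/share /mnt/nfs` (the mount needs root, consistent with the `sudo mkdir /mnt/nfs` just above it). Two smaller points: the last case study declares `/share client(rw,all_squash,anonuid=1001,anongid=100)` but its description says "Client1 users", which should be "Client users" to match the other entries; and since the `/etc/exports` section lists `*` as a valid client, the `no_root_squash` warning would read stronger if it also said that `*` exports the share to every host that can reach the server, so the client list in `/etc/exports` and the firewall rule opened earlier are the real access control and should be kept as narrow as the deployment allows.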