top of page

NFS CONFIGURATION IN LINUX UBUNTU -16.04.3-server

  • Writer: Sankalpa H.T.S
    Sankalpa H.T.S
  • Jul 4, 2018
  • 6 min read

Updated: Oct 14, 2019


ree

NFS, or Network File System, is a distributed file system protocol that allows you to mount remote directories on your server. This lets you manage storage space in a different location and write to that space from multiple clients. NFS provides a relatively quick and easy way to access remote systems over a network and works well in situations where the shared resources will be accessed regularly. In this guide, we'll cover how to configure NFS mounts.


Throughout the tutorial, we refer to the server that shares its directories as the host and the server that mounts these directories as the client. In order to keep them straight, we’ll use the following IP addresses as stand-ins for the host and client values:


Client: 192.168.100.8 host name - “nfs_client

Host: 192.168.100.9 host name - “nfs_server


You should replace these values with your own host and client ip addresses.


On the Host


On this server, we need to install a package called nfs-common, which provides NFS functionality without including unneeded server components. Again, we will refresh the local package index prior to installation to ensure that we have up-to-date information:

ree

On the Client


On this server, we will install the nfs-kernel-server package, which will allow us to share our directories. Since this is the first operation that we're performing with apt in this session, we'll refresh our local package index before the installation:

ree

Creating the Share Directories on the Client


We're going to share two separate directories, with different configuration settings, in order to illustrate two key ways that NFS mounts can be configured with respect to superuser access.


Superusers can do anything anywhere on their system. However, NFS-mounted directories are not part of the system on which they are mounted, so by default, the NFS server refuses to perform operations that require superuser privileges. This default restriction means that superusers on the client cannot write files as root, re-assign ownership, or perform any other superuser tasks on the NFS mount.


Sometimes, however, there are trusted users on the client system who need to be able to do these things on the mounted file system but who have no need for superuser access on the host. The NFS server can be configured to allow this, although it introduces an element of risk, as such a user could gain root access to the entire host system.


Example 1: Exporting a General Purpose Mount


In the first example, we’ll create a general-purpose NFS mount that uses default NFS behavior to makes it difficult for a user with root privileges on the client machine to interact with the client using those host superuser privileges. You might use something like this to store the files uploaded using a content management system or to create space for users to easily share project files. First, make a share directory called nfs:

ree

Since we’re creating it with super user mod, the directory is owned by root here on the client.

ree

NFS will translate any root operations on the host to the nobody:nogroup credentials as a security measure. Therefore, we need to change the directory ownership to match those credentials.

ree

Example 2: Exporting the Home Director


In our second example, the goal is to make user home directories stored on the host available on host servers, while allowing trusted administrators of those host servers the access they need to conveniently manage users.


To do this, we’ll export the /home directory. Since it already exists, we don’t need to create it. We won’t change the permissions, either. If we did, it would cause all kinds of issues for anyone with a home directory on the client machine.


Configuring the NFS Exports on the Client Server


Next, we’ll dive into the NFS configuration file to set up the sharing of these resources. Open the /etc/exports file in your text editor with root privileges:

ree

File looks like below:

ree

We’ll need to create a line for each of the directories that we plan to share. Since our example host has an IP of 192.168.100.9, our lines will look like the following. Be sure to change the IPs to match your host:

ree

We’re using the same configuration options for both directories with the exception of no_root_squash.


Let’s take a look at what each one means.


rw: This option gives the hostt computer both read and write access to the volume.

sync: This option forces NFS to write changes to disk before replying. This results in a more stable and consistent environment since the reply reflects the actual state of the remote volume. However, it also reduces the speed of file operations.

no_subtree_check: This option prevents subtree checking, which is a process where the client must check whether the file is actually still available in the exported tree for every request. This can cause many problems when a file is renamed while the client has it opened. In almost all cases, it is better to disable subtree checking.

no_root_squash: By default, NFS translates requests from a root user remotely into a non-privileged user on the server. This was intended as security feature to prevent a root account on the host from using the file system of the client as root. no_root_squash disables this behavior for certain shares.


When you are finished making your changes, save and close the file. Then, to make the shares available to the hosts that you configured, restart the NFS server with the following command:

ree

tail -f /var/log/syslog for errors:

ree

Service will be restarted.

ree

Adjusting the IPTABLES on the Client


First, let’s check the iptables rule list to see if it has some rules and if so, to see what's currently permitted:

ree

Here we can see there are no existing rules.


Best practice recommends that you add the most restrictive rule that will still allow the traffic you want to permit, so rather than enabling traffic from just anywhere, we’ll be specific.


Use the following command to open port 2049 on the client, being sure to substitute your client's ip address:

ree

Confirm the added iptable rule:

ree

Creating the Mount Points on the Host


Now that the client server is configured and serving its shares, we’ll prepare our host.

In order to make the remote shares available on the host, we need to mount the client directory on an empty host directory.


Note: If there are files and directories in your mount point, as soon as you mount the NFS share, they’ll be hidden. Be sure if you mount in a directory that already exists that the directory is empty.


We’ll create two directories for our mounts:

ree

Verify the directories we made:

ree

Mounting the Directories on the Host


Now that we have some place to put the remote shares and we've added the iptable rule to ACCEPT the incoming traffic to port 2049 , we can mount the shares by addressing our client server, which in this guide is 192.168.100.8, like this:


Before we mount type and see df -h command:

ree

These commands should mount the shares from the host computer onto the host machine.

ree

You can double-check that they mounted successfully in several ways. You can check this with a plain mount or findmnt command, but df -h will give you more human readable output illustrates how disk usage is displayed differently for the nfs shares:

ree

Testing NFS Access


First, write a test file to the /var/nfs/general share.

ree

touch amaa.txt

ree

Then, check its ownership:

ree

Because we mounted this volume without changing NFS’s default behavior and created the file as the host machine’s root user via the sudo command, ownership of the file defaults to nobody:nogroup. Host superusers won’t be able to perform typical administrative actions, like changing the owner of a file or creating a new directory for a group of users, on this NFS-mounted share.


In the client machine check whether the test file amaa.txt we created in client machine is also created in its mount point:

ree

The Home Directory Share


To compare the permissions of the General Purpose share with the Home Directory share, create a file Home Directory the same way:

ree

It already shows you the directories exist in client machine’s home folder in the host’s mount directory: write a test file to the /home/nfs/home:

ree

Verify it:

ree

On the client machine check whether the created file shared:

ree

Mounting the Remote NFS Directories at Boot


We can mount the remote NFS shares automatically at boot by adding them to /etc/fstab file on the host.


Open this file with root privileges in your text editor:

ree

File will looks like below:

ree

At the bottom of the file, we're going to add a line for each of our shares. They will look like this:

ree

The host server will automatically mount the remote partitions at boot, although it may take a few moments for the connection to be made and the shares to be available.

ree

Check now for verify mount points:

ree

Unmounting an NFS Remote Share


If you no longer want the remote directory to be mounted on your system, you can unmount it by moving out of the share's directory structure and unmounting, like this:

ree

Check whether unmount the remote share. This will remove the remote shares, leaving only your local storage accessible:

ree

If you also want to prevent them from being remounted on the next reboot, edit /etc/fstab and either delete the line or comment it out by placing a # symbol at the beginning of the line. You can also prevent auto-mounting by removing the auto option, which will allow you to mount it manually.


References

http://nfs.sourceforge.net/

https://help.ubuntu.com/community/NFSv4Howto

 
 
 

Comments


bottom of page