19.2 About NFS

19.2.1 Configuring an NFS Server
19.2.2 Mounting an NFS File System

A Network File System (NFS) server can share directory hierarchies in its local file systems with remote client systems over an IP-based network. After an NFS server exports a directory, NFS clients mount this directory if they have been granted permission to do so. The directory appears to the client systems as if it were a local directory. NFS centralizes storage provisioning and can improve data consistency and reliability.

Oracle Linux supports three versions of the NFS protocol:

NFSv2 and NFSv3 rely on Remote Procedure Call (RPC) services, which are controlled by the rpcbind service. rpcbind responds to requests for an RPC service and sets up connections for the requested service. In addition, separate lockd and rpc.statd services are used to handle the locking and mounting protocols. Configuring a firewall to cope with the various ranges of ports that are used by all these services is complex and error-prone.

NFSv4 does not use rpcbind, because the NFS server itself listens on TCP port 2049 for service requests. The mounting and locking protocols are integrated into the NFSv4 protocol, so the lockd and rpc.statd services are not required either. These refinements mean that firewall configuration for NFSv4 is no more difficult than for a service such as HTTP.

The following list describes the services that are used with versions 2, 3, and 4 of NFS, together with the NFS versions in which each service is used:

lockd (versions 2 and 3)
    Handles the RPC processes that allow NFS clients to obtain locks on files on the server. Started by the nfslock service.

nfs (versions 2, 3, and 4)
    Starts all services that are required to implement shared NFS file systems. If only NFSv4 clients can access the server, this is the only NFS service that needs to be started explicitly.

nfsd (versions 2, 3, and 4)
    Implements the kernel-space part of the NFS service. Started by the nfs service.

nfslock (versions 2 and 3)
    Starts the RPC processes that allow NFS clients to lock files on the server. Start this service after the nfs service to support NFSv2 and NFSv3 clients.

rpcbind (versions 2 and 3)
    Responds to requests for an RPC service and sets up connections for the requested service. Start this service before the nfs service to support NFSv2 and NFSv3 clients. For more information, see the rpcbind(8) manual page.

rpc.gssd and rpc.svcgssd (versions 2, 3, and 4)
    Implement the RPCSEC_GSS protocol, which provides authentication only (krb5), integrity protection (krb5i), or privacy protection (krb5p) for protocols that use RPC. Before a client can send any RPC requests, it must first establish a security context with the server. Started by the nfs service if cryptographic security is enabled. For more information, see the exports(5), rpc.gssd(8), and rpc.svcgssd(8) manual pages.

rpc.idmapd (version 4)
    Provides mapping between NFSv4 names (strings of the form user@domain) and local UIDs and GIDs, using definitions in /etc/idmapd.conf. Started by the nfs service. For more information, see the idmapd.conf(5) and rpc.idmapd(8) manual pages.

rpc.mountd (versions 2, 3, and 4)
    Handles mount requests from NFSv2 and NFSv3 clients by checking that the NFS server exports the requested NFS share and that the client is allowed to access it. For NFSv4, this service is required only to set up exports. Started by the nfs service. For more information, see the rpc.mountd(8) manual page.

rpc.nfsd (versions 2, 3, and 4)
    Implements the user-space part of the NFS service, which specifies on what sort of sockets the kernel service should listen, what NFS versions it supports, and how many kernel threads it should use. The number of threads is visible and settable via /proc/fs/nfsd/threads. Started by the nfs service. For more information, see the rpc.nfsd(8) manual page.

rpc.rquotad (versions 2, 3, and 4)
    Provides quota information for the quota command to display user quotas for remote file systems and for the edquota command to set quotas on remote file systems. Started by the nfs service. For more information, see the rpc.rquotad(8) manual page.

rpc.statd (versions 2 and 3)
    Implements the Network Status Monitor (NSM) RPC protocol, which notifies NFS clients when an NFS server has restarted after an uncontrolled shutdown or system crash. Started by the nfslock service. For more information, see the rpc.statd(8) manual page.

19.2.1 Configuring an NFS Server

To configure an NFS server:

  1. Install the nfs-utils package:

    # yum install nfs-utils
  2. Edit the /etc/exports file to define the directories that the server will make available for clients to mount, for example:

    /var/folder 192.0.2.102(rw,async)
    /usr/local/apps *(all_squash,anonuid=501,anongid=501,ro)
    /var/projects/proj1 192.168.1.0/24(ro) mgmtpc(rw)

    Each entry consists of the local path to the exported directory, followed by a list of clients that can mount the directory, each with its client-specific export options in parentheses. In this example:

    • The client system with the IP address 192.0.2.102 can mount /var/folder with read and write permissions. All writes to the disk are asynchronous, which means that the server does not wait for write requests to be written to disk before responding to further requests from the client.

    • All clients can mount /usr/local/apps read-only, and all connecting users including root are mapped to the local unprivileged user with UID 501 and GID 501.

    • All clients on the 192.168.1.0 subnet can mount /var/projects/proj1 read-only, and the client system named mgmtpc can mount the directory with read-write permissions.

    Note

    There is no space between a client specifier and the parenthesized list of options.

    For more information, see the exports(5) manual page.

  3. If the server will serve NFSv2 and NFSv3 clients, start the rpcbind service, and configure the service to start following a system reboot:

    # service rpcbind start
    # chkconfig rpcbind on
  4. Start the nfs service, and configure the service to start following a system reboot:

    # service nfs start
    # chkconfig nfs on
  5. If the server will serve NFSv2 and NFSv3 clients, start the nfslock service, and configure the service to start following a system reboot:

    # service nfslock start
    # chkconfig nfslock on
  6. If the server will serve NFSv4 clients, edit /etc/idmapd.conf and edit the definition for the Domain parameter to specify the DNS domain name of the server, for example:

    Domain = mydom.com

    This setting prevents the owner and group from being unexpectedly listed as the anonymous user or group (nobody or nogroup) on NFS clients when the all_squash export option has not been specified.

  7. If you need to allow access through the firewall for NFSv4 clients only, use the following commands to configure iptables to allow NFSv4 connections and save the change to the firewall configuration:

    # iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
    # service iptables save

    This configuration assumes that rpc.nfsd listens for client requests on TCP port 2049.

  8. If you need to allow access through the firewall for NFSv2 and NFSv3 clients as well as NFSv4 clients:

    1. Stop the firewall service:

      # service iptables stop
    2. Edit /etc/sysconfig/nfs and create entries for the following port settings:

      # TCP port rpc.lockd should listen on.
      LOCKD_TCPPORT=32803
      
      # UDP port rpc.lockd should listen on.
      LOCKD_UDPPORT=32769
      
      # Port rpc.mountd should listen on.
      MOUNTD_PORT=892
      
      # Port rpc.statd should listen on.
      STATD_PORT=662

      The port values shown in this example are the default settings that are commented out in the file.

    3. To verify that none of the ports specified in /etc/sysconfig/nfs is in use, enter the following commands:

      # lsof -i tcp:32803
      # lsof -i udp:32769
      # lsof -i :892
      # lsof -i :662

      If any port is in use, use the lsof -i command to determine an unused port and amend the setting in /etc/sysconfig/nfs.

    4. Stop and restart the nfslock and nfs services:

      # service nfslock stop
      # service nfs stop
      # service nfs start
      # service nfslock start

      NFS fails to start if one of the specified ports is in use, and reports an error in /var/log/messages. Edit /etc/sysconfig/nfs to use a different port number for the service that could not start, and attempt to restart the nfslock and nfs services. You can use the rpcinfo -p command to confirm on which ports RPC services are listening.

    5. Restart the firewall service, configure iptables to allow NFSv2 and NFSv3 connections, and save the change to the firewall configuration:

      # service iptables start
      # iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
      # iptables -I INPUT -p udp -m udp --dport 2049 -j ACCEPT
      # iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
      # iptables -I INPUT -p udp -m udp --dport 111 -j ACCEPT
      # iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 32803 -j ACCEPT
      # iptables -I INPUT -p udp -m udp --dport 32769 -j ACCEPT
      # iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 892 -j ACCEPT
      # iptables -I INPUT -p udp -m udp --dport 892 -j ACCEPT
      # iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 662 -j ACCEPT
      # iptables -I INPUT -p udp -m udp --dport 662 -j ACCEPT
      # service iptables save

      The port values shown in this example assume that the default port settings in /etc/sysconfig/nfs are available for use by RPC services. This configuration also assumes that rpc.nfsd and rpcbind listen on ports 2049 and 111 respectively.

  9. Use the showmount -e command to display a list of the exported file systems, for example:

    # showmount -e
    Export list for host01.mydom.com
    /var/folder 192.0.2.102
    /usr/local/apps *
    /var/projects/proj1 192.168.1.0/24 mgmtpc

    showmount -a lists the current clients and the file systems that they have mounted, for example:

    # showmount -a
    mgmtpc.mydom.com:/var/projects/proj1

    Note

    To be able to use the showmount command from NFSv4 clients, MOUNTD_PORT must be defined in /etc/sysconfig/nfs and a firewall rule must allow access on this TCP port.

If you want to export or unexport directories without editing /etc/exports and restarting the NFS service, use the exportfs command. The following example makes /var/dev available with read and write access by all clients, and ignores any existing entries in /etc/exports:

# exportfs -i -o rw *:/var/dev

For more information, see the exportfs(8), exports(5), and showmount(8) manual pages.
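The /etc/exports syntax from step 2 can be checked before the exports are loaded, in particular for the spacing mistake described in the Note, which turns a per-client option list into one that applies to every host. The following shell function is an added example, not code from the Oracle Linux guide; the sample exports it reads are constructed, and the finding labels (WORLD, RW, ROOT, ASYNC) are this example's own.

```shell
#!/bin/sh
# Added example (not from the guide): lint /etc/exports-style lines read on stdin.
# Findings, one per line, using labels chosen for this example:
#   WORLD  an options list "(...)" with no client in front of it (a space was left
#          between the client and the options, so the options apply to every
#          host), or a wildcard client such as "*"
#   RW     rw granted to a wildcard client or to a whole subnet
#   ROOT   no_root_squash: remote root keeps UID 0 on the export
#   ASYNC  async: acknowledged writes can be lost if the server crashes
lint_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }                          # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            tok = $i; client = tok; opts = ""
            if (match(tok, /\(.*\)$/)) {             # split "client(opt,opt)"
                client = substr(tok, 1, RSTART - 1)
                opts = substr(tok, RSTART + 1, RLENGTH - 2)
            }
            who = (client == "") ? "every host" : client
            wild = (client == "" || client ~ /[*?]/)
            if (client == "")
                printf "WORLD %s: \"(%s)\" has no client in front of it; applies to every host\n", path, opts
            else if (wild)
                printf "WORLD %s: exported to wildcard %s\n", path, client
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "rw" && (wild || index(client, "/") > 0))
                    printf "RW %s: rw granted to %s\n", path, who
                if (o[j] == "no_root_squash")
                    printf "ROOT %s: %s keeps remote root as UID 0\n", path, who
                if (o[j] == "async")
                    printf "ASYNC %s: async writes for %s\n", path, who
            }
        }
    }'
}

# Constructed sample: the three exports from step 2 plus the spacing mistake
# that the Note warns about.
lint_exports <<'EOF'
/var/folder 192.0.2.102(rw,async)
/usr/local/apps *(all_squash,anonuid=501,anongid=501,ro)
/var/projects/proj1 192.168.1.0/24(ro) mgmtpc(rw)
/srv/backup mgmtpc (rw,no_root_squash)
EOF
```

Run it as `lint_exports < /etc/exports` on a server to review the live file; a clean line produces no output.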

19.2.2 Mounting an NFS File System

To mount an NFS file system on a client:

  1. Install the nfs-utils package:

    # yum install nfs-utils
  2. Use showmount -e to discover what file systems an NFS server exports, for example:

    # showmount -e host01.mydom.com
    Export list for host01.mydom.com
    /var/folder 192.0.2.102
    /usr/local/apps *
    /var/projects/proj1 192.168.1.0/24 mgmtpc
  3. Use the mount command to mount an exported NFS file system on an available mount point:

    # mount -t nfs -o ro,nosuid host01.mydom.com:/usr/local/apps /apps

    This example mounts /usr/local/apps exported by host01.mydom.com with read-only permissions on /apps. The nosuid option prevents remote users from gaining higher privileges by running a setuid program.

  4. To configure the system to mount an NFS file system at boot time, add an entry for the file system to /etc/fstab, for example:

    host01.mydom.com:/usr/local/apps      /apps      nfs      ro,nosuid  0 0

For more information, see the mount(8), nfs(5), and showmount(8) manual pages.
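The fstab entry in step 4 carries ro and nosuid. The following shell function, an added example that is not part of the guide, reads fstab-style lines and reports NFS entries that lack either option; the sample entries it reads are constructed, and the NOSUID and RW labels are this example's own.

```shell
#!/bin/sh
# Added example (not from the guide): check /etc/fstab-style lines read on stdin
# and report NFS entries that lack the protections used in step 4 (ro, nosuid).
check_nfs_fstab() {
    awk '
    /^[ \t]*(#|$)/ { next }                    # skip comments and blank lines
    $3 != "nfs" && $3 != "nfs4" { next }       # only NFS entries are of interest
    {
        n = split($4, o, ",")                  # field 4 is the mount option list
        nosuid = 0; ro = 0
        for (i = 1; i <= n; i++) {
            if (o[i] == "nosuid") nosuid = 1
            if (o[i] == "ro")     ro = 1
        }
        if (!nosuid)
            printf "NOSUID %s on %s: a setuid program on the export can run with elevated privileges; use \"%s,nosuid\"\n", $1, $2, $4
        if (!ro)
            printf "RW %s on %s: mounted read-write\n", $1, $2
    }'
}

# Constructed sample fstab: the entry from step 4 plus two weaker NFS entries
# and one local file system that the check ignores.
check_nfs_fstab <<'EOF'
host01.mydom.com:/usr/local/apps     /apps      nfs   ro,nosuid   0 0
host01.mydom.com:/var/folder         /data      nfs   rw          0 0
host01.mydom.com:/var/projects/proj1 /projects  nfs4  ro          0 0
/dev/sda1                            /          ext4  defaults    1 1
EOF
```

Run it as `check_nfs_fstab < /etc/fstab` on a client to review the live file.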