21.2.1 Configuring an NFS Server

To configure an NFS server:

  1. Install the nfs-utils package:

    # yum install nfs-utils

  2. Edit the /etc/exports file to define the directories that the server will make available for clients to mount, for example:

    /var/folder 192.0.2.102(rw,async)
    /usr/local/apps *(all_squash,anonuid=501,anongid=501,ro)
    /var/projects/proj1 192.168.1.0/24(ro) mgmtpc(rw)

    Each entry consists of the local path to the exported directory, followed by a list of clients that can mount the directory, with client-specific mount options in parentheses. In this example:

    • The client system with the IP address 192.0.2.102 can mount /var/folder with read and write permissions. All writes to the disk are asynchronous, which means that the server does not wait for write requests to be written to disk before responding to further requests from the client.

    • All clients can mount /usr/local/apps read-only, and all connecting users including root are mapped to the local unprivileged user with UID 501 and GID 501.

    • All clients on the 192.168.1.0 subnet can mount /var/projects/proj1 read-only, and the client system named mgmtpc can mount the directory with read-write permissions.

    Note

    There is no space between a client specifier and the parenthesized list of options.

    For more information, see the exports(5) manual page.

  3. If the server will serve NFSv2 and NFSv3 clients, start the rpcbind service, and configure the service to start following a system reboot:

    # service rpcbind start
    # chkconfig rpcbind on

  4. Start the nfs service, and configure the service to start following a system reboot:

    # service nfs start
    # chkconfig nfs on

  5. If the server will serve NFSv2 and NFSv3 clients, start the nfslock service, and configure the service to start following a system reboot:

    # service nfslock start
    # chkconfig nfslock on

  6. If the server will serve NFSv4 clients, edit /etc/idmapd.conf and set the Domain parameter to the DNS domain name of the server, for example:

    Domain = mydom.com

    This setting prevents the owner and group from being unexpectedly listed as the anonymous user or group (nobody or nogroup) on NFS clients when the all_squash mount option has not been specified.

  7. If you need to allow access through the firewall for NFSv4 clients only, use the following commands to configure iptables to allow NFSv4 connections and save the change to the firewall configuration:

    # iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
    # service iptables save

    This configuration assumes that rpc.nfsd listens for client requests on TCP port 2049.

  8. If you need to allow access through the firewall for NFSv2 and NFSv3 clients as well as NFSv4 clients:

    1. Stop the firewall service:

      # service iptables stop

    2. Edit /etc/sysconfig/nfs and create entries for the following port settings:

      # TCP port rpc.lockd should listen on.
      LOCKD_TCPPORT=32803
      
      # UDP port rpc.lockd should listen on.
      LOCKD_UDPPORT=32769
      
      # Port rpc.mountd should listen on.
      MOUNTD_PORT=892
      
      # Port rpc.statd should listen on.
      STATD_PORT=662

      The port values shown in this example are the default settings that are commented-out in the file.

    3. To verify that none of the ports specified in /etc/sysconfig/nfs is in use, enter the following commands:

      # lsof -i tcp:32803
      # lsof -i udp:32769
      # lsof -i :892
      # lsof -i :662

      If any port is in use, use the lsof -i command to determine an unused port and amend the setting in /etc/sysconfig/nfs.

    4. Stop and restart the nfslock and nfs services:

      # service nfslock stop
      # service nfs stop
      # service nfs start
      # service nfslock start

      NFS fails to start if one of the specified ports is in use, and reports an error in /var/log/messages. Edit /etc/sysconfig/nfs to use a different port number for the service that could not start, and attempt to restart the nfslock and nfs services. You can use the rpcinfo -p command to confirm on which ports RPC services are listening.

    5. Restart the firewall service, configure iptables to allow NFSv2 and NFSv3 connections, and save the change to the firewall configuration:

      # service iptables start
      # iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
      # iptables -I INPUT -p udp -m udp --dport 2049 -j ACCEPT
      # iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
      # iptables -I INPUT -p udp -m udp --dport 111 -j ACCEPT
      # iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 32803 -j ACCEPT
      # iptables -I INPUT -p udp -m udp --dport 32769 -j ACCEPT
      # iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 892 -j ACCEPT
      # iptables -I INPUT -p udp -m udp --dport 892 -j ACCEPT
      # iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 662 -j ACCEPT
      # iptables -I INPUT -p udp -m udp --dport 662 -j ACCEPT
      # service iptables save

      The port values shown in this example assume that the default port settings in /etc/sysconfig/nfs are available for use by RPC services. This configuration also assumes that rpc.nfsd and rpcbind listen on ports 2049 and 111 respectively.

  9. Use the showmount -e command to display a list of the exported file systems, for example:

    # showmount -e
    Export list for host01.mydom.com
    /var/folder 192.0.2.102
    /usr/local/apps *
    /var/projects/proj1 192.168.1.0/24 mgmtpc

    showmount -a lists the current clients and the file systems that they have mounted, for example:

    # showmount -a
    mgmtpc.mydom.com:/var/projects/proj1

    Note

    To be able to use the showmount command from NFSv4 clients, MOUNTD_PORT must be defined in /etc/sysconfig/nfs and a firewall rule must allow access on this TCP port.
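
The check suggested in step 8, comparing the ports pinned in /etc/sysconfig/nfs with what rpcinfo -p reports, written out as an added example (not part of the original guide). The names check_rpc_ports and demo_rpc_check and both sample inputs are constructed for illustration; the parser assumes plain NAME=port lines as shown in step 8.

```shell
# Added example. On a server: rpcinfo -p | check_rpc_ports /etc/sysconfig/nfs
# Compares each pinned port with the port the RPC service actually registered.
check_rpc_ports() {
  awk '
    function check(var, svc, proto,    want, got) {
      want = pin[var]; got = seen[svc "/" proto]
      if (want == "")       print "UNSET " var ": " svc "/" proto " is not pinned"
      else if (got == "")   print "DOWN " svc "/" proto ": not registered with rpcbind"
      else if (got != want) print "MISMATCH " svc "/" proto ": pinned " want ", registered " got
      else                  print "OK " svc "/" proto " " got
    }
    FNR == NR {                        # first input: the sysconfig file
      # Commented-out defaults do not match, so they count as unset.
      if ($0 ~ /^[A-Z_]+=[0-9]+$/) { split($0, kv, "="); pin[kv[1]] = kv[2] }
      next
    }
    $4 ~ /^[0-9]+$/ { seen[$5 "/" $3] = $4 }   # rpcinfo -p: program vers proto port service
    END {
      check("LOCKD_TCPPORT", "nlockmgr", "tcp"); check("LOCKD_UDPPORT", "nlockmgr", "udp")
      check("MOUNTD_PORT", "mountd", "tcp");     check("MOUNTD_PORT", "mountd", "udp")
      check("STATD_PORT", "status", "tcp");      check("STATD_PORT", "status", "udp")
    }' "$1" -
}

demo_rpc_check() {
  conf=$(mktemp)
  cat > "$conf" <<'EOF'
# Constructed /etc/sysconfig/nfs: MOUNTD_PORT left commented out
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
#MOUNTD_PORT=892
STATD_PORT=662
EOF
  # Constructed rpcinfo -p output fed on standard input
  check_rpc_ports "$conf" <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100024    1   udp    662  status
    100024    1   tcp    662  status
    100005    3   udp  41873  mountd
    100005    3   tcp  52190  mountd
    100003    3   tcp   2049  nfs
    100021    4   udp  47026  nlockmgr
    100021    4   tcp  32803  nlockmgr
EOF
  rm -f "$conf"
}
demo_rpc_check
```

Any UNSET or MISMATCH line means the iptables rules from step 8 do not cover the port that service is really using.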

If you want to export or unexport directories without editing /etc/exports and restarting the NFS service, use the exportfs command. The following example makes /var/dev available with read-only access by all clients, and ignores any existing entries in /etc/exports.

# exportfs -i -o ro *:/var/dev

For more information, see the exportfs(8), exports(5), and showmount(8) manual pages.
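
The /etc/exports format from step 2, including the note that no space may separate a client from its option list, checked by a small audit function. This is an added example, not part of the original guide: audit_exports and sample_exports are illustrative names, the last two sample entries are constructed mistakes, and entries continued with a backslash are not handled.

```shell
# Added example: flag risky entries in an exports(5)-style file (path argument or stdin).
audit_exports() {
  awk '
    NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
    {
      path = $1
      for (i = 2; i <= NF; i++) {
        client = $i; opts = ""
        if (match($i, /\(.*\)$/)) {           # split "client(opt,opt)"
          client = substr($i, 1, RSTART - 1)
          opts = substr($i, RSTART + 1, RLENGTH - 2)
        }
        if (client == "") {
          # "(opts)" separated from its client by a space: exports(5)
          # reads it as a clientless entry, which matches every host.
          client = "*"
          print "HIGH " path ": space before (" opts ") exports to all hosts"
        }
        o = "," opts ","
        if (client == "*" && o ~ /,rw,/)
          print "HIGH " path ": read-write for all hosts"
        if (o ~ /,no_root_squash,/)
          print "HIGH " path " " client ": no_root_squash leaves client root unmapped"
        if (o ~ /,async,/)
          print "WARN " path " " client ": async acknowledges writes before they reach disk"
      }
    }' "$@"
}

sample_exports() {
  cat <<'EOF'
/var/folder 192.0.2.102(rw,async)
/usr/local/apps *(all_squash,anonuid=501,anongid=501,ro)
/var/projects/proj1 192.168.1.0/24(ro) mgmtpc(rw)
# Constructed mistakes, not from the guide:
/var/projects/proj2 mgmtpc (rw)
/var/build 192.0.2.102(rw,no_root_squash)
EOF
}
sample_exports | audit_exports
```

On a server, run audit_exports /etc/exports before restarting the nfs service or running exportfs.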