2 Managing the Network File System
This chapter includes information about managing the Network File System (NFS) in Oracle Linux 8, including tasks for configuring, administering, and using NFS.
For information about local file system management in Oracle Linux, see Oracle Linux 8: Managing Local File Systems.
About NFS
NFS (Network File System) is a distributed file system that enables a client system to access files over a network as though the files were on local storage.
An NFS server can share directory hierarchies in its local file systems with remote client systems over an IP-based network. After an NFS server exports a directory, NFS clients mount this directory, provided that the clients have been granted the appropriate permissions. To the client systems, the directory appears as if it were a local directory. The benefits of using NFS include centralized storage provisioning, improved data consistency, and reliability.
Supported Versions of NFS
The following versions of NFS are supported in Oracle Linux 8:
- NFS version 3 (NFSv3), specified in RFC 1813.
- NFS version 4 (NFSv4), specified in RFC 7530.
- NFS version 4 minor version 1 (NFSv4.1), specified in RFC 5661.
- NFS version 4 minor version 2 (NFSv4.2), specified in RFC 7862.
Note:
NFSv2 is no longer supported.
NFSv3 provides safe, asynchronous writes, and efficient error handling. NFSv3 also supports 64-bit file sizes and offsets, which enable clients to access more than 2 GB of file data.
NFSv3 relies on Remote Procedure Call (RPC) services, which are controlled by the rpcbind service. The rpcbind service responds to requests for an RPC service and then sets up connections for the requested service. In addition, separate services are used to handle locking and mounting protocols. Configuring a firewall to cope with the various ports that are used by all these services can be complex and error-prone.
Note:
In previous Oracle Linux releases, NFSv3 also used the User Datagram Protocol (UDP). However, in Oracle Linux 8, NFS over UDP is no longer supported. Further, UDP is disabled in the NFS server by default in this release.
NFSv4 can work through firewalls and the Internet. Also, NFSv4 doesn't require the rpcbind service. In addition, NFSv4 supports Access Control Lists (ACLs), and uses stateful operations.
NFSv4 requires the Transmission Control Protocol (TCP) running over an IP network. As mentioned, NFSv4 doesn't use rpcbind; as such, the NFS server listens on TCP port 2049 for service requests. The mounting and locking protocols are also integrated into the NFSv4 protocol, which means that separate services are also not required for these protocols. These refinements make firewall configuration for NFSv4 no more difficult than for a service such as HTTP.
Note that in Oracle Linux 8, NFS clients mount by using NFSv4.2 (the default version), but fall back to NFSv4.1 when the server doesn't support NFSv4.2. The mount later falls back to NFSv4.0 and then to NFSv3.
About NFS Services
In Oracle Linux 8, NFS versions rely on Remote Procedure Calls (RPC) between clients and servers. To share or mount NFS file systems, the following required services work together, depending on which version of NFS is implemented. Note that all of these services are started automatically:
- nfsd
  Server kernel module that services requests for shared NFS file systems.
- rpcbind
  Service that accepts port reservations from local RPC services, which are made available or advertised so that the corresponding remote RPC services can access them and also that the client is allowed to access it.
- rpc.mountd
  Process that is used by an NFS server to process mount requests from NFSv3 clients. The service checks that the requested NFS share is currently exported by the NFS server.
- rpc.nfsd
  Process that enables you to define the explicit NFS versions and protocols that the server advertises.
- lockd
  Kernel thread that runs on both clients and servers. The lockd process implements the Network Lock Manager (NLM) protocol, which enables NFSv3 clients to lock files on the server. The daemon is started automatically whenever the NFS server is run and whenever an NFS file system is mounted.
- rpc-statd
  Process that implements the Network Status Monitor (NSM) RPC protocol, which notifies NFS clients when an NFS server is restarted without being gracefully brought down. The rpc-statd service is automatically started by the nfs-server service. This service does not require configuration by the user and is not used with NFSv4.
- rpc-idmapd
  Process that provides NFSv4 client and server upcalls, which map between on-the-wire NFSv4 names (strings in the form of user@domain) and local UIDs and GIDs. Note that for the idmapd process to function with NFSv4, you must configure the /etc/idmapd.conf file. Note that only NFSv4 uses the rpc-idmapd process.
Note:
The mounting and locking protocols are incorporated into the NFSv4 protocol. Also, the server listens on TCP port 2049. For this reason, NFSv4 does not need to interact with the rpcbind, lockd, and rpc-statd services. However, the nfs-mountd service is still required to set up exports on the NFS server; the service is not involved in any over-the-wire operations.
The rpc-idmapd service only handles upcalls from the kernel and is not itself directly involved in any over-the-wire operations. The service, however, might make naming service calls, which do result in over-the-wire lookups.
Configuring an NFS Server
You can configure an NFS server in Oracle Linux 8 in the following ways:
- By editing the /etc/exports file manually. Exports can also be added to files that you create in the /etc/exports.d directory.
- By using the exportfs command.
Configuring an NFS Server by Editing the /etc/exports File
The following steps describe how to configure an NFS server by editing the /etc/exports file.
Note:
You can also add exports to files that you create in the /etc/exports.d directory in a similar fashion.
- If it is not yet on the system, install the nfs-utils package.
    sudo dnf install nfs-utils
- Edit the /etc/exports file to define the directories that the server makes available for clients to mount, for example:
    /var/folder 192.0.2.102(rw,async)
    /usr/local/apps *(all_squash,anonuid=501,anongid=501,ro)
    /var/projects/proj1 192.168.1.0/24(ro) mgmtpc(rw)
  Each entry includes the local path to the exported directory, followed by a list of clients that can mount the directory and client-specific export options in parentheses. No spaces should separate a client specifier and the parenthesized list of options that apply to that client.
  The following information explains the file entries in greater detail:
  - Only the client system with the IP address 192.0.2.102 can mount the /var/folder directory with read and write permissions. All writes to the disk are asynchronous. Therefore, the server does not wait for write requests to be written to disk before responding to further requests from the client.
  - As indicated by the wildcard (*), all of the clients can mount the /usr/local/apps directory as read-only. All connecting users, including root users, are mapped to the local, unprivileged user with UID 501 and GID 501.
  - All of the clients on the 192.168.1.0/24 subnet can mount the /var/projects/proj1 directory as read-only. However, the client system named mgmtpc can mount the directory with read-write permissions.
  For more information, see the exports(5) manual page.
- If the server serves NFSv4 clients, edit the /etc/idmapd.conf file's definition for the Domain parameter by specifying the server's domain name.
    Domain = mydom.com
  This setting prevents the owner and group from being unexpectedly listed as the anonymous user or group (nobody or nogroup) on NFS clients when the all_squash mount option is not specified.
- If you need to enable access through the firewall for NFSv4 clients only, use the following command:
    sudo firewall-cmd --permanent --zone=zone --add-service=nfs
  This configuration assumes that rpc.nfsd listens for client requests on the default TCP port 2049.
- If you need to enable access through the firewall for NFSv3 and NFSv4 clients, do the following:
  - Edit the /etc/nfs.conf file to create port settings for handling network mount requests and status monitoring. Additionally, set the TCP port on which the network lock manager should listen, for example:
      # Ports that various services should listen on.
      [mountd]
      port = 892
      [statd]
      port = 662
      [lockd]
      port = 32803
    If any port is in use, NFS fails to start. Use the lsof -i command to locate an unused port and then amend the setting in the /etc/nfs.conf file as appropriate.
    To confirm on which ports RPC services are listening, use the rpcinfo -p command.
  - Restart the firewall service and configure the firewall to allow NFSv3 connections:
      sudo firewall-cmd --permanent --zone=zone --add-port=2049/tcp --add-port=111/tcp --add-port=32803/tcp --add-port=892/tcp --add-port=662/tcp
  - Reboot the server.
      sudo systemctl reboot
- Start the nfs-server service and configure the service to start following a system reboot:
    sudo systemctl enable --now nfs-server
- Display a list of the exported file systems.
    sudo showmount -e
    Export list for host01.mydom.com
    /var/folder 192.0.2.102
    /usr/local/apps *
    /var/projects/proj1 192.168.1.0/24 mgmtpc
  The exportfs command on the server displays the same information as the showmount -e command.
    sudo /usr/sbin/exportfs -v
  The showmount -a command displays all of the current clients and all of the file systems that the clients have mounted.
  Note:
  To enable use of the showmount command from NFSv4 clients, specify a port number to the MOUNTD_PORT parameter in /etc/nfs.conf. Then, create a firewall rule to enable access to this TCP port.
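The entry format and the no-space rule from step 2 of this procedure can be checked mechanically before the exports are published. The following shell function is an added example, not part of the Oracle documentation: it lints exports(5)-style lines and reports option lists detached from their client, read-write wildcard exports, no_root_squash, and async. The function names, finding codes, and the /srv/scratch and /srv/images entries are constructed for illustration, and it assumes one export per line with no quoted paths or line continuations.

```shell
#!/usr/bin/env bash
# Added example: lint exports(5)-style lines read from stdin.
# Prints one finding per line: "<line>: <code>: <path> <client>".
lint_exports() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }           # skip comments and blank lines
    {
      path = $1
      for (i = 2; i <= NF; i++) {
        client = $i; opts = ""
        if (client ~ /^\(/) {
          # Option list separated from its client by a space: it becomes
          # an entry of its own that matches every host.
          opts = client; client = "*"
          print NR ": detached-options: " path " " $i
        } else if ((p = index(client, "(")) > 0) {
          opts = substr(client, p); client = substr(client, 1, p - 1)
        }
        gsub(/[()]/, "", opts)
        o = "," opts ","                        # allows whole-option matches
        if (client == "*" && o ~ /,rw,/)
          print NR ": world-writable: " path " " client
        if (o ~ /,no_root_squash,/)
          print NR ": root-not-squashed: " path " " client
        if (o ~ /,async,/)
          print NR ": async-writes: " path " " client
      }
    }'
}

# Constructed sample: the three entries from this page plus two mistakes.
sample_exports() {
  cat <<'EOF'
/var/folder 192.0.2.102(rw,async)
/usr/local/apps *(all_squash,anonuid=501,anongid=501,ro)
/var/projects/proj1 192.168.1.0/24(ro) mgmtpc(rw)
/srv/scratch 192.0.2.102 (rw)
/srv/images *(rw,no_root_squash)
EOF
}

sample_exports | lint_exports
```

On a server, run `lint_exports < /etc/exports` before running exportfs -r; line 4 of the sample shows how a single space turns a one-host export into a read-write export for every host.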
Configuring an NFS Server by Using the exportfs Command
The exportfs command enables the administrator to export or unexport directories selectively, and eliminates the need to restart the NFS service. By providing the appropriate options, the exportfs command writes the exported file systems to the /var/lib/nfs/etab file. Changes to the list of exported file systems are effective immediately because the nfs-mountd service refers to the etab file for determining access privileges to a file system.
If used without any options, exportfs displays a list of currently exported file systems.
Options that you can specify with the exportfs command include the following:
- -r
  Refreshes the list of exported directories in the /var/lib/nfs/etab file by incorporating any changes that were made to the list in the /etc/exports file.
- -a
  Exports all of the file systems that are specified in the /etc/exports file. This option can be combined with other options, which determines the action the command performs.
- -u
  Unexports all of the shared directories.
  Note:
  The exportfs -ua command suspends NFS file sharing, but keeps all NFS services running. To re-enable NFS sharing, use the exportfs -r command.
- -v
  Specifies verbose logging, which displays information about the file systems that are being exported or unexported in greater detail.
For more information, see the exportfs(8), exports(5), and showmount(8) manual pages.
Mounting an NFS File System
- If it's not yet on the system, install the nfs-utils package.
    sudo dnf install nfs-utils
- Display the file systems that the NFS server exports.
    sudo showmount -e host01.mydom.com
  The output of the previous command would be similar to the following:
    Export list for host01.mydom.com
    /var/folder 192.0.2.102
    /usr/local/apps *
    /var/projects/proj1 192.168.1.0/24 mgmtpc
  Note:
  Some servers don't accept querying of this information but can still export NFS file systems.
- Mount an exported NFS file system on an available mount point.
    sudo mount -t nfs -r -o nosuid host01.mydom.com:/usr/local/apps /apps
  Typically, when mounting an NFS file system, the -t nfs option can be omitted.
  This example mounts the /usr/local/apps directory that's exported by host01.mydom.com with read-only permissions on /apps. The nosuid option prevents remote users from gaining higher privileges by running a setuid program.
- To configure the system to mount an NFS file system at boot time, add an entry for the file system to the /etc/fstab file, as shown in the following example:
    host01.mydom.com:/usr/local/apps /apps nfs ro,nosuid 0 0
For more information, see the mount(8), nfs(5), and showmount(8) manual pages.
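Two client-side properties described in this chapter can be verified after mounting: that every NFS mount carries nosuid, and that no mount has fallen back to NFSv3. The following shell function is an added example, not part of the Oracle documentation: it reads lines in /proc/mounts or /etc/fstab layout and reports both conditions. The function names, finding codes, and sample mount lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit NFS entries in /proc/mounts or /etc/fstab layout (stdin).
# Prints one finding per line: "<code>: <device> on <mount point>".
audit_nfs_mounts() {
  awk '
    /^[ \t]*#/ || NF < 4 { next }               # comments and short lines
    $3 != "nfs" && $3 != "nfs4" { next }        # only NFS file systems
    {
      o = "," $4 ","                            # allows whole-option matches
      # nosuid stops setuid programs on the share from raising privileges.
      if (o !~ /,nosuid,/)
        print "missing-nosuid: " $1 " on " $2
      # vers=3 means the mount uses NFSv3, which depends on the
      # rpcbind, lockd and rpc-statd services.
      if (o ~ /,(nfs)?vers=3,/)
        print "nfsv3: " $1 " on " $2
    }'
}

# Constructed sample in /proc/mounts layout.
sample_mounts() {
  cat <<'EOF'
host01.mydom.com:/usr/local/apps /apps nfs4 ro,nosuid,relatime,vers=4.2,proto=tcp 0 0
host01.mydom.com:/var/folder /folder nfs4 rw,relatime,vers=4.2,proto=tcp 0 0
host01.mydom.com:/var/projects/proj1 /proj1 nfs ro,nosuid,relatime,vers=3,proto=tcp 0 0
/dev/sda1 /boot xfs rw,nosuid,relatime 0 0
EOF
}

sample_mounts | audit_nfs_mounts
```

On a client, run `audit_nfs_mounts < /proc/mounts` to check the live mounts, or feed it /etc/fstab to check the boot-time entries.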