2 Managing the Network File System

This chapter includes information about managing the Network File System (NFS) in Oracle Linux 9, including tasks for configuring, administering, and using NFS.

For information about local file system management in Oracle Linux, see Oracle Linux 9: Managing Local File Systems.

About NFS

NFS (Network File System) is a distributed file system that enables a client system to access files over a network as though the files were on local storage.

An NFS server can share directory hierarchies in its local file systems with remote client systems over an IP-based network. After an NFS server exports a directory, NFS clients mount this directory, provided that the clients have been granted the appropriate permissions. To the client systems, the directory appears as if it were a local directory. The benefits of using NFS include centralized storage provisioning, improved data consistency, and reliability.

Supported Versions of NFS

The following versions of NFS are supported in Oracle Linux 9:

  • NFS version 3 (NFSv3), specified in RFC 1813.

  • NFS version 4 (NFSv4), specified in RFC 7530.

  • NFS version 4 minor version 1 (NFSv4.1), specified in RFC 5661.

  • NFS version 4 minor version 2 (NFSv4.2), specified in RFC 7862.

NFSv3 provides safe, asynchronous writes, and efficient error handling. NFSv3 also supports 64-bit file sizes and offsets, which enable clients to access more than 2 GB of file data.

NFSv3 relies on Remote Procedure Call (RPC) services, which are controlled by the rpcbind service. The rpcbind service responds to requests for an RPC service and then sets up connections for the requested service. In addition, separate services are used to handle the locking and mounting protocols. Configuring a firewall to cope with the various ports that are used by all these services can be complex and error-prone.

Note:

In previous Oracle Linux releases, NFSv3 also used the User Datagram Protocol (UDP). However, beginning with Oracle Linux 8, NFS over UDP is no longer supported. Further, UDP is disabled in the NFS server by default in this release.

NFSv4 can work through firewalls and the Internet. Also, NFSv4 doesn't require the rpcbind service. In addition, NFSv4 supports Access Control Lists (ACLs) and uses stateful operations.

NFSv4 requires the Transmission Control Protocol (TCP) running over an IP network. As mentioned, NFSv4 doesn't use rpcbind; as such, the NFS server listens on TCP port 2049 for service requests. The mounting and locking protocols are also integrated into the NFSv4 protocol, which means that separate services are also not required for these protocols. These refinements make firewall configuration for NFSv4 no more difficult than for a service such as HTTP.

Note that in Oracle Linux 9, NFS clients mount by using NFSv4.2 (the default version), but fall back to NFSv4.1 when the server doesn't support NFSv4.2. After that, the mount falls back to NFSv4.0 and then to NFSv3.

About NFS Services

In Oracle Linux 9, NFS versions rely on Remote Procedure Calls (RPC) between clients and servers. To share or mount NFS file systems, the following required services work together, depending on which version of NFS is implemented. Note that all of these services are started automatically:

nfsd

Server kernel module that services requests for shared NFS file systems.

rpcbind

Service that accepts port reservations from local RPC services, which are made available or advertised so that the corresponding remote RPC services can access them.

rpc.mountd

Process that is used by an NFS server to process mount requests from NFSv3 clients. The service checks that the requested NFS share is currently exported by the NFS server and also that the client is allowed to access it.

rpc.nfsd

Process that enables you to explicitly define the NFS versions and protocols that the server advertises.

lockd

Kernel thread that runs on both clients and servers. The lockd process implements the Network Lock Manager (NLM) protocol, which enables NFSv3 clients to lock files on the server. The daemon is started automatically whenever the NFS server is run and whenever an NFS file system is mounted.

rpc-statd

Process that implements the Network Status Monitor (NSM) RPC protocol, which notifies NFS clients when an NFS server is restarted without being gracefully brought down. The rpc-statd service is automatically started by the nfs-server service. This service does not require configuration by the user and is not used with NFSv4.

rpc-idmapd

Process that provides NFSv4 client and server upcalls, which map between on-the-wire NFSv4 names (strings in the form of user@domain) and local UIDs and GIDs. Note that for the idmapd process to function with NFSv4, you must configure the /etc/idmapd.conf file. Note that only NFSv4 uses the rpc-idmapd process.

Note:

The mounting and locking protocols are incorporated into the NFSv4 protocol. Also, the server listens on TCP port 2049. For this reason, NFSv4 does not need to interact with the rpcbind, lockd, and rpc-statd services. However, the nfs-mountd service is still required to set up exports on the NFS server, although the service is not involved in any over-the-wire operations.

The rpc-idmapd service only handles upcalls from the kernel and is not itself directly involved in any over-the-wire operations. The service, however, might make naming service calls, which do result in over-the-wire lookups.
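
The following Python code is an added example, not part of the Oracle documentation. It parses rpcinfo -p output and reports which of the services described above listen on TCP ports that a firewall does not allow, for an NFSv4-only server and for one that also serves NFSv3. The sample output, its port numbers, and the allowed port set are constructed.

```python
# rpcinfo service name -> service described above (needed by NFSv3 only).
V3_HELPERS = {"portmapper": "rpcbind", "mountd": "rpc.mountd",
              "nlockmgr": "lockd", "status": "rpc-statd"}

def parse_rpcinfo(text):
    """Return {service: port} for the TCP rows of `rpcinfo -p` output."""
    ports = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows are: program, version, protocol, port, service name.
        if len(fields) == 5 and fields[0].isdigit() and fields[2] == "tcp":
            ports[fields[4]] = int(fields[3])
    return ports

def required_ports(ports, nfsv3):
    """TCP ports clients must reach: nfs alone for NFSv4, helpers too for NFSv3."""
    needed = {"nfs": ports.get("nfs", 2049)}
    if nfsv3:
        needed.update({s: p for s, p in ports.items() if s in V3_HELPERS})
    return needed

def unreachable(ports, allowed, nfsv3):
    """Services whose port is missing from the firewall's allowed TCP ports."""
    return {s: p for s, p in required_ports(ports, nfsv3).items()
            if p not in allowed}

# Constructed sample: helper services left on ports that were never pinned.
SAMPLE = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100024    1   tcp  45123  status
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    4   tcp  38467  nlockmgr
"""
ALLOWED = {111, 2049}  # constructed firewall rule set

if __name__ == "__main__":
    table = parse_rpcinfo(SAMPLE)
    print("NFSv4 only:", unreachable(table, ALLOWED, nfsv3=False))
    print("With NFSv3:", unreachable(table, ALLOWED, nfsv3=True))
```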

Configuring an NFS Server

You can configure an NFS server in Oracle Linux in the following ways:

  • By editing the /etc/exports file manually.

    Exports can also be added to files that you create in the /etc/exports.d directory.

  • By using the exportfs command.

Configuring an NFS Server by Editing the /etc/exports File

The following steps describe how to configure an NFS server by editing the /etc/exports file.

Note:

You can also add exports to files that you create in the /etc/exports.d directory in a similar fashion.

  1. If it is not yet in the system, install the nfs-utils package.

    sudo dnf install nfs-utils

  2. Edit the /etc/exports file to define the directories that the server makes available for clients to mount, for example:

    /var/folder 192.0.2.102(rw,async)
    /usr/local/apps *(all_squash,anonuid=501,anongid=501,ro)
    /var/projects/proj1 192.168.1.0/24(ro) mgmtpc(rw)

    Each entry includes the local path to the exported directory, followed by a list of clients that can mount the directory and client-specific exports options in parentheses. No spaces should separate a client specifier and the parenthesized list of options that apply to that client.

    The following information explains the file entries in greater detail:

    • Only the client system with the IP address 192.0.2.102 can mount the /var/folder directory with read and write permissions. All writes to the disk are asynchronous. Therefore, the server does not wait for write requests to be written to disk before responding to further requests from the client.

    • As indicated by the wildcard (*), all of the clients can mount the /usr/local/apps directory as read-only. All connecting users, including root users, are mapped to the local, unprivileged user with UID 501 and GID 501.

    • All of the clients on the 192.168.1.0/24 subnet can mount the /var/projects/proj1 directory as read-only. However, the client system named mgmtpc can mount the directory with read-write permissions.

    For more information, see the exports(5) manual page.

  3. If the server serves NFSv4 clients, edit the /etc/idmapd.conf file's definition for the Domain parameter by specifying the server's domain name.

    Domain = mydom.com

    This setting prevents the owner and group from being unexpectedly listed as the anonymous user or group (nobody or nogroup) on NFS clients when the all_squash mount option is not specified.

  4. If you need to enable access through the firewall for NFSv4 clients only, use the following command:

    sudo firewall-cmd --permanent --zone=zone --add-service=nfs

    This configuration assumes that rpc.nfsd listens for client requests on the default TCP port 2049.

  5. If you need to enable access through the firewall for NFSv3 and NFSv4 clients, do the following:

    1. Edit the /etc/nfs.conf file to create port settings for handling network mount requests and status monitoring. Additionally, set the TCP port on which the network lock manager should listen, for example:

      # Ports that various services should listen on.
      
      [mountd]
      port = 892
      
      [statd]
      port = 662
      
      [lockd]
      port = 32803

      If any port is in use, NFS fails to start. Use the lsof -i command to locate an unused port and then amend the setting in the /etc/nfs.conf file as appropriate.

      To confirm on which ports RPC services are listening, use the rpcinfo -p command.

    2. Restart the firewall service and configure the firewall to allow NFSv3 connections:

      sudo firewall-cmd --permanent --zone=zone --add-port=2049/tcp --add-port=111/tcp --add-port=32803/tcp --add-port=892/tcp --add-port=662/tcp

    3. Reboot the server.

      sudo systemctl reboot

  6. Start the nfs-server service and configure the service to start following a system reboot:

    sudo systemctl enable --now nfs-server

  7. Display a list of the exported file systems.

    sudo showmount -e
    Export list for host01.mydom.com
    /var/folder 192.0.2.102
    /usr/local/apps *
    /var/projects/proj1 192.168.1.0/24 mgmtpc

    The exportfs command on the server displays the same information as the showmount -e command.

    sudo /usr/sbin/exportfs -v

    The showmount -a command displays all of the current clients and all of the file systems that the clients have mounted.

    Note:

    To enable use of the showmount command from NFSv4 clients, specify a port number to the MOUNTD_PORT parameter in /etc/nfs.conf. Then, create a firewall rule to enable access to this TCP port.
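
The following Python code is an added example, not part of the Oracle documentation. It parses the /etc/exports format described in step 2 and flags entries to review, including the case where a space separates a client from its option list, which makes the options apply to every host. The sample is constructed from the entries above, with a space inserted on the third line and a hypothetical /srv/build export added; the no_root_squash and insecure options come from exports(5), not from this page.

```python
import re

# Options from exports(5) worth a second look, with the reason for each.
REVIEW = {
    "no_root_squash": "remote root keeps UID 0 on this export",
    "insecure": "requests from unprivileged source ports are accepted",
    "async": "writes are acknowledged before they reach disk",
}

def parse_exports(text):
    """Return (path, client, options) per client spec; no quoted paths or continuations."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = re.fullmatch(r"([^()]*)(?:\(([^()]*)\))?", spec)
            if m is None:
                raise ValueError(f"cannot parse {spec!r}")
            opts = [o for o in (m.group(2) or "").split(",") if o]
            entries.append((path, m.group(1), opts))
    return entries

def audit(text):
    """Return (path, client, reason) findings for export entries to review."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client == "":
            # "host (rw)": the detached option list is an entry for every host.
            findings.append((path, "*", "options detached from client by a space"))
            client = "*"
        if client == "*" and "rw" in opts:
            findings.append((path, client, "read-write for every host"))
        findings += [(path, client, REVIEW[o]) for o in opts if o in REVIEW]
    return findings

# Constructed sample (see the lead-in for what differs from the page).
SAMPLE = """\
/var/folder 192.0.2.102(rw,async)
/usr/local/apps *(all_squash,anonuid=501,anongid=501,ro)
/var/projects/proj1 192.168.1.0/24(ro) mgmtpc (rw)
/srv/build 192.0.2.0/24(rw,no_root_squash)
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```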

Configuring an NFS Server by Using the exportfs Command

The exportfs command enables the administrator to export or unexport directories selectively, and eliminates the need to restart the NFS service. By providing the appropriate options, the exportfs command writes the exported file systems to the /var/lib/nfs/etab file. Changes to the list of exported file systems are effective immediately because the nfs-mountd service refers to the etab file for determining access privileges to a file system.

If used without any options, exportfs displays a list of currently exported file systems.

Options that you can specify with the exportfs command include the following:

-r

Refreshes the list of exported directories in the /var/lib/nfs/etab file by incorporating any changes that were made to the list in the /etc/exports file.

-a

Exports all of the file systems that are specified in the /etc/exports file. This option can be combined with other options, which determine the action that the command performs.

-u

Unexports all of the shared directories.

Note:

The exportfs -ua command suspends NFS file sharing, but keeps all NFS services running. To re-enable NFS sharing, use the exportfs -r command.

-v

Specifies verbose logging, which displays information about the file systems that are being exported or unexported in greater detail.

For more information, see the exportfs(8), exports(5), and showmount(8) manual pages.

Mounting an NFS File System

  1. If it's not yet on the system, install the nfs-utils package.

    sudo dnf install nfs-utils

  2. Display the file systems that the NFS server exports.

    sudo showmount -e host01.mydom.com

    The output of the previous command would be similar to the following:

    Export list for host01.mydom.com
    /var/folder 192.0.2.102
    /usr/local/apps *
    /var/projects/proj1 192.168.1.0/24 mgmtpc

    Note:

    Some servers don't accept querying of this information but can still export NFS file systems.

  3. Mount an exported NFS file system on an available mount point.

    sudo mount -t nfs -r -o nosuid host01.mydom.com:/usr/local/apps /apps

    Typically, when mounting an NFS file system, the -t nfs option can be omitted.

    This example mounts the /usr/local/apps directory that's exported by host01.mydom.com with read-only permissions on /apps. The nosuid option prevents remote users from gaining higher privileges by running a setuid program.

  4. To configure the system to mount an NFS file system at boot time, add an entry for the file system to the /etc/fstab file, as shown in the following example:

    host01.mydom.com:/usr/local/apps      /apps      nfs      ro,nosuid  0 0

For more information, see the mount(8), nfs(5), and showmount(8) manual pages.
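
The following Python code is an added example, not part of the Oracle documentation. It checks the NFS entries of an fstab file for the nosuid option discussed in step 3. Beyond what this page covers, it also checks the nodev option and the options that mount(8) documents as implying both, and reports entries pinned to NFSv3. The fstab sample, its mount points, and the /dev/sda1 entry are constructed.

```python
# Per mount(8), these options imply nosuid and nodev unless overridden later.
IMPLY_NOSUID_NODEV = {"user", "users", "owner", "group"}

def effective_flags(options):
    """Resolve the suid and dev flags by applying options left to right."""
    flags = {"suid": True, "dev": True}
    for opt in options:
        if opt in IMPLY_NOSUID_NODEV:
            flags = {"suid": False, "dev": False}
        elif opt in ("suid", "nosuid"):
            flags["suid"] = opt == "suid"
        elif opt in ("dev", "nodev"):
            flags["dev"] = opt == "dev"
    return flags

def audit_fstab(text):
    """Return (mount_point, reason) findings for the NFS entries in fstab text."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        _source, mount_point, fstype, optstr = fields[:4]
        if fstype not in ("nfs", "nfs4"):
            continue
        options = optstr.split(",")
        flags = effective_flags(options)
        if flags["suid"]:
            findings.append((mount_point, "setuid programs are honoured (add nosuid)"))
        if flags["dev"]:
            findings.append((mount_point, "device files are honoured (add nodev)"))
        if any(o in ("vers=3", "nfsvers=3") for o in options):
            findings.append((mount_point, "pinned to NFSv3 and its RPC helper services"))
    return findings

# Constructed fstab sample.
SAMPLE = """\
# remote file systems
host01.mydom.com:/usr/local/apps      /apps    nfs  ro,nosuid       0 0
host01.mydom.com:/var/folder          /folder  nfs  rw,vers=3       0 0
host01.mydom.com:/var/projects/proj1  /proj1   nfs  ro,user,noauto  0 0
/dev/sda1                             /boot    xfs  defaults        0 0
"""

if __name__ == "__main__":
    for mount_point, reason in audit_fstab(SAMPLE):
        print(f"{mount_point}: {reason}")
```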