Important Files for NFS Configuration

  • /etc/exports : main configuration file of NFS (all exported directories)
  • /etc/fstab : mounts an NFS directory on your system persistently across reboots
  • /etc/sysconfig/nfs : configuration file that controls which ports the NFS services listen on

Turn off v4 protocol support

vi /etc/sysconfig/nfs

RPCNFSDARGS="-N 4"

Increase the number of threads

vi /etc/sysconfig/nfs

RPCNFSDCOUNT=16

Export options (/etc/exports)

man 5 exports

directory_to_share    client(option1,option2...optionX) client(option1....optionX)
  • ro: Provide read only access to the shared directory (default)
  • rw: Allow both read and write requests on this NFS volume
  • sync: Reply to requests only after the changes have been committed to stable storage
  • async: Reply to requests before any changes made by that request have been committed to stable storage
  • wdelay: Causes the NFS server to delay writing to the disk if it suspects another write request is imminent
  • no_subtree_check: Prevents subtree checking (disabled by default)
  • root_squash: Map requests from uid/gid 0 to the anonymous uid/gid (user nfsnobody, enabled by default)
  • no_root_squash: Turn off root and any other user squashing
  • all_squash: Map all uids and gids to the anonymous user
  • no_all_squash: Turn off all squashing (default setting)
  • anonuid=<uid-value>, anongid=<gid-value>: Set the uid and gid of the anonymous account (primarily useful for PC/NFS clients)
  • no_acl: Disable this feature (By default ACLs are supported by NFS)
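
An added example, not part of the original page: a shell function that reads an exports file and reports entries whose options from the list above widen access (no_root_squash, exports open to any host, async). The function names, finding codes and sample file are assumptions made for this illustration; default-option lines starting with "-" are not handled.

```shell
#!/bin/sh
# Added example (hypothetical helper names): review an exports(5) file for
# options that widen access.
# Usage: audit_exports /etc/exports     (reads stdin when no file is given)

audit_exports() {
    awk '
    { sub(/#.*/, "") }                      # drop comments
    NF < 2 { next }                         # blank line or no client list
    {
        dir = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\).*$/, "", opts)
            }
            # "(rw)" separated from its host by a space applies to every host
            if (client == "") client = "*"
            o = "," opts ","
            # remote root keeps uid 0 on this export
            if (o ~ /,no_root_squash,/) print "NO_ROOT_SQUASH", dir, client
            if (client == "*") {
                tag = (o ~ /,rw,/) ? "WORLD_RW" : "WORLD_RO"
                print tag, dir, client
            }
            # replies are sent before data reaches stable storage
            if (o ~ /,async,/) print "ASYNC", dir, client
        }
    }' "${1:--}"
}

# Constructed sample input, not taken from a real server.
sample_exports() {
    cat <<'EOF'
/srv/home     192.168.100.0/255.255.255.0(rw,sync,root_squash)
/srv/build    192.168.100.26(rw,sync,no_root_squash)
/srv/pub      *(ro,sync)
/srv/scratch  192.168.100.26 (rw,async)   # stray space before the options
EOF
}

sample_exports | audit_exports
```

The /srv/scratch line shows the stray-space mistake: 192.168.100.26 gets the default options and the (rw,async) list applies to every host.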

Mount options

mount command

mount -t <nfs-type> -o <options> <host>:</remote/export> </local/directory>

/etc/fstab file

server:/remote/export /local/directory nfs options 0 0
  • hard: A program using a file via an NFS connection stops and waits for the server to come back online if the host serving the exported file system is unavailable
  • soft: If the host serving the exported file system is unavailable, report an error
  • intr: Allows NFS requests to be interrupted if the server goes down or cannot be reached (by default it cannot be interrupted so use this with hard)
  • nfsvers=version: Specifies which version of the NFS protocol to use, where version is 2, 3, or 4 (vers is identical to nfsvers). If no version is specified, NFS uses the highest version supported by the kernel and mount command
  • noacl: Turns off all ACL processing
  • nolock: Disables file locking
  • noexec: Prevents execution of binaries on mounted file systems
  • nosuid: Disables set-user-identifier or set-group-identifier bits
  • rsize=num and wsize=num: If an rsize value is not specified then the client and server negotiate the largest rsize value they can both support (NFS tuning)
  • timeo: Wait before resending a transmission after an RPC timeout (tenths of a second)
  • tcp: Instructs the NFS mount to use the TCP protocol
  • udp: Instructs the NFS mount to use the UDP protocol
  • _netdev: Wait until the network is up before trying to mount the share
  • sec=mode: Specifies the type of security to utilize when authenticating an NFS connection (default setting is sec=sys)
      • sec=sys: uses local UNIX UIDs and GIDs by using AUTH_SYS to authenticate NFS operations
      • sec=krb5: uses Kerberos V5 instead of local UNIX UIDs and GIDs to authenticate users
      • sec=krb5i: uses Kerberos V5 for user authentication and performs integrity checking of NFS operations using secure checksums to prevent data tampering
      • sec=krb5p: uses Kerberos V5 for user authentication, integrity checking, and encrypts NFS traffic to prevent traffic sniffing. This is the most secure setting, but it also involves the most performance overhead
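
An added example, not part of the original page: a shell function that reviews the NFS entries of an fstab-style file against the nosuid, noexec and sec= options described above. The function names, finding codes and sample entries are assumptions made for this illustration; whether a given share needs noexec is a local decision, so treat the output as a review list.

```shell
#!/bin/sh
# Added example (hypothetical helper names): review NFS entries in an
# fstab-style file for the mount options described above.
# Usage: audit_nfs_fstab /etc/fstab     (reads stdin when no file is given)

audit_nfs_fstab() {
    awk '
    { sub(/#.*/, "") }                               # drop comments
    NF >= 4 && ($3 == "nfs" || $3 == "nfs4") {
        o = "," $4 ","
        # setuid/setgid bits on the share are honoured unless nosuid is set
        if (o !~ /,nosuid,/) print "NO_NOSUID", $2
        # binaries on the share can be executed unless noexec is set
        if (o !~ /,noexec,/) print "NO_NOEXEC", $2
        # no Kerberos mode given: the mount falls back to sec=sys (AUTH_SYS)
        if (o !~ /,sec=krb5[ip]?,/) print "AUTH_SYS", $2
        # krb5 and krb5i authenticate but do not encrypt; only krb5p does
        if (o ~ /,sec=krb5i?,/) print "CLEARTEXT", $2
    }' "${1:--}"
}

# Constructed sample input, not taken from a real system.
sample_fstab() {
    cat <<'EOF'
server:/remote/export  /local/directory  nfs   rw,hard,intr,_netdev                     0 0
server:/remote/secure  /local/secure     nfs   rw,hard,nosuid,noexec,sec=krb5p,_netdev  0 0
server:/remote/signed  /local/signed     nfs   ro,nosuid,noexec,sec=krb5i               0 0
/dev/sda1              /                 ext4  defaults                                 0 1
EOF
}

sample_fstab | audit_nfs_fstab
```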

Examples

  • Mount NFS share (by default NFSv3 on RHEL 5 and NFSv4 on RHEL 6/7): mount -t nfs host:/remote/export /local/directory
  • Mount NFSv4 share (RHEL 6 & 7): mount -t nfs -o vers=4 host:/remote/export /local/directory
  • Mount NFSv4 share (RHEL 5): mount -t nfs4 host:/remote/export /local/directory
  • Mount NFS vers 3: mount -t nfs -o vers=3 host:/remote/export /local/directory

Commands

  • Show the NFS server’s export list for the local machine: showmount -e
  • Lists the available shares at the remote servers: showmount -e 192.168.100.26
  • List only the directories mounted by some client: showmount -d
  • Display the current export list on the server, including the list of export options: exportfs -v
  • Export all directories listed in /etc/exports or given name: exportfs -a
  • Unexport directories listed in /etc/exports, or given name: exportfs -u
  • Reexport all directories (synchronizes /var/lib/nfs/xtab with /etc/exports): exportfs -r
  • Print information about mounted NFS file systems on the client: nfsstat -m or cat /proc/mounts
  • NFS Server Configuration GUI Tool (yum install system-config-nfs): system-config-nfs
  • Display a list of all registered RPC programs (defaults to the local host if host is not specified): rpcinfo -p 192.168.100.26
  • Displays statistics kept about NFS client: nfsstat -rc
  • Displays statistics kept about NFS server: nfsstat -rs
  • Get SELinux boolean value related to NFS: getsebool -a | grep nfs
  • Capture traffic on NFS client: tcpdump -s0 -i <ethx> host <nfsserverip> -w /tmp/dump.client.pcap
  • Capture traffic on NFS server: tcpdump -s0 -i <ethx> host <nfsclientip> -w /tmp/dump.server.pcap

TCP Wrappers

  • Only for NFSv2 and NFSv3
  • For RHEL 5 replace rpcbind with portmapper
  • CIDR notation such as 192.168.100.0/24 is not supported for IPv4 (prefix lengths work only in IPv6 rules); 192.168.100.0/255.255.255.0 can be used instead of the 192.168.100. prefix form

/etc/hosts.deny

ALL: ALL

/etc/hosts.allow

rpcbind: 192.168.100.
lockd: 192.168.100.
mountd: 192.168.100.
rquotad: 192.168.100.
statd: 192.168.100.

Firewall

  • For NFSv4 you only need port 2049 TCP

Setting static ports

vi /etc/sysconfig/nfs

RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662

IPtables configuration

vi /etc/sysconfig/iptables

-A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -p udp -m udp --dport 111 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 662 -j ACCEPT
-A INPUT -p udp -m udp --dport 662 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 875 -j ACCEPT
-A INPUT -p udp -m udp --dport 875 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 892 -j ACCEPT
-A INPUT -p udp -m udp --dport 892 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -p udp -m udp --dport 2049 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32803 -j ACCEPT
-A INPUT -p udp -m udp --dport 32769 -j ACCEPT

NFS server configuration

RHEL 5

  • Install packages: yum install nfs-utils portmap
  • Start and enable portmap at boot: service portmap start;chkconfig portmap on
  • Start and enable nfslock at boot: service nfslock start;chkconfig nfslock on
  • Start and enable NFS at boot: service nfs start;chkconfig nfs on

RHEL 6

  • Install packages: yum install nfs-utils rpcbind
  • Start and enable rpcbind at boot: service rpcbind start;chkconfig rpcbind on
  • Start and enable nfslock at boot: service nfslock start;chkconfig nfslock on
  • Start and enable NFS at boot: service nfs start;chkconfig nfs on

RHEL 7

  • Install packages: yum install nfs-utils rpcbind
  • Start rpcbind, nfs-lock and nfs-server: systemctl start rpcbind nfs-lock nfs-server
  • Enable rpcbind, nfs-lock and nfs-server at boot: systemctl enable rpcbind nfs-lock nfs-server

NFS client configuration

RHEL 5

  • Install packages: yum install nfs-utils portmap
  • Start and enable portmap at boot: service portmap start;chkconfig portmap on
  • Start and enable nfslock at boot: service nfslock start;chkconfig nfslock on
  • Enable netfs at boot (only run at boot): chkconfig netfs on

RHEL 6

  • Install packages (portmap replaced by rpcbind): yum install nfs-utils rpcbind
  • Start and enable rpcbind at boot: service rpcbind start;chkconfig rpcbind on
  • Start and enable nfslock at boot: service nfslock start;chkconfig nfslock on
  • Enable netfs at boot: chkconfig netfs on

RHEL 7

  • Install packages: yum install nfs-utils rpcbind
  • Start rpcbind and nfs-lock: systemctl start rpcbind nfs-lock
  • Enable rpcbind and nfs-lock at boot: systemctl enable rpcbind nfs-lock
  • The netfs service is no longer required as it has been replaced by systemd-fstab-generator (for every entry in /etc/fstab a systemd unit file is generated in /run/systemd/generator)