Network File System (NFS) is a distributed file system protocol that lets you share remote directories over the network. With NFS, you can mount remote directories on your system and work with files on remote machines as conveniently as with local files.
The NFS protocol is not encrypted by default and, unlike Samba, it does not provide user authentication. The server restricts access based on the client's IP address and source port.
In this guide, you will follow the steps needed to set up an NFSv4 server on CentOS 8 and then mount the exported file system on a client.
We assume that you have a server running CentOS 8. On this server we will set up the NFS server, and other machines will act as NFS clients. The server and the clients should be able to reach each other over a private LAN. If you cannot use private IP addresses, you can use public addresses, configure the server's firewall, and allow traffic from trusted sources only to port 2049.
The machines in this example have the following IPs:
NFS server IP: 192.168.33.148
NFS client IPs: from the 192.168.33.0/24 range
This section explains how to install the necessary software packages, create and export the NFS directories, and configure the firewall.
The nfs-utils package provides the NFS tools and daemons needed to run an NFS server. To install it, run the following command:
sudo dnf install nfs-utils
Once the installation is complete, enable and start the NFS service:
sudo systemctl enable --now nfs-server
By default, on CentOS 8, both NFSv3 and NFSv4 are enabled and NFSv2 is disabled. NFSv2 is very old and there is no reason to enable it. To verify, run the following cat command (a leading - marks a disabled version, + an enabled one):
sudo cat /proc/fs/nfsd/versions
-2+3+4+4.1+4.2
The NFS server configuration options are in the /etc/nfsmount.conf and /etc/nfs.conf files. The default settings are sufficient for our requirements.
When configuring an NFSv4 server, the best practice is to use a global NFS root directory and bind-mount the actual directories under it. In this example, we will use /srv/nfs4 as the NFS root directory.
To better explain the NFS mount configuration, we will share two directories (/var/www and /opt/backups) with different settings. /var/www is owned by the apache user and group, and /opt/backups is owned by the root user.
Use the mkdir command to create the directories that will hold the exported file systems:
sudo mkdir -p /srv/nfs4/{backups,www}
Mount the actual directory:
sudo mount --bind /opt/backups /srv/nfs4/backups
sudo mount --bind /var/www /srv/nfs4/www
To make these bind mounts persistent across reboots, add the following entries to the /etc/fstab file:
sudo nano /etc/fstab
/opt/backups /srv/nfs4/backups none bind 0 0
/var/www /srv/nfs4/www none bind 0 0
The next step is to define the file systems that the NFS server will export, their sharing options, and the clients that are allowed to access them. To do this, open the /etc/exports file:
sudo nano /etc/exports
Export the www and backups directories and allow access from clients in the 192.168.33.0/24 network:
/srv/nfs4 192.168.33.0/24(rw,sync,no_subtree_check,crossmnt,fsid=0)
/srv/nfs4/backups 192.168.33.0/24(ro,sync,no_subtree_check) 192.168.33.3(rw,sync,no_subtree_check)
/srv/nfs4/www 192.168.33.110(rw,sync,no_subtree_check)
The first line contains fsid=0, which defines the NFS root directory /srv/nfs4. All clients from the 192.168.33.0/24 network are allowed to access the NFS root. The crossmnt option is necessary to share subdirectories of the exported directory.
The second line shows how to specify multiple export rules for one file system. It exports the /srv/nfs4/backups directory and allows read-only access from the whole 192.168.33.0/24 network, while the client 192.168.33.3 gets read and write access. The sync option tells NFS to write changes to disk before replying to the client.
The last line should be self-explanatory. To learn more about the available options, type man exports in the terminal.
Save the file and export the shares:
sudo exportfs -ra
You need to run the above command every time you modify the /etc/exports file. If there are any errors or warnings, they will be displayed in the terminal.
To view the currently active exports and their options, use:
sudo exportfs -v
The output lists all shares and their options. As you can see, it also shows options that we did not define in the /etc/exports file. Those are the default options; if you want to change them, you need to set them explicitly.
/srv/nfs4/backups 192.168.33.3(sync,wdelay,hide,no_subtree_check,sec=sys,rw,secure,root_squash,no_all_squash)
/srv/nfs4/www 192.168.33.110(sync,wdelay,hide,no_subtree_check,sec=sys,rw,secure,root_squash,no_all_squash)
/srv/nfs4 192.168.33.0/24(sync,wdelay,hide,crossmnt,no_subtree_check,fsid=0,sec=sys,rw,secure,root_squash,no_all_squash)
/srv/nfs4/backups 192.168.33.0/24(sync,wdelay,hide,no_subtree_check,sec=sys,ro,secure,root_squash,no_all_squash)
root_squash is one of the most important options for NFS security. It prevents the root user on the client from having root privileges on the mounted share: requests from the client's root UID and GID are mapped to the UID and GID of nobody/nogroup.
For other users accessing the share from the client machine, NFS expects the user and group IDs on the client to match those on the server. An alternative is the NFSv4 idmapping feature, which translates user and group IDs to names and back.
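The exports file format above and the root_squash/secure defaults shown by exportfs -v are the two things a reviewer checks before putting a server on a shared LAN. The following added shell function (example code, not part of the original guide) parses an /etc/exports-style file and flags entries with no_root_squash, the insecure option (which lifts the privileged-source-port check behind the secure default), or a wildcard host, and marks every entry that still relies on sec=sys as auth-sys. The sample file is constructed here: it contains the guide's three export lines plus three hypothetical entries (/srv/scratch, /srv/public, /srv/kerberized) added only to show what the audit reports.

```sh
#!/bin/sh
# Constructed sample exports file: the guide's entries plus three
# hypothetical ones that exist only to exercise the audit.
SAMPLE_EXPORTS=$(mktemp)
trap 'rm -f "$SAMPLE_EXPORTS"' EXIT
cat >"$SAMPLE_EXPORTS" <<'EOF'
# NFSv4 pseudo-root and the two shares from the guide
/srv/nfs4         192.168.33.0/24(rw,sync,no_subtree_check,crossmnt,fsid=0)
/srv/nfs4/backups 192.168.33.0/24(ro,sync,no_subtree_check) 192.168.33.3(rw,sync,no_subtree_check)
/srv/nfs4/www     192.168.33.110(rw,sync,no_subtree_check)
# Hypothetical entries added to the sample so the audit has something to flag
/srv/scratch      *(rw,no_root_squash,insecure)
/srv/public       *(ro)
/srv/kerberized   192.168.33.0/24(rw,sync,no_subtree_check,sec=krb5p)
EOF

# audit_exports FILE
# Prints one line per finding: "WARN <path> <client> <reason>" for risky
# settings and "INFO <path> <client> auth-sys" for entries without Kerberos.
audit_exports() {
    awk '
    /^[[:space:]]*#/ { next }          # comment line
    NF == 0          { next }          # blank line
    {
        path = $1
        # each remaining field is host(options); options may be absent
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            if (match($i, /\(.*\)$/)) {
                client = substr($i, 1, RSTART - 1)
                opts   = substr($i, RSTART + 1, RLENGTH - 2)
            }
            if (client == "") client = "*"   # "(opts)" alone means every host
            rw = 0; krb = 0
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "rw")              rw = 1
                if (o[j] ~ /^sec=.*krb5/)      krb = 1
                if (o[j] == "no_root_squash")  print "WARN", path, client, "no_root_squash"
                if (o[j] == "insecure")        print "WARN", path, client, "insecure"
            }
            if (client ~ /\*/)
                print "WARN", path, client, (rw ? "rw-to-wildcard-host" : "ro-to-wildcard-host")
            if (!krb)
                print "INFO", path, client, "auth-sys"
        }
    }' "$1"
}

# Run the audit on the constructed sample; on a real server point it at /etc/exports.
audit_exports "$SAMPLE_EXPORTS"
```

The guide's own lines produce only INFO entries, which matches the exportfs -v output (root_squash and secure present, sec=sys). The INFO lines are there because sec=sys means the server trusts whatever UID and GID the client asserts, which is why the conclusion recommends Kerberos for sensitive data.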
That's it. At this point, you have set up an NFS server on your CentOS machine. You can now move on to the next step and configure the client to connect to the NFS server.
FirewallD is the default firewall solution on CentOS 8.
FirewallD ships with a predefined nfs service that contains the rules needed to allow access to the NFS server.
The following commands permanently allow access from the 192.168.33.0/24 subnet only:
sudo firewall-cmd --new-zone=nfs --permanent
sudo firewall-cmd --zone=nfs --add-service=nfs --permanent
sudo firewall-cmd --zone=nfs --add-source=192.168.33.0/24 --permanent
sudo firewall-cmd --reload
Now that the NFS server has been set up and the shares have been exported, the next step is to configure the client and mount the remote file system.
You can also mount NFS shares on macOS and Windows machines, but we will focus on mounting them on Linux systems.
On the client machine, install the tools needed to mount a remote NFS file system. On Debian and Ubuntu the package is nfs-common; on Red Hat and its derivatives it is the same nfs-utils package used on the server.
We will work on the client machine whose IP is 192.168.33.110. This machine has read and write access to /srv/nfs4/www and read-only access to /srv/nfs4/backups.
Create two new directories as mount points. You can create these directories anywhere:
sudo mkdir -p /backups
sudo mkdir -p /srv/www
Use the mount command to mount the exported file systems:
sudo mount -t nfs -o vers=4 192.168.33.148:/backups /backups
sudo mount -t nfs -o vers=4 192.168.33.148:/www /srv/www
192.168.33.148 is the IP address of the NFS server. You can also use the host name instead of the IP address, but it must resolve to the server's IP on the client machine. This is usually done by mapping the host name to the IP in the local /etc/hosts file.
When mounting an NFSv4 file system, you leave out the NFS root directory: instead of /srv/nfs4/backups, use /backups.
To verify that the remote file systems are mounted successfully, use the df command:
df -h
This command prints all mounted file systems. The last two lines are the mounted shares:
...
192.168.33.148:/backups 9.7G 1.2G 8.5G 13% /backups
192.168.33.148:/www 9.7G 1.2G 8.5G 13% /srv/www
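df -h confirms the shares are mounted but not which protocol version or security flavor the client actually negotiated. The following added shell function (example code, not part of the original guide) reads /proc/mounts-style lines and, for each NFS mount, prints the negotiated vers= and sec= values together with a note when the mount is NFSv3 or older or still uses sec=sys. The sample lines are constructed to look like the two mounts above plus a hypothetical oldserver:/export NFSv3 mount; they are not captured output.

```sh
#!/bin/sh
# Constructed /proc/mounts sample: the guide's two mounts as they would
# appear after negotiation, plus a hypothetical legacy NFSv3 mount.
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat >"$SAMPLE_MOUNTS" <<'EOF'
/dev/mapper/cl-root / xfs rw,relatime,attr2,inode64,noquota 0 0
192.168.33.148:/backups /backups nfs4 ro,relatime,vers=4.2,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,timeo=900,retrans=5,sec=sys,clientaddr=192.168.33.110,local_lock=none,addr=192.168.33.148 0 0
192.168.33.148:/www /srv/www nfs4 rw,relatime,vers=4.2,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,timeo=900,retrans=5,sec=sys,clientaddr=192.168.33.110,local_lock=none,addr=192.168.33.148 0 0
oldserver:/export /mnt/legacy nfs rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=192.168.33.5,mountvers=3,mountport=20048,mountproto=udp,local_lock=none,addr=192.168.33.5 0 0
EOF

# nfs_mount_summary FILE
# For every nfs/nfs4 mount in a /proc/mounts-style file print:
#   <source> <mountpoint> <vers> <sec> <note>
# note is "ok", or a comma-separated list of "legacy-version" (below NFSv4)
# and "auth-sys" (identity is the client-asserted UID/GID, no Kerberos).
nfs_mount_summary() {
    awk '$3 == "nfs" || $3 == "nfs4" {
        vers = "?"; sec = "?"
        n = split($4, o, ",")              # mount options are field 4
        for (i = 1; i <= n; i++) {
            if (o[i] ~ /^vers=/) vers = substr(o[i], 6)
            if (o[i] ~ /^sec=/)  sec  = substr(o[i], 5)
        }
        note = ""
        if (vers + 0 < 4) note = note "legacy-version,"
        if (sec == "sys") note = note "auth-sys,"
        if (note == "") note = "ok"; else sub(/,$/, "", note)
        print $1, $2, vers, sec, note
    }' "$1"
}

# Summarise the constructed sample; on a real client run: nfs_mount_summary /proc/mounts
nfs_mount_summary "$SAMPLE_MOUNTS"
```

With the mount commands from this guide the two shares show vers 4.2 and sec sys, so they are reported as auth-sys: the server applies root_squash, but every other UID is taken on trust from the client, which is the limitation the conclusion addresses with Kerberos.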
To make these mounts persistent across reboots, open the /etc/fstab file:
sudo nano /etc/fstab
Add the following lines:
192.168.33.148:/backups /backups nfs defaults,timeo=900,retrans=5,_netdev 0 0
192.168.33.148:/www /srv/www nfs defaults,timeo=900,retrans=5,_netdev 0 0
To find out more about the available options for mounting NFS file systems, type man nfs in the terminal.
Another way to mount a remote file system is to use the autofs tool or to create a systemd mount unit.
Let's test access to the shares by creating new files in the mounted directories.
First, try to create a test file in the /backups directory with the touch command:
sudo touch /backups/test.txt
The backups file system is exported read-only, so you should see a Permission denied error:
touch: cannot touch '/backups/test.txt': Permission denied
Next, try to create a test file in the /srv/www directory as the root user via sudo:
sudo touch /srv/www/test.txt
Once again, you will see a Permission denied message:
touch: cannot touch '/srv/www/test.txt': Permission denied
The /var/www directory is owned by the apache user, and this share has the root_squash option, which maps the client's root user to the nobody user and nogroup group, so root has no write permission on the remote share.
Assuming that the apache user exists on the client machine with the same UID and GID as on the remote server (for example, because you installed apache on both the server and the client), you can create a file as the apache user:
sudo -u apache touch /srv/www/test.txt
This command prints no output, meaning the file was created successfully.
To verify this, list all files in the /srv/www directory:
ls -la /srv/www
The output should show the newly created file:
drwxr-xr-x 3 apache apache 4096 Jun 23 22:18 .
drwxr-xr-x 3 root   root   4096 Jun 23 22:29 ..
-rw-r--r-- 1 apache apache    0 Jun 23 21:58 index.html
-rw-r--r-- 1 apache apache    0 Jun 23 22:18 test.txt
If you no longer need the remote NFS share, you can use the umount command to unmount it. For example, to unmount /backups, run:
sudo umount /backups
If the mount point is defined in the /etc/fstab file, make sure you remove the corresponding line or comment it out by putting a # at the beginning of the line.
In this guide, we showed you how to set up an NFS server and how to mount the exported file system on a client. If you use NFS in a production environment and share sensitive data, we recommend enabling Kerberos authentication.
As an alternative to NFS, you can use SSHFS to mount remote directories via SSH connections. SSH is encrypted by default and is easy to configure and use.