Network File System (NFS)
NFS allows remote hosts to mount file systems over a network and interact with those file systems as though they were mounted locally.
1. Currently there are three versions of NFS: NFSv2, NFSv3 and NFSv4.
2. NFSv2 is older and is widely supported. NFSv3 supports safe asynchronous writes and more robust error handling than NFSv2; it also supports 64-bit file sizes and offsets, allowing clients to access more than 2GB of file data.
3. NFSv4 works through firewalls and on the internet, no longer requires an “rpcbind” service, supports ACLs, and utilizes “stateful” operations. RHEL 6 supports NFSv2, NFSv3 and NFSv4 clients. When mounting a file system via NFS, Red Hat Enterprise Linux uses NFSv4 by default, if the server supports it.
4. All versions of NFS can use the “Transmission Control Protocol” (TCP) running over an IP network, with NFSv4 requiring it. NFSv2 and NFSv3 can use the “User Datagram Protocol” (UDP) running over an IP network to provide a “stateless” network connection between the client and server.
5. TCP (port 2049) is the default transport protocol for NFSv2 and NFSv3 under RHEL. UDP can be used for compatibility purposes as needed, but is not recommended for wide usage. NFSv4 requires TCP.
Note:
1. A “stateful” protocol expects a response. A “stateless” protocol doesn’t care.
Example
A stateless protocol is akin to a TV broadcast - the broadcast doesn’t care if you watch it, if you like it, if you talk to it, etc. The TV broadcast has no expectations.
TCP                                                       | UDP
----------------------------------------------------------+-------------------------------
Reliable                                                  | Unreliable
Connection-oriented                                       | Connectionless
Segment retransmission and flow control through windowing | No windowing or retransmission
Segment sequence                                          | No sequence
Acknowledge segments                                      | No acknowledgement
2. The “portmap” service was used to map RPC program numbers to IP address/port number combinations in earlier versions of RHEL. This service is replaced by “rpcbind” in RHEL 6 to enable IPv6 support.
Configuration files
* /etc/exports
* /var/lib/nfs/rmtab
* /var/lib/nfs/xtab
* /etc/hosts.allow
* /etc/hosts.deny
Daemons
* rpc.portmap (rpcbind for RHEL 6)
* rpc.mountd
* rpc.nfsd
* rpc.statd
* rpc.lockd
* rpc.rquotad
Scripts and commands
* /etc/rc.d/init.d/nfs
* nfsstat
* showmount
* rpcinfo
* exportfs
a> nfs
“service nfs start” starts the NFS server and the appropriate RPC processes to service requests for shared NFS file systems.
b> nfslock
“service nfslock start” activates a mandatory service that starts the appropriate RPC processes which allow NFS clients to lock files on the server.
c> rpcbind
“rpcbind” accepts port reservations from local RPC services. These ports are then made available (or advertised) so the corresponding remote RPC services can access them. rpcbind responds to requests for RPC services and sets up connections to the requested RPC service. This is not used with NFSv4.
RPC services
rpc.mountd
This process is used by an NFS server to process MOUNT requests from NFSv2 and NFSv3 clients. It checks that the requested NFS share is currently exported by the NFS server, and that the client is allowed to access it. If the mount request is allowed, the rpc.mountd server replies with a Success status and provides the File-Handle for this NFS share back to the NFS client.
rpc.nfsd
rpc.nfsd allows explicit NFS versions and protocols the server advertises to be defined. It works with the Linux kernel to meet the dynamic demands of NFS clients, such as providing server threads each time an NFS client connects. This process corresponds to the nfs service.
lockd
lockd is a kernel thread which runs on both clients and servers. It implements the Network Lock Manager (NLM) protocol, which allows NFSv2 and NFSv3 clients to lock files on the server. It is started automatically whenever the NFS server is run and whenever an NFS file system is mounted.
rpc.statd
This process implements the Network Status Monitor (NSM) RPC protocol, which notifies NFS clients when an NFS server is restarted without being gracefully brought down. rpc.statd is started automatically by the nfslock service, and does not require user configuration. This is not used with NFSv4.
rpc.rquotad
This process provides user quota information for remote users. rpc.rquotad is started automatically by the nfs service and does not require user configuration.
rpc.idmapd
rpc.idmapd provides NFSv4 client and server upcalls, which map between on-the-wire NFSv4 names (which are strings in the form of user@domain) and local UIDs and GIDs. For idmapd to function with NFSv4, the /etc/idmapd.conf file must be configured. This service is required for use with NFSv4, although not when all hosts share the same DNS domain name.
Starting and Stopping NFS
[root@server1 Desktop]# service rpcbind start
[root@server1 Desktop]# service nfs start
Starting NFS services: [ OK ]
Starting NFS quotas: [ OK ]
Starting NFS daemon: [ OK ]
Starting NFS mountd: [ OK ]
nfslock must also be started for both the NFS client and server to function properly. To start NFS locking, use the following command:
[root@server1 Desktop]# service nfslock start
[root@server1 Desktop]# chkconfig nfslock on
[root@server1 Desktop]# chkconfig nfs on
[root@server1 Desktop]# chkconfig rpcbind on
NFS Configuration
There are two ways to configure an NFS server:
a> By manually editing the NFS configuration file, i.e. /etc/exports
b> Through the command line, i.e. through “exportfs”
The “/etc/exports” configuration file
Refer to “man exports” for details on these less-used options.
export host(options)
export – the directory being exported
host – the host or network to which the export is being shared
options – the options to be used for that host
export host1(options1) host2(options2) host3(options3)
Examples
/exported/directory server1.example.com
The default settings are (ro, sync, wdelay, root_squash)
ro, rw, sync, async, wdelay, no_wdelay, root_squash, no_root_squash
By default, access control lists ( ACLs) are supported by NFS under Red Hat Enterprise Linux. To disable this feature, specify the no_acl option when exporting the file system.
ro – read only
rw – read,write
sync – the server will only acknowledge data after it has been written out to the disk.
async – the server will acknowledge data before it is committed to disk, which can lead to data corruption if the server crashes.
wdelay – the NFS server will delay writing to the disk if it suspects another write request is imminent.
no_wdelay – disables wdelay
root_squash – the NFS server maps requests from the remote root user to the anonymous user ID nfsnobody.
no_root_squash – disables root_squash (the remote root user keeps root privileges on the export)
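As an added illustration (not part of the original notes), the following shell script audits an exports file for the options just described that weaken the defaults (ro, sync, root_squash): no_root_squash, async, and host fields that export to everyone, i.e. a bare * or a space before the parenthesis, as in "/dir (rw)". It also flags the insecure option, which is not covered above and which lets the server accept requests from unprivileged source ports. The sample file written by audit_sample is constructed for the demonstration, and the function names and finding labels are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes): audit an exports file for
# options that weaken the NFS defaults. Point audit_exports at a real
# /etc/exports to audit a server; audit_sample uses a constructed file.

audit_exports() {
    # Prints one finding per line: "<export> <host> <reason>".
    # Understands "/dir host1(opts) host2(opts)" lines, comments and blanks.
    awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
    {
        export = $1
        if (NF == 1) {                      # no host field at all: open to everyone
            print export, "(any)", "exported_to_everyone"
            next
        }
        for (i = 2; i <= NF; i++) {
            host = $i; opts = ""
            if (match(host, /\(.*\)/)) {    # split "host(opts)" into its two parts
                opts = substr(host, RSTART + 1, RLENGTH - 2)
                host = substr(host, 1, RSTART - 1)
            }
            # "/dir (rw)" leaves an empty host, which exports to every client;
            # a bare "*" does the same explicitly
            if (host == "") { host = "(any)"; print export, host, "exported_to_everyone" } else if (host == "*") print export, host, "exported_to_everyone"
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "no_root_squash") print export, host, "remote_root_not_squashed"
                if (o[j] == "async")          print export, host, "async_writes"
                if (o[j] == "insecure")       print export, host, "unprivileged_source_ports"
            }
        }
    }' "$1"
}

audit_sample() {
    # Constructed sample exports file (not a real server's configuration).
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
# constructed sample exports file
/share      192.168.1.0/24(rw,sync)
/share      *.example.com(rw)
/reliance   *(rw,no_root_squash,async)
/public     (ro)
/data       10.0.0.0/8(rw,sync,root_squash)
EOF
    audit_exports "$sample"
    rm -f "$sample"
}

audit_sample
# expected findings (4 lines):
#   /reliance * exported_to_everyone
#   /reliance * remote_root_not_squashed
#   /reliance * async_writes
#   /public (any) exported_to_everyone
```

Only the /reliance and /public lines produce findings; the 192.168.1.0/24 and 10.0.0.0/8 exports keep the safe defaults, and *.example.com is a domain wildcard rather than a bare *, so it is left to the administrator's judgement.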
The exportfs command
Updates the table of exported directories from /etc/exports
Syntax:
exportfs [options]
-a – exports / unexports all directories
-r – reexports all directories
-u – unexports one or more directories
-v – provides verbose output
Example:
[root@server1 Desktop]# mkdir /share
[root@server1 Desktop]# vim /etc/exports
/share *.example.com(rw)
:wq!
[root@server1 Desktop]# exportfs -ar
[root@server1 Desktop]# exportfs -v
/share *.example.com(rw,wdelay,root_squash,no_subtree_check)
Discovering the NFS exports
[root@server1 Desktop]# showmount -e
Export list for server1.example.com:
/share *.example.com
[root@client1 Desktop]# showmount -e server1.example.com
Export list for server1.example.com:
/share *.example.com
[root@client1 ~]# mkdir /nfs
[root@client1 ~]# mount -t nfs server1.example.com:/share /nfs
[root@client1 ~]# cd /nfs
[root@client1 nfs]# ll
total 0
-rw-rw-r--. 1 nobody nobody 0 Nov 20 08:22 a
-rw-r--r--. 1 nfsnobody nfsnobody 0 Nov 20 08:23 b
-rw-rw-r--. 1 nobody nobody 0 Nov 20 08:25 c
[root@client1 nfs]#
Mounting NFS File Systems using /etc/fstab
Syntax:
server:/remote/export /local/directory nfs options 0 0
Example:
[root@client1 ~]# vim /etc/fstab
192.168.1.100:/share /nfs nfs defaults 0 0
:wq!
[root@client1 ~]# mount -a
[root@client1 ~]# mount | grep nfs
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
192.168.1.100:/share on /nfs type nfs (rw,vers=4,addr=192.168.1.100,clientaddr=192.168.1.101)
Mount options
-ro Mount the file system read-only
-rw Mount the file system read/write; the server can still restrict this, in which case a warning is flagged
-soft If the server fails to respond, return an error after the timeout period (-timeo=value) expires and do not retry
-hard If the server fails to respond, retry until it does respond
-bg Do the retries in background mode
-nosuid Do not allow executables on the mounted file system to run as setuid
-fstype File system type of the remote partition to mount:
    ext2 Linux native
    nfs NFS
    iso9660 CD-ROM
-user Allow users to mount the file system
-noexec Do not allow execution of files from this file system
-nosuid Do not allow programs in this file system to run as setuid or setgid
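As an added example (not part of the original notes), the script below rewrites the NFS entries of an fstab-style file so that the nosuid and noexec options described above are always present, turning the "defaults 0 0" line used earlier into its hardened form. The sample fstab written by sample_fstab is constructed; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes): make sure every nfs/nfs4 entry
# in an fstab-style file carries nosuid and noexec. Only the option field is
# changed; nothing is mounted.

harden_nfs_mount_opts() {
    # $1 = the fourth fstab field; prints it with nosuid and noexec guaranteed.
    # "suid" and "exec" are dropped because they would re-enable what we remove.
    out=""
    old_ifs=$IFS
    IFS=,
    for o in $1; do
        case $o in
            suid|exec) ;;
            *) out="${out:+$out,}$o" ;;
        esac
    done
    IFS=$old_ifs
    for want in nosuid noexec; do
        case ",$out," in
            *",$want,"*) ;;                  # already present
            *) out="${out:+$out,}$want" ;;
        esac
    done
    printf '%s\n' "$out"
}

harden_fstab() {
    # Copies file $1 to stdout, rewriting only lines whose type field is nfs or nfs4.
    file=$1
    set -f                                   # no globbing while splitting fields
    while IFS= read -r line; do
        case $line in
            ''|'#'*) printf '%s\n' "$line"; continue ;;
        esac
        set -- $line                         # fstab fields: dev mnt type opts dump pass
        if [ "$3" = nfs ] || [ "$3" = nfs4 ]; then
            printf '%s %s %s %s %s %s\n' "$1" "$2" "$3" \
                "$(harden_nfs_mount_opts "$4")" "${5:-0}" "${6:-0}"
        else
            printf '%s\n' "$line"
        fi
    done < "$file"
    set +f
}

sample_fstab() {
    # Constructed sample /etc/fstab for the demonstration.
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample /etc/fstab
/dev/sda1 / ext4 defaults 1 1
192.168.1.100:/share /nfs nfs defaults 0 0
server1.example.com:/pub /pub nfs4 ro,exec,hard,bg 0 0
EOF
    harden_fstab "$f"
    rm -f "$f"
}

sample_fstab
# expected output:
#   # constructed sample /etc/fstab
#   /dev/sda1 / ext4 defaults 1 1
#   192.168.1.100:/share /nfs nfs defaults,nosuid,noexec 0 0
#   server1.example.com:/pub /pub nfs4 ro,hard,bg,nosuid,noexec 0 0
```

nosuid is the option that matters most for a share written by other hosts, since a setuid binary placed on the export would otherwise run with elevated privileges on every client; noexec is stricter and will not suit shares that are meant to hold programs, so drop it from the want list where that is the case.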
Running NFS behind a Firewall
NFS requires rpcbind, which dynamically assigns ports for RPC services and can cause problems for configuring firewall rules. To allow clients to access NFS shares behind a firewall, edit the /etc/sysconfig/nfs configuration file to control which ports the required RPC services run on.
The /etc/sysconfig/nfs file may not exist by default on all systems. If it does not exist, create it and add the following variables, replacing port with an unused port number (alternatively, if the file exists, un-comment and change the default entries as required):
MOUNTD_PORT=port
Controls which TCP and UDP port mountd ( rpc.mountd) uses.
STATD_PORT=port
Controls which TCP and UDP port status ( rpc.statd) uses.
LOCKD_TCPPORT=port
Controls which TCP port nlockmgr ( lockd) uses.
LOCKD_UDPPORT=port
Controls which UDP port nlockmgr ( lockd) uses.
If NFS fails to start, check /var/log/messages. Normally, NFS will fail to start if you specify a port number that is already in use. After editing /etc/sysconfig/nfs, restart the NFS service using service nfs restart. Run the rpcinfo -p command to confirm the changes.
To configure a firewall to allow NFS, perform the following steps:
- Allow TCP and UDP port 2049 for NFS.
- Allow TCP and UDP port 111 ( rpcbind/ sunrpc).
- Allow the TCP and UDP port specified with MOUNTD_PORT="port"
- Allow the TCP and UDP port specified with STATD_PORT="port"
- Allow the TCP port specified with LOCKD_TCPPORT="port"
- Allow the UDP port specified with LOCKD_UDPPORT="port"
Note
To allow NFSv4.0 callbacks to pass through firewalls set /proc/sys/fs/nfs/nfs_callback_tcpport and allow the server to connect to that port on the client. This process is not needed for NFSv4.1 or higher, and the other ports for mountd, statd, and lockd are not required in a pure NFSv4 environment.
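As an added example (not part of the original notes), the script below reads the fixed ports from a /etc/sysconfig/nfs style file and prints the iptables rules that the steps above call for: TCP and UDP 2049 and 111, the mountd and statd ports on both protocols, and the lockd TCP and UDP ports. The rules are only printed, never applied, and the script refuses to emit a partial rule set when one of the four variables is missing. The sample file written by sample_rules is constructed and its port numbers are placeholders; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes): derive iptables rules from the
# fixed NFS ports in a /etc/sysconfig/nfs style file. Nothing is applied.

sysconfig_port() {
    # $1 = file, $2 = variable name; prints the numeric value of an uncommented
    # VAR=port or VAR="port" line (last one wins), or nothing if unset.
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([0-9]\{1,5\}\).*/\1/p" "$1" | tail -n 1
}

nfs_iptables_rules() {
    # $1 = sysconfig file, $2 = optional source network (e.g. 192.168.1.0/24).
    # Fails rather than printing an incomplete set: a missing STATD or LOCKD
    # port would leave clients hanging on locks and crash notifications.
    file=$1
    net=${2:+-s $2}
    mountd=$(sysconfig_port "$file" MOUNTD_PORT)
    statd=$(sysconfig_port "$file" STATD_PORT)
    lockd_tcp=$(sysconfig_port "$file" LOCKD_TCPPORT)
    lockd_udp=$(sysconfig_port "$file" LOCKD_UDPPORT)
    for v in mountd statd lockd_tcp lockd_udp; do
        eval "val=\$$v"
        if [ -z "$val" ]; then
            echo "error: no fixed port for $v in $file" >&2
            return 1
        fi
    done
    rule() { printf 'iptables -A INPUT %s-p %s --dport %s -j ACCEPT\n' "${net:+$net }" "$1" "$2"; }
    rule tcp 2049;        rule udp 2049          # nfs
    rule tcp 111;         rule udp 111           # rpcbind / sunrpc
    rule tcp "$mountd";   rule udp "$mountd"     # rpc.mountd (MOUNTD_PORT)
    rule tcp "$statd";    rule udp "$statd"      # rpc.statd (STATD_PORT)
    rule tcp "$lockd_tcp"                        # lockd (LOCKD_TCPPORT)
    rule udp "$lockd_udp"                        # lockd (LOCKD_UDPPORT)
}

sample_rules() {
    # Constructed sample /etc/sysconfig/nfs; the port values are placeholders.
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample /etc/sysconfig/nfs
#MOUNTD_PORT=892
MOUNTD_PORT=892
STATD_PORT="662"
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
EOF
    nfs_iptables_rules "$f" 192.168.1.0/24
    rc=$?
    rm -f "$f"
    return $rc
}

sample_rules
# prints 10 iptables rules restricted to the 192.168.1.0/24 source network
```

Restricting the rules to the network that appears in /etc/exports (here 192.168.1.0/24, the network used in the server example later in these notes) keeps rpcbind and mountd from being reachable by hosts that could never mount the share anyway; compare the printed rules with rpcinfo -p after service nfs restart to confirm the daemons actually bound to the configured ports.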
Troubleshooting NFS and rpcbind
[root@server1 Desktop]# rpcinfo -p
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 45999 status
100024 1 tcp 59207 status
100011 1 udp 875 rquotad
100011 2 udp 875 rquotad
100011 1 tcp 875 rquotad
100011 2 tcp 875 rquotad
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100227 2 tcp 2049 nfs_acl
100227 3 tcp 2049 nfs_acl
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100227 2 udp 2049 nfs_acl
100227 3 udp 2049 nfs_acl
100021 1 udp 56223 nlockmgr
100021 3 udp 56223 nlockmgr
100021 4 udp 56223 nlockmgr
100021 1 tcp 58726 nlockmgr
100021 3 tcp 58726 nlockmgr
100021 4 tcp 58726 nlockmgr
100005 1 udp 35175 mountd
100005 1 tcp 45458 mountd
100005 2 udp 37640 mountd
100005 2 tcp 58572 mountd
100005 3 udp 49202 mountd
100005 3 tcp 36921 mountd
NFS with SELinux
SELinux Boolean settings
[root@server1 ~]# getsebool -a | grep nfs
allow_ftpd_use_nfs --> off
allow_nfsd_anon_write --> off
cobbler_use_nfs --> off
git_system_use_nfs --> off
httpd_use_nfs --> off
nfs_export_all_ro --> on
nfs_export_all_rw --> on
qemu_use_nfs --> on
samba_share_nfs --> off
use_nfs_home_dirs --> on
virt_use_nfs --> off
xen_use_nfs --> off
semanage requires the policycoreutils packages
[root@server1 ~]# yum install policycoreutils*
[root@server1 ~]# semanage boolean -l | grep nfs
xen_use_nfs -> off Allow xen to manage nfs files
virt_use_nfs -> off Allow virt to manage nfs files
use_nfs_home_dirs -> on Support NFS home directories
allow_ftpd_use_nfs -> off Allow ftp servers to use nfs used for public file transfer services.
git_system_use_nfs -> off Allow Git daemon system to access nfs file systems.
qemu_use_nfs -> on Allow qemu to use nfs file systems
cdrecord_read_content -> off Allow cdrecord to read various content. nfs, samba, removable devices, user temp and untrusted content files
allow_nfsd_anon_write -> off Allow nfs servers to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t.
cobbler_use_nfs -> off Allow Cobbler to access nfs file systems.
httpd_use_nfs -> off Allow httpd to access nfs file systems
samba_share_nfs -> off Allow samba to export NFS volumes.
nfs_export_all_rw -> on Allow any files/directories to be exported read/write via NFS.
nfs_export_all_ro -> on Allow any files/directories to be exported read/only via NFS.
To show that SELinux is still able to block access even when Linux permissions are completely open, give the /share directory full Linux access rights for all users:
[root@server1 ~]# chmod 777 /share
[root@server1 ~]# setsebool -P nfs_export_all_rw on
SELinux file context label
By default, mounted NFS file systems on the client side are labeled with a default context defined by policy for NFS file systems. In common policies, this default context uses the nfs_t type. The following types are used with NFS. Different types allow you to configure flexible access:
var_lib_nfs_t
This type is used for existing and new files copied to or created in the /var/lib/nfs directory. This type should not need to be changed in normal operation. To restore changes to the default settings, run the restorecon -R -v /var/lib/nfs command as the root user.
nfsd_exec_t
The /usr/sbin/rpc.nfsd file is labeled with the nfsd_exec_t, as are other system executables and libraries related to NFS. Users should not label any files with this type. nfsd_exec_t will transition to nfsd_t.
[root@client1 ~]# ls -dZ /nfs
drwxrwxrwx. root root system_u:object_r:nfs_t:s0 /nfs
NFS Server and Client example configuration
Server1.example.com – 192.168.1.100
Client1.example.com – 192.168.1.101
Check the default NFS installation packages
[root@server1 ~]# rpm -qa nfs*
nfs4-acl-tools-0.3.3-5.el6.x86_64
nfs-utils-lib-1.1.5-4.el6.x86_64
nfs-utils-1.2.3-15.el6.x86_64
[root@server1 ~]# rpm -qa rpcbind*
rpcbind-0.2.0-8.el6.x86_64
[root@server1 ~]# rpm -qlc nfs-utils
/etc/nfsmount.conf
/etc/rc.d/init.d/nfs
/etc/rc.d/init.d/nfslock
/etc/rc.d/init.d/rpcgssd
/etc/rc.d/init.d/rpcidmapd
/etc/rc.d/init.d/rpcsvcgssd
/etc/sysconfig/nfs
/var/lib/nfs/etab
/var/lib/nfs/rmtab
/var/lib/nfs/state
/var/lib/nfs/xtab
Create a shared directory and give full permission
[root@server1 ~]# mkdir /share
[root@server1 ~]# chmod 777 /share
[root@server1 ~]# ll -dZ /share/
drwxrwxrwx. root root unconfined_u:object_r:default_t:s0 /share/
[root@server1 ~]# service nfs start
Starting NFS services: [ OK ]
Starting NFS quotas: [ OK ]
Starting NFS daemon: [ OK ]
Starting NFS mountd: [ OK ]
[root@server1 ~]# service rpcbind status
rpcbind (pid 2054) is running…
[root@server1 ~]# vim /etc/exports
/share 192.168.1.0/24(rw)
:wq!
[root@server1 ~]# showmount -e
Export list for server1.example.com:
/share 192.168.1.0/24
[root@server1 ~]# exportfs -ar
[root@server1 ~]# exportfs -v
/share 192.168.1.0/24(rw,wdelay,root_squash,no_subtree_check)
[root@server1 ~]# getsebool -a | grep nfs
allow_ftpd_use_nfs --> off
allow_nfsd_anon_write --> off
cobbler_use_nfs --> off
git_system_use_nfs --> off
httpd_use_nfs --> off
nfs_export_all_ro --> on
nfs_export_all_rw --> on
qemu_use_nfs --> on
samba_share_nfs --> off
use_nfs_home_dirs --> on
virt_use_nfs --> off
xen_use_nfs --> off
Client-side mounting steps
[root@client1 Desktop]# showmount -e server1.example.com
Export list for server1.example.com:
/share 192.168.1.0/24
[root@client1 Desktop]# mkdir /nfs
[root@client1 Desktop]# vim /etc/fstab
192.168.1.100:/share /nfs nfs defaults 0 0
:wq!
[root@client1 Desktop]# mount -a
[root@client1 Desktop]# mount | grep nfs
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
192.168.1.100:/share on /nfs type nfs (rw,vers=4,addr=192.168.1.100,clientaddr=192.168.1.101)
[root@client1 Desktop]# ls -dZ /nfs
drwxrwxrwx. root root system_u:object_r:nfs_t:s0 /nfs
[root@client1 Desktop]# cd /nfs/
[root@client1 nfs]# touch a b c
[root@client1 nfs]# ll
total 0
-rw-r--r--. 1 nfsnobody nfsnobody 0 Nov 20 13:37 a
-rw-r--r--. 1 nfsnobody nfsnobody 0 Nov 20 13:37 b
-rw-r--r--. 1 nfsnobody nfsnobody 0 Nov 20 13:37 c
[root@client1 nfs]# rm -rf c
Advanced Practical:
To share the NFS server with different networks.
1) Assign the virtual IP.
2) Export the directory and assign the permissions.
3) Restart the service.
4) Try to connect from the client side.
* To assign the virtual IP.
# netconfig --device eth0:1
10.0.0.2 255.0.0.0
* Restart the service.
# service network restart
* To configure the export file.
# vim /etc/exports
/share 10.0.0.3/8(ro,sync)
/share 10.0.0.0/8(rw,sync)
/reliance 192.168.1.0/24(rw,sync)
* To create the directory.
# mkdir /reliance
# chmod 777 /reliance/
* To restart the service.
# service portmap restart
# service nfs restart
* To check.
# exportfs -rav
Client side configuration:
* To check from the client side.
# showmount -e (server IP)
# showmount -e 10.0.0.2
* To create the directory.
# mkdir /mount
* To mount the directory exported by the server.
# mount 10.0.0.2:/reliance /mount
* The directory should mount, but it is read-only.
Common NFS errors and solutions:
1. “Server Not Responding” message
2. “Access Denied” message
3. “Permission Denied” message
4. “Device Busy” message
Error 1: If You Receive an NFS “Server Not Responding” Message
Ping the NFS server from the client:
1. ping “nfs server name or IP”
2. /usr/bin/rpcinfo -p servername
The rpcinfo command should display the following processes:
* portmap
* nfs
* mountd
* status
* nlockmgr
* llockmgr
If any of these processes is not running, follow the steps below:
a.Make sure the /etc/rc.config.d/nfsconf file on the NFS server contains the following lines:
NFS_SERVER=1
START_MOUNTD=1
b.Make sure that the /etc/inetd.conf file on the NFS server does not contain a line to start rpc.mountd.
If it does, make sure the START_MOUNTD variable in /etc/rc.config.d/nfsconf is set to 0.
c.Issue the following command on the NFS server to start all the necessary NFS processes:
#/sbin/init.d/nfs.server start
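As an added example (not part of the original notes), the following script automates the rpcinfo check described for Error 1 and the "Troubleshooting NFS and rpcbind" listing earlier: it reads rpcinfo -p output and reports which of the required services (portmapper, nfs, mountd, status, nlockmgr) are not registered. The sample output is constructed, modelled on the rpcinfo listing earlier in these notes, and includes a second variant with lockd missing; llockmgr is omitted because it is HP-UX specific and does not appear in a RHEL rpcinfo listing. The function names are this example's own. On a real host pipe rpcinfo -p servername into check_rpc_services.

```shell
#!/bin/sh
# Added example (not from the original notes): verify that rpcinfo -p output
# lists every RPC service an NFSv2/v3 server needs.

check_rpc_services() {
    # Reads rpcinfo -p output on stdin, prints "missing: <service>" for every
    # required service that is not registered, and returns 1 if any is missing.
    # "portmapper" is what RHEL 6 rpcinfo prints for the rpcbind/portmap service.
    present=$(awk 'NR > 1 && NF >= 5 { print $5 }' | sort -u)
    rc=0
    for svc in portmapper nfs mountd status nlockmgr; do
        if ! printf '%s\n' "$present" | grep -qx "$svc"; then
            echo "missing: $svc"
            rc=1
        fi
    done
    return $rc
}

sample_rpcinfo() {
    # Constructed rpcinfo -p output for a healthy server (abridged).
    cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100024    1   udp  45999  status
    100024    1   tcp  59207  status
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    4   udp  56223  nlockmgr
    100021    4   tcp  58726  nlockmgr
    100005    3   udp  49202  mountd
    100005    3   tcp  36921  mountd
EOF
}

sample_rpcinfo_no_lockd() {
    # Same server with lockd not registered, e.g. nfslock was never started.
    sample_rpcinfo | grep -v nlockmgr
}

sample_rpcinfo | check_rpc_services && echo "all required RPC services registered"
sample_rpcinfo_no_lockd | check_rpc_services || echo "start nfslock and check again"
# the second run prints "missing: nlockmgr" followed by the hint
```

A non-zero return from check_rpc_services is the cue to run service nfs start / service nfslock start on the server (or the HP-UX equivalents above) before investigating the client any further; a missing portmapper line usually means rpcbind itself is down or port 111 is blocked.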
Error 2: If You Receive an “Access Denied” Message
a. Check whether the file system is exported:
# /usr/sbin/showmount -e server_name
(If it is not exported, edit the /etc/exports file on the NFS server, add the necessary entry and then run the command /usr/sbin/exportfs -a)
Error 3: If You Receive a “Permission Denied” Message
a. Check the mount options in the /etc/fstab file on the NFS client. A directory you are attempting to write to may have been mounted read-only.
b. Issue the ls -l command to check the HP-UX permissions on the server directory and on the client directory that is the mount point. You may not be allowed access to the directory.
c. Issue the following command on the NFS server:
/usr/sbin/exportfs
Or, issue the following command on the NFS client:
/usr/sbin/showmount -e server_name
d. Check the export permissions on the exported directory. The directory may have been exported read-only to your client. The system administrator of the NFS server can use the remount mount option to mount the directory read/write without unmounting it.
Error 4: If You Receive a “Device Busy” Message
a. If you received the “device busy” message while attempting to mount a directory, try to access the mounted directory. If you can access it, then it is already mounted.
b. If you received the “device busy” message while attempting to unmount a directory, a user or process is currently using the directory. Wait until the process completes, or follow these steps:
1. Issue the following command to determine who is using the mounted directory:
/usr/sbin/fuser -cu local_mount_point
The fuser(1M) command will return a list of process IDs and user names that are currently using the directory mounted under local_mount_point. This will help you decide whether to kill the processes or wait for them to complete.
2. To kill all processes using the mounted directory, issue the following command:
/usr/sbin/fuser -ck local_mount_point
3. Try again to unmount the directory.