A Linux Foundation Certified Engineer (LFCE) is trained to set up, configure, manage, and troubleshoot network services in Linux systems, and is answerable for the design and implementation of system architecture and solving everyday related issues.
Introducing The Linux Foundation Certification Program (LFCE).
In Part 1 of this series we explained how to install a NFS (Network File System) server, and set the service to start automatically on boot. If you haven’t already done so, please refer to that article and follow the outlined steps before proceeding.
I will now show you how to properly configure your NFSv4 server (without authentication security) so that you can set up network shares to use in Linux clients as if those file systems were installed locally. Note that you can use LDAP or NIS for authentication purposes, but both options are out of the scope of the LFCE certification.
Configuring a NFSv4 server
Once the NFS server is up and running, we will focus our attention on:
- specifying and configuring the local directories that we want to share over the network, and
- mounting those network shares in clients automatically, either through the /etc/fstab file or the automount kernel-based utility (autofs).
We will explain later when to choose one method or the other.
Before we begin, we need to make sure that the idmapd daemon is running and configured. This service performs the mapping of NFSv4 names (user@mydomain) to user and group IDs, and is required to implement a NFSv4 server.
Edit /etc/default/nfs-common to enable idmapd.
NEED_IDMAPD=YES
And edit /etc/idmapd.conf with your local domain name (the default is the FQDN of the host).
Domain = yourdomain.com
Then start idmapd.
# service nfs-common start [sysvinit / upstart based systems]
# systemctl start nfs-common [systemd based systems]
Exporting Network Shares
The /etc/exports file contains the main configuration directives for our NFS server, defines the file systems that will be exported to remote hosts and specifies the available options. In this file, each network share is indicated using a separate line, which has the following structure by default:
/filesystem/to/export client1([options]) clientN([options])
Where /filesystem/to/export is the absolute path to the exported file system, whereas client1 (up to clientN) represents the specific client (hostname or IP address) or network (wildcards are allowed) to which the share is being exported. Finally, options is a list of comma-separated values that are taken into account while exporting the share. Please note that there must be no space between each hostname and the parenthesis that follows it.
Here is a list of the most-frequent options and their respective description:
- ro (short for read-only): Remote clients can mount the exported file systems with read permissions only.
- rw (short for read-write): Allows remote hosts to make write changes in the exported file systems.
- wdelay (short for write delay): The NFS server delays committing changes to disk if it suspects another related write request is imminent. However, if the NFS server receives multiple small unrelated requests, this option will reduce performance, so the no_wdelay option can be used to turn it off.
- sync: The NFS server replies to requests only after changes have been committed to permanent storage (i.e., the hard disk). Its opposite, the async option, may increase performance but at the cost of data loss or corruption after an unclean server restart.
- root_squash: Prevents remote root users from having superuser privileges in the server and assigns them the user ID for user nobody. If you want to “squash” all users (and not just root), you can use the all_squash option.
- anonuid / anongid: Explicitly sets the UID and GID of the anonymous account (nobody).
- subtree_check: If only a subdirectory of a file system is exported, this option verifies that a requested file is located in that exported subdirectory. On the other hand, if the entire file system is exported, disabling this option with no_subtree_check will speed up transfers. The default option nowadays is no_subtree_check as subtree checking tends to cause more problems than it is worth, according to man 5 exports.
- fsid=0 | root (zero or root): Specifies that the specified file system is the root of multiple exported directories (only applies in NFSv4).
In this article we will use the directories /NFS-SHARE and /NFS-SHARE/mydir on 192.168.0.10 (NFS server) as our test file systems.
We can always list the available network shares in a NFS server using the following command:
# showmount -e [IP or hostname]
In the output above, we can see that the /NFS-SHARE and /NFS-SHARE/mydir shares on 192.168.0.10 have been exported to client with IP address 192.168.0.17.
Our initial configuration (refer to the /etc/exports file on your NFS server) for the exported directories is as follows:
/NFS-SHARE 192.168.0.17(fsid=0,no_subtree_check,rw,root_squash,sync,anonuid=1000,anongid=1000)
/NFS-SHARE/mydir 192.168.0.17(ro,sync,no_subtree_check)
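An added example (not part of the original article): a small Python check that can be run over /etc/exports before restarting the service. It flags the space-before-parenthesis mistake noted above, where the options end up applying to every host instead of the named client, plus options described in exports(5) that weaken a share. The function name audit_exports and sample lines 4 and 5 are constructed for illustration.

```python
import re

# Options that weaken an export; reasons paraphrase exports(5).
RISKY = {
    "no_root_squash": "remote root keeps superuser privileges",
    "async": "replies before data is on disk",
    "insecure": "accepts requests from source ports above 1023",
}
# host(options) with the options part optional; host may be empty.
TOKEN = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")

def audit_exports(text):
    """Return (line_no, path, finding) tuples for the body of /etc/exports.
    Assumes one export per line, no quoted paths, no line continuations."""
    findings = []
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for token in clients:
            match = TOKEN.match(token)
            if match is None:
                findings.append((num, path, f"cannot parse {token!r}"))
                continue
            host = match.group(1)
            opts = [o for o in (match.group(2) or "").split(",") if o]
            if not host:
                # "client (rw)": the space detaches the options from the client
                findings.append((num, path, "options after a space apply to every host"))
                host = "*"
            for opt in opts:
                if opt in RISKY:
                    findings.append((num, path, f"{host}: {opt}: {RISKY[opt]}"))
            if "rw" in opts and ("*" in host or "?" in host):
                findings.append((num, path, f"{host}: writable by wildcard clients"))
    return findings

# Constructed sample: lines 2-3 are the article's exports, 4-5 are invented.
SAMPLE = """\
# /etc/exports
/NFS-SHARE 192.168.0.17(fsid=0,no_subtree_check,rw,root_squash,sync,anonuid=1000,anongid=1000)
/NFS-SHARE/mydir 192.168.0.17(ro,sync,no_subtree_check)
/srv/scratch 192.168.0.17 (rw,no_root_squash)
/srv/pub *(rw,async)
"""

if __name__ == "__main__":
    for num, path, finding in audit_exports(SAMPLE):
        print(f"line {num}: {path}: {finding}")
```

The article's two exports produce no findings; the constructed lines 4 and 5 produce three and two respectively.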
After editing the configuration file, we must restart the NFS service:
# service nfs-kernel-server restart [sysvinit / upstart based system]
# systemctl restart nfs-server [systemd based systems]
Mounting exported network shares using autofs
You may want to refer to Part 5 of the LFCS series (“How to Mount/Unmount Local and Network (Samba & NFS) Filesystems in Linux”) for details on mounting remote NFS shares on-demand using the mount command or permanently through the /etc/fstab file.
The downside of mounting a network file system using these methods is that the system must allocate the necessary resources to keep the share mounted at all times, or at least until we decide to unmount them manually. An alternative is to mount the desired file system on-demand automatically (without using the mount command) through autofs, which can mount file systems when they are used and unmount them after a period of inactivity.
Autofs reads /etc/auto.master, which has the following format:
[mount point] [map file]
Where [map file] is used to indicate multiple mount points within [mount point].
This master map file (/etc/auto.master) is then used to determine which mount points are defined, and then starts an automount process with the specified parameters for each mount point.
Mounting exported NFS shares using autofs
Edit your /etc/auto.master as follows:
/media/nfs /etc/auto.nfs-share --timeout=60
and create a map file named /etc/auto.nfs-share with the following contents:
writeable_share -fstype=nfs4 192.168.0.10:/
non_writeable_share -fstype=nfs4 192.168.0.10:/mydir
Note that the first field in /etc/auto.nfs-share is the name of a subdirectory inside /media/nfs. Each subdirectory is created dynamically by autofs.
Now, restart the autofs service:
# service autofs restart [sysvinit / upstart based systems]
# systemctl restart autofs [systemd based systems]
and finally, to enable autofs to start on boot, run the following command:
# chkconfig --level 345 autofs on
# systemctl enable autofs [systemd based systems]
Examining mounted file systems after starting the autofs daemon
When we restart autofs, the mount command shows us that the map file (/etc/auto.nfs-share) is mounted on the specified directory in /etc/auto.master:
Please note that no directories have actually been mounted yet, but will be automatically when we try to access the shares specified in /etc/auto.nfs-share:
As we can see, the autofs service “mounts” the map file, so to speak, but waits until a request is made to the file systems to actually mount them.
Performing write tests in exported file systems
The anonuid and anongid options, along with the root_squash as set in the first share, allow us to map requests performed by the root user in the client to a local account in the server.
In other words, when root in the client creates a file in that exported directory, its ownership will be automatically mapped to the user account with UID and GID = 1000, provided that such account exists on the server:
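An added example (not from the original article) that models the squash options as described in exports(5), using the article's own option strings. It also shows what the "without authentication security" setup implies: only UID/GID 0 is remapped, and any other ID sent by the client is used as-is on the server. The function name squash is an assumption made for this sketch.

```python
NOBODY = 65534  # default anonymous UID/GID per exports(5) when anonuid/anongid are unset

def squash(uid, gid, options):
    """Return the (uid, gid) the server acts as for a client-supplied identity."""
    opts = {}
    for item in options.split(","):
        key, _, value = item.partition("=")
        opts[key.strip()] = value
    anonuid = int(opts.get("anonuid", NOBODY))
    anongid = int(opts.get("anongid", NOBODY))
    if "all_squash" in opts:
        # Every client identity becomes the anonymous account.
        return anonuid, anongid
    if "no_root_squash" not in opts:
        # root_squash is the default: only ID 0 is remapped.
        uid = anonuid if uid == 0 else uid
        gid = anongid if gid == 0 else gid
    return uid, gid

# Option strings of the article's two exports.
FIRST_SHARE = "fsid=0,no_subtree_check,rw,root_squash,sync,anonuid=1000,anongid=1000"
SECOND_SHARE = "ro,sync,no_subtree_check"

if __name__ == "__main__":
    cases = [
        ("root on first share", 0, 0, FIRST_SHARE),
        ("uid 1001 on first share", 1001, 1001, FIRST_SHARE),
        ("root on second share", 0, 0, SECOND_SHARE),
        ("root with no_root_squash", 0, 0, "rw,no_root_squash"),
    ]
    for label, uid, gid, options in cases:
        print(f"{label}: {squash(uid, gid, options)}")
```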
Conclusion
I hope you were able to successfully set up and configure a NFS server fit for your environment using this article as a guide. You may also want to refer to the relevant man pages for further help (man exports and man idmapd.conf, for example).
Feel free to experiment with other options and test cases as outlined earlier and do not hesitate to use the form below to send your comments, suggestions, or questions. We will be glad to hear from you.
Can you please go to your server and do:
ls -ld /NFS-SHARE /NFS-SHARE/mydir
I need to see your permissions, the owner and the group of these folders, in order to troubleshoot some of my permission problems.
Hi Gabriel,
Many thanks for this guide….
But I was not able to find /etc/default/nfs-common under my CENTOS 7; I have installed the nfs-utils package.
What I could find is /etc/idmapd.conf that pertains to IDMAPD..
Any idea about this
I have been trying to setup this up under Centos 7.1 but RPCBIND service is always giving an error when I check the status:
root@LFCE ~]# service rpcbind status
Redirecting to /bin/systemctl status rpcbind.service
rpcbind.service – RPC bind service
Loaded: loaded (/usr/lib/systemd/system/rpcbind.service; static)
Active: failed (Result: exit-code) since Wed 2015-08-19 13:47:23 WAT; 15min ago
Main PID: 2412 (code=exited, status=2)
CGroup: /system.slice/rpcbind.service
Aug 19 13:46:03 LFCE.local systemd[1]: rpcbind.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Aug 19 13:46:03 LFCE.local systemd[1]: Unit rpcbind.service entered failed state.
Aug 19 13:46:03 LFCE.local systemd[1]: Starting RPC bind service…
Aug 19 13:46:04 LFCE.local systemd[1]: Started RPC bind service.
Aug 19 13:47:23 LFCE.local systemd[1]: Stopping RPC bind service…
Aug 19 13:47:23 LFCE.local systemd[1]: rpcbind.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Aug 19 13:47:23 LFCE.local systemd[1]: Stopped RPC bind service.
Aug 19 13:47:23 LFCE.local systemd[1]: Unit rpcbind.service entered failed state.
The LFCE exam is now using Centos 7! We need to fix this soon..
@Christopher,
The INVALIDARGUMENT message makes me think there must be a problem with your exports. Please refer to this link for the NFS server installation on CentOS 7, until I can revise this article and others in the LFCE/S series: http://www.server-world.info/en/note?os=CentOS_7&p=nfs
Hello, I have a problem when I do the mount | grep nfs-share step: nfs-share is not mounted. I tried over and over and it is not mounted.
Thanks
@Eduardo,
What distribution are you using? Should not make a significant difference but I just wanted to know.
Please write an outline of all the steps (both on the server and on the client) that you took and send it to me via email at gacanepa gmail dot com. I will take a look when I have a few minutes and then get back to you.
Hey,
I had this set of tutorials bookmarked for a while now, and was just getting in to it, but I seem to be finding some problems following this one in particular.
In the first tutorial you pointed that we should install portmap, and I cannot find it anywhere, but when I try to install it yum (I’m using a minimal install of CENTOS 6.6) tells me that there’s no need to install it because I have rpcbind installed (so I think that’s settled, and that it is not a problem, but I thought I might as well bring it up too).
And on this one, I can’t seem to install nfs-common, and there’s no /etc/nfs-common file to edit either (consequently, I’d say). I don’t know if this is a problem, but the idmapd service seems to be run by a package called rpc.idmapd. So basically I was wondering if this is a problem, and if so if it is solved by creating the /etc/nfs-common instead of editing it and then starting the rpcidmapd service instead of nfs-common, or if I’m missing some package, or if the solution is elsewhere I’m not seeing.
As a side note, the rest of the article is perfectly well written and clear. Also, I’m relatively new to Linux, only having completed the Intro to Linux course on EDx and not much else, so my doubts may be due to this.
Thanks for all the help and keep up the good work!
@JNat,
I am sorry it’s taken me so long to post a reply to your question. I used a Debian box as NFS server for this article, so it’s likely that some of the package name may differ a little. You may want to refer to this link for details on installing the server using a CentOS box: https://www.howtoforge.com/setting-up-an-nfs-server-and-client-on-centos-6.3. Hope it helps! Don’t hesitate to drop another comment if for some reason it doesn’t work for you – I promise to reply faster than this time.
On a side note, if you’re relatively new to Linux, I’d highly recommend you download The Linux Command Line from linuxcommand.org. It is by far the best introductory book to Linux.
Finally, thanks for your kind words about my work.
Hi,
I think this tutorial is missing the firewall configuration part that needs to be done in order to manage to mount and also access the share from another system.
Probably the firewall configuration will be covered in part 8 but I think you will have to mention the ports that need to be opened.
I have found a good guide here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/s2-nfs-nfs-firewall-config.html
Thanks.
@Vlad,
Thank you for taking the time to read and to comment on this article. Yes, you’re right, I will be covering firewall configuration later on the series but in Part 10 actually, where I will discuss firewall applications. That is why I did not cover the setup of a transparent proxy with Squid in Part 5 either (which will be covered in Part 10).
Just FYI, Part 8 will be more of setting up and configuring iptables, than specific applications as mentioned before.
Thanks also for the link that you shared. Both I and the rest of the readers thank you for that!
Best,
Gabriel
@Gabriel
Thanks for your feedback. I am looking forward to seeing the next tutorials.
I noticed that SELinux blocks the NFS connection; if I disable it, it works OK. For the moment I don’t know how to set up SELinux for this job.
So in the LFCE context the configuration of the nfs should be done with selinux enabled?
Thanks,
Vlad
@Devil,
This article was prepared using a real system, as you can see in the images above.
If something does not work ok in your setup, please make sure you are using one of the distributions listed in the LFCE options.
Then feel free to get back to us if you run into any issues.
Thanks.
Hi,
Your article is very interesting as usual.
However, I saw a confusing thing: you are writing the term imapd instead of idmapd (I suppose) at least twice in the article.
Could you fix this mistake to avoid any confusion for all the beginners who are reading your series of articles?
Regards.
@CertDepot,
I just checked and can’t find the typo you’re referring to. Maybe it was fixed by the editor when you submitted your comment. Either way, you’re right, when we’re talking about NFS it should be idmapd and not imapd.
On a side note, I checked your web site the other day and liked it very much! Congrats for your work!
That's not sufficient for nfs server like to deep the solutions for nfs4 version
this typewritten I will check but some kind of error is there like mount.nfs4 like that... please nfs4 briefly understand me...
Hi, Gabriel
how can we share the data directory so that it can be accessed from windows machine too
@Deepanjan,
Mounting network shares in Windows clients is out of the scope of this series. However, I like your question because you’ve brought up an interesting topic anyway. I do not have access to a Windows box right now but I promise to look into it later when I get home.
Thanks for taking the time to comment on this post.