NFS Configuration
This article provides an introduction to NFS configuration on Linux, with specific reference to the information needed for the RHCE EX300 certification exam.
Remember, the exams are hands-on, so it doesn’t matter which method you use to achieve the result, so long as the end product is correct.
- Installation
- Firewall
- SELinux
- Create Network Shares
- Create Network Shares for Group Collaboration
- Security
- Mounting NFS Shares
Installation
The NFS service is installed from a Yum repository using the following command.
# yum install nfs-utils
Turn on the NFS server and make sure it starts automatically on reboot.
# service nfs start
# chkconfig nfs on
NFS shares are configured by altering the contents of the “/etc/exports” file. Configuration changes have to be followed by a restart of the NFS service or a reload.
# service nfs restart
# # or
# exportfs -ra
Firewall
The ports used by NFS are assigned dynamically, which can present a problem if you are using the Linux firewall. To simplify matters, edit the “/etc/sysconfig/nfs” file, uncommenting the LOCKD_TCPPORT, LOCKD_UDPPORT, MOUNTD_PORT and STATD_PORT entries. This will fix the port numbers to those values specified by the entries, which in my case were the following.
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
Once the service is restarted, we can now open these ports along with the 2049 and 111 ports for NFS and rpcbind respectively. Assuming you are using a firewall setup file, as described here, you can include the following additions to the INPUT chain.
# Open ports for NFS.
iptables -A INPUT -p tcp --dport 2049 -j ACCEPT
iptables -A INPUT -p udp --dport 2049 -j ACCEPT
iptables -A INPUT -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -p udp --dport 111 -j ACCEPT
iptables -A INPUT -p tcp --dport 32803 -j ACCEPT
iptables -A INPUT -p udp --dport 32769 -j ACCEPT
iptables -A INPUT -p tcp --dport 892 -j ACCEPT
iptables -A INPUT -p udp --dport 892 -j ACCEPT
iptables -A INPUT -p tcp --dport 662 -j ACCEPT
iptables -A INPUT -p udp --dport 662 -j ACCEPT
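The rules above accept NFS traffic from any source address. The following added example (not part of the original article) reads the pinned ports from a sysconfig-style file and prints the same set of rules restricted to one client subnet, reporting any port entry that is still commented out. The helper names `get_port`, `emit` and `nfs_rules`, and the subnet in the usage line, are assumptions for illustration.

```shell
#!/bin/sh
# Added example: print NFS iptables rules limited to one client subnet.
# get_port, emit and nfs_rules are hypothetical helper names.

# get_port KEY FILE: value of the last uncommented "KEY=value" line, or empty.
get_port() {
    awk -F= -v k="$1" '$1 == k { gsub(/[" \t]/, "", $2); v = $2 }
                       END { print v }' "$2"
}

# emit PROTO PORT: one ACCEPT rule restricted to the source in $src.
emit() {
    echo "iptables -A INPUT -s $src -p $1 --dport $2 -j ACCEPT"
}

# nfs_rules FILE CIDR: rules on stdout; returns 1 if any port is not pinned.
nfs_rules() {
    conf=$1; src=$2; rc=0
    for port in 2049 111; do            # nfs and rpcbind, fixed ports
        emit tcp "$port"; emit udp "$port"
    done
    for key in LOCKD_TCPPORT LOCKD_UDPPORT MOUNTD_PORT STATD_PORT; do
        port=$(get_port "$key" "$conf")
        case $port in
            ''|*[!0-9]*)                # commented out, missing or not numeric
                echo "$key is not pinned in $conf" >&2
                rc=1; continue ;;
        esac
        case $key in
            LOCKD_TCPPORT) emit tcp "$port" ;;
            LOCKD_UDPPORT) emit udp "$port" ;;
            *) emit tcp "$port"; emit udp "$port" ;;
        esac
    done
    return $rc
}
# Usage: nfs_rules /etc/sysconfig/nfs 192.168.0.0/24
```

The output can be pasted into the firewall setup file in place of the unrestricted rules.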
SELinux
If you are using SELinux, you will need to consider the following points.
The SELinux booleans associated with the NFS service are displayed using the getsebool command.
# getsebool -a | grep nfs
allow_ftpd_use_nfs --> off
cobbler_use_nfs --> off
git_system_use_nfs --> off
httpd_use_nfs --> off
qemu_use_nfs --> on
rsync_use_nfs --> off
samba_share_nfs --> off
sanlock_use_nfs --> off
sge_use_nfs --> off
use_nfs_home_dirs --> on
virt_use_nfs --> off
xen_use_nfs --> off
#
The setsebool command is used to set a specific boolean value.
# setsebool virt_use_nfs on
# setsebool virt_use_nfs off
You probably don’t need to set file contexts. The public_content_t and public_content_rw_t contexts, amongst others, can be assigned to the relevant content if required.
# semanage fcontext -a -t public_content_t "/u01(/.*)?"
# restorecon -F -R -v /u01
You can check the current context setting on files and directories using the “ls -alZ” command.
More information on SELinux can be found here.
Create Network Shares
Shares are created by editing the “/etc/exports” file. In RHEL5 and Fedora distributions you can use a GUI tool called system-config-nfs, but this has been removed from RHEL6.
If the “/etc/exports” file does not exist already, create it to define your shares. The shares can specify individual host names, IP addresses, subnets or wildcards, along with the read-only/read-write nature of the share.
/mount-point-1 host1(ro)
/mount-point-2 192.168.0.190(rw)
/mount-point-3 *(ro)
/mount-point-4 192.168.0.0/24(ro)
/mount-point-5 host1(ro) host2(rw) 192.168.0.0/24(ro)
There are lots of potential share and mount options. You can see the recommended options for mount points used by Oracle here.
Remember to reload the configuration, or restart the NFS service for the changes to take effect.
The next section shows a worked example, so this should make things a little clearer.
Create Network Shares for Group Collaboration
This section describes the steps necessary to create NFS shares suitable for group collaboration.
Create a group that will act as the owner of the shared files.
# groupadd -g 1000 developers
Create a directory to own the shared files, making sure its group is set correctly. The permissions are set to “+rwx” (0777), which makes the directory writable by any user on a client that is allowed to mount the share.
# mkdir /developers_dir
# chgrp developers /developers_dir
# chmod g+s /developers_dir
# chmod -R 777 /developers_dir
Add the following share into the “/etc/exports” file, adjusted correctly for your network.
/developers_dir 192.168.0.0/24(rw)
Reload the NFS configuration.
# exportfs -ra
# showmount -e
Export list for rhce1.localdomain:
/developers_dir 192.168.0.0/24
#
From another machine on the network, mount the share.
# mkdir -p /u01/dev1
# mount -t nfs -o rw rhce1:/developers_dir /u01/dev1
# echo "apples" >> /u01/dev1/test.txt
From a second machine on the network, mount the share and append to the same file.
# mkdir -p /u01/dev2
# mount -t nfs -o rw rhce1:/developers_dir /u01/dev2
# echo "oranges" >> /u01/dev2/test.txt
# cat /u01/dev2/test.txt
apples
oranges
#
Security
Host-level security can be controlled using the Linux Firewall or in the share definition itself, as shown previously.
Regular file system permissions apply to NFS shares.
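Because the share definition is one of the two host-level controls, it is worth checking “/etc/exports” for entries that are broader than intended. The following added example (not part of the original article) flags wildcard clients, read-write exports to a subnet or pattern, and the exports(5) pitfall where a space before the option list, as in “host1 (rw)”, applies those options to every host. The helper name `audit_exports` and its output format are assumptions for illustration.

```shell
#!/bin/sh
# Added example: flag broad client specifications in an exports file.
# audit_exports is a hypothetical helper; output is "LEVEL path client reason".
audit_exports() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }              # skip blank lines and comments
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {                        # split "client(opt,opt)"
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\).*$/, "", opts)
            }
            # An option list with no client in front of it (caused by a
            # space, as in "host1 (rw)") applies to every host.
            detached = (client == "")
            world = (detached || client == "*")
            rw = (("," opts ",") ~ /,rw,/)
            shown = detached ? "<any>" : client
            if (world && rw)
                print "HIGH", path, shown, "read-write to any host"
            else if (world)
                print "WARN", path, shown, "readable by any host"
            else if (rw && client ~ "[/*?]")
                print "WARN", path, shown, "read-write to a subnet or pattern"
        }
    }' "$1"
}
# Usage: audit_exports /etc/exports
```

A WARN on a subnet export such as the “/developers_dir” share is a prompt to confirm the range is the one intended, not necessarily an error.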
Mounting NFS Shares
The following links point to articles on this site about mounting NFS shares: