What is NFS?
Network File System (NFS) is one of the oldest computer file sharing products in existence today. It is still the most popular for sharing directories of files between UNIX and Linux systems. NFS allows servers to designate specific directories to make available to designated hosts and then allows client systems to connect to those directories by mounting them locally.
NFS can be secured using firewall (iptables) rules, TCP wrappers (to allow and deny host access), and SELinux (to confine how file sharing protocols can share NFS resources). Although NFS was inherently insecure when it was created (data is shared unencrypted and user access is fairly open), features in NFS version 4 have helped improve the overall security of NFS.
What are NFS Server and RPC Processes
Starting the nfs-server service starts the NFS server and other RPC processes needed to service requests for shared NFS file systems. You can use the short name “nfs” rather than “nfs-server” when starting the service. Example:
# systemctl start nfs
This is the NFS server process that implements the user level part of the NFS service. The main functionality is handled by the nfsd kernel module. The user space program merely specifies what sort of sockets the kernel server listens on, what NFS versions it supports, and how many nfsd kernel threads it uses. Use the ps –e command to show the number of running threads.
# ps -ef | grep nfs root 9093 2 0 11:21 ? 00:00:00 [nfsd4_callbacks] root 9099 2 0 11:21 ? 00:00:00 [nfsd] root 9100 2 0 11:21 ? 00:00:00 [nfsd] root 9101 2 0 11:21 ? 00:00:00 [nfsd] root 9102 2 0 11:21 ? 00:00:00 [nfsd] root 9103 2 0 11:21 ? 00:00:00 [nfsd] root 9104 2 0 11:21 ? 00:00:00 [nfsd] root 9105 2 0 11:21 ? 00:00:00 [nfsd] root 9106 2 0 11:21 ? 00:00:00 [nfsd]
The number of nfsd threads to run is defined in the /proc/fs/nfsd/threads file. In this example, 8 nfsd threads are specified:
# cat /proc/fs/nfsd/threads 8
Starting the nfs-server service also starts the RPC processes. You can use the ps –e command to display the names of the RPC processes.
# ps -e | grep -i rpc 177 ? 00:00:00 rpciod 9080 ? 00:00:00 rpc.statd 9081 ? 00:00:00 rpc.idmapd 9082 ? 00:00:00 rpcbind 9083 ? 00:00:00 rpc.mountd 9084 ? 00:00:00 rpc.rquotad
This process implements the Network Status Monitor (NSM) RPC protocol, which notifies NFS clients when an NFS server is restarted without being gracefully brought down. This is not used with NFSv4.
This is the NFS mount daemon that implements the server side of the mount requests from NFSv3 clients. It checks that the requested NFS share is currently exported by the NFS server, and that the client is allowed to access it. For NFSv4, the rpc.mountd daemon is required only on the NFS server to set up the exports.
This provides NFSv4 client and server upcalls, which map between on-the-wire NFSv4 names (which are strings in the form of user@domain) and local UIDs and GIDs. For idmapd to function with NFSv4, /etc/idmapd.conf must be configured. This service is required for use with NFSv4, although not when all hosts share the same DNS domain name.
This process provides user quota information for remote users. It is started automatically by the nfs service and does not require user configuration. The results are used by the quota command to display user quotas for remote file systems and by the edquota command to set quotas on remote file systems.
This is a kernel thread that runs on both clients and servers. It implements the Network Lock Manager (NLM) protocol, which allows NFSv3 clients to lock files on the server. It is started automatically whenever the NFS server is run and whenever an NFS file system is mounted.
Starting this service starts the RPC processes that allow NFS clients to lock files on the server.
How to Configure NFS server and NFS client in CentOS/RHEL?
Please read the below posts to configure NFS server and client machines.
What are the Configuration files for NFS server?
The primary configuration for the NFS server is the /etc/exports file. This is the file that you use to specify what directories you want to share with the NFS clients. The syntax of this file is:
The value of Directory should be replaced with the name of the directory you want to share (for example, /usr/share/doc). The value hostname should be a client hostname that can be resolved into an IP address. The options value is used to specify how the resource should be shared.
For example, the following entry in the /etc/exports file would share the /usr/share/doc directory with the NFS client client01 (with the options of read-write) and the NFS client client02 (with the option of read-only):
# vi /etc/exports /usr/share/doc client01(rw) client02(ro)
Note that there is a space between the client01 and client02 name/options, but no space between the hostname and its corresponding option.
What are the most commonly used NFS sharing options in /etc/exports
There are many different NFS sharing options, including these:
- rw: Share as read-write. Keep in mind that normal Linux permissions still apply. (Note that this is a default option.)
- ro: Share as read-only.
- sync: File data changes are made to disk immediately, which has an impact on performance, but is less likely to result in data loss. On some distributions this is the default.
- async: The opposite of sync; file data changes are made initially to memory. This speeds up performance but is more likely to result in data loss. On some distributions this is the default.
- root_squash: Map the root user and group account from the NFS client to the anonymous accounts, typically either the nobody account or the nfsnobody account. See the next section, “User ID Mapping,” for more details. (Note that this is a default option.)
- no_root_squash: Map the root user and group account from the NFS client to the local root and group accounts.
How to get the information about performance of NFS shares?
The nfsiostat command works like the iostat command except only for the NFS mount points. The nfsiostat gets input from /proc/self/mountstats and provides information about the input/output performance of NFS shares mounted in the system. The nfsiostat command is provided by the nfs-utils package.
Below is a sample output from the nfsiostat command.
The below table displays a short description of each column in the about output.
|op/s||This is the number of operations per second.|
|rpc bklog||This is the length of the backlog queue.|
|kB/s||This is the number of kB written/read per second.|
|kB/op||This is the number of kB written/read per each operation.|
|retrans||This is the number of retransmissions.|
|avg RTT (ms)||This is the duration from the time that client’s kernel sends the RPC request until the time it receives the reply.|
|avg exe (ms)||This is the duration from the time that NFS client does the RPC request to its kernel until the RPC request is completed, this includes the RTT time above.|
Below is a syntax to use the nfsiostat command.
# nfsiostat --help Usage: nfsiostat [interval] [count] [options] [mount point] Options: --version show program's version number and exit -h, --help show this help message and exit Statistics Options: File I/O is displayed unless one of the following is specified: -a, --attr displays statistics related to the attribute cache -d, --dir displays statistics related to directory operations -p, --page displays statistics related to the page cache Display Options: Options affecting display format: -s, --sort Sort NFS mount points by ops/second -l LIST, --list=LIST only print stats for first LIST mount points
interval – time in seconds between each report.
count – number of reports to be generated at [interval] seconds apart. If you do not specify the count here, the report will be generated countinuously at the specified interval.
options – The various options are explained in the examples below.
mount_point – you can specify a specific NFS mount point for which the stats to be displayed. In this case report only for the specified mount point is generated.
How to view currently shared NFS shares?
The exportfs command can be used on the NFS server to display what is currently shared:
# exportfs /share [world]
How to share a NFS resource using command line?
The exportfs command can also be used to temporarily share a resource, assuming the NFS services have already been started:
# exportfs -o ro 192.168.1.100:/usr/share/doc # exportfs /usr/share/doc 192.168.1.100 /share [world]
The -o option is used to specify the share options. The argument includes the name of the systems to share with, as well as the directory to share, separated by a colon (:) character.
If you make changes to the /etc/exports file, any newly added share will be enabled after a reboot. If you want to enable these changes immediately, execute the following command:
# exportfs –a
How to mount NFS share on the client systems?
Once the NFS share is exported from the NFS server, it can be mounted on the eligible clients using the below command syntax:
# mount [NFS server IP or hostname]:/share/path /client/path
For example if /exports/downloads is shared from NFS server 10.10.10.100, we cn mount it on the client server as directory /mnt/downloads using the below command:
# mount 10.10.10.100:/exports/downloads /mnt/downloads
How to umount a NFS filesystem?
After an NFS filesystem is mounted, unmounting it is simple. You use the umount command with either the local mount point or the remote filesystem name. For example:
# umount /mnt/nfs_mnt
# umount 10.10.10.100:/nfs_share
How to get a list of clients connected to the NFS server?
To get a list of clients connected to the NFS server, use the showmount command from a terminal prompt. To also show the directories the clients are connected to, use:
# showmount -a
What is the default port used by NFS server?
By default NFS server uses the port 2049.
What ports must be open in firewall for NFS to work?
TCP and UDP ports 2049 (nfs) and 111 (rpcbind) must be open for an NFS server to perform properly. The server must also open TCP and UDP ports 20048 for the showmount command to be able to query available NFS shared directories from rpc.mountd on the server.
How to view NFS shares from client systems?
From a client Linux system, you can use the showmount command to see what shared directories are available from a selected computer, such as in this example:
$ showmount -e server.example.com /export/myshare client.example.com /mnt/public *
The showmount output shows that the shared directory named /export/myshare is available only to the host client.example.com. The /mnt/public shared directory, however, is available to anyone.
How to view Mounted NFS mount points on NFS client?
Use the below command to view the mounted NFS mount points on a NFS client server:
# mount -t nfs4
# mount -t nfs4 10.10.10.100:/mnt on /mnt/fed type nfs4 (rw,relatime,vers=4.2,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.10.20.200,local_lock=none,addr=10.10.20.200)
The output from the mount -t nfs4 command shows only those filesystems mounted from NFS file servers.
How to mount NFS filesystems at the Boot time?
To set up an NFS filesystem to mount automatically on a specified mount point each time you start your Linux system, you need to add an entry for that NFS filesystem to the /etc/fstab file.
Here’s the format for adding an NFS filesystem to your local system:
host:directory mountpoint nfs options 0 0
The first item (host:directory) identifies the NFS server computer and shared directory. mountpoint is the local mount point on which the NFS directory is mounted. It is followed by the filesystem type (nfs). Any options related to the mount appear next in a comma-separated list. (The last two zeros configure the system not to dump the contents of the filesystem and not to run fsck on the filesystem.)
The following are examples of NFS entries in /etc/fstab:
# vi /etc/fstab nfs_server01:/data /mnt/data nfs bg,rsize=8192,wsize=8192 0 0
How to use autofs to mount NFS filesystems on demand?
The autofs facility mounts network filesystems on demand when someone tries to use the filesystems. With the autofs facility configured and turned on, you can cause any available NFS shared directories to mount on demand. To use the autofs facility, you need to have the autofs package installed.
With autofs enabled, if you know the hostname and directory being shared by another host computer, simply change (cd) to the autofs mount directory (/net or /var/autofs by default). This causes the shared resource to be automatically mounted and made accessible to you. The following steps explain how to turn on the autofs facility in Fedora or RHEL:
1. As root user open the /etc/auto.master file and look for the following line:
# vi /etc/auto.master /net -hosts
This causes the /net directory to act as the mount point for the NFS shared directories that you want to access on the network.
2. To start the autofs service in CentOS/RHEL 7, or later system, type the following as root user:
# systemctl start autofs.service
3. On CentOS/RHEL 7, or later system, set up the autofs service to restart every time you boot your system:
# systemctl enable autofs
How to configure firewalld on NFS server?
For the NFS server to work, enable the nfs, mountd, and rpc-bind services in the relevant zone in the firewall-config application or using firewall-cmd :
# firewall-cmd --add-service=nfs --zone=internal --permanent # firewall-cmd --add-service=mountd --zone=internal --permanent # firewall-cmd --add-service=rpc-bind --zone=internal --permanent