thelinuxvault guide

Configuring Network File Systems (NFS) in Linux

Network File System (NFS) is a distributed file system protocol that allows a user on a client computer to access files over a network as if they were on the local filesystem. Developed by Sun Microsystems in the 1980s, NFS has become a staple in Linux and Unix environments for sharing files between systems efficiently. It operates on a client-server model, where an NFS server exports specific directories, and clients mount these directories to access the shared files. NFS is widely used in home labs, enterprise networks, and data centers for scenarios like centralized file storage, application data sharing, and backup systems. Its simplicity, low overhead, and seamless integration with Linux make it a popular choice for cross-system file access. In this blog, we’ll walk through **step-by-step instructions** to set up an NFS server, configure shared directories (exports), mount these shares on client machines, and secure the setup. We’ll also cover troubleshooting common issues to ensure a smooth deployment.

Table of Contents

  1. Understanding NFS
    • 1.1 NFS Versions
    • 1.2 How NFS Works
  2. Prerequisites
  3. Setting Up the NFS Server
    • 3.1 Install NFS Server Packages
    • 3.2 Start and Enable the NFS Service
  4. Configuring NFS Exports
    • 4.1 The /etc/exports File
    • 4.2 Export Options Explained
    • 4.3 Applying Export Configurations
  5. Setting Up the NFS Client
    • 5.1 Install NFS Client Packages
    • 5.2 Create a Mount Point
  6. Mounting NFS Shares
    • 6.1 Temporary Mount (Manual)
    • 6.2 Permanent Mount (via /etc/fstab)
  7. Verifying NFS Configuration
  8. Securing NFS
    • 8.1 Firewall Configuration
    • 8.2 Root Squashing
    • 8.3 NFSv4 Security (Kerberos)
  9. Troubleshooting Common NFS Issues
  10. Conclusion
  11. References

Understanding NFS

1.1 NFS Versions

NFS has evolved through several versions, each improving performance, security, and features:

  • NFSv2: Legacy (1989), limited to 32-bit file sizes, insecure (no authentication). Rarely used today.
  • NFSv3: Introduced in 1995, supports 64-bit files, asynchronous writes, and improved error handling. Still common but lacks strong security.
  • NFSv4: Current standard (2003), unified protocol (no separate RPC services like mountd or portmap), supports Kerberos authentication, and encrypts data. NFSv4.1 (2010) adds parallel access for clustered storage, and NFSv4.2 (2016) includes sparse files and space reservation.

For most modern setups, NFSv4 is recommended due to its security and simplicity.

1.2 How NFS Works

NFS uses a client-server architecture:

  • Server: Exports (shares) directories via the nfsd daemon. Configuration is stored in /etc/exports.
  • Client: Mounts exported directories from the server to a local directory, accessing files as if they were local.

NFSv3 relies on auxiliary RPC (Remote Procedure Call) services like portmap (to map ports), mountd (to handle mount requests), and nfsd (the main NFS daemon). NFSv4 simplifies this by using a single port (2049) and integrating RPC into the main protocol.

Prerequisites

Before starting, ensure the following:

  • Two Linux Machines: One will act as the NFS server, and the other as the client. We’ll use Ubuntu 22.04 LTS and CentOS Stream 9 for examples (adjust commands for your distro).
  • Network Connectivity: Both machines must be on the same network (e.g., 192.168.1.0/24 subnet). Test with ping server_ip from the client.
  • Root Access: Use sudo or log in as root to install packages and modify system files.
  • Firewall: Temporarily disable or configure firewalls to allow NFS traffic (we’ll secure this later).

Setting Up the NFS Server

3.1 Install NFS Server Packages

NFS server packages vary by Linux distribution:

On Ubuntu/Debian:

sudo apt update && sudo apt install -y nfs-kernel-server

On RHEL/CentOS/Rocky Linux:

sudo dnf install -y nfs-utils

3.2 Start and Enable the NFS Service

Start the NFS server service and ensure it runs on boot:

On Ubuntu/Debian (systemd):

sudo systemctl start nfs-kernel-server
sudo systemctl enable nfs-kernel-server  # Start on boot
sudo systemctl status nfs-kernel-server  # Verify status (should show "active")

On RHEL/CentOS (systemd):

sudo systemctl start nfs-server
sudo systemctl enable nfs-server
sudo systemctl status nfs-server  # Verify status

Configuring NFS Exports

The NFS server “exports” directories to clients via the /etc/exports file. This file defines which directories to share, which clients can access them, and under what conditions.

4.1 The /etc/exports File

The syntax for /etc/exports is:

/exported/directory  client1(options)  client2(options) ...
  • /exported/directory: The local directory on the server to share (e.g., /mnt/nfs_share).
  • client: The client(s) allowed to access the share (e.g., IP address 192.168.1.101, subnet 192.168.1.0/24, or hostname client.example.com). Use * to allow all clients (not recommended for production).
  • options: Rules for accessing the share (e.g., read/write permissions, security restrictions).

4.2 Export Options Explained

Common options to secure and control access:

OptionDescription
rwAllow read/write access (default: ro for read-only).
roRead-only access.
syncEnsure data is written to disk before acknowledging client (slower, safer).
asyncAcknowledge client before writing data (faster, risk of data loss on crash).
root_squashMap client root user to nobody/nogroup (default, security-critical).
no_root_squashAllow client root to access files as server root (insecure!).
no_subtree_checkDisable subtree checking (speeds up NFS; use if exporting an entire filesystem).
insecureAllow clients to use non-privileged ports (avoid unless required).

4.3 Example Exports

Let’s create a shared directory and configure /etc/exports.

Step 1: Create a Shared Directory

First, create a directory to export (e.g., /mnt/nfs_share) and set permissions:

sudo mkdir -p /mnt/nfs_share
sudo chown -R nobody:nogroup /mnt/nfs_share  # Let "nobody" own it (matches root_squash)
sudo chmod 777 /mnt/nfs_share  # Give read/write/execute to all (adjust for production)

Step 2: Edit /etc/exports

Open /etc/exports with a text editor (e.g., nano):

sudo nano /etc/exports

Add a line to export /mnt/nfs_share to a client with IP 192.168.1.101 (replace with your client’s IP):

/mnt/nfs_share 192.168.1.101(rw,sync,no_subtree_check)

Other Examples:

  • Export to a subnet: /mnt/nfs_share 192.168.1.0/24(rw,sync,no_subtree_check)
  • Read-only to all clients: /mnt/nfs_share *(ro,sync,no_subtree_check)

Step 3: Apply Export Configurations

After editing /etc/exports, apply changes with exportfs:

sudo exportfs -a  # Reload all exports
sudo exportfs -v  # Verify exports (shows details like client, options)

Example output of exportfs -v:

/mnt/nfs_share  192.168.1.101(sync,wdelay,hide,no_subtree_check,sec=sys,rw,secure,root_squash,no_all_squash)

Setting Up the NFS Client

5.1 Install NFS Client Packages

Clients need NFS utilities to mount shares:

On Ubuntu/Debian:

sudo apt install -y nfs-common

On RHEL/CentOS:

sudo dnf install -y nfs-utils

5.2 Create a Mount Point

On the client, create a local directory to mount the NFS share (e.g., /mnt/nfs_client):

sudo mkdir -p /mnt/nfs_client

Mounting NFS Shares

6.1 Temporary Mount (Manual)

To mount the NFS share temporarily (until reboot), use the mount command:

sudo mount -t nfs server_ip:/exported/directory /local/mount/point

Example: If the server IP is 192.168.1.100 and the exported directory is /mnt/nfs_share:

sudo mount -t nfs 192.168.1.100:/mnt/nfs_share /mnt/nfs_client
  • -t nfs: Specify the filesystem type (NFS).
  • server_ip:/exported/directory: The server’s IP and exported path.
  • /local/mount/point: The client’s directory to mount the share.

6.2 Permanent Mount (via /etc/fstab)

To mount the share automatically at boot, add it to /etc/fstab (filesystem table).

Step 1: Edit /etc/fstab

Open /etc/fstab with a text editor:

sudo nano /etc/fstab

Add a line at the end with the following format:

server_ip:/exported/directory /local/mount/point nfs defaults 0 0

Example:

192.168.1.100:/mnt/nfs_share /mnt/nfs_client nfs defaults 0 0

Step 2: Verify /etc/fstab

Test the fstab configuration to avoid boot issues:

sudo mount -a  # Mount all entries in /etc/fstab

If no errors, the share will mount automatically on reboot.

Verifying NFS Configuration

On the Server:

Check exported shares with showmount (lists exports):

showmount -e localhost  # Show exports on the server

Example output:

Export list for localhost:
/mnt/nfs_share 192.168.1.101

On the Client:

  • List available shares on the server: 
    showmount -e 192.168.1.100  # Replace with server IP
  • Verify the mount: 
    mount | grep nfs  # Show all mounted NFS shares
df -h /mnt/nfs_client  # Check disk usage of the mounted share

Securing NFS

NFS historically lacks strong security, so hardening is critical.

8.1 Firewall Configuration

Restrict NFS traffic to trusted clients using a firewall.

On Ubuntu (ufw):

Allow NFS traffic from a specific client IP (e.g., 192.168.1.101):

sudo ufw allow from 192.168.1.101 to any port nfs
sudo ufw reload

On RHEL/CentOS (firewalld):

sudo firewall-cmd --add-source=192.168.1.101 --permanent  # Allow client IP
sudo firewall-cmd --add-service=nfs --permanent  # Allow NFS service
sudo firewall-cmd --reload

8.2 Root Squashing

By default, NFS uses root_squash, which maps the client’s root user to the server’s nobody user (prevents client root from modifying files as root on the server). Never use no_root_squash unless absolutely necessary (e.g., legacy applications).

8.3 NFSv4 Security (Kerberos)

NFSv4 supports Kerberos for authentication and encryption. To enable:

  1. Set up a Kerberos Key Distribution Center (KDC).
  2. Configure NFS server and clients to use Kerberos.
  3. Encrypt traffic with sec=krb5p in /etc/exports.

For detailed steps, see the Red Hat NFS Security Guide.

Troubleshooting Common NFS Issues

Issue 1: mount: Operation not permitted

  • Cause: Firewall blocking NFS ports, incorrect export permissions, or server not exporting the directory.
  • Fix:
    • Check server firewall: sudo ufw status (Ubuntu) or sudo firewall-cmd --list-all (RHEL).
    • Verify exports: sudo exportfs -v on the server.
    • Ensure client IP is allowed in /etc/exports.

Issue 2: mount.nfs: No such file or directory

  • Cause: The exported directory on the server does not exist, or the path is misspelled.
  • Fix: On the server, confirm the directory exists: ls -ld /mnt/nfs_share.

Issue 3: Share Not Mounting at Boot

  • Cause: Incorrect /etc/fstab syntax or network not ready when fstab mounts run.
  • Fix: Add _netdev to fstab options to delay mounting until the network is up: 
    192.168.1.100:/mnt/nfs_share /mnt/nfs_client nfs defaults,_netdev 0 0

Check Logs

  • Server logs: /var/log/syslog (Ubuntu) or /var/log/messages (RHEL).
  • Client logs: Use dmesg | grep nfs to debug mount issues.

Conclusion

NFS is a powerful tool for sharing files across Linux systems, but it requires careful configuration to ensure security and reliability. By following this guide, you’ve learned to set up an NFS server, export directories, mount shares on clients, and secure the setup with firewalls and root squashing. For enterprise environments, use NFSv4 with Kerberos to encrypt traffic and authenticate clients.

References