Linux NFS Installation: Difference between revisions
(30 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
=External= | |||
* https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Storage_Administration_Guide/nfs-serverconfig.html | |||
=Internal= | =Internal= | ||
Line 9: | Line 13: | ||
=Server Installation= | =Server Installation= | ||
==Install Packages== | ==Install Server Packages== | ||
<pre> | <pre> | ||
Line 18: | Line 22: | ||
On some system we also need to install "nfs-utils-lib". | On some system we also need to install "nfs-utils-lib". | ||
==Setup | ==Security Setup== | ||
===iptables=== | ===iptables=== | ||
Add the following rules above the INPUT chain rule that rejects traffic: | |||
<pre> | <pre> | ||
-A INPUT -s 172.23.0.0/16 -p udp -m multiport --dports 10053,111,2049,32769,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT | |||
-A | -A INPUT -s 172.23.0.0/16 -p tcp -m multiport --dports 10053,111,2049,32803,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT | ||
-A | |||
</pre> | </pre> | ||
where "172.23.0.0/16" should be replaced with the actual subnet value. | |||
For more details on what services are using what ports, see [[Linux Ports]]. | |||
A more permissive rule allows everything that comes from the specified subnet. | |||
<pre> | <pre> | ||
-A INPUT -s 172.23.0.0/16 -j ACCEPT | |||
-A | |||
</pre> | </pre> | ||
Restart iptables for changes to take effect. | |||
systemctl restart iptables | |||
===Amazon EC2=== | ===Amazon EC2=== | ||
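Review bot: the permissive alternative `-A INPUT -s 172.23.0.0/16 -j ACCEPT` opens every port on the server to the subnet, not only the NFS-related ports listed in the two multiport rules above it, and the text gives no guidance on when to choose it. Suggest stating that the port-scoped rules are the default and that the blanket rule is only for networks where every host in 172.23.0.0/16 is trusted.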
Line 65: | Line 57: | ||
1. Create the directory: | 1. Create the directory: | ||
mkdir /opt/shared | |||
mkdir /opt/shared | |||
If the storage is on a dedicated block device, mount it in [[/etc/fstab]]: | |||
/dev/vdb1 /nfs xfs defaults 0 0 | |||
2. Give it the right permissions that make sense across your entire client set. | 2. Give it the right permissions that make sense across your entire client set. | ||
3. Share it | 3. Share it [[/etc/exports]]. | ||
Best if you specify only the subnet that must have access to it: | Best if you specify only the subnet that must have access to it: | ||
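Review bot: the added fstab line mounts /dev/vdb1 on /nfs, while step 1 creates /opt/shared and the rest of the procedure exports that path, so as written the dedicated block device never backs the exported directory. Suggest using the same path in both places, or a sentence explaining how /nfs relates to /opt/shared.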
Line 99: | Line 94: | ||
<pre> | <pre> | ||
systemctl start nfs-server | |||
</pre> | </pre> | ||
Line 132: | Line 127: | ||
<blockquote style="background-color: #f9f9f9; border: solid thin lightgrey;"> | <blockquote style="background-color: #f9f9f9; border: solid thin lightgrey;"> | ||
:[[systemd]] | :[[systemd]] | ||
</blockquote> | |||
==List Filesystems Exported by a NFS Server== | |||
<blockquote style="background-color: #f9f9f9; border: solid thin lightgrey;"> | |||
:[[Exportfs#List_Filesystems_Exported_by_a_NFS_Sever|<tt>exportfs</tt>: list filesystems exported by a NFS server]] | |||
</blockquote> | </blockquote> | ||
=Client Installation= | =Client Installation= | ||
==Install Client Packages== | |||
===Centos=== | |||
sudo su - | |||
yum install nfs-utils | |||
===Ubuntu=== | |||
sudo apt-get install nfs-common | |||
==Security Setup== | |||
===iptables=== | |||
<tt>iptables</tt> should allow outgoing connections. | |||
===SELinux=== | |||
==Authentication against the NFS Server== | |||
For context, see: | |||
<blockquote style="background-color: #f9f9f9; border: solid thin lightgrey;"> | |||
:[[Linux_NFS_Concepts#NFS_Security|NFS Concepts - Security]] | |||
</blockquote> | |||
==Mount "on-the-fly"== | |||
Mount "on-the-fly" the directory from another machine: | |||
<pre> | |||
mount [-v] -t nfs 192.168.0.145:/shared /mnt/tmp | |||
</pre> | |||
==Mount the directory at boot== | |||
In <tt>/etc/fstab</tt> add: | |||
<pre> | |||
192.168.1.4:/volume3/test3 /rackstation/test3/ nfs nolock,_netdev,bg 0 0 | |||
</pre> | |||
After mount, the client will report the NFS version, as described below: | |||
<pre> | |||
f01:/opt/shared on /opt/shared type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=172.31.21.22,local_lock=none,addr=172.31.20.184,_netdev) | |||
</pre> | |||
More about fstab: | |||
<blockquote style="background-color: #f9f9f9; border: solid thin lightgrey;"> | |||
:<tt>[[/etc/fstab]]</tt> | |||
</blockquote> | |||
More details on mount options can be found here: | |||
<blockquote style="background-color: #f9f9f9; border: solid thin lightgrey;"> | |||
:[[Linux_NFS_Configuration#Mount_Options|Linux NFS Configuration - Mount Options]] | |||
</blockquote> | |||
==List Filesystems Mounted by a NFS Client== | |||
<blockquote style="background-color: #f9f9f9; border: solid thin lightgrey;"> | |||
:[[Mount#List_Filesystems_Mounted_by_a_NFS_Client|<tt>mount</tt>: list filesystems mounted by a NFS client]] | |||
</blockquote> | |||
=NFS Troubleshooting= | |||
<blockquote style="background-color: #f9f9f9; border: solid thin lightgrey;"> | |||
:[[Linux NFS Troubleshooting]] | |||
</blockquote> |
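Review bot: the new `===SELinux===` heading under the client "Security Setup" has no body, so a reader cannot tell whether SELinux needs any change on the client. Suggest adding the required setting or a one-line statement that none is needed, or dropping the heading until there is content for it.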
Latest revision as of 03:36, 13 December 2019
External
Internal
Relevance
- Updated for Amazon EC2
Server Installation
Install Server Packages
sudo su -
yum install rpcbind nfs-utils
On some systems we also need to install "nfs-utils-lib".
Security Setup
iptables
Add the following rules above the INPUT chain rule that rejects traffic:
-A INPUT -s 172.23.0.0/16 -p udp -m multiport --dports 10053,111,2049,32769,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 172.23.0.0/16 -p tcp -m multiport --dports 10053,111,2049,32803,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
where "172.23.0.0/16" should be replaced with the actual subnet value.
For more details on which services use which ports, see Linux Ports.
A more permissive rule allows everything that comes from the specified subnet.
-A INPUT -s 172.23.0.0/16 -j ACCEPT
Restart iptables for changes to take effect.
systemctl restart iptables
Amazon EC2
1. Create the directory:
mkdir /opt/shared
If the storage is on a dedicated block device, mount it in /etc/fstab:
/dev/vdb1 /nfs xfs defaults 0 0
2. Give it the right permissions that make sense across your entire client set.
3. Share it in /etc/exports.
It is best to specify only the subnet that must have access to it:
... /opt/shared 192.168.0.0/255.255.255.0(rw,sync,no_root_squash,no_subtree_check) ...
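An added example (not part of the original page): a small Python audit of /etc/exports content that flags entries not limited to a subnet, including the stray-space form `subnet (rw)` that exports to every host, and the `no_root_squash` and `insecure` options. The /srv paths and the function names are assumptions made for the example; line continuations and quoted paths are not handled.

```python
import ipaddress

WEAK_OPTIONS = ("no_root_squash", "insecure")  # both widen what a client may do


def client_scope(client):
    """Return 'world', 'wildcard' or 'scoped' for an exports client field."""
    if client in ("", "*"):
        return "world"
    if "*" in client or "?" in client:
        return "wildcard"
    try:
        net = ipaddress.ip_network(client, strict=False)
    except ValueError:
        return "scoped"  # single hostname or @netgroup
    return "world" if net.prefixlen == 0 else "scoped"


def audit_exports(text):
    """Return (line_no, path, client, finding) for each weak export entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        path = fields[0]
        for token in fields[1:] or [""]:  # no client list means every host
            client, _, opts = token.partition("(")
            scope = client_scope(client)
            if scope != "scoped":
                findings.append((line_no, path, client or "<any>", scope))
            for opt in opts.rstrip(")").split(","):
                if opt in WEAK_OPTIONS:
                    findings.append((line_no, path, client or "<any>", opt))
    return findings


# Constructed sample; line 1 is the export entry shown above.
SAMPLE = """\
/opt/shared 192.168.0.0/255.255.255.0(rw,sync,no_root_squash,no_subtree_check)
/srv/pub 192.168.0.0/24 (rw,sync)
/srv/iso *(ro,sync)
/srv/ok 192.168.0.0/24(rw,sync,root_squash)
"""

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE):
        print("line %d: %s client=%s -> %s" % finding)
```

On line 2 of the sample the space before the parenthesis splits the entry in two: the subnet gets default options and `(rw,sync)` applies to every host.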
More details on export options can be found here:
Start NFS
RHEL 6
service rpcbind start
service nfs start
RHEL 7
systemctl start nfs-server
Start at Boot
init.d
Also add these to chkconfig if they need to start on reboot:
chkconfig --add rpcbind
chkconfig --add nfs
chkconfig --level 2345 rpcbind on
chkconfig --level 2345 nfs on
More details on chkconfig:
systemd
systemctl enable nfs-server.service
systemctl list-unit-files | grep nfs-server
More details on systemd:
List Filesystems Exported by a NFS Server
Client Installation
Install Client Packages
Centos
sudo su -
yum install nfs-utils
Ubuntu
sudo apt-get install nfs-common
Security Setup
iptables
iptables should allow outgoing connections.
SELinux
Authentication against the NFS Server
For context, see:
Mount "on-the-fly"
Mount "on-the-fly" the directory from another machine:
mount [-v] -t nfs 192.168.0.145:/shared /mnt/tmp
Mount the directory at boot
In /etc/fstab add:
192.168.1.4:/volume3/test3 /rackstation/test3/ nfs nolock,_netdev,bg 0 0
After mounting, the client reports the NFS version in the mount options, as shown below:
f01:/opt/shared on /opt/shared type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=172.31.21.22,local_lock=none,addr=172.31.20.184,_netdev)
More about fstab:
More details on mount options can be found here: