Linux NFS Installation: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
 
(30 intermediate revisions by the same user not shown)
Line 1: Line 1:
=External=
* https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Storage_Administration_Guide/nfs-serverconfig.html
=Internal=
=Internal=


Line 9: Line 13:
=Server Installation=
=Server Installation=


==Install Packages==
==Install Server Packages==


<pre>
<pre>
Line 18: Line 22:
On some system we also need to install "nfs-utils-lib".
On some system we also need to install "nfs-utils-lib".


==Setup Security==
==Security Setup==


===iptables===
===iptables===


Normally, a specific list of ports should be provided to iptables. <font color=red>I tried the following, but it did not work</font>:
Add the following rules above the INPUT chain rule that rejects traffic:


<pre>
<pre>
...
-A INPUT -s 172.23.0.0/16 -p udp -m multiport --dports 10053,111,2049,32769,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.0.0 -m state --state NEW -p udp --dport 111 -j ACCEPT
-A INPUT -s 172.23.0.0/16 -p tcp -m multiport --dports 10053,111,2049,32803,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.0.0 -m state --state NEW -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.0.0 -m state --state NEW -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.0.0  -m state --state NEW -p tcp --dport 32803 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.0.0  -m state --state NEW -p udp --dport 32769 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.0.0  -m state --state NEW -p tcp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.0.0  -m state --state NEW -p udp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.0.0  -m state --state NEW -p tcp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.0.0  -m state --state NEW -p udp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.0.0  -m state --state NEW -p tcp --dport 662 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.0.0 -m state --state NEW -p udp --dport 662 -j ACCEPT
-A SSH -s 192.168.0.0/255.255.0.0 -j ACCEPT
...
</pre>
</pre>


then
where "172.23.0.0/16" should be replaced with the actual subnet value.


<pre>
For more details on what services are using what ports, see [[Linux Ports]].
service iptables restart
</pre>


I ended up allowing everything from 192.168.0.0/255.255.0.0 for the duration of using the NFS.
A more permissive rule allows everything that comes from the specified subnet.


<pre>
<pre>
...
-A INPUT -s 172.23.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.0.0 -j ACCEPT
...
</pre>
</pre>
Restart iptables for changes to take effect.
systemctl restart iptables


===Amazon EC2===
===Amazon EC2===
Line 65: Line 57:
1. Create the directory:
1. Create the directory:


<pre>
mkdir /opt/shared
mkdir /opt/shared
 
</pre>
If the storage is on a dedicated block device, mount it in [[/etc/fstab]]:
/dev/vdb1                                /nfs                    xfs  defaults        0 0
 


2. Give it the right permissions that make sense across your entire client set.
2. Give it the right permissions that make sense across your entire client set.


3. Share it <tt>/etc/exports</tt>.
3. Share it [[/etc/exports]].


Best if you specify only the subnet that must have access to it:
Best if you specify only the subnet that must have access to it:
Line 99: Line 94:


<pre>
<pre>
service nfs-server start
systemctl start nfs-server
</pre>
</pre>


Line 132: Line 127:
<blockquote style="background-color: #f9f9f9; border: solid thin lightgrey;">
<blockquote style="background-color: #f9f9f9; border: solid thin lightgrey;">
:[[systemd]]
:[[systemd]]
</blockquote>
==List Filesystems Exported by a NFS Server==
<blockquote style="background-color: #f9f9f9; border: solid thin lightgrey;">
:[[Exportfs#List_Filesystems_Exported_by_a_NFS_Sever|<tt>exportfs</tt>: list filesystems exported by a NFS server]]
</blockquote>
</blockquote>


=Client Installation=
=Client Installation=
==Install Client Packages==
===Centos===
sudo su -
yum install nfs-utils
===Ubuntu===
sudo apt-get install nfs-common
==Security Setup==
===iptables===
<tt>iptables</tt> should allow outgoing connections.
===SELinux===
==Authentication against the NFS Server==
For context, see:
<blockquote style="background-color: #f9f9f9; border: solid thin lightgrey;">
:[[Linux_NFS_Concepts#NFS_Security|NFS Concepts - Security]]
</blockquote>
==Mount "on-the-fly"==
Mount "on-the-fly"  the directory from another machine:
<pre>
mount [-v] -t nfs 192.168.0.145:/shared /mnt/tmp
</pre>
==Mount the directory at boot==
In <tt>/etc/fstab</tt> add:
<pre>
192.168.1.4:/volume3/test3 /rackstation/test3/ nfs nolock,_netdev,bg 0 0
</pre>
After mount, the client will report the NFS version, as described below:
<pre>
f01:/opt/shared on /opt/shared type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=172.31.21.22,local_lock=none,addr=172.31.20.184,_netdev)
</pre>
More about fstab:
<blockquote style="background-color: #f9f9f9; border: solid thin lightgrey;">
:<tt>[[/etc/fstab]]</tt>
</blockquote>
More details on mount options can be found here:
<blockquote style="background-color: #f9f9f9; border: solid thin lightgrey;">
:[[Linux_NFS_Configuration#Mount_Options|Linux NFS Configuration - Mount Options]]
</blockquote>
==List Filesystems Mounted by a NFS Client==
<blockquote style="background-color: #f9f9f9; border: solid thin lightgrey;">
:[[Mount#List_Filesystems_Mounted_by_a_NFS_Client|<tt>mount</tt>: list filesystems mounted by a NFS client]]
</blockquote>
=NFS Troubleshooting=
<blockquote style="background-color: #f9f9f9; border: solid thin lightgrey;">
:[[Linux NFS Troubleshooting]]
</blockquote>

Latest revision as of 03:36, 13 December 2019

External

Internal

Relevance

  • Updated for Amazon EC2

Server Installation

Install Server Packages

sudo su -
yum install rpcbind nfs-utils 

On some system we also need to install "nfs-utils-lib".

Security Setup

iptables

Add the following rules above the INPUT chain rule that rejects traffic:

-A INPUT -s 172.23.0.0/16 -p udp -m multiport --dports 10053,111,2049,32769,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 172.23.0.0/16 -p tcp -m multiport --dports 10053,111,2049,32803,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT

where "172.23.0.0/16" should be replaced with the actual subnet value.

For more details on what services are using what ports, see Linux Ports.

A more permissive rule allows everything that comes from the specified subnet.

-A INPUT -s 172.23.0.0/16 -j ACCEPT

Restart iptables for changes to take effect.

systemctl restart iptables

Amazon EC2

Amazon EC2 NFS Server Security Group

Define the Directories to Share

1. Create the directory:

mkdir /opt/shared

If the storage is on a dedicated block device, mount it in /etc/fstab:

/dev/vdb1                                 /nfs                    xfs   defaults        0 0


2. Give it the right permissions that make sense across your entire client set.

3. Share it /etc/exports.

Best if you specify only the subnet that must have access to it:

...
/opt/shared 192.168.0.0/255.255.255.0(rw,sync,no_root_squash,no_subtree_check)
...

More details on export options can be found here:

Linux NFS Configuration - Export Options

Start NFS

RHEL 6

service rpcbind start
service nfs start

RHEL 7

systemctl start nfs-server

Start at Boot

init.d

Also add these to chkconfig if needed on reboot.:

chkconfig --add rpcbind
chkconfig --add nfs
chkconfig --level 2345 rpcbind on
chkconfig --level 2345 nfs on

More details on chkconfig:

chkconfig

systemd

systemctl enable nfs-server.service
systemctl list-unit-files | grep nfs-server

More details on systemd:

systemd

List Filesystems Exported by a NFS Server

exportfs: list filesystems exported by a NFS server

Client Installation

Install Client Packages

Centos

sudo su -
yum install nfs-utils

Ubuntu

sudo apt-get install nfs-common

Security Setup

iptables

iptables should allow outgoing connections.

SELinux

Authentication against the NFS Server

For context, see:

NFS Concepts - Security

Mount "on-the-fly"

Mount "on-the-fly" the directory from another machine:

mount [-v] -t nfs 192.168.0.145:/shared /mnt/tmp

Mount the directory at boot

In /etc/fstab add:

192.168.1.4:/volume3/test3 /rackstation/test3/ nfs nolock,_netdev,bg 0 0

After mount, the client will report the NFS version, as described below:

f01:/opt/shared on /opt/shared type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=172.31.21.22,local_lock=none,addr=172.31.20.184,_netdev)

More about fstab:

/etc/fstab

More details on mount options can be found here:

Linux NFS Configuration - Mount Options

List Filesystems Mounted by a NFS Client

mount: list filesystems mounted by a NFS client

NFS Troubleshooting

Linux NFS Troubleshooting