Linux NFS Installation: Difference between revisions

From NovaOrdis Knowledge Base
(34 intermediate revisions by the same user not shown)

This page compares the previous revision with the latest revision, which is rendered in full below. The differences, by line number in the previous and in the latest revision:

Line 1: Line 1:

The "=External=" section, with the link https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Storage_Administration_Guide/nfs-serverconfig.html, was added before "=Internal=".

Line 9: Line 13:

"==Install Packages==" was renamed "==Install Server Packages==".

Line 18: Line 22:

"==Setup Security==" was renamed "==Security Setup==". Under "===iptables===", the previous revision read:

Normally, a specific list of ports should be provided to iptables. <font color=red>I tried the following, but it did not work</font>:

<pre>
...
-A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.0.0 -m state --state NEW -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.0.0 -m state --state NEW -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.0.0 -m state --state NEW -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.0.0 -m state --state NEW -p tcp --dport 32803 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.0.0 -m state --state NEW -p udp --dport 32769 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.0.0 -m state --state NEW -p tcp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.0.0 -m state --state NEW -p udp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.0.0 -m state --state NEW -p tcp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.0.0 -m state --state NEW -p udp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.0.0 -m state --state NEW -p tcp --dport 662 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.0.0 -m state --state NEW -p udp --dport 662 -j ACCEPT
-A SSH -s 192.168.0.0/255.255.0.0 -j ACCEPT
...
</pre>

then

<pre>
service iptables restart
</pre>

I ended up allowing everything from 192.168.0.0/255.255.0.0 for the duration of using the NFS.

<pre>
...
-A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.0.0 -j ACCEPT
...
</pre>

===Amazon EC2===

The latest revision replaces this with the "iptables", "Amazon EC2", "Define the Directories to Share", "Start NFS", "Start at Boot" and "List Filesystems Exported by an NFS Server" sections, and adds the material under "=Client Installation=" and the "NFS Troubleshooting" section, all rendered below.

Latest revision as of 03:36, 13 December 2019

External

  • https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Storage_Administration_Guide/nfs-serverconfig.html

Internal

Relevance

  • Updated for Amazon EC2

Server Installation

Install Server Packages

sudo su -
yum install rpcbind nfs-utils 

On some systems, "nfs-utils-lib" also needs to be installed.

Security Setup

iptables

Add the following rules above the INPUT chain rule that rejects traffic:

-A INPUT -s 172.23.0.0/16 -p udp -m multiport --dports 10053,111,2049,32769,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 172.23.0.0/16 -p tcp -m multiport --dports 10053,111,2049,32803,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT

where "172.23.0.0/16" should be replaced with the actual subnet value.

For more details on what services are using what ports, see Linux Ports.

A more permissive rule allows everything that comes from the specified subnet.

-A INPUT -s 172.23.0.0/16 -j ACCEPT

Restart iptables for changes to take effect.

systemctl restart iptables
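
The following shell script is added here as an example; it is not part of the original page. It generates the two multiport rules above for a given client subnet, rejecting malformed subnets, and inserts them into an iptables-save dump just above the first REJECT rule of the INPUT chain, so the result can be reviewed before it is loaded with iptables-restore. The sample dump and the subnet are constructed values.

```shell
#!/bin/sh
# Added example, not from the original page: build the NFS iptables rules for a
# client subnet and place them above the INPUT chain's REJECT rule in an
# iptables-save dump. The dump and the subnet below are constructed values.

# Validate a.b.c.d/nn and print the two multiport rules from the page for it.
nfs_rules() {
  subnet=$1
  addr=${subnet%/*}
  prefix=${subnet#*/}
  ok=1
  case $subnet in */*) ;; *) ok=0 ;; esac
  case $addr in ''|*[!0-9.]*) ok=0 ;; esac
  case $prefix in ''|*[!0-9]*) ok=0 ;; *) [ "$prefix" -le 32 ] || ok=0 ;; esac
  if [ "$ok" -eq 1 ]; then
    n=0
    for o in $(printf '%s' "$addr" | tr '.' ' '); do   # addr is digits and dots only here
      [ "$o" -le 255 ] || ok=0
      n=$((n + 1))
    done
    [ "$n" -eq 4 ] || ok=0
  fi
  if [ "$ok" -ne 1 ]; then
    echo "nfs_rules: '$subnet' is not a valid a.b.c.d/nn subnet" >&2
    return 1
  fi
  printf '%s\n' \
    "-A INPUT -s $subnet -p udp -m multiport --dports 10053,111,2049,32769,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT" \
    "-A INPUT -s $subnet -p tcp -m multiport --dports 10053,111,2049,32803,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT"
}

# Read an iptables-save dump on stdin; write it to stdout with the rules for $1
# inserted before the first "-A INPUT ... -j REJECT" line, so NFS traffic from
# the subnet is accepted before the chain's catch-all rejection. Fails if the
# dump has no such REJECT rule, so the caller knows nothing was inserted.
insert_nfs_rules() {
  rules=$(nfs_rules "$1") || return 1
  awk -v rules="$rules" '
    !inserted && /^-A INPUT / && / -j REJECT/ { print rules; inserted = 1 }
    { print }
    END { if (!inserted) { print "insert_nfs_rules: no INPUT REJECT rule found" > "/dev/stderr"; exit 2 } }
  '
}

# Constructed dump standing in for the output of "iptables-save".
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# On a real host: iptables-save | insert_nfs_rules 172.23.0.0/16 > /tmp/rules.v4,
# review the file, then load it with: iptables-restore < /tmp/rules.v4
printf '%s\n' "$SAMPLE_DUMP" | insert_nfs_rules 172.23.0.0/16
```

Working on the saved dump rather than calling iptables -I directly keeps the change reviewable, and the subnet check catches the typo that would otherwise silently open the ports to the wrong network.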

Amazon EC2

Amazon EC2 NFS Server Security Group

Define the Directories to Share

1. Create the directory:

mkdir /opt/shared

If the storage is on a dedicated block device, mount it in /etc/fstab:

/dev/vdb1                                 /nfs                    xfs   defaults        0 0


2. Give it the right permissions that make sense across your entire client set.

3. Share it in /etc/exports.

It is best to specify only the subnet that must have access to it:

...
/opt/shared 192.168.0.0/255.255.255.0(rw,sync,no_root_squash,no_subtree_check)
...
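
The export line above uses no_root_squash, which lets root on any client in the subnet act as root on the exported tree, and the host-list syntax of /etc/exports has a well-known trap: a space between the host and the parenthesised options makes those options apply to every host. The following shell function is added here as an example and is not part of the original page; it reads an exports file and reports such entries, together with exports to all hosts ("*") and the insecure option. The sample file is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: report risky entries in an
# /etc/exports file. The sample file below is constructed.

# Read exports text on stdin; print one line per finding, formatted
# "<path> <host>: <message>"; exit 1 if anything was found, 0 otherwise.
check_exports() {
  awk '
    function note(p, h, m) { n++; printf "%s %s: %s\n", p, h, m }
    /^[ \t]*(#|$)/ { next }                       # comments and blank lines
    {
      path = $1
      for (i = 2; i <= NF; i++) {
        tok = $i
        if (tok ~ /^\(/) {                        # "host (opts)": options detached from the host
          note(path, "(all hosts)", "options separated from the host by a space apply to every host")
          continue
        }
        host = tok; opts = ""
        if (match(tok, /\(.*\)$/)) {
          host = substr(tok, 1, RSTART - 1)
          opts = "," substr(tok, RSTART + 1, RLENGTH - 2) ","
        }
        if (host == "*") note(path, host, "exported to every host")
        if (opts ~ /,no_root_squash,/) note(path, host, "no_root_squash: root on the client is root on this export")
        if (opts ~ /,insecure,/) note(path, host, "insecure: requests from unprivileged source ports are accepted")
      }
    }
    END { exit (n > 0 ? 1 : 0) }
  '
}

# Constructed sample /etc/exports.
SAMPLE_EXPORTS='# constructed sample
/opt/shared 192.168.0.0/255.255.255.0(rw,sync,no_root_squash,no_subtree_check)
/srv/public *(ro,sync)
/srv/data 10.1.0.0/16(rw,sync,root_squash) 10.1.5.7(rw,insecure)
/srv/oops 10.2.0.0/16 (rw,sync)
'

# On a real host: check_exports < /etc/exports
printf '%s' "$SAMPLE_EXPORTS" | check_exports || echo "check_exports: review the findings above" >&2
```

The non-zero exit status makes the check usable from a configuration-management hook, so an export that widens access is caught before exportfs -ra picks it up.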

More details on export options can be found here:

Linux NFS Configuration - Export Options

Start NFS

RHEL 6

service rpcbind start
service nfs start

RHEL 7

systemctl start nfs-server

Start at Boot

init.d

To start the services again on reboot, also add them to chkconfig:

chkconfig --add rpcbind
chkconfig --add nfs
chkconfig --level 2345 rpcbind on
chkconfig --level 2345 nfs on

More details on chkconfig:

chkconfig

systemd

systemctl enable nfs-server.service
systemctl list-unit-files | grep nfs-server

More details on systemd:

systemd

List Filesystems Exported by an NFS Server

exportfs: list filesystems exported by an NFS server

Client Installation

Install Client Packages

CentOS

sudo su -
yum install nfs-utils

Ubuntu

sudo apt-get install nfs-common

Security Setup

iptables

iptables should allow outgoing connections.

SELinux

Authentication against the NFS Server

For context, see:

NFS Concepts - Security

Mount "on-the-fly"

Mount the directory from another machine "on-the-fly":

mount [-v] -t nfs 192.168.0.145:/shared /mnt/tmp

Mount the directory at boot

In /etc/fstab add:

192.168.1.4:/volume3/test3 /rackstation/test3/ nfs nolock,_netdev,bg 0 0

After mounting, the mount output on the client reports the NFS version that was negotiated, for example:

f01:/opt/shared on /opt/shared type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=172.31.21.22,local_lock=none,addr=172.31.20.184,_netdev)
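
As an added example that is not part of the original page, the following shell functions parse lines of that form from the mount output and report, for each NFS mount, the negotiated version and the security flavour from sec=; sec=sys is AUTH_SYS, where the server trusts the UID and GID the client sends. The sample mount lines are constructed (the first is the line above).

```shell
#!/bin/sh
# Added example, not from the original page: summarise NFS mounts from the
# output of "mount", reporting the negotiated version and the security flavour
# (sec=) of each. The sample lines below are constructed.

# Read "mount" output on stdin; print "<share> <mountpoint> vers=<v> sec=<s>"
# for each NFS mount, skipping every other filesystem type.
nfs_mount_summary() {
  awk '
    $4 == "type" && $5 ~ /^nfs4?$/ {
      opts = $6
      gsub(/^\(|\)$/, "", opts)            # strip the surrounding parentheses
      vers = "?"; sec = "?"
      n = split(opts, a, ",")
      for (i = 1; i <= n; i++) {
        if (a[i] ~ /^vers=/) vers = substr(a[i], 6)
        if (a[i] ~ /^sec=/)  sec  = substr(a[i], 5)
      }
      printf "%s %s vers=%s sec=%s\n", $1, $3, vers, sec
    }
  '
}

# Count the NFS mounts on stdin that use AUTH_SYS (sec=sys), i.e. rely on the
# UID/GID the client presents rather than on Kerberos; a quick fleet check.
nfs_authsys_count() {
  nfs_mount_summary | grep -c ' sec=sys$'
}

# Constructed "mount" output: the NFSv4 line from the page, an NFSv3 mount with
# Kerberos privacy, and a local xfs filesystem that must be ignored.
SAMPLE_MOUNTS='f01:/opt/shared on /opt/shared type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=172.31.21.22,local_lock=none,addr=172.31.20.184,_netdev)
192.168.1.4:/volume3/test3 on /rackstation/test3 type nfs (rw,relatime,vers=3,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,mountaddr=192.168.1.4,mountvers=3,mountport=892,mountproto=udp,local_lock=none,addr=192.168.1.4,_netdev)
/dev/vdb1 on /nfs type xfs (rw,relatime,attr2,inode64,noquota)'

# On a real client: mount | nfs_mount_summary
printf '%s\n' "$SAMPLE_MOUNTS" | nfs_mount_summary
```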

More about fstab:

/etc/fstab

More details on mount options can be found here:

Linux NFS Configuration - Mount Options

List Filesystems Mounted by an NFS Client

mount: list filesystems mounted by an NFS client

NFS Troubleshooting

Linux NFS Troubleshooting