Accessing Network Storage With NFS

Network File System

NFS (Network File System) is an Internet standard protocol used by Linux, Unix, and similar operating systems. It lets systems share files over the network as if they were on the local hard drive. Linux can be both an NFS server and an NFS client, which means that it can export file systems to other systems and mount file systems exported from other machines.

By default, CentOS 7 supports NFSv4 (version 4 of the protocol) and falls back automatically to NFSv3 and NFSv2 if that is not available. NFSv4 uses the TCP protocol to communicate with the server, while older versions of NFS may use either TCP or UDP.

Outline of NFS server

  • Package              :   nfs-utils
  • Port number          :   2049 (NFSv4 uses only the TCP protocol)
  • Configuration file   :   /etc/exports

We use two machines, one as the NFS server and the other as the NFS client. The details are:

  • NFS server hostname     :   server1 (CentOS 7)
  • NFS server IP address   :   192.168.1.10
  • NFS client hostname     :   client1 (CentOS 7)
  • NFS client IP address   :   192.168.1.11

Steps to configure NFS server are:

1.) Install the NFS package using Yum.

Install the NFS package using the yum command. If you have not configured a Yum server, refer to the link Configure the Yum Server in Centos7/RHEL7/Fedora22

# yum install nfs-utils

[root@server1 ~]# yum install nfs-utils
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package nfs-utils.x86_64 1:1.3.0-0.21.el7 will be installed


. . . . . 
Transaction Summary
===============================================================
Install  1 Package (+17 Dependent packages)

Total download size: 1.5 M
Installed size: 4.3 M
Is this ok [y/d/N]: y
Downloading packages:

2.) Create the directories and add some data to them.

Create two directories and add some data to them.

[root@server1 ~]# mkdir /protected
[root@server1 ~]# mkdir /public
[root@server1 ~]# cd /protected/
[root@server1 protected]# touch protectedfile{1..5}
[root@server1 protected]# ls
protectedfile1  protectedfile2  protectedfile3  protectedfile4  protectedfile5
[root@server1 protected]# cd ../public/
[root@server1 public]# touch publicfile{1..5}
[root@server1 public]# ls
publicfile1  publicfile2  publicfile3  publicfile4  publicfile5
[root@server1 public]#

3.) Export the directories by editing the /etc/exports file.

#vim /etc/exports

/protected    192.168.1.0/24(ro,sync)
/public        192.168.1.0/24(rw,sync)

~
~
:wq

(rw,sync)        :    Mount options

Various mount options which can be used:

  • rw            :   Grants read/write access.
  • ro            :   Grants read-only access.
  • sync          :   Specifies that all changes must be written to disk before a command completes.
  • sec=method    :   Selects the security method the NFS server uses to protect access to files: none, sys, krb5, krb5i or krb5p.
  • root_squash   :   Prevents the client's root user from acting as root on the export by mapping its requests to the anonymous user.

Note: As shown above, the “/protected” directory is exported read-only to the 192.168.1.0/24 network range and the “/public” directory is exported read-write to the same network range.
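The export options above can be checked mechanically. The following is an added example, not part of the original tutorial: a small Python parser for /etc/exports-style text that flags entries which disable root squashing, admit wildcard or very wide client ranges, or allow writes under sec=sys (the default when no sec= option is given). The /scratch line, the finding names and the 256-address threshold are constructed for illustration; quoted paths, backslash continuations and “-” default option lists are not handled.

```python
import ipaddress

# Constructed sample: the tutorial's two exports plus one deliberately weak line.
SAMPLE_EXPORTS = """\
/protected    192.168.1.0/24(ro,sync)
/public       192.168.1.0/24(rw,sync)
/scratch      *(rw,async,no_root_squash) 10.0.0.0/8(rw,sec=krb5p)
"""

def parse_exports(text):
    """Yield (path, client, options) for each client entry in exports-style text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            client, _, rest = spec.partition("(")
            opts = {o.strip() for o in rest.rstrip(")").split(",") if o.strip()}
            yield path, client or "*", opts

def address_count(client):
    """Addresses covered by an IP/CIDR client spec; None for names and wildcards."""
    try:
        return ipaddress.ip_network(client, strict=False).num_addresses
    except ValueError:
        return None

def audit(text, max_addresses=256):
    """Return sorted (path, client, finding) tuples; finding names are hypothetical."""
    findings = []
    for path, client, opts in parse_exports(text):
        # exports(5) defaults: sec=sys and root_squash apply unless overridden.
        flavors = next((o[4:].split(":") for o in opts if o.startswith("sec=")), ["sys"])
        count = address_count(client)
        if "no_root_squash" in opts:
            findings.append((path, client, "no_root_squash"))
        if "*" in client or "?" in client:
            findings.append((path, client, "wildcard-client"))
        elif count is not None and count > max_addresses:
            findings.append((path, client, "wide-network"))
        if "rw" in opts and "sys" in flavors:
            # AUTH_SYS: the server trusts the UID/GID the client sends.
            findings.append((path, client, "rw-with-auth-sys"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORTS):
        print(*finding)
```

On the tutorial's own two lines, only /public is reported (rw-with-auth-sys); the read-only /protected export produces no finding.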

Now run the exportfs command to export the directories.

# exportfs -avr  (Where “a” exports or unexports all directories, “v” shows verbose output, and “r” re-exports all directories.)

[root@server1 ~]# exportfs -avr
exporting 192.168.1.0/24:/public
exporting 192.168.1.0/24:/protected
[root@server1 ~]#

4.) Allow the NFS services through the firewall of the server.

Permanently add the NFS services to the firewall and then reload the firewall configuration.

[root@server1 ~]# firewall-cmd --permanent --add-service=nfs
success
[root@server1 ~]# firewall-cmd --permanent --add-service=rpc-bind
success
[root@server1 ~]# firewall-cmd --permanent --add-service=mountd
success
[root@server1 ~]# firewall-cmd --reload
success
[root@server1 ~]# firewall-cmd --list-all
public (default, active)
  interfaces: enp0s3 enp0s8
  sources: 
  services: dhcpv6-client ftp mountd nfs rpc-bind ssh
  ports: 22/tcp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
[root@server1 ~]# 

5.) Start the NFS service and make it permanent.

Start the NFS service, then enable it so that it starts at boot.

[root@server1 ~]# systemctl start nfs-server
[root@server1 ~]# systemctl status nfs-server.service
● nfs-server.service - NFS server and services
   Loaded: loaded (/usr/lib/systemd/system/nfs-server.service; disabled; vendor preset: disabled)
   Active: active (exited) since Sun 2016-09-25 03:01:30 EDT; 2s ago
  Process: 3372 ExecStart=/usr/sbin/rpc.nfsd $RPCNFSDARGS (code=exited, status=0/SUCCESS)
  Process: 3371 ExecStartPre=/usr/sbin/exportfs -r (code=exited, status=0/SUCCESS)
 Main PID: 3372 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/nfs-server.service

Sep 25 03:01:30 server1 systemd[1]: Starting NFS server and services...
Sep 25 03:01:30 server1 systemd[1]: Started NFS server and services.
[root@server1 ~]# systemctl enable nfs-server
Created symlink from /etc/systemd/system/multi-user.target.wants/nfs-server.service to /usr/lib/systemd/system/nfs-server.service.
[root@server1 ~]#

Note: If you get an error related to “failed to register nfsdv3 RPC service”, start and enable the rpcbind service.

Client side configuration for NFS mounting

1.) Check and Install the NFS package if not installed.

# yum install nfs-utils -y

[root@client1 ~]# yum install nfs-utils
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package nfs-utils.x86_64 1:1.3.0-0.21.el7 will be installed


. . . . . 
Transaction Summary
===============================================================
Install  1 Package (+17 Dependent packages)
Total download size: 1.5 M
Installed size: 4.3 M
Is this ok [y/d/N]: y
Downloading packages:

2.) Check the exported directories.

To check the directories exported by the server, the syntax is:

# showmount -e <server IP address> (Where “e” is used for exports)

[root@client1 ~]# showmount -e 192.168.1.10
Export list for 192.168.1.10:
/public    192.168.1.0/24
/protected 192.168.1.0/24
[root@client1 ~]#

3.) Start the NFS services.

#systemctl start nfs

[root@client1 ~]# systemctl start nfs.service
[root@client1 ~]#

4.) Make the directories and mount the NFS exports on them.

[root@client1 ~]# mkdir /mnt/data
[root@client1 ~]# mkdir /protected
[root@client1 ~]# mount -t nfs 192.168.1.10:/public /mnt/data
[root@client1 ~]# mount -t nfs 192.168.1.10:/protected /protected
[root@client1 ~]# df -h /mnt/data/ /protected/
Filesystem               Size  Used Avail Use% Mounted on
192.168.1.10:/public     7.0G  928M  6.1G  13% /mnt/data
192.168.1.10:/protected  7.0G  928M  6.1G  13% /protected
[root@client1 ~]#

5.) Check read and write access for both directories.

Now try to add some content.

[root@client1 ~]# cd /mnt/data/
[root@client1 data]# ls
publicfile1  publicfile2  publicfile3  publicfile4  publicfile5
[root@client1 data]# echo "NFS server" > publicfile1
-bash: publicfile1: Permission denied
[root@client1 data]#

Note: Permission is denied because, on the server side, the directory does not grant write permission to the group or to others.

6.) Log in to the NFS server and give write permission on the NFS directory.

Give write permission to group and others. Mode 777 lets every user, on the server and on any client the export admits, create and modify files in the directory.

[root@server1 ~]# ls -ld /public/
drwxr-xr-x. 2 root root 96 Sep 25 02:47 /public/
[root@server1 ~]# chmod -R 777 /public/
[root@server1 ~]# ls -ld /public/
drwxrwxrwx. 2 root root 96 Sep 25 02:47 /public/
[root@server1 ~]# ls -ld /protected/
drwxr-xr-x. 2 root root 4096 Sep 25 02:47 /protected/
[root@server1 /]# chmod -R 777 /protected/
[root@server1 /]#

7.) Log in to the client machine and try to edit some files.

[root@client1 ~]# cd /mnt/data
[root@client1 data]# ls
publicfile1  publicfile2  publicfile3  publicfile4  publicfile5
[root@client1 data]# echo "NFS server" > publicfile1
[root@client1 data]# cat publicfile1
NFS server
[root@client1 data]#

Now check the “/protected” directory.

[root@client1 ~]# cd /protected/
[root@client1 protected]# touch protectedfile{6..10}
touch: cannot touch ‘protectedfile6’: Read-only file system
touch: cannot touch ‘protectedfile7’: Read-only file system
touch: cannot touch ‘protectedfile8’: Read-only file system
touch: cannot touch ‘protectedfile9’: Read-only file system
touch: cannot touch ‘protectedfile10’: Read-only file system
[root@client1 protected]# echo "Data protected" > protectedfile1
-bash: protectedfile1: Permission denied
[root@client1 protected]#

Note: In the server's exports file we configured read-only access to the “/protected” directory.

To mount the “/protected” and “/mnt/data” directories permanently, edit the “/etc/fstab” file as follows.

# vim /etc/fstab

192.168.1.10:/public    /mnt/data       nfs     defaults        0       0
192.168.1.10:/protected /protected      nfs     defaults        0       0

~
~
:wq

Some Tips and Tricks on NFS server

Suppose we have a “/HR” directory on the server and want to provide read-write access to “/HR” only for HR persons (in our case, only for one user).

1.) Create the /HR directory and export it by editing the /etc/exports file.

#mkdir /HR

[root@server1 /]# mkdir /HR
[root@server1 /]#

Now edit the exports file.

#vim /etc/exports

/protected      192.168.1.0/24(ro,sync)
/public         192.168.1.0/24(rw,sync)
/HR             192.168.1.0/24(rw,sync)

~
~
:wq

To export the directory, use the “exportfs” command.

[root@server1 /]# exportfs -avr
exporting 192.168.1.0/24:/HR
exporting 192.168.1.0/24:/public
exporting 192.168.1.0/24:/protected
[root@server1 /]#

2.) Create two users on the server and client machines.

Let’s create two users on the server and client machines with the same UIDs. Suppose one user (i.e. smith) is from the HR department and the other user (i.e. jack) is from the Finance department.

[root@server1 ~]# useradd -u 1010  smith
[root@server1 ~]# passwd smith
Changing password for user smith.
New password: 
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@server1 ~]# useradd -u 1011  jack
[root@server1 ~]# passwd jack
Changing password for user jack.
New password: 
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@server1 ~]#

The same commands are used to create the users on the client machines.

Note: If you are using an “ldap” service, there is no need to create the users.
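The UIDs have to match because, with the default sec=sys, the server decides access from the numeric UID the client sends rather than from the user name. The following is an added example, not part of the original tutorial: a Python check that compares passwd-format text from the server and a client and reports where the name-to-UID mapping has drifted. The passwd extracts, the user bob and the finding names are constructed for illustration.

```python
# Constructed passwd extracts; smith/jack and UIDs 1010/1011 follow the tutorial,
# the client-side drift (jack=1012, bob=1011) is invented for the example.
SERVER_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
smith:x:1010:1010::/home/smith:/bin/bash
jack:x:1011:1011::/home/jack:/bin/bash
"""
CLIENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
smith:x:1010:1010::/home/smith:/bin/bash
jack:x:1012:1012::/home/jack:/bin/bash
bob:x:1011:1011::/home/bob:/bin/bash
"""

def parse_passwd(text, min_uid=1000):
    """Map user name -> UID for regular accounts (UID >= min_uid)."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit() and int(fields[2]) >= min_uid:
            users[fields[0]] = int(fields[2])
    return users

def uid_drift(server_passwd, client_passwd):
    """Return findings where the client's name/UID mapping differs from the server's."""
    server = parse_passwd(server_passwd)
    client = parse_passwd(client_passwd)
    server_by_uid = {uid: name for name, uid in server.items()}
    findings = []
    for name, uid in sorted(client.items()):
        if name in server and server[name] != uid:
            # Same person, different number: their files on the export look foreign.
            findings.append(("uid-mismatch", name, uid, server[name]))
        owner = server_by_uid.get(uid)
        if owner is not None and owner != name:
            # Different person, same number: the server treats them as `owner`.
            findings.append(("acts-as", name, uid, owner))
    return findings

if __name__ == "__main__":
    for finding in uid_drift(SERVER_PASSWD, CLIENT_PASSWD):
        print(*finding)
```

In the constructed data, the client's bob holds UID 1011, so the server would apply jack's permissions to him, while the client's jack (UID 1012) matches no server account.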

3.) Set an ACL on the /HR directory and restart the service.

Set an ACL for the “smith” user on the /HR directory.

[root@server1 ~]# setfacl -m u:smith:rwx /HR
[root@server1 ~]# chown smith:smith /HR
[root@server1 ~]# systemctl restart nfs-server.service

4.) Make the mount directory on the client side and add the entry to the fstab file.

[root@client1 ~]# mkdir /HR

# vim /etc/fstab

192.168.1.10:/public    /mnt/data       nfs     defaults        0       0
192.168.1.10:/protected /protected      nfs     defaults        0       0
192.168.1.10:/HR        /HR             nfs     defaults        0       0

~
~
:wq

Run the “mount -a” command to mount the “/HR” directory.

[root@client1 ~]# mount -a
[root@client1 ~]# df -h /HR/
Filesystem        Size  Used Avail Use% Mounted on
192.168.1.10:/HR  7.0G  928M  6.1G  13% /HR
[root@client1 ~]#

5.) Try to upload some files as the smith and jack users from the client machine.

First log in as the “jack” user and try to upload some files to the NFS server.

[root@client1 ~]# su - jack
[jack@client1 ~]$ cd /HR
[jack@client1 HR]$ touch file{1..5}
touch: cannot touch ‘file1’: Permission denied
touch: cannot touch ‘file2’: Permission denied
touch: cannot touch ‘file3’: Permission denied
touch: cannot touch ‘file4’: Permission denied
touch: cannot touch ‘file5’: Permission denied
[jack@client1 HR]$ 

Now, try with the “smith” user.

[root@client1 ~]# su - smith
Last login: Sun Sep 25 05:39:31 EDT 2016 on pts/1
[smith@client1 ~]$ cd /HR
[smith@client1 HR]$ ls
[smith@client1 HR]$ touch  file{1..5}
[smith@client1 HR]$ ls
file1  file2  file3  file4  file5
[smith@client1 HR]$ echo "Smith Can execute these files" > file1
[smith@client1 HR]$ cat file1
Smith Can execute these files
[smith@client1 HR]$

As shown above, the “jack” user (i.e. the finance person) doesn’t have permission to edit the “/HR” directory.
