8.6. Configuring the NFS Server
There are two ways to configure exports on an NFS server:
- Manually editing the NFS configuration file, that is, /etc/exports, and
- Through the command line, that is, by using the command exportfs
8.6.1. The /etc/exports Configuration File
The /etc/exports file controls which file systems are exported to remote hosts and specifies options. It follows these syntax rules:
- Blank lines are ignored.
- To add a comment, start a line with the hash mark (#).
- You can wrap long lines with a backslash (\).
- Each exported file system should be on its own individual line.
- Any lists of authorized hosts placed after an exported file system must be separated by space characters.
- Options for each of the hosts must be placed in parentheses directly after the host identifier, without any spaces separating the host and the first parenthesis.
Each entry for an exported file system has the following structure:
export host(options)
The aforementioned structure uses the following variables:
- export: The directory being exported
- host: The host or network to which the export is being shared
- options: The options to be used for host
It is possible to specify multiple hosts, along with specific options for each host. To do so, list them on the same line as a space-delimited list, with each hostname followed by its respective options (in parentheses), as in:
export host1(options1) host2(options2) host3(options3)
For information on different methods for specifying hostnames, see Section 8.6.5, “Hostname Formats”.
In its simplest form, the /etc/exports file only specifies the exported directory and the hosts permitted to access it, as in the following example:
Example 8.6. The /etc/exports File
/exported/directory bob.example.com
Here, bob.example.com can mount /exported/directory/ from the NFS server. Because no options are specified in this example, NFS uses default settings.
The default settings are:
- ro: The exported file system is read-only. Remote hosts cannot change the data shared on the file system. To allow hosts to make changes to the file system (that is, read and write), specify the rw option.
- sync: The NFS server will not reply to requests before changes made by previous requests are written to disk. To enable asynchronous writes instead, specify the async option.
- wdelay: The NFS server will delay writing to the disk if it suspects another write request is imminent. This can improve performance as it reduces the number of times the disk must be accessed by separate write commands, thereby reducing write overhead. To disable this, specify the no_wdelay option. no_wdelay is only available if the default sync option is also specified.
- root_squash: This prevents root users connected remotely (as opposed to locally) from having root privileges; instead, the NFS server assigns them the user ID nfsnobody. This effectively "squashes" the power of the remote root user to the lowest local user, preventing possible unauthorized writes on the remote server. To disable root squashing, specify no_root_squash.
To squash every remote user (including root), use all_squash. To specify the user and group IDs that the NFS server should assign to remote users from a particular host, use the anonuid and anongid options, respectively, as in:
export host(anonuid=uid,anongid=gid)
Here, uid and gid are the user ID number and group ID number, respectively. The anonuid and anongid options allow you to create a special user and group account for remote NFS users to share.
By default, access control lists (ACLs) are supported by NFS under Red Hat Enterprise Linux. To disable this feature, specify the no_acl option when exporting the file system.
Each default for every exported file system must be explicitly overridden. For example, if the rw option is not specified, then the exported file system is shared as read-only. The following is a sample line from /etc/exports which overrides two default options:
/another/exported/directory 192.168.0.3(rw,async)
In this example, 192.168.0.3 can mount /another/exported/directory/ read and write, and all writes to disk are asynchronous. For more information on exporting options, see man exportfs.
Other options are available where no default value is specified. These include the ability to disable sub-tree checking, allow access from insecure ports, and allow insecure file locks (necessary for certain early NFS client implementations). For more information on these less-used options, see man exports.
Important
The format of the /etc/exports file is very precise, particularly in regards to use of the space character. Remember to always separate exported file systems from hosts and hosts from one another with a space character. However, there should be no other space characters in the file except on comment lines.
For example, the following two lines do not mean the same thing:
/home bob.example.com(rw)
/home bob.example.com (rw)
The first line allows only users from bob.example.com read and write access to the /home directory. The second line allows users from bob.example.com to mount the directory as read-only (the default), while the rest of the world can mount it read/write.
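The following Python script is an added example, not part of the Red Hat guide or of nfs-utils. It parses /etc/exports text according to the syntax rules above (comments, blank lines, backslash continuation, host(options)), applies the defaults listed above (ro, sync, wdelay, root_squash), and lists the entries a reviewer should look at: a bare (rw) separated from its host by a space, which the Important note explains applies to every host, wildcard hosts, and the no_root_squash, insecure and insecure_locks options that switch off protections the text describes. The sample file it reads is constructed.

```python
DEFAULTS = {"ro", "sync", "wdelay", "root_squash"}       # defaults named in the text
OVERRIDES = {"rw": "ro", "async": "sync", "no_wdelay": "wdelay",
             "no_root_squash": "root_squash"}           # option -> default it replaces
RISKY = ("no_root_squash", "insecure", "insecure_locks")  # options worth a second look

def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and '#' comments."""
    buf = ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):                  # wrapped line
            buf += raw.rstrip()[:-1] + " "
            continue
        line, buf = (buf + raw).strip(), ""
        if line and not line.startswith("#"):
            yield line

def parse_exports(text):
    """Return [(export, host, effective_options)] with the defaults applied."""
    entries = []
    for line in logical_lines(text):
        export, *hosts = line.split()
        for spec in hosts:
            host, _, opts = spec.partition("(")          # "host(opts)" -> host, "opts)"
            eff = set(DEFAULTS)
            for opt in filter(None, opts.rstrip(")").split(",")):
                eff.discard(OVERRIDES.get(opt, ""))
                eff.add(opt)
            entries.append((export, host or "*", eff))  # bare "(rw)": no host means every host
    return entries

def lint_exports(text):
    """One finding per item a reviewer of the file should look at."""
    findings = []
    for export, host, eff in parse_exports(text):
        if host == "*":
            findings.append(f"{export}: exported to every host")
        elif any(c in host for c in "*?"):
            findings.append(f"{export}: wildcard host {host}")
        findings += [f"{export} {host}: {o}" for o in RISKY if o in eff]
    return findings

SAMPLE = """\
# constructed sample /etc/exports; the third entry has the space-before-( pitfall
/exported/directory bob.example.com
/another/exported/directory 192.168.0.3(rw,async)
/home bob.example.com (rw)
/srv/build 192.168.0.0/24(rw,sync,no_root_squash) \\
  *.example.com(ro)
"""
```

Running lint_exports(SAMPLE) reports the world-readable-writable /home entry, the no_root_squash export and the wildcard host, while the two entries copied from the text above produce no findings.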
8.6.2. The exportfs Command
Every file system being exported to remote users with NFS, as well as the access level for those file systems, is listed in the /etc/exports file. When the nfs service starts, the /usr/sbin/exportfs command launches and reads this file, passes control to rpc.mountd (if NFSv3) for the actual mounting process, then to rpc.nfsd, where the file systems are then available to remote users.
When issued manually, the /usr/sbin/exportfs command allows the root user to selectively export or unexport directories without restarting the NFS service. When given the proper options, the /usr/sbin/exportfs command writes the exported file systems to /var/lib/nfs/xtab. Since rpc.mountd refers to the xtab file when deciding access privileges to a file system, changes to the list of exported file systems take effect immediately.
The following is a list of commonly-used options available for /usr/sbin/exportfs:
- -r: Causes all directories listed in /etc/exports to be exported by constructing a new export list in /var/lib/nfs/etab. This option effectively refreshes the export list with any changes made to /etc/exports.
- -a: Causes all directories to be exported or unexported, depending on what other options are passed to /usr/sbin/exportfs. If no other options are specified, /usr/sbin/exportfs exports all file systems specified in /etc/exports.
- -o file-systems: Specifies directories to be exported that are not listed in /etc/exports. Replace file-systems with additional file systems to be exported. These file systems must be formatted in the same way they are specified in /etc/exports. This option is often used to test an exported file system before adding it permanently to the list of file systems to be exported. For more information on /etc/exports syntax, see Section 8.6.1, “The /etc/exports Configuration File”.
- -i: Ignores /etc/exports; only options given from the command line are used to define exported file systems.
- -u: Unexports all shared directories. The command /usr/sbin/exportfs -ua suspends NFS file sharing while keeping all NFS daemons up. To re-enable NFS sharing, use exportfs -r.
- -v: Verbose operation, where the file systems being exported or unexported are displayed in greater detail when the exportfs command is executed.
If no options are passed to the exportfs command, it displays a list of currently exported file systems. For more information about the exportfs command, see man exportfs.
8.6.2.1. Using exportfs with NFSv4
In Red Hat Enterprise Linux 7, no extra steps are required to configure NFSv4 exports as any filesystems mentioned are automatically available to NFSv3 and NFSv4 clients using the same path. This was not the case in previous versions.
To prevent clients from using NFSv4, turn it off by setting RPCNFSDARGS="-N 4" in /etc/sysconfig/nfs.
8.6.3. Running NFS Behind a Firewall
NFS requires rpcbind, which dynamically assigns ports for RPC services and can cause issues for configuring firewall rules. To allow clients to access NFS shares behind a firewall, edit the /etc/sysconfig/nfs file to set which ports the RPC services run on. To allow clients to access RPC Quota through a firewall, see Section 8.6.4, “Accessing RPC Quota through a Firewall”.
The /etc/sysconfig/nfs file does not exist by default on all systems. If /etc/sysconfig/nfs does not exist, create it and specify the following:
- RPCMOUNTDOPTS="-p port": This adds "-p port" to the rpc.mountd command line: rpc.mountd -p port.
To specify the ports to be used by the nlockmgr service, set the port number for the nlm_tcpport and nlm_udpport options in the /etc/modprobe.d/lockd.conf file.
If NFS fails to start, check /var/log/messages. Commonly, NFS fails to start if you specify a port number that is already in use. After editing /etc/sysconfig/nfs, in Red Hat Enterprise Linux 7.2 and prior you need to restart the nfs-config service for the new values to take effect by running:
# systemctl restart nfs-config
Then, restart the NFS server:
# systemctl restart nfs-server
Run rpcinfo -p to confirm the changes have taken effect.
Note
To allow NFSv4.0 callbacks to pass through firewalls, set /proc/sys/fs/nfs/nfs_callback_tcpport and allow the server to connect to that port on the client.
This process is not needed for NFSv4.1 or higher, and the other ports for mountd, statd, and lockd are not required in a pure NFSv4 environment.
8.6.3.1. Discovering NFS exports
There are two ways to discover which file systems an NFS server exports.
- On any server that supports NFSv3, use the showmount command:
$ showmount -e myserver
Export list for myserver:
/exports/foo
/exports/bar
- On any server that supports NFSv4, mount the root directory and look around:
# mount myserver:/ /mnt/
# cd /mnt/
exports
# ls exports
foo
bar
On servers that support both NFSv4 and NFSv3, both methods work and give the same results.
Note
Before Red Hat Enterprise Linux 6 on older NFS servers, depending on how they are configured, it is possible to export filesystems to NFSv4 clients at different paths. Because these servers do not enable NFSv4 by default, this should not be a problem.
8.6.4. Accessing RPC Quota through a Firewall
If you export a file system that uses disk quotas, you can use the quota Remote Procedure Call (RPC) service to provide disk quota data to NFS clients.
Procedure 8.1. Making RPC Quota Accessible Behind a Firewall
- To enable the rpc-rquotad service, use the following command:
# systemctl enable rpc-rquotad
- To start the rpc-rquotad service, use the following command:
# systemctl start rpc-rquotad
rpc-rquotad is, if enabled, started automatically after starting the nfs-server service.
- To make the quota RPC service accessible behind a firewall, UDP or TCP port 875 needs to be open. The default port number is defined in the /etc/services file. You can override the default port number by appending -p port-number to the RPCRQUOTADOPTS variable in the /etc/sysconfig/rpc-rquotad file.
- Restart rpc-rquotad for changes in the /etc/sysconfig/rpc-rquotad file to take effect:
# systemctl restart rpc-rquotad
Setting Quotas from Remote Hosts
By default, quotas can only be read by remote hosts. To allow setting quotas, append the -S option to the RPCRQUOTADOPTS variable in the /etc/sysconfig/rpc-rquotad file.
Restart rpc-rquotad for changes in the /etc/sysconfig/rpc-rquotad file to take effect:
# systemctl restart rpc-rquotad
8.6.5. Hostname Formats
The host(s) can be in the following forms:
- Single machine: A fully-qualified domain name (that can be resolved by the server), hostname (that can be resolved by the server), or an IP address.
- Series of machines specified with wildcards: Use the * or ? character to specify a string match. Wildcards are not to be used with IP addresses; however, they may accidentally work if reverse DNS lookups fail. When specifying wildcards in fully qualified domain names, dots (.) are not included in the wildcard. For example, *.example.com includes one.example.com but does not include one.two.example.com.
- IP networks: Use a.b.c.d/z, where a.b.c.d is the network and z is the number of bits in the netmask (for example 192.168.0.0/24). Another acceptable format is a.b.c.d/netmask, where a.b.c.d is the network and netmask is the netmask (for example, 192.168.100.8/255.255.255.0).
- Netgroups: Use the format @group-name, where group-name is the NIS netgroup name.
8.6.6. Enabling NFS over RDMA (NFSoRDMA)
The remote direct memory access (RDMA) service works automatically in Red Hat Enterprise Linux 7 if there is RDMA-capable hardware present.
To enable NFS over RDMA:
- Install the rdma and rdma-core packages. The /etc/rdma/rdma.conf file contains a line that sets XPRTRDMA_LOAD=yes by default, which requests the rdma service to load the NFSoRDMA client module.
- To enable automatic loading of NFSoRDMA server modules, add SVCRDMA_LOAD=yes on a new line in /etc/rdma/rdma.conf. RPCNFSDARGS="--rdma=20049" in the /etc/sysconfig/nfs file specifies the port number on which the NFSoRDMA service listens for clients. RFC 5667 specifies that servers must listen on port 20049 when providing NFSv4 services over RDMA.
- Restart the nfs service after editing the /etc/rdma/rdma.conf file:
# systemctl restart nfs
Note that with earlier kernel versions, a system reboot is needed after editing /etc/rdma/rdma.conf for the changes to take effect.
8.6.7. Configuring an NFSv4-only Server
By default, the NFS server supports NFSv2, NFSv3, and NFSv4 connections in Red Hat Enterprise Linux 7. However, you can also configure NFS to support only NFS version 4.0 and later. This minimizes the number of open ports and running services on the system, because NFSv4 does not require the rpcbind service to listen on the network.
When your NFS server is configured as NFSv4-only, clients attempting to mount shares using NFSv2 or NFSv3 fail with an error like the following:
Requested NFS version or transport protocol is not supported.
Procedure 8.2. Configuring an NFSv4-only Server
To configure your NFS server to support only NFS version 4.0 and later:
- Disable NFSv2, NFSv3, and UDP by adding the following line to the /etc/sysconfig/nfs configuration file:
RPCNFSDARGS="-N 2 -N 3 -U"
- Optionally, disable listening for the RPCBIND, MOUNT, and NSM protocol calls, which are not necessary in the NFSv4-only case. The effects of disabling these options are:
  - Clients that attempt to mount shares from your server using NFSv2 or NFSv3 become unresponsive.
  - The NFS server itself is unable to mount NFSv2 and NFSv3 file systems.
  To disable these options:
  - Add the following to the /etc/sysconfig/nfs file:
  RPCMOUNTDOPTS="-N 2 -N 3"
  - Disable related services:
  # systemctl mask --now rpc-statd.service rpcbind.service rpcbind.socket
- Restart the NFS server:
# systemctl restart nfs
The changes take effect as soon as you start or restart the NFS server.
Verifying the NFSv4-only Configuration
You can verify that your NFS server is configured in the NFSv4-only mode by using the netstat utility.
- The following is an example netstat output on an NFSv4-only server; listening for RPCBIND, MOUNT, and NSM is also disabled. Here, nfs is the only listening NFS service:
# netstat -ltu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:nfs             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN
tcp6       0      0 [::]:nfs                [::]:*                  LISTEN
tcp6       0      0 [::]:12432              [::]:*                  LISTEN
tcp6       0      0 [::]:12434              [::]:*                  LISTEN
tcp6       0      0 localhost:7092          [::]:*                  LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
udp        0      0 localhost:323           0.0.0.0:*
udp        0      0 0.0.0.0:bootpc          0.0.0.0:*
udp6       0      0 localhost:323           [::]:*
- In comparison, the netstat output before configuring an NFSv4-only server includes the sunrpc and mountd services:
# netstat -ltu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:nfs             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:36069           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:52364           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:mountd          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN
tcp6       0      0 [::]:34941              [::]:*                  LISTEN
tcp6       0      0 [::]:nfs                [::]:*                  LISTEN
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN
tcp6       0      0 [::]:mountd             [::]:*                  LISTEN
tcp6       0      0 [::]:12432              [::]:*                  LISTEN
tcp6       0      0 [::]:56881              [::]:*                  LISTEN
tcp6       0      0 [::]:12434              [::]:*                  LISTEN
tcp6       0      0 localhost:7092          [::]:*                  LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
udp        0      0 localhost:323           0.0.0.0:*
udp        0      0 0.0.0.0:37190           0.0.0.0:*
udp        0      0 0.0.0.0:876             0.0.0.0:*
udp        0      0 localhost:877           0.0.0.0:*
udp        0      0 0.0.0.0:mountd          0.0.0.0:*
udp        0      0 0.0.0.0:38588           0.0.0.0:*
udp        0      0 0.0.0.0:nfs             0.0.0.0:*
udp        0      0 0.0.0.0:bootpc          0.0.0.0:*
udp        0      0 0.0.0.0:sunrpc          0.0.0.0:*
udp6       0      0 localhost:323           [::]:*
udp6       0      0 [::]:57683              [::]:*
udp6       0      0 [::]:876                [::]:*
udp6       0      0 [::]:mountd             [::]:*
udp6       0      0 [::]:40874              [::]:*
udp6       0      0 [::]:nfs                [::]:*
udp6       0      0 [::]:sunrpc             [::]:*
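The following Python script is an added example, not part of the Red Hat guide; it applies the same check programmatically so it can run as part of a configuration audit. It reads saved netstat -ltu output and reports any rpcbind (sunrpc) or rpc.mountd (mountd) listeners that an NFSv4-only server should not have, recognising both the service names netstat prints by default and the numeric ports it prints with -n (111 for sunrpc, 2049 for nfs, 20048 for mountd, as assigned in /etc/services on Red Hat Enterprise Linux 7). The two sample listings are constructed, condensed versions of the output above.

```python
# Added example, not from the Red Hat guide. Port numbers are those listed
# in /etc/services on RHEL 7 and are what "netstat -ltun" would show instead.
NFS_SERVICES = {"sunrpc": "111", "mountd": "20048", "nfs": "2049"}
UNWANTED_FOR_V4_ONLY = ("mountd", "sunrpc")   # rpc.mountd and rpcbind

def nfs_listeners(netstat_text):
    """Return {service: set(proto)} for the NFS-related listening sockets."""
    found = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows look like: proto recv-q send-q local foreign [state]
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto, local = fields[0], fields[3]
        port = local.rsplit(":", 1)[-1]       # works for 0.0.0.0:nfs and [::]:nfs
        for name, number in NFS_SERVICES.items():
            if port in (name, number):
                found.setdefault(name, set()).add(proto)
    return found

def v4_only_violations(netstat_text):
    """Sorted 'service/proto' strings that contradict an NFSv4-only setup."""
    listeners = nfs_listeners(netstat_text)
    return sorted(f"{name}/{proto}" for name in UNWANTED_FOR_V4_ONLY
                  for proto in listeners.get(name, ()))

# Constructed, condensed samples resembling the two listings above.
BEFORE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:nfs             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:mountd          0.0.0.0:*               LISTEN
tcp6       0      0 [::]:nfs                [::]:*                  LISTEN
udp        0      0 0.0.0.0:mountd          0.0.0.0:*
udp6       0      0 [::]:111                [::]:*
"""
AFTER = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:nfs             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
tcp6       0      0 [::]:nfs                [::]:*                  LISTEN
udp        0      0 0.0.0.0:bootpc          0.0.0.0:*
"""

if __name__ == "__main__":
    print("before:", v4_only_violations(BEFORE))   # mountd and sunrpc still listening
    print("after: ", v4_only_violations(AFTER))    # [] means NFSv4-only as intended
```

An empty result only shows that nothing is listening; it does not prove RPCNFSDARGS carries -N 2 -N 3, so pair it with the rpcinfo -p check from Section 8.6.3.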