29.2. Objective 2: Configuring an NFS Server

The Network File System (NFS) is the standard method for sharing files between Unix (and Unix-like) systems. Linux can be both an NFS server (offering its directories to other systems) and an NFS client (offering its own users access to directories on other systems).

29.2.1. The NFS Server

The NFS server can be installed by default during your distribution's installation process, but if NFS was not installed, you can install it from your distribution's installation media or FTP site. In addition to the NFS packages, you will need the following daemons and utilities.


Portmap

The NFS server system must be running the portmap daemon, a server for the RPC service directory.


The NFS-related RPC daemons

These are typically started automatically at boot time through /etc/init.d/nfs start and consist of:


rpc.nfsd

Handles file serving


rpc.statd and rpc.lockd

Handle lock management


rpc.rquotad

Manages quotas


rpc.mountd

Checks mount requests and hands out access handles

29.2.2. Configuring NFS Server Exports

The server uses /etc/exports to configure NFS filesystems that it offers to remote systems. The format of the file entries is typically:

 /path/to/export [host](options) 

The first field, /path/to/export, is the path that you want to make available via NFS. An example would be /mnt/cdrom. The second field, host, is the hostname, specified by name or IP address (with an optional netmask), to which you want the filesystem to be made available. If nothing is supplied for host, the filesystem is exported to everyone. The last field, options, is a comma-separated list of export options. Some standard examples are ro for read-only and rw for read/write.

The following is an example of an /etc/exports file:

 /mnt/cdrom              (ro)
 /tmp                    (rw)
 /home                   192.168.0.0/255.255.255.0(rw)

The first line exports /mnt/cdrom read-only to the world. The second line exports /tmp read-write to the world. The third line exports /home read/write to only the 192.168.0.0 network.

Be very careful to not have any spaces between the host specification and the export options. The following are very different:

 host (options)
 host(options)

For more information about the format and options of /etc/exports, view the exports manpage (man 5 exports).

Directories can also be exported based on hostname, wildcarded domain name (*.example.com), or NIS netgroups. If you use NIS, you can use @netgroup to specify the hosts defined in the given netgroup.

To initially add all your entries in /etc/exports to the list of exported filesystems (assuming mountd is already running), run exportfs -av. The -a option tells exportfs to add the entries and the -v option to print the output verbosely.

After you make any change to /etc/exports, you must update the NFS server using exportfs -rv. This command reexports all directories in /etc/exports, syncing the server's list of exports (maintained by mountd in /var/lib/nfs/xtab) with /etc/exports.

To remove a filesystem from mountd's list of exportable filesystems, use exportfs -u. More information about exportfs may be found in the exportfs(8) manpage.

29.2.3. NFS Server Security

NFS was ingenious when it was created, but it has been plagued by many security problems. Therefore, the Linux implementation has integrated TCP wrappers support. TCP wrappers is a somewhat paranoid IP access control mechanism that is more fully documented in Chapter 40. Suffice it to say here that all hosts that should be able to access your NFS server must be allowed to do so. To secure your NFS server, put a statement like the following in your /etc/hosts.deny file:

 portmap,lockd,mountd,rquotad,statd: ALL 

This disables access to all the NFS-related services altogether. To reenable NFS for your legitimate clients, put lines like the following in your /etc/hosts.allow file:

 portmap,lockd,mountd,rquotad,statd: 192.168.0.0/255.255.0.0 

This means that, even if your /etc/exports file exports your /mnt/cdrom and /tmp directories to the world, no one outside the 192.168.0.0/255.255.0.0 network will be able to contact the servers.

This mechanism does not allow netgroups to be used, but it does allow hostnames and domains (.example.com).

Even though the portmapper is, strictly speaking, not an NFS service, it too has been subject to security problems and access to it should also be restricted.

The /etc/hosts.allow and /etc/hosts.deny files also apply to your NFS client. It should be secured in the same way.

A server may not want to trust the remote root users. Trusting a remote root user would mean that the remote root can read all files, create device files with unhealthy permissions, and create setuid root scripts on the server. All these are bad things unless you are sure that the clients are all as secure as the server. Otherwise, add root_squash to the export option list in order to deny root access or, more accurately, to change the UID of root requests to the nobody user before they go to the filesystem. The opposite of root_squash is no_root_squash. If you trust no one on the client, but still want them to have some access, you can use all_squash to squash all users down to nobodies. There are also the two options anonuid=n and anongid=n, which control exactly which account the squash options apply to. They used to be useful for PC/NFS, but that is obsolete now. They are perhaps useful if you want to share a public disk, such as an FTP server disk. If the FTP server user has UID 95 and GID 95, you can export relatively safely to the world through:

 /home/ftp        (ro,all_squash,anonuid=95,anongid=95) 
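The following is an added example, not code from the book, that audits an /etc/exports file for the pitfalls covered in Sections 29.2.2 and 29.2.3: a host-less "(options)" entry (exported to everyone), a space between the host and its options (the options then apply to everyone), and no_root_squash. The sample exports content and the hostname buildhost are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the book: audit an /etc/exports file for the
# pitfalls described above. A token of the form "(options)" that is not
# glued to a host is a world export, a host followed by a space and
# "(options)" gets default options while the options go to everyone,
# and no_root_squash trusts the client's root. Exit status is 1 when
# any finding is printed, so the script can gate "exportfs -rv".

audit_exports() {
    # $1: path to an exports file. Prints "file:line: finding" lines.
    awk '
        function report(msg) { print FILENAME ":" FNR ": " msg; n++ }
        /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
        {
            path = $1
            if (NF == 1) { report(path " has no host field, exported to everyone"); next }
            for (i = 2; i <= NF; i++) {
                f = $i
                if (f ~ /no_root_squash/) report(path " trusts remote root (no_root_squash) in " f)
                # a bare "(options)" token means: export to everyone with these options
                if (f ~ /^\(/) { report(path " is exported to everyone with " f); continue }
                # host token without "(...)" followed by a "(...)" token: stray space
                if (f !~ /\(/ && i < NF && $(i+1) ~ /^\(/) {
                    report("space after host " f ": it gets default options, " $(i+1) " applies to everyone")
                    i++                          # the "(options)" token was consumed here
                }
            }
        }
        END { exit (n > 0) }
    ' "$1"
}

# Constructed sample exports file (the book's examples plus two bad lines);
# not the configuration of any real host.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample
/mnt/cdrom              (ro)
/tmp                    (rw)
/home                   192.168.0.0/255.255.255.0(rw)
/srv/build              buildhost (rw)
/srv/data               192.168.0.0/255.255.255.0(rw,no_root_squash)
/home/ftp               (ro,all_squash,anonuid=95,anongid=95)
EOF

audit_exports "$SAMPLE" || echo "audit returned $?: fix these before running exportfs -rv"
```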

29.2.4. The NFS Client

The NFS client software on Linux consists of several parts: portmap, rpc.statd, and rpc.lockd. Commands such as mount, showmount, and rpcinfo are the tools you use.

The NFS client requires a specific set of kernel modules: nfs, lockd, and sunrpc. These kernel modules will be automatically loaded by the kernel module loader when you mount a remote filesystem.

The NFS client (as well as the server) requires the system to be running the portmapper, the portmap daemon. To start it, run /etc/init.d/portmap start (or on some systems, /etc/rc.d/init.d/portmap start).

The utility required to get access to an NFS filesystem is mount. It is used to mount remote NFS filesystems as well as local filesystems. Generally, mount is used like this:

 mount -o options remotehost:/remote/path /local/path 

Table 29-2 lists the most common mount options used on NFS.

Table 29-2. NFS mount options

Mount option

Description

bg

When this is specified, if a mount times out, it will be backgrounded so as to not block the boot process and to give the user his command prompt back. That is the theory anyway; it has never worked on Linux for us.

hard

If a timeout occurs, send a "Server not responding" message to the console and continue to retry. (This is the default behavior.)

intr

For a hard mount that has timed out, allow I/O to be interrupted with a signal to the calling program. (The default is to not allow I/O on a hard mount to be interrupted.) This allows users that get hung due to NFS server downtime to free themselves from the lockup by pressing Ctrl-C.

nolock

Disable locking on this mount.

rsize=num

Read num bytes at a time (instead of the default 1024 bytes); 8192 should be used in most cases.

soft

If a timeout occurs, return an I/O error to the calling program. There is a definite risk that the program does not handle this error correctly and that the file will be incomplete or corrupted without warning.

wsize=num

Write num bytes at a time (instead of the default 1024 bytes); 8192 should be used in most cases.


When mounting NFS shares, always include the options hard,intr. It is absolutely reckless to use soft. A good example mount command for mounting the filesystem /export on the NFS server linux.example.com with an 8-K block size on /mnt/nfs is the following:

 mount -o rsize=8192,wsize=8192,hard,intr linux.example.com:/export /mnt/nfs 

29.2.5. NFS Tools

In addition to using the mount command to mount NFS filesystems, a few other useful NFS tools can help you use and administer them. In particular, the showmount and rpcinfo commands are regularly used.


Syntax

 nfsstat [options] 


Description

Display NFS server and client statistics. This command displays the number of times each RPC procedure in the NFS servers and clients have been called. This is mostly uninteresting, although the counters can be used to graph loads and in some situations to do troubleshooting. By default, the command displays both server and client statistics and both NFS and RPC statistics.


Options


-c

Show client-side statistics only, not server-side statistics


-n

Show NFS statistics only, not RPC statistics


-r

Show RPC statistics only, not NFS statistics


-s

Show server-side statistics only, not client-side statistics


Syntax

 rpcinfo -p [host]
 rpcinfo -n [portnum] [-t | -u] [host] program [version]


Description

Show RPC services for host.


Options


-p [host]

Probe the portmapper on host and list registered RPC programs. If no host is specified, the system's hostname is used.


-n [portnum]

Use portnum as the port number for the -t or -u option instead of the port number supplied by portmapper.


-t [host] program [version]


-u [host] program [version]

Make an RPC call to program on host and report the response. The version of the service can optionally be specified. If the -t option is used, the call is done by TCP, whereas the -u option does it by UDP. This can be used as a RPC ping command. Thus, the following command pings the NFS service, all versions:

 # rpcinfo -u fileserver nfs
 program 100003 version 2 ready and waiting
 program 100003 version 3 ready and waiting


Syntax

 showmount [options] host 


Description

Show export mount information for host.


Options


-a, --all

List the client hostname and the mounted directory in host:dir format.


-d, --directories

List only the directories mounted by a client.


-e, --exports

Show the NFS server's export list.


--no-headers

Suppress the descriptive headings from the output.



LPI Linux Certification in a Nutshell (In a Nutshell (O'Reilly))
ISBN: 0596005288
Year: 2004
Pages: 257