* Create nfsserver.md (#1335)

* Create nfsserver.md

Documentation about nfsserver

* Apply suggestions from code review

Thx @serge

Co-authored-by: Serge Croisé <SergeCroise@users.noreply.github.com>

* Update docs/guides/file_sharing/nfsserver.md

Those darn spaces!

Co-authored-by: Serge Croisé <SergeCroise@users.noreply.github.com>

* Update docs/guides/file_sharing/nfsserver.md

Co-authored-by: Serge Croisé <SergeCroise@users.noreply.github.com>

* Update docs/guides/file_sharing/nfsserver.md

wording change

Co-authored-by: Serge Croisé <SergeCroise@users.noreply.github.com>

* Update nfsserver.md

---------

Co-authored-by: Serge Croisé <SergeCroise@users.noreply.github.com>
Co-authored-by: sspencerwire <sspencerwire@gmail.com>
Co-authored-by: wale soyinka <wsoyinka@gmail.com>

* NFS server edits:

* remove most (not all) passive voice
* remove punctuation on bullet points except those under "Case studies" which are command parameters with a qualifying sentence.
* some minor wording changes for better understanding (for instance "conserved" becomes "preserves")
* added Serge to contributors

* Update nfsserver.md

Some changes not saved... edited to put them back in.

* Update docs/guides/file_sharing/nfsserver.md

Co-authored-by: Serge Croisé <SergeCroise@users.noreply.github.com>

---------

Co-authored-by: Antoine Le Morvan <antoine@le-morvan.com>
Co-authored-by: Serge Croisé <SergeCroise@users.noreply.github.com>
Co-authored-by: wale soyinka <wsoyinka@gmail.com>
1 parent f9376d4, commit dd95a28
Showing 1 changed file with 185 additions and 0 deletions.
@@ -0,0 +1,185 @@ | ||
--- | ||
title: Network File System | ||
author: Antoine Le Morvan | ||
contributors: Steven Spencer, Serge | ||
--- | ||
# Network File System | ||
|
||
**Knowledge**: :star: :star: | ||
**Complexity**: :star: :star: | ||
|
||
**Reading time**: 15 minutes | ||
|
||
**N**etwork **F**ile **S**ystem (**NFS**) is a network-mounted file-sharing system. | ||
|
||
## Generalities | ||
|
||
NFS is a client/server protocol: the server provides file system resources for all or part of the network (clients). | ||
|
||
The communication between clients and server takes place by way of **R**emote **P**rocedure **C**all (**RPC**) services. | ||
|
||
Remote files are mounted in a directory and appear as a local file system. Client users seamlessly access files shared by the server, browsing directories as if they were local. | ||
|
||
## Installation | ||
|
||
NFS requires two services to function: | ||
|
||
* The `network` service (of course) | ||
* The `rpcbind` service | ||
|
||
View the status of the services with the command: | ||
|
||
``` | ||
systemctl status rpcbind | ||
``` | ||
|
||
If the `nfs-utils` package is not installed: | ||
|
||
``` | ||
sudo dnf install nfs-utils | ||
``` | ||
|
||
The `nfs-utils` package requires the installation of several dependencies, including `rpcbind`. | ||
|
||
Start the NFS service with: | ||
|
||
``` | ||
sudo systemctl enable --now nfs-server rpcbind | ||
``` | ||
|
||
Installing the NFS service creates two users: | ||
|
||
* `nobody`: used for anonymous connections | ||
* `rpcuser`: for RPC protocol operation | ||
|
||
Configuring the firewall is necessary: | ||
|
||
``` | ||
sudo firewall-cmd --add-service={nfs,nfs3,mountd,rpc-bind} --permanent | ||
sudo firewall-cmd --reload | ||
``` | ||
|
||
## Server configuration | ||
|
||
!!! warning "warning" | ||
|
||
Directory rights and NFS rights must be consistent. | ||
|
||
### The `/etc/exports` file | ||
|
||
Set up resource shares with the `/etc/exports` file. Each line in this file corresponds to an NFS share. | ||
|
||
``` | ||
/share_name client1(permissions) client2(permissions) | ||
``` | ||
|
||
* **/share_name**: Absolute path of shared directory | ||
* **clients**: Clients authorized to access resources | ||
* **(permissions)**: Permissions on resources | ||
|
||
Declare machines authorized to access resources with: | ||
|
||
* **IP address**: `192.168.1.2` | ||
* **Network address**: `192.168.1.0/255.255.255.0` or CIDR format `192.168.1.0/24` | ||
* **FQDN**: client_*.rockylinux.org: allows FQDNs starting with client_ from the rockylinux.org domain | ||
* `*` for everybody | ||
|
||
Specification of multiple clients is possible on the same line separated by a space. | ||
|
||
### Permissions on resources | ||
|
||
There are two types of permissions: | ||
|
||
* `ro`: read-only | ||
* `rw`: read-write | ||
|
||
If no right is specified, then the right applied will be read-only. | ||
|
||
By default, the NFS server preserves the client user UIDs and GIDs (except for `root`). | ||
|
||
To force the use of a UID or GID other than that of the user writing the resource, specify the `anonuid=UID` and `anongid=GID` options, or give `anonymous` access to the data with the `all_squash` option. | ||
|
||
!!! warning "warning" | ||
|
||
There is a parameter, `no_root_squash`, which identifies the client root user as the server root user. This parameter can be dangerous from a system security point of view. | ||
|
||
Activation of the `root_squash` parameter is a default (even if not specified), identifying `root` as an `anonymous` user. | ||
|
||
### Case studies | ||
|
||
* `/share client(ro,all_squash)` | ||
Client users have read-only access to resources and are identified as anonymous on the server. | ||
|
||
* `/share client(rw)` | ||
Client users can modify resources and keep their UID on the server. Only `root` is identified as `anonymous`. | ||
|
||
* `/share client1(rw) client2(ro)` | ||
Users on client workstation 1 can modify resources, while those on client workstation 2 have read-only access. | ||
UIDs are kept on the server, and only `root` is identified as `anonymous`. | ||
|
||
* `/share client(rw,all_squash,anonuid=1001,anongid=100)` | ||
Client1 users can modify resources. Their UID is changed to `1001` and their GID to `100` on the server. | ||
|
||
### The `exportfs` command | ||
|
||
The `exportfs` (exported file systems) command is used to manage the table of local files shared with NFS clients. | ||
|
||
``` | ||
exportfs [-a] [-r] [-u share_name] [-v] | ||
``` | ||
|
||
| Options | Description | | ||
| --------------- | ----------------------------------------- | | ||
| `-a` | Enables NFS shares | | ||
| `-r` | Applies shares from the `/etc/exports` file | | ||
| `-u share_name` | Disables a given share | | ||
| `-v` | Displays the list of shares | | ||
|
||
### The `showmount` command | ||
|
||
Use the `showmount` command to monitor clients. | ||
|
||
``` | ||
showmount [-a] [-e] [host] | ||
``` | ||
|
||
| Options | Description | | ||
| ------- | ----------------------------------------- | | ||
| `-e` | Displays shares on the designated server | | ||
| `-a` | Displays all current shares on the server | | ||
|
||
This command also determines whether the client workstation has authorization to mount shared resources. | ||
|
||
!!! note "note" | ||
|
||
`showmount` sorts and hides duplicates in the results, so it's impossible to determine whether a client has made multiple mounts of the same directory or not. | ||
|
||
## Client configuration | ||
|
||
Shared resources on an NFS server are accessible through a mount point on the client. | ||
|
||
If required, create a local folder for mounting: | ||
|
||
``` | ||
$ sudo mkdir /mnt/nfs | ||
``` | ||
|
||
List available NFS shares on the server: | ||
|
||
``` | ||
$ showmount –e 172.16.1.10 | ||
/share * | ||
``` | ||
|
||
Mount the server's NFS share: | ||
|
||
``` | ||
$ mount –t nfs 172.16.1.10:/share /mnt/nfs | ||
``` | ||
|
||
Automation of the mount can happen at system startup with the `/etc/fstab` file: | ||
|
||
``` | ||
$ sudo vim /etc/fstab | ||
172.16.1.10:/share /mnt/nfs nfs defaults 0 0 | ||
``` |
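Review bot: the two client-side commands under "Client configuration" use a typographic en-dash instead of the ASCII hyphen-minus (`$ showmount –e 172.16.1.10` and `$ mount –t nfs 172.16.1.10:/share /mnt/nfs`), so a reader who copies them gets an unknown-option error; replace them with `-e` and `-t`, and since mounting needs root, prefix the mount line with `sudo` as the preceding `$ sudo mkdir /mnt/nfs` line does. Two smaller points in the same hunk: the fourth case study's export line names the client `client` but its description starts with "Client1 users", which should be aligned with the other three examples; and the client list under "Declare machines authorized to access resources" offers `*` "for everybody" with no caveat, while the `no_root_squash` warning further down is the only security note in the section. A sentence next to `*` saying that it exports the share to any host that can reach the server, and that it should not be combined with `rw` or `no_root_squash`, would match the defensive tone of that warning.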