How to Install NFS on Ubuntu
root@len:/# apt install nfs-kernel-server
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following NEW packages will be installed
nfs-kernel-server
0 to upgrade, 1 to newly install, 0 to remove and 0 not to upgrade.
Need to get 98.9 kB of archives.
After this operation, 420 kB of additional disk space will be used.
Get:1 http://gb.archive.ubuntu.com/ubuntu focal-updates/main amd64 nfs-kernel-server amd64 1:1.3.4-2.5ubuntu3.4 [98.9 kB]
Fetched 98.9 kB in 0s (871 kB/s)
Selecting previously unselected package nfs-kernel-server.
(Reading database … 213177 files and directories currently installed.)
Preparing to unpack …/nfs-kernel-server_1%3a1.3.4-2.5ubuntu3.4_amd64.deb …
Unpacking nfs-kernel-server (1:1.3.4-2.5ubuntu3.4) …
Setting up nfs-kernel-server (1:1.3.4-2.5ubuntu3.4) …
Created symlink /etc/systemd/system/multi-user.target.wants/nfs-server.service → /lib/systemd/system/nfs-server.service.
Job for nfs-server.service canceled.
Creating config file /etc/exports with new version
Creating config file /etc/default/nfs-kernel-server with new version
Processing triggers for man-db (2.9.1-1) …
Processing triggers for systemd (245.4-4ubuntu3.16) …
root@len:/#
On Ubuntu 20.04, NFS version 2 is disabled. Versions 3 and 4 are enabled.
Verify by running:
sudo cat /proc/fs/nfsd/versions
root@len:~# cat /proc/fs/nfsd/versions
-2 +3 +4 +4.1 +4.2
root@len:~#
NFS server configuration is defined in /etc/default/nfs-kernel-server and /etc/default/nfs-common files.
The default settings are adequate for most environments.
NFS Version 4 uses a global root directory, where exported directories are relative to this directory.
You link the share mountpoint to the directories you want to export by using bind mounts.
For example:
First, set the /srv/nfs4 directory as the NFS root.
We will share two directories (/var/www and /opt/backups) with different settings.
/var/www/ is owned by user www-data,
while /opt/backups is owned by root.
First we create the root directory and the share mountpoints:
sudo mkdir -p /srv/nfs4/backups
sudo mkdir -p /srv/nfs4/www
Bind the NFS Mount Points
MAKE SURE YOU INCLUDE THE BIND COMMAND – AND – ADD THIS TO THE /etc/fstab if it should be automatically activated on reboots!
Next we bind mount the directories to the share mountpoints:
sudo mount --bind /opt/backups /srv/nfs4/backups
sudo mount --bind /var/www /srv/nfs4/www
To make the bind mounts permanent across reboots, add the following to the /etc/fstab file:
/etc/fstab
/opt/backups /srv/nfs4/backups none bind 0 0
/var/www /srv/nfs4/www none bind 0 0
This is important – otherwise the NFS mounts will not be connected from /srv/nfs4 to their respective server mounts!
Then export the file systems
We do this by adding the file systems to be exported, and the clients permitted to access those shares, to the /etc/exports file:
Each line for an exported file system looks like this:
export host(options)
For our example, we could have something like this, for various networks and client machines:
/srv/nfs4 192.168.10.0/24(rw,sync,no_subtree_check,crossmnt,fsid=0)
/srv/nfs4/backups 192.168.10.0/24(ro,sync,no_subtree_check) 192.168.20.5(rw,sync,no_subtree_check)
/srv/nfs4/www 192.168.10.30(rw,sync,no_subtree_check)
The first line contains the fsid=0 option to define the NFS root directory (here it is /srv/nfs4).
Access to this NFS volume is permitted solely to the clients from subnet 192.168.10.0/24.
The crossmnt option allows us to share directories that are sub-directories of an exported directory.
The second line demonstrates how to specify multiple export rules for one specific filesystem. Read-only access is granted to the 192.168.10.0/24 subnet, and read and write access only to the 192.168.20.5 client machine.
Finally the sync option tells NFS to write changes to the disk before responding.
After saving the file, export the shares by running:
exportfs -ar
Whenever you modify the /etc/exports file this command must be executed so that the file is re-read by the NFS server.
Practical example:
root@len:/srv#
root@len:/srv#
root@len:/srv# mkdir nfs4
root@len:/srv# cd nfs4/
root@len:/srv/nfs4# ls
root@len:/srv/nfs4# mkdir PRIMARY_MEDIA
root@len:/srv/nfs4# mkdir PRIMARY_BACKUP
mount --bind /media/kevin/PRIMARY_MEDIA /srv/nfs4/PRIMARY_MEDIA
mount --bind /media/kevin/PRIMARY_BACKUP /srv/nfs4/PRIMARY_BACKUP
root@len:/srv/nfs4# mount --bind /media/kevin/PRIMARY_MEDIA /srv/nfs4/PRIMARY_MEDIA
root@len:/srv/nfs4# mount --bind /media/kevin/PRIMARY_BACKUP /srv/nfs4/PRIMARY_BACKUP
verify with:
df
/dev/sdb1 2063187344 1504043404 454269956 77% /srv/nfs4/PRIMARY_MEDIA
/dev/sdb2 1031069848 326633048 651991616 34% /srv/nfs4/PRIMARY_BACKUP
root@len:/srv/nfs4#
Then enter the exports in /etc/exports:
root@len:/srv/nfs4# cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
# allow only asusvpn to mount:
/srv/nfs4 10.147.18.14(rw,sync,fsid=0,crossmnt,no_subtree_check)
/srv/nfs4/PRIMARY_MEDIA 10.147.18.14(rw,sync,no_subtree_check)
/srv/nfs4/PRIMARY_BACKUP 10.147.18.14(rw,sync,no_subtree_check)
root@len:/srv/nfs4#
root@len:/srv/nfs4# exportfs -va
exporting 10.147.18.14:/srv/nfs4/PRIMARY_BACKUP
exporting 10.147.18.14:/srv/nfs4/PRIMARY_MEDIA
exporting 10.147.18.14:/srv/nfs4
root@len:/srv/nfs4#
The systemd service nfs-kernel-server has to be running:
root@len:/srv/nfs4# systemctl status nfs-kernel-server
● nfs-server.service - NFS server and services
Loaded: loaded (/lib/systemd/system/nfs-server.service; enabled; vendor preset: enabled)
Active: active (exited) since Fri 2022-04-29 23:43:12 BST; 10min ago
Process: 272163 ExecStartPre=/usr/sbin/exportfs -r (code=exited, status=0/SUCCESS)
Process: 272164 ExecStart=/usr/sbin/rpc.nfsd $RPCNFSDARGS (code=exited, status=0/SUCCESS)
Main PID: 272164 (code=exited, status=0/SUCCESS)
Apr 29 23:43:11 len systemd[1]: Starting NFS server and services…
Apr 29 23:43:12 len systemd[1]: Finished NFS server and services.
root@len:/srv/nfs4#
you can then mount on the client
How To Display NFS Version
NFS Server version:
nfsstat -s
NFS Client version:
nfsstat -c
root@len:/srv/nfs4# nfsstat --help
Usage: nfsstat [OPTION]...
-m, --mounts Show statistics on mounted NFS filesystems
-c, --client Show NFS client statistics
-s, --server Show NFS server statistics
-2 Show NFS version 2 statistics
-3 Show NFS version 3 statistics
-4 Show NFS version 4 statistics
-o [facility] Show statistics on particular facilities.
nfs NFS protocol information
rpc General RPC information
net Network layer statistics
fh Usage information on the server's file handle cache
io Usage information on the server's io statistics
ra Usage information on the server's read ahead cache
rc Usage information on the server's request reply cache
all Select all of the above
-v, --verbose, --all Same as '-o all'
-r, --rpc Show RPC statistics
-n, --nfs Show NFS statistics
-Z[#], --sleep[=#] Collects stats until interrupted.
Cumulative stats are then printed
If # is provided, stats will be output every
# seconds.
-S, --since file Shows difference between current stats and those in 'file'
-l, --list Prints stats in list format
--version Show program version
--help What you just did
root@len:/srv/nfs4#
Firewalling for NFS
rpcinfo -p | grep nfs
Port 111 (TCP and UDP) and 2049 (TCP and UDP) for the NFS server.
This will give a list of all ports used by all NFS-related program:
rpcinfo -p | awk '{print $3" "$4}' | sort -k2n | uniq
root@intel:/media/kevin# rpcinfo -p | awk '{print $3" "$4}' | sort -k2n | uniq
proto port
tcp 111
udp 111
tcp 2049
udp 2049
tcp 36705
tcp 39599
udp 39774
udp 40836
tcp 44743
udp 48795
tcp 49095
udp 58224
root@intel:/media/kevin#
NFS Ports
You need to open the following ports:
ufw allow in from 10.147.18.0/24 to any port 111
ufw allow in from 10.147.18.0/24 to any port 2049
ufw allow in from 10.147.18.0/24 to any port 33333
root@intel:/home/kevin# ufw allow in from 10.147.18.0/24 to any port 111
Rule added
root@intel:/home/kevin#
root@intel:/home/kevin# ufw allow in from 10.147.18.0/24 to any port 2049
Rule added
root@intel:/home/kevin# ufw allow in from 10.147.18.0/24 to any port 33333
Rule added
root@intel:/home/kevin#
then do:
root@intel:/home/kevin# iptables-save > /etc/iptables.rules
root@intel:/home/kevin#
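An added example (not from the original page) that checks each RPC service registered with the portmapper against the three ports the ufw rules above allow. The rpcinfo sample is constructed: it reuses port numbers from the listing above, but the service-to-port pairing is illustrative, and the function names are made up for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): compare portmapper registrations
# with the ports the ufw rules above allow (111, 2049, 33333).

sample_rpcinfo() {   # constructed `rpcinfo -p` output; service-to-port pairing is illustrative
    cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100005    3   tcp  44743  mountd
    100005    3   udp  48795  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    4   tcp  36705  nlockmgr
    100024    1   udp  39774  status
EOF
}

rpc_port_coverage() {   # $1: space-separated allowed ports; stdin: `rpcinfo -p` output
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $4 ~ /^[0-9]+$/ {                            # data rows only, header skipped
        key = $5 "\t" $3 "\t" $4                 # service, protocol, port
        if (key in seen) next                    # one row per service/proto/port, not per version
        seen[key] = 1
        printf "%s\t%s\n", key, (($4 in ok) ? "allowed" : "NOT ALLOWED")
    }'
}

# On a live server: rpcinfo -p | rpc_port_coverage "111 2049 33333"
sample_rpcinfo | rpc_port_coverage "111 2049 33333"
```

Rows marked NOT ALLOWED matter to NFSv3 clients, which reach mountd, nlockmgr and status on their registered ports; NFSv4 mounts use only port 2049.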
Also make sure exportfs -ra is run, otherwise there won't be any NFS volumes to export!
root@intel:/# cat /etc/exports
/media/kevin/PRIMARY_MEDIA 10.147.18.0/24(rw,insecure,sync,no_subtree_check,no_root_squash)
/media/kevin/PRIMARY_BACKUP 10.147.18.0/24(rw,insecure,sync,no_subtree_check,no_root_squash)
and restart nfs-kernel-server:
systemctl restart nfs-kernel-server
root@intel:~# systemctl status nfs-kernel-server
● nfs-server.service - NFS server and services
Loaded: loaded (/lib/systemd/system/nfs-server.service; enabled; vendor preset: enabled)
Drop-In: /run/systemd/generator/nfs-server.service.d
└─order-with-mounts.conf
Active: active (exited) since Fri 2021-06-04 20:08:31 CEST; 1h 11min ago
Process: 25565 ExecStartPre=/usr/sbin/exportfs -r (code=exited, status=0/SUCCESS)
Process: 25566 ExecStart=/usr/sbin/rpc.nfsd $RPCNFSDARGS (code=exited, status=0/SUCCESS)
Main PID: 25566 (code=exited, status=0/SUCCESS)
Jun 04 20:08:30 intel systemd[1]: Starting NFS server and services...
Jun 04 20:08:31 intel systemd[1]: Finished NFS server and services.
root@intel:~#
Error Message: chown: operation not permitted
By default the root_squash export option is set, which means NFS does not allow the root user on a connecting NFS client to perform operations as root on the NFS server.
rsync: [receiver] chown "/home/kevin/file.txt" failed: Operation not permitted (1)
To resolve this, set the no_root_squash option for the share in the /etc/exports file. With it set, root on any client permitted by that export line acts as root on the exported files, so keep the client list for such a share narrow.
(rw,insecure,sync,no_subtree_check,no_root_squash)
root@intel:/# cat /etc/exports
/media/kevin/PRIMARY_MEDIA 10.147.18.0/24(rw,insecure,sync,no_subtree_check,no_root_squash)
/media/kevin/PRIMARY_BACKUP 10.147.18.0/24(rw,insecure,sync,no_subtree_check,no_root_squash)
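An added example (not from the original page) that audits exports(5) lines in the "export host(options)" format used throughout this page and reports the options that weaken access control or durability. The sample reuses export lines from this page plus one constructed wildcard line; the function names are made up for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): flag risky options in exports(5) lines.

sample_exports() {   # entries taken from this page, plus one constructed wildcard line (the last)
    cat <<'EOF'
# allow only asusvpn to mount:
/srv/nfs4 10.147.18.14(rw,sync,fsid=0,crossmnt,no_subtree_check)
/media/kevin/PRIMARY_MEDIA 10.147.18.0/24(rw,insecure,sync,no_subtree_check,no_root_squash)
/srv/nfs4/Downloads 10.147.18.0/24(rw,nohide,insecure,no_subtree_check,async)
/srv/nfs4/backups 192.168.10.0/24(ro,sync,no_subtree_check) 192.168.20.5(rw,sync,no_subtree_check)
/srv/nfs4/www *(rw,sync,no_subtree_check)
EOF
}

audit_exports() {   # args: exports file(s), or stdin when none; prints path<TAB>client<TAB>finding
    awk '
    NF == 0 || $1 ~ /^#/ { next }                # skip blank lines and comments
    {
        for (i = 2; i <= NF; i++) {              # one field per client(options) entry
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            # "*" or a bare "(opts)" field (a stray space before the parenthesis) matches every host
            if (client == "" || client == "*")
                printf "%s\t%s\t%s\n", $1, (client == "" ? "(none)" : client), "exported to every host"
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "no_root_squash") msg = "no_root_squash: client root keeps uid 0 on the share"
                else if (o[j] == "insecure")  msg = "insecure: source ports above 1023 accepted"
                else if (o[j] == "async")     msg = "async: server replies before data reaches disk"
                else continue
                printf "%s\t%s\t%s\n", $1, client, msg
            }
        }
    }' "$@"
}

# On a live server: audit_exports /etc/exports
sample_exports | audit_exports
```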
Showmount -e
root@len:/srv/nfs4# showmount -e
Export list for len:
/srv/nfs4/PRIMARY_BACKUP 10.147.18.14
/srv/nfs4/PRIMARY_MEDIA 10.147.18.14
/srv/nfs4 10.147.18.14
root@len:/srv/nfs4#
root@gemini:~#
root@gemini:~# rpcinfo | egrep "service|nfs"
program version netid address service owner
100003 3 tcp 0.0.0.0.8.1 nfs superuser
100003 4 tcp 0.0.0.0.8.1 nfs superuser
100003 3 udp 0.0.0.0.8.1 nfs superuser
100003 3 tcp6 ::.8.1 nfs superuser
100003 4 tcp6 ::.8.1 nfs superuser
100003 3 udp6 ::.8.1 nfs superuser
root@gemini:~#
To export the Root NFS tree
For security reasons, NFS shares should be defined using the NFS root directory definition.
For example with the following definitions in /etc/exports:
/srv/nfs4 10.147.18.0/24(rw,fsid=0,insecure,no_subtree_check,async)
/srv/nfs4/Downloads 10.147.18.0/24(rw,nohide,insecure,no_subtree_check,async)
/srv/nfs4/DATA 10.147.18.0/24(rw,sync,no_subtree_check)
/srv/nfs4/NEXTCLOUD 10.147.18.0/24(rw,sync,no_subtree_check)
In this case the first line defines /srv/nfs4 as the NFS root.
Remember to run exportfs -ra after editing the /etc/exports file so that the directives are read by the NFS server.
Then, to mount the NFS root directory from the client, run:
mount -v -t nfs4 geminivpn:/ /media/kevin/nfs4
You can then access the shares under /media/kevin/nfs4 by simply cd’ing to the desired directory share.
e.g.
cd Downloads