
Installing and Configuring NFS

How to Install NFS on Ubuntu

 

root@len:/#
root@len:/# apt install nfs-kernel-server
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following NEW packages will be installed
nfs-kernel-server
0 to upgrade, 1 to newly install, 0 to remove and 0 not to upgrade.
Need to get 98.9 kB of archives.
After this operation, 420 kB of additional disk space will be used.
Get:1 http://gb.archive.ubuntu.com/ubuntu focal-updates/main amd64 nfs-kernel-server amd64 1:1.3.4-2.5ubuntu3.4 [98.9 kB]
Fetched 98.9 kB in 0s (871 kB/s)
Selecting previously unselected package nfs-kernel-server.
(Reading database … 213177 files and directories currently installed.)
Preparing to unpack …/nfs-kernel-server_1%3a1.3.4-2.5ubuntu3.4_amd64.deb …
Unpacking nfs-kernel-server (1:1.3.4-2.5ubuntu3.4) …
Setting up nfs-kernel-server (1:1.3.4-2.5ubuntu3.4) …
Created symlink /etc/systemd/system/multi-user.target.wants/nfs-server.service → /lib/systemd/system/nfs-server.service.
Job for nfs-server.service canceled.

Creating config file /etc/exports with new version

Creating config file /etc/default/nfs-kernel-server with new version
Processing triggers for man-db (2.9.1-1) …
Processing triggers for systemd (245.4-4ubuntu3.16) …
root@len:/#

 

 

On Ubuntu 20.04, NFS version 2 is disabled. Versions 3 and 4 are enabled.

Verify by running:

 

sudo cat /proc/fs/nfsd/versions

 

root@len:~# cat /proc/fs/nfsd/versions
-2 +3 +4 +4.1 +4.2
root@len:~#

 

NFS server configuration is defined in the /etc/default/nfs-kernel-server and /etc/default/nfs-common files.

The default settings are adequate for most environments.

 

NFS Version 4 uses a global root directory, where exported directories are relative to this directory.

 

You link the share mountpoint to the directories you want to export by using bind mounts.

 

For example:

 

First, set the /srv/nfs4 directory as the NFS root.

 

We will share two directories (/var/www and /opt/backups) with different settings.

 

/var/www/ is owned by user www-data, while /opt/backups is owned by root.

 

First we create the root directory and the share mountpoints:

 

sudo mkdir -p /srv/nfs4/backups
sudo mkdir -p /srv/nfs4/www

 

Bind the NFS Mount Points

 

 

 

MAKE SURE YOU INCLUDE THE BIND COMMAND – AND – ADD THIS TO THE /etc/fstab if it should be automatically activated on reboots!

 

Next we bind mount the directories to the share mountpoints:

 

sudo mount --bind /opt/backups /srv/nfs4/backups
sudo mount --bind /var/www /srv/nfs4/www

 

 

To make the bind mounts permanent across reboots, add the following to the /etc/fstab file:

 

/etc/fstab
/opt/backups /srv/nfs4/backups none bind 0 0
/var/www /srv/nfs4/www none bind 0 0

 

This is important – otherwise the NFS mounts will not be connected from /srv/nfs4 to their respective server mounts!

 

 

Then export the file systems.

 

We do this by adding the file systems to be exported and the clients to be permitted access to those shares to the /etc/exports file:

 

Each line for an exported file system looks like this:

 

export host(options)

 

For our example, we could have something like this, for various networks and client machines:

/srv/nfs4 192.168.10.0/24(rw,sync,no_subtree_check,crossmnt,fsid=0)
/srv/nfs4/backups 192.168.10.0/24(ro,sync,no_subtree_check) 192.168.20.5(rw,sync,no_subtree_check)
/srv/nfs4/www 192.168.10.30(rw,sync,no_subtree_check)

 

The first line contains the fsid=0 option to define the NFS root directory (here it is /srv/nfs4).

 

Access to this NFS volume is permitted solely to the clients from subnet 192.168.10.0/24.

 

The crossmnt option allows us to share directories that are sub-directories of an exported directory.

 

The second line demonstrates how to specify multiple export rules for one filesystem. Read-only access is granted to the 192.168.10.0/24 subnet, and read and write access only to the 192.168.20.5 client machine.

 

Finally the sync option tells NFS to write changes to the disk before responding.

 

After saving the file, export the shares by running:

 

exportfs -ar

 

Whenever you modify the /etc/exports file this command must be executed so that the file is re-read by the NFS server.

 

 

Practical example:

 

 

root@len:/srv#
root@len:/srv#
root@len:/srv# mkdir nfs4
root@len:/srv# cd nfs4/
root@len:/srv/nfs4# ls
root@len:/srv/nfs4# mkdir PRIMARY_MEDIA
root@len:/srv/nfs4# mkdir PRIMARY_BACKUP

 

mount --bind /media/kevin/PRIMARY_MEDIA /srv/nfs4/PRIMARY_MEDIA

mount --bind /media/kevin/PRIMARY_BACKUP /srv/nfs4/PRIMARY_BACKUP

root@len:/srv/nfs4# mount --bind /media/kevin/PRIMARY_MEDIA /srv/nfs4/PRIMARY_MEDIA
root@len:/srv/nfs4# mount --bind /media/kevin/PRIMARY_BACKUP /srv/nfs4/PRIMARY_BACKUP

 

 

Verify with:

 

df

 

/dev/sdb1 2063187344 1504043404 454269956 77% /srv/nfs4/PRIMARY_MEDIA
/dev/sdb2 1031069848 326633048 651991616 34% /srv/nfs4/PRIMARY_BACKUP
root@len:/srv/nfs4#

 

 

Then add the exports to /etc/exports:

 

 

root@len:/srv/nfs4# cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#

 

# allow only asusvpn to mount:

 

/srv/nfs4 10.147.18.14(rw,sync,fsid=0,crossmnt,no_subtree_check)
/srv/nfs4/PRIMARY_MEDIA 10.147.18.14(rw,sync,no_subtree_check)

/srv/nfs4/PRIMARY_BACKUP 10.147.18.14(rw,sync,no_subtree_check)

root@len:/srv/nfs4#

 

 

root@len:/srv/nfs4# exportfs -va
exporting 10.147.18.14:/srv/nfs4/PRIMARY_BACKUP
exporting 10.147.18.14:/srv/nfs4/PRIMARY_MEDIA
exporting 10.147.18.14:/srv/nfs4
root@len:/srv/nfs4#

 

The systemd service nfs-kernel-server has to be running:

 

root@len:/srv/nfs4# systemctl status nfs-kernel-server
● nfs-server.service - NFS server and services
Loaded: loaded (/lib/systemd/system/nfs-server.service; enabled; vendor preset: enabled)
Active: active (exited) since Fri 2022-04-29 23:43:12 BST; 10min ago
Process: 272163 ExecStartPre=/usr/sbin/exportfs -r (code=exited, status=0/SUCCESS)
Process: 272164 ExecStart=/usr/sbin/rpc.nfsd $RPCNFSDARGS (code=exited, status=0/SUCCESS)
Main PID: 272164 (code=exited, status=0/SUCCESS)

Apr 29 23:43:11 len systemd[1]: Starting NFS server and services…
Apr 29 23:43:12 len systemd[1]: Finished NFS server and services.
root@len:/srv/nfs4#

 

 

You can then mount the shares on the client.

 

 

 

How To Display NFS Version

 

 

NFS Server version:

nfsstat -s

 

NFS Client version:

nfsstat -c

 

 

 

root@len:/srv/nfs4# nfsstat --help
Usage: nfsstat [OPTION]...

-m, --mounts Show statistics on mounted NFS filesystems
-c, --client Show NFS client statistics
-s, --server Show NFS server statistics
-2 Show NFS version 2 statistics
-3 Show NFS version 3 statistics
-4 Show NFS version 4 statistics
-o [facility] Show statistics on particular facilities.
nfs NFS protocol information
rpc General RPC information
net Network layer statistics
fh Usage information on the server's file handle cache
io Usage information on the server's io statistics
ra Usage information on the server's read ahead cache
rc Usage information on the server's request reply cache
all Select all of the above
-v, --verbose, --all Same as '-o all'
-r, --rpc Show RPC statistics
-n, --nfs Show NFS statistics
-Z[#], --sleep[=#] Collects stats until interrupted.
Cumulative stats are then printed
If # is provided, stats will be output every
# seconds.
-S, --since file Shows difference between current stats and those in 'file'
-l, --list Prints stats in list format
--version Show program version
--help What you just did

 

root@len:/srv/nfs4#

 

 

Firewalling for NFS

 

rpcinfo -p | grep nfs

 

Ports 111 (TCP and UDP) and 2049 (TCP and UDP) are needed for the NFS server.

 

 

This will give a list of all ports used by all NFS-related programs:

rpcinfo -p | awk '{print $3" "$4}' | sort -k2n | uniq

root@intel:/media/kevin# rpcinfo -p | awk '{print $3" "$4}' | sort -k2n | uniq
proto port
tcp 111
udp 111
tcp 2049
udp 2049
tcp 36705
tcp 39599
udp 39774
udp 40836
tcp 44743
udp 48795
tcp 49095
udp 58224
root@intel:/media/kevin#

 

NFS Ports

 

You need to open the following ports:

 

ufw allow in from 10.147.18.0/24 to any port 111
ufw allow in from 10.147.18.0/24 to any port 2049
ufw allow in from 10.147.18.0/24 to any port 33333

 

root@intel:/home/kevin# ufw allow in from 10.147.18.0/24 to any port 111 
Rule added
root@intel:/home/kevin# 
root@intel:/home/kevin# ufw allow in from 10.147.18.0/24 to any port 2049
Rule added
root@intel:/home/kevin# ufw allow in from 10.147.18.0/24 to any port 33333
Rule added
root@intel:/home/kevin#

 

Then run:

 

root@intel:/home/kevin# iptables-save > /etc/iptables.rules
root@intel:/home/kevin#

 

 

Also make sure that exportfs -ra is run, otherwise there won't be any NFS volumes to export!

 

root@intel:/# cat /etc/exports

 

/media/kevin/PRIMARY_MEDIA 10.147.18.0/24(rw,insecure,sync,no_subtree_check,no_root_squash) 
/media/kevin/PRIMARY_BACKUP 10.147.18.0/24(rw,insecure,sync,no_subtree_check,no_root_squash)

 

Then restart nfs-kernel-server:

 

systemctl restart nfs-kernel-server

 

root@intel:~# systemctl status nfs-kernel-server
● nfs-server.service - NFS server and services
Loaded: loaded (/lib/systemd/system/nfs-server.service; enabled; vendor preset: enabled)
Drop-In: /run/systemd/generator/nfs-server.service.d
└─order-with-mounts.conf
Active: active (exited) since Fri 2021-06-04 20:08:31 CEST; 1h 11min ago
Process: 25565 ExecStartPre=/usr/sbin/exportfs -r (code=exited, status=0/SUCCESS)
Process: 25566 ExecStart=/usr/sbin/rpc.nfsd $RPCNFSDARGS (code=exited, status=0/SUCCESS)
Main PID: 25566 (code=exited, status=0/SUCCESS)

Jun 04 20:08:30 intel systemd[1]: Starting NFS server and services...
Jun 04 20:08:31 intel systemd[1]: Finished NFS server and services.
root@intel:~#



 

Error Message: chown: operation not permitted

 

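By default the root_squash export option is set. This means NFS does not allow the root user on a connecting NFS client to perform operations as root on the NFS server; requests from uid 0 are mapped to the anonymous user instead. A chown run as root on the client then fails like this: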

 

rsync: [receiver] chown "/home/kevin/file.txt" failed: Operation not permitted (1)

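To resolve this, set the no_root_squash option for the share in the /etc/exports file. With this option, root on any permitted client acts as root on the exported files, so grant it only to client hosts you trust.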

 

(rw,insecure,sync,no_subtree_check,no_root_squash)

 

root@intel:/# cat /etc/exports



/media/kevin/PRIMARY_MEDIA 10.147.18.0/24(rw,insecure,sync,no_subtree_check,no_root_squash) 
/media/kevin/PRIMARY_BACKUP 10.147.18.0/24(rw,insecure,sync,no_subtree_check,no_root_squash)

 

 

 

Showmount -e 

 

root@len:/srv/nfs4# showmount -e
Export list for len:
/srv/nfs4/PRIMARY_BACKUP 10.147.18.14
/srv/nfs4/PRIMARY_MEDIA 10.147.18.14
/srv/nfs4 10.147.18.14
root@len:/srv/nfs4#

 

 

 

root@gemini:~#
root@gemini:~# rpcinfo | egrep "service|nfs"
program version netid address service owner
100003 3 tcp 0.0.0.0.8.1 nfs superuser
100003 4 tcp 0.0.0.0.8.1 nfs superuser
100003 3 udp 0.0.0.0.8.1 nfs superuser
100003 3 tcp6 ::.8.1 nfs superuser
100003 4 tcp6 ::.8.1 nfs superuser
100003 3 udp6 ::.8.1 nfs superuser
root@gemini:~#

 

 

To export the Root NFS tree

 

For security reasons, NFS shares should be defined using the NFS root directory definition.

 

 

For example with the following definitions in /etc/exports:

 

 

/srv/nfs4 10.147.18.0/24(rw,fsid=0,insecure,no_subtree_check,async)
/srv/nfs4/Downloads 10.147.18.0/24(rw,nohide,insecure,no_subtree_check,async)

/srv/nfs4/DATA 10.147.18.0/24(rw,sync,no_subtree_check)
/srv/nfs4/NEXTCLOUD 10.147.18.0/24(rw,sync,no_subtree_check)

 

In this case the first line defines /srv/nfs4 as the NFS root.

Remember to run exportfs -ra after editing the /etc/exports file so that the directives are read by the NFS server.
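An added example (not from the original page) that audits exports(5) lines for the no_root_squash and insecure options used in the chown section above, and checks each export against the fsid=0 root described here. The function names, severity labels and sample lines are illustrative; it assumes one unquoted export per line with no continuation lines.

```shell
#!/bin/sh
# Added example, not from the original page: audit exports(5) lines for the
# options this page uses. Assumes one unquoted export per line, no "\" continuations.

# Constructed sample input, built from /etc/exports lines shown on this page.
sample_exports() {
cat <<'EOF'
/srv/nfs4 10.147.18.0/24(rw,fsid=0,insecure,no_subtree_check,async)
/srv/nfs4/DATA 10.147.18.0/24(rw,sync,no_subtree_check)
/media/kevin/PRIMARY_MEDIA 10.147.18.0/24(rw,insecure,sync,no_subtree_check,no_root_squash)
/srv/nfs4/www 192.168.10.30(rw,sync,no_subtree_check)
EOF
}

# audit_exports [FILE]: read FILE or stdin, print LEVEL, path, client, finding (tab-separated).
audit_exports() {
    awk '
    function report(lvl, msg) { print lvl "\t" path "\t" client "\t" msg }
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    {
        path = $1; paths[++n] = path
        for (i = 2; i <= NF; i++) {
            p = index($i, "(")
            client = (p > 0) ? substr($i, 1, p - 1) : $i
            opts   = (p > 0) ? substr($i, p + 1, length($i) - p - 1) : ""
            wide = (client == "" || client ~ "[*?/]")   # any host, wildcard or netmask
            if (client == "" || client == "*") report("HIGH", "exported to any host")
            m = split(opts, o, ",")
            for (j = 1; j <= m; j++) {
                if (o[j] == "fsid=0") root = path
                if (o[j] == "no_root_squash")
                    report(wide ? "HIGH" : "MEDIUM", "client root keeps uid 0 on the server")
                if (o[j] == "insecure")
                    report("MEDIUM", "requests from source ports above 1023 are accepted")
            }
        }
    }
    END {
        client = "-"
        if (root == "") { path = "-"; report("INFO", "no fsid=0 NFSv4 root defined"); exit }
        for (k = 1; k <= n; k++) {
            path = paths[k]
            if (path != root && index(path, root "/") != 1)
                report("INFO", "outside the fsid=0 root " root)
        }
    }' "$@"
}

sample_exports | audit_exports
```

Run it against the live file with audit_exports /etc/exports before each exportfs -ra.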

 

 

Then, to mount the NFS root directory from the client, run:

 

mount -v -t nfs4 geminivpn:/ /media/kevin/nfs4

 

You can then access the shares under /media/kevin/nfs4 by simply changing to the desired share directory.

For example:

 

cd Downloads

 

 

 
