Linux NFS Configuration
This article provides an introduction to NFS configuration on Linux, with specific reference to the information needed for the RHCE EX300 certification exam.
Remember, the exams are hands-on, so it doesn't matter which method you use to achieve the result, so long as the end product is correct.
- Create Network Shares
- Create Network Shares for Group Collaboration
- Mounting NFS Shares
The NFS service is installed from a Yum repository using the following command.
# yum install nfs-utils -y
Turn on the NFS server and make sure it starts automatically on reboot.
# # Using service command.
# service nfs start
# chkconfig nfs on
# # Using systemctl command (RHEL7/OL7/CentOS7).
# systemctl start nfs
# systemctl enable nfs
NFS shares are configured by altering the contents of the "/etc/exports" file. Configuration changes have to be followed by a restart of the NFS service or a reload.
# service nfs restart
# # or on (RHEL7/OL7/CentOS7)
# systemctl restart nfs
# # or
# exportfs -ra
The ports used by NFS are assigned dynamically, which can present a problem if you are using the Linux firewall. To simplify matters, edit the "/etc/sysconfig/nfs" file, uncommenting the LOCKD_TCPPORT, LOCKD_UDPPORT, MOUNTD_PORT and STATD_PORT entries. This will fix the port numbers to those values specified by the entries, which in my case were the following.
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
Once the service is restarted, we can now open these ports along with the 2049 and 111 ports for NFS and rpcbind respectively. Assuming you are using a firewall setup file, as described here, you can include the following additions to the INPUT chain.
# Open ports for NFS.
iptables -A INPUT -p tcp --dport 2049 -j ACCEPT
iptables -A INPUT -p udp --dport 2049 -j ACCEPT
iptables -A INPUT -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -p udp --dport 111 -j ACCEPT
iptables -A INPUT -p tcp --dport 32803 -j ACCEPT
iptables -A INPUT -p udp --dport 32769 -j ACCEPT
iptables -A INPUT -p tcp --dport 892 -j ACCEPT
iptables -A INPUT -p udp --dport 892 -j ACCEPT
iptables -A INPUT -p tcp --dport 662 -j ACCEPT
iptables -A INPUT -p udp --dport 662 -j ACCEPT
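The firewall rules only help if the matching entries really are uncommented, so the rule list can be derived from the file instead of typed by hand. The following is an added example, not part of the original article; the function name nfs_port_rules and the sample file content (with MOUNTD_PORT left commented out) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of /etc/sysconfig/nfs content: three entries are
# uncommented, MOUNTD_PORT is still commented out.
SAMPLE_SYSCONFIG='# Port settings
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
#MOUNTD_PORT=892
STATD_PORT=662'

# nfs_port_rules CONTENT (hypothetical helper)
# Prints one iptables rule per port/protocol, or "UNPINNED <name>" for an
# entry that is missing or commented out (its port is still dynamic).
nfs_port_rules() {
    content=$1
    # 2049 (NFS) and 111 (rpcbind) are fixed and always needed.
    for port in 2049 111; do
        for proto in tcp udp; do
            echo "iptables -A INPUT -p $proto --dport $port -j ACCEPT"
        done
    done
    for name in LOCKD_TCPPORT LOCKD_UDPPORT MOUNTD_PORT STATD_PORT; do
        # Only an uncommented NAME=number line counts as a pinned port.
        port=$(printf '%s\n' "$content" |
            sed -n "s/^[[:space:]]*$name=\([0-9][0-9]*\)[[:space:]]*\$/\1/p" |
            tail -n 1)
        if [ -z "$port" ]; then
            echo "UNPINNED $name"
            continue
        fi
        # lockd has one entry per protocol; mountd and statd use both.
        case $name in
            LOCKD_TCPPORT) protos="tcp" ;;
            LOCKD_UDPPORT) protos="udp" ;;
            *)             protos="tcp udp" ;;
        esac
        for proto in $protos; do
            echo "iptables -A INPUT -p $proto --dport $port -j ACCEPT"
        done
    done
}

nfs_port_rules "$SAMPLE_SYSCONFIG"
```

An UNPINNED line means a rule for that service would open a port the daemon is not guaranteed to use, so fix the file before adding the rule.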
If you are using SELinux, you will need to consider the following points.
The SELinux booleans associated with the NFS service are displayed using the getsebool command.
# getsebool -a | grep nfs
allow_ftpd_use_nfs --> off
cobbler_use_nfs --> off
git_system_use_nfs --> off
httpd_use_nfs --> off
qemu_use_nfs --> on
rsync_use_nfs --> off
samba_share_nfs --> off
sanlock_use_nfs --> off
sge_use_nfs --> off
use_nfs_home_dirs --> on
virt_use_nfs --> off
xen_use_nfs --> off
#
The setsebool command is used to set a specific boolean value.
# setsebool virt_use_nfs on
# setsebool virt_use_nfs off
You probably don't need to set file contexts. The public_content_t and public_content_rw_t contexts, amongst others, can be assigned to the relevant content if required.
# semanage fcontext -a -t public_content_t "/u01(/.*)?"
# restorecon -F -R -v /u01
You can check the current context setting on files and directories using the "ls -alZ" command.
More information on SELinux can be found here.
Create Network Shares
Shares are created by editing the "/etc/exports" file. In RHEL5 and Fedora distributions you can use a GUI tool called system-config-nfs, but this has been removed from RHEL6.
If the "/etc/exports" file does not exist already, create it to define your shares. The shares can specify individual host names, IP addresses, subnets or wildcards, along with the read-only/read-write nature of the share.
/mount-point-1 host1(ro)
/mount-point-2 192.168.0.190(rw)
/mount-point-3 *(ro)
/mount-point-4 192.168.0.0/24(ro)
/mount-point-5 host1(ro) host2(rw) 192.168.0.0/24(ro)
There are lots of potential share and mount options. You can see the recommended options for mount points used by Oracle here.
Remember to reload the configuration, or restart the NFS service for the changes to take effect.
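Because each client on an export line carries its own options, it is worth listing who gets what before reloading. The following is an added example, not part of the original article; the audit_exports function, its OK/WARN/FAIL levels and the "/mount-point-6" line are constructed for illustration. It also catches a space between the host and the opening bracket, which exports(5) treats as a separate entry that applies the options to every host.

```shell
#!/bin/sh
# Constructed sample in the /etc/exports format shown above. The last line has
# a space before "(rw)", which exports(5) reads as two separate client specs.
SAMPLE_EXPORTS='/mount-point-2 192.168.0.190(rw)
/mount-point-3 *(ro)
/mount-point-5 host1(ro) host2(rw) 192.168.0.0/24(ro)
/mount-point-6 host1 (rw)'

# audit_exports CONTENT (hypothetical helper)
# Prints "LEVEL path client options" for every client spec on every line.
audit_exports() {
    printf '%s\n' "$1" | while read -r path specs; do
        case $path in ''|'#'*) continue ;; esac   # skip blanks and comments
        set -f                                    # keep "*" literal when splitting
        for spec in $specs; do
            case $spec in
                '('*)  client='*'; opts=${spec#'('} ;;          # bare "(opts)": all hosts
                *'('*) client=${spec%%'('*}; opts=${spec#*'('} ;;
                *)     client=$spec; opts='' ;;                 # no options: defaults
            esac
            opts=${opts%')'}
            level=OK
            case $client in *'*'*|*'?'*) level=WARN ;; esac     # wildcard client
            case ",$opts," in                                   # wildcard + read-write
                *,rw,*) if [ "$level" = WARN ]; then level=FAIL; fi ;;
            esac
            echo "$level $path $client ${opts:-default}"
        done
        set +f
    done
}

audit_exports "$SAMPLE_EXPORTS"
```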
The next section shows a worked example, so this should make things a little clearer.
Create Network Shares for Group Collaboration
This section describes the steps necessary to create NFS shares suitable for group collaboration.
Create a group that will act as the owner of the shared files.
# groupadd -g 1000 developers
Create a directory to own the shared files, making sure its group is set correctly. The permissions are set to "+rwx" (0777).
# mkdir /developers_dir
# chgrp developers /developers_dir
# chmod g+s /developers_dir
# chmod -R 777 /developers_dir
Add the following share into the "/etc/exports" file, adjusted correctly for your network.
Reload the NFS configuration.
# exportfs -ra
# showmount -e
Export list for rhce1.localdomain:
/developers_dir 192.168.0.0/24
#
From another machine on the network, mount the share.
# mkdir -p /u01/dev1
# mount -t nfs -o rw rhce1:/developers_dir /u01/dev1
# echo "apples" >> /u01/dev1/test.txt
From another machine on the network, mount the share.
# mkdir -p /u01/dev2
# mount -t nfs -o rw rhce1:/developers_dir /u01/dev2
# echo "oranges" >> /u01/dev2/test.txt
# cat /u01/dev2/test.txt
apples
oranges
#
Host-level security can be controlled using the Linux Firewall or in the share definition itself, as shown previously.
Regular file system permissions apply to NFS shares.
Mounting NFS Shares
The following links point to articles on this site about mounting NFS shares:
For more information see:
- RHEL6 Managing Confined Services : Network File System (NFS)
- Linux man pages
- RHCSA and RHCE
- Linux File Systems (mkfs, mount, fstab)
- Linux Samba Configuration
Hope this helps. Regards Tim...