How to Use an NFS Server on Ubuntu 20.04
Traducciones al EspañolEstamos traduciendo nuestros guías y tutoriales al Español. Es posible que usted esté viendo una traducción generada automáticamente. Estamos trabajando con traductores profesionales para verificar las traducciones de nuestro sitio web. Este proyecto es un trabajo en curso.
Network File System (NFS) is a distributed file system that allows users to access files over a network like files on their own system. The current version of NFS, which was originally developed by Sun Microsystems, is NFS Version 4. NFS is an open standard that builds on the Open Network Computing Remote Procedure Call (ONC RPC) system. This guide provides a brief introduction to NFS and explains how to configure and use NFS on both server and client systems.
An Introduction to NFS
NFS is most commonly used with Linux distributions or macOS but is available for other operating systems. It uses an asynchronous client/server computing model for its distributed file system mechanism. NFS originally used User Datagram Protocol (UDP) for its transport mechanism, but can now also use Transmission Control Protocol (TCP). TCP improves the performance of NFS because it allows for larger read and write operations. Port 2049
is used for both protocols. Over the years, NFS has been updated to offer performance improvements, stronger security, locking mechanisms, more efficient caching, and a stateful protocol. It oversees the authentication, authorization, and management of clients.
The server administrator makes directories accessible to remote users through a configuration file, which defines access privileges for each file or directory. Clients can mount these directories and read, create, or edit files like those on their own computers. After the client sends a mount request to access the system, the server validates whether the client is authorized to mount the directory.
NFS uses a Remote Procedure Call (RPC) to assemble and process a request. Client system calls, such as read, write, open, and close, are translated into RPC function calls. These requests are sent to the server, where they are validated and directed to the correct handler. The appropriate file or metadata is then either updated or transmitted to the client. The entire process is transparent to the client.
NFS uses file handlers to identify each file. File handlers are defined in relation to the root directory of the system. The file handler uses a volume identifier and an inode number to identify the file partition and locate the file within the partition. NFS also tracks the file attributes, which contain metadata about the file. This metadata includes the creation and modification dates, file size, owner, and permissions. All clients must use the same locking and caching options to avoid inconsistency in files. This allows access to the NFS server from different clients.
More detailed information about the operational details of NFS can be found on the Linux NFS site.
Advantages and Disadvantages of NFS
NFS has been widely adopted due to its positive cost-benefit ratio. Some of its advantages include:
- It is an open-source, low-cost solution.
- A low-level of effort is needed to set it up and requires minimal knowledge for both administrators and clients to use. NFS has a low administrative overhead after the initial configuration has been completed.
- Network administrators can centralize data and save on storage and network devices when using NFS.
- It permits easy sharing of data. Multiple users can access the same files.
- Files are kept up to date. There are no conflicts or uncertainties between different versions of a file. The possibility of an out-of-date version being accidentally used is greatly reduced.
- NFS is interoperable with different vendors and implementations.
- It provides for quick recovery from crashes.
Due to its flexibility, openness, and simple mechanisms, there are also some drawbacks to using NFS.
- It is somewhat insecure, and should only be used in an internal network. Shared files should be shielded from general internet access. Organizations might want to consider whether to make highly sensitive documents available through NFS.
- NFS can slow down during heavy use.
- Data access is somewhat inefficient due to the amount of protocol overhead.
- The block size of a transfer is currently capped at 1MB. This is inefficient for very large files. The transfer limit of 1.5GB/s is also on the low side.
- The configuration parameters for locking and caching can be complex and difficult to configure.
Before You Begin
Familiarize yourself with Linode’s Getting Started with Linode guide and complete the steps for setting your Linode’s hostname and timezone.
This guide uses
sudo
wherever possible. Complete the sections of Linode’s guide on How to Secure Your Server to create a standard user account, harden SSH access and remove unnecessary network services. Do not follow the Configure a Firewall section yet. This guide includes firewall rules specifically for an OpenVPN server.Update your system:
sudo apt-get update && sudo apt-get upgrade
To complete the server and client configuration, two Linodes are required. One Linode serves as the NFS host and server, while the other acts as a client. Note the IP addresses of both Linodes. Throughout the following sections, replace
server_ip_addr
with the IP address of the NFS server, andclient_ip_addr
with the address of the client.
NoteThe steps in this guide are written for a non-root user. Commands that require elevated privileges are prefixed withsudo
. If you are not familiar with thesudo
command, see the Linux Users and Groups guide.
Configure the NFS Server and Client
The steps involved in configuring the NFS server and the client are as follows:
- Install the NFS server and client Software
- Configure the firewall on the NFS server
- Create an export directory on the NFS server
- Configure the NFS export settings on the server
- Create an NFS mount point on the client
Install the NFS Server and Client Software
The NFS package must be installed on both the server and the client. The server requires the full NFS kernel, while clients only have to install the nfs-common
package.
On the NFS server, update all packages.
sudo apt update
Install the
nfs-kernel-server
package on the server.sudo apt install nfs-kernel-server
Note
By default, the NFS server supports versions 3 and 4. Verify the versions that are enabled using thesudo cat /proc/fs/nfsd/versions
command.Verify the status of the NFS server using the
systemctl
utility. It should display a status ofactive
.sudo systemctl status nfs-kernel-server.service
nfs-server.service - NFS server and services Loaded: loaded (/lib/systemd/system/nfs-server.service; enabled; vendor preset: enabled) Active: active (exited) since Tue 2021-07-06 12:57:35 UTC; 1h 18min ago Main PID: 2588 (code=exited, status=0/SUCCESS) Tasks: 0 (limit: 4615) Memory: 0B CGroup: /system.slice/nfs-server.service
Update all packages on the Linode serving as the client.
sudo apt update
On the client, install the
nfs-common
package.sudo apt install nfs-common
Configure the Firewall on the NFS Server
NFS has an inherent security risk because it allows external servers to access some of its directories and files. Configure the ufw
firewall to enforce strict NFS access based on the IP address of the client. NFS allows access through port 2049
. Verified users require access to this port to use NFS.
On the server, verify the current
ufw
settings and verify whether a rule exists for NFS yet.sudo ufw status
Status: active To Action From -- ------ ---- OpenSSH ALLOW Anywhere Apache Full ALLOW Anywhere OpenSSH (v6) ALLOW Anywhere (v6) Apache Full (v6) ALLOW Anywhere (v6)
Add a rule to allow port
2049
to accept traffic from the client’s IP address. Replaceclient_ip_addr
with the address of the client Linode.sudo ufw allow from client_ip_addr to any port nfs
Run
ufw status
again and confirm the rule has been added.sudo ufw status
Status: active To Action From -- ------ ---- OpenSSH ALLOW Anywhere Apache Full ALLOW Anywhere 2049 ALLOW client_ip_addr OpenSSH (v6) ALLOW Anywhere (v6) Apache Full (v6) ALLOW Anywhere (v6)
Create an Export Directory on the NFS Server
NFS client access is granted on a case-by-case basis. A directory that is shared with clients using NFS is called an export directory. Non-empty directories can be shared with NFS, but it is more typical to create an empty export directory for sharing files.
Create a directory on the NFS server to contain the shared files. It is best to create a separate export directory for each project to better control user access. Because the directory is created using
sudo
, the root user account owns this directory.sudo mkdir -p /nfs/share/project1
For security reasons, NFS translates any root credentials from a client to
nobody:nogroup
. This restricts the ability of remote root users to invoke root privileges on the server. To grant client root users access to the export directory, change the directory ownership tonobody:nogroup
.sudo chown nobody:nogroup /nfs/share/project1
Adjust the file permissions for the directory. The following command grants NFS clients full read, write and execute privileges to the directory files.
sudo chmod 777 /nfs/share/project1
Configure the NFS Export Settings on the Server
The NFS component maintains a configuration file containing the Access Control Lists (ACL) for each export directory. Each entry indicates the name of the export directory, the clients who are authorized to access it, and the file-sharing options. The format of each line is export_directory_name client1(sharing_options) client2(sharing_options_2)
. Access can be provided to several clients in the same entry. A client can be identified either through a specific IP address, an entire subnet, or a domain name.
A detailed explanation of all the export options can be found in the Setting Up an NFS Server documentation. Some of the main sharing options include the following:
- rw/ro: The
rw
option grants read and write access to the share, butro
only allows read access. - sync: The
sync
option guarantees changes are committed on the server before any further requests for the file are answered. Theasync
option provides better performance but data loss or corruption might occur under certain circumstances. - subtree_check: The
subtree_check
option verifies a user can mount subdirectories within a system. It also validates whether a given file exists within the sub-tree. This choice is more secure, but it could present some performance issues in a deep directory with frequent changes. Theno_subtree_check
option turns this checkoff. - noexec: This prevents any files in the export directory from being executed.
- no_root_squash: This permits client root users to maintain their root privileges on the server. This overrides the default settings and permits them to modify root-owned files on the server. This option has serious security implications on a multi-user system.
To add the new export directory to NFS, execute the following commands on the server.
Edit the
/etc/exports
file.vi /etc/exports
Add the following line and save the file. Replace
client_ip_addr
with the actual IP address or subnet of the client.- File: /etc/exports
1 2
/nfs/share/project1 client_ip_addr(rw,sync,no_subtree_check)
Apply the configuration changes using the
exportfs
command.sudo exportfs -a
View all the active exports and verify the
/nfs/share/project1
directory has export status.sudo exportfs -v
/nfs/share/project1 client_ip_addr(rw,wdelay,root_squash,no_subtree_check,sec=sys,rw,secure,root_squash,no_all_squash)
Restart the NFS utility using
systemctl
.sudo systemctl restart nfs-kernel-server
Create an NFS Mount Point on the Client
To access the export directory on the server, the client must first map the drive to a local directory. This directory is called a mount point. To create a mount point, create a new directory on the client and bind the server’s export directory to it. Execute the following commands on the client to mount the server’s export directory.
CautionUse an empty directory for the mount point. Any pre-existing files or subdirectories in the mounted directory are hidden while the mount point is in use.
Create a new directory on the client to serve as the mount point.
sudo mkdir -p /nfs/mnt/project1
Mount the export directory to the new directory using the
mount
command. As the first argument, specify the IP address of the NFS server, a:
symbol, and the path to the export directory. The second parameter is the local mount point directory on the client.sudo mount -t nfs server_ip_addr:/nfs/share/project1 /nfs/mnt/project1
Use the
df
command to confirm the export directory is mounted correctly. The remote directory should be listed somewhere in the list of drives.df -h
Filesystem Size Used Avail Use% Mounted on ... server_ip_addr:/nfs/share/project1 79G 13G 63G 17% /nfs/mnt/project1
The mount only persists until the system reboots. To automatically mount the directory when the system activates, add the mount point to the
/etc/fstab
file. The entry should consist of the export directory, the local mount point, a list of options, and two0
’s. To see all the available options for this file, runman nfs
on the client.sudo vi /etc/fstab
- File: /etc/fstab
1 2
server_ip_addr:/nfs/share/project1 /nfs/mnt/project1 nfs timeo=900,intr,actimeo=1800 0 0
To confirm the export directory is mounted properly upon system bootup, reboot the system and run the
df
command again. The export directory should appear in the output.
Verify the NFS Service
To validate NFS is working, make changes to the file on the server and confirm they are reflected on the client. Then edit the file on the client and verify the changes on the server.
Log in to the server and create a new file within the export directory.
cd /nfs/share/project1 "Test data for testfile.text" > testfile.text
Change to a console on the client, and
cd
to the mounted directory. Run thels
command, and ensure thetestfile.text
file appears.cd /nfs/mnt/project1 ls -l
-rw-rw-r-- 1 user1 user1 27 Jul 7 13:06 testfile.text
Remain on the client, and use a text editor to add some additional text to the
testfile.text
file.vi testfile.text
Return to the server console and ensure the
testfile.text
file in the export directory reflects the changes that were made on the client.cd /nfs/share/project1 cat testfile.text
Test data for testfile.text New test data for testfile.text
Unmount an NFS Share on the Client
A mount point can be removed when it is no longer required. Any unmounted directories must also be removed from the /etc/fstab
file.
On the client, remove the mount point using the
umount
command. Note the spelling of this command. Specify the name of the local mount point, not the name of the export directory on the server.sudo umount /nfs/mnt/project1
Use the
df
command to confirm the mount point has been removed.df -h
Edit the
/etc/fstab
file and either remove the line referring to the export directory or comment it out with the#
symbol.sudo vi /etc/fstab
- File: /etc/fstab
1 2 3
# server_ip_addr:/nfs/share/project1 /nfs/mnt/project1 nfs timeo=900,intr,actimeo=1800 0 0
More Information
You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.
This page was originally published on