Referrence:http://eduardo-lago.blogspot.de/2012/02/installing-nfs-on-centos-62.html
This is a how to install the NFS service on a Linux CentOS 6.2 box and making it accessible to others. The scenario is the following:
- Grant read-only access to the /home/public directory to all networks
- Grant read/write access to the /home/common directory to all networks
At the end of this guide you will get:
- A running NFS server with various LAN shared directories
- A active set of firewall rules allowing the access to NFS ports
- A permanently mounted NFS shared on a CentOS / Ubuntu client
I assume you already have:
- a fresh running Linux CentOS 6.2 server
- a sudoer user, named bozz on this guide
- an accessible RPM repository / mirror
- a Linux client with CentOS / Ubuntu
Steps
- Login as bozz user on the server
- Check if rpcbind is installed:
$ rpm -q rpcbind rpcbind-0.2.0-8.el6.x86_64
- if not, install it:
$ sudo yum install rpcbind
- Install NFS-related packages:
$ sudo yum install nfs-utils nfs-utils-lib
- Once installed, configure the nfs, nfslock and rpcbind to run as daemons:
$ sudo chkconfig --level 35 nfs on $ sudo chkconfig --level 35 nfslock on $ sudo chkconfig --level 35 rpcbind on
- then start the
rpcbind
- and
nfs
- daemons:
$ sudo service rpcbind start $ sudo service nfslock start $ sudo service nfs start
NFS daemons
- rpcbind: (portmap in older versions of Linux) the primary daemon upon which all the others rely, rpcbind manages connections for applications that use the RPC specification. By default, rpcbind listens to TCP port 111 on which an initial connection is made. This is then used to negotiate a range of TCP ports, usually above port 1024, to be used for subsequent data transfers. You need to run rpcbind on both the NFS server and client.
- nfs: starts the RPC processes needed to serve shared NFS file systems. The nfs daemon needs to be run on the NFS server only.
- nfslock: Used to allow NFS clients to lock files on the server via RPC processes. The nfslock daemon needs to be run on both the NFS server and client.
- Test whether NFS is running correctly with the rpcinfo command. You should get a listing of running RPC programs that must include mountd, portmapper, nfs, and nlockmgr:
$ rpcinfo -p localhost
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 40481 status
100024 1 tcp 49796 status
100011 1 udp 875 rquotad
100011 2 udp 875 rquotad
100011 1 tcp 875 rquotad
100011 2 tcp 875 rquotad
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100227 2 tcp 2049 nfs_acl
100227 3 tcp 2049 nfs_acl
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100227 2 udp 2049 nfs_acl
100227 3 udp 2049 nfs_acl
100021 1 udp 32769 nlockmgr
100021 3 udp 32769 nlockmgr
100021 4 udp 32769 nlockmgr
100021 1 tcp 32803 nlockmgr
100021 3 tcp 32803 nlockmgr
100021 4 tcp 32803 nlockmgr
100005 1 udp 892 mountd
100005 1 tcp 892 mountd
100005 2 udp 892 mountd
100005 2 tcp 892 mountd
100005 3 udp 892 mountd
100005 3 tcp 892 mountd
-
The /etc/exports file is the main NFS configuration file, and it consists of two columns. The first column lists the directories you want to make available to the network. The second column has two parts. The first part lists the networks or DNS domains that can get access to the directory, and the second part lists NFS options in brackets. Edit /etc/exports and append the desired shares:
$ sudo nano /etc/exports
- then append:
/home/public *(ro,sync,all_squash) /home/common *(rw,sync,all_squash)
- /home/public: directory to share with read-only access to all networks
- /home/common: directory to share with read/write access to all networks
- *: allow access from all networks
- ro: read-only access
- rw: read/write access
- sync: synchronous access
- root_squash: prevents root users connected remotely from having root privileges and assigns them the user ID for the user nfsnobody. This effectively "squashes" the power of the remote root user to the lowest local user, preventing unauthorized alteration of files on the remote server. Alternatively, the no_root_squash option turns off root squashing. To squash every remote user, including root, use the all_squash option. To specify the user and group IDs to use with remote users from a particular host, use the anonuid and anongid options, respectively. In this case, a special user account can be created for remote NFS users to share and specify (anonuid=,anongid=), where is the user ID number and is the group ID number.
- Create the directories to be published with the correct permissions:
$ sudo mkdir -p /home/public $ sudo chown nfsnobody:nfsnobody /home/public $ sudo mkdir -p /home/common $ sudo chown nfsnobody:nfsnobody /home/common
- it should end like this:
$ ls -l /home/ ... drwxr-xr-x. 2 nfsnobody nfsnobody 4096 Feb 20 12:55 common drwxr-xr-x. 7 nfsnobody nfsnobody 4096 Feb 17 14:44 public
- [OPTIONAL] Allow bozz user to locally write on the created directories by appending it to nfsnobody group and granting write permissions to the group:
$ sudo usermod -a -G nfsnobody bozz $ sudo chmod g+w /home/public $ sudo chmod g+w /home/common
- it should end like this:
$ ls -l /home/ ... drwxrwxr-x. 2 nfsnobody nfsnobody 4096 Feb 20 12:40 common drwxrwxr-x. 7 nfsnobody nfsnobody 4096 Feb 17 14:44 public
- Security issues. To allow remote access some firewall rules and other NFS settings must be changed. You need to open the following ports:
- TCP/UDP 111 - RPC 4.0 portmapper
- TCP/UDP 2049 - NFSD (nfs server)
- Portmap static ports, Various TCP/UDP ports defined in /etc/sysconfig/nfs file.
iptables
- . First, you need to configure NFS services to use fixed ports. Edit
/etc/sysconfig/nfs
- , enter:
$ sudo nano /etc/sysconfig/nfs
- and set:
LOCKD_TCPPORT=32803 LOCKD_UDPPORT=32769 MOUNTD_PORT=892 RQUOTAD_PORT=875 STATD_PORT=662 STATD_OUTGOING_PORT=2020
- then restart nfs daemons:
$ sudo service rpcbind restart $ sudo service nfs restart
- update iptables rules by editing
/etc/sysconfig/iptables
- , enter:
$ sudo nano /etc/sysconfig/iptables
- and append the following rules:
-A INPUT -s 0.0.0.0/0 -m state --state NEW -p udp --dport 111 -j ACCEPT -A INPUT -s 0.0.0.0/0 -m state --state NEW -p tcp --dport 111 -j ACCEPT -A INPUT -s 0.0.0.0/0 -m state --state NEW -p tcp --dport 2049 -j ACCEPT -A INPUT -s 0.0.0.0/0 -m state --state NEW -p tcp --dport 32803 -j ACCEPT -A INPUT -s 0.0.0.0/0 -m state --state NEW -p udp --dport 32769 -j ACCEPT -A INPUT -s 0.0.0.0/0 -m state --state NEW -p tcp --dport 892 -j ACCEPT -A INPUT -s 0.0.0.0/0 -m state --state NEW -p udp --dport 892 -j ACCEPT -A INPUT -s 0.0.0.0/0 -m state --state NEW -p tcp --dport 875 -j ACCEPT -A INPUT -s 0.0.0.0/0 -m state --state NEW -p udp --dport 875 -j ACCEPT -A INPUT -s 0.0.0.0/0 -m state --state NEW -p tcp --dport 662 -j ACCEPT -A INPUT -s 0.0.0.0/0 -m state --state NEW -p udp --dport 662 -j ACCEPT
- restart iptables daemon:
$ sudo service iptables restart
- Mount NFS shared directories: Install client NFS packages first: on Ubuntu client:
$ sudo apt-get install nfs-common
- on CentOS client:
$ sudo yum install nfs-utils nfs-utils-lib
- inquiry for the list of all shared directories:
$ showmount -e SERVERADDRESS
- mount server's
/home/public
- on client's
/public
- :
$ sudo mkdir -p /public $ sudo mount SERVERADDRESS:/home/public /public $ df -h
- mount server's
/home/common
- on client's
/common
- :
$ sudo mkdir -p /common $ sudo mount SERVERADDRESS:/home/common /common $ df -h
- Mount NFS automatically after reboot on the client. Edit /etc/fstab, enter:
$ sudo nano /etc/fstab
- append the following line:
#Directory Mount Point Type Options Dump FSCK SERVER_IP_ADDRESS:/home/public /public nfs hard 0 0 SERVER_IP_ADDRESS:/home/common /common nfs hard 0 0
- to test the correctness of /etc/fstab before restarting, you can try to manually mount /public and /common:
$ sudo mount /public $ sudo mount /common