NFS - Notes
Exports File
Files:
/etc/exports or /etc/exports.d/<name>.exports
The file is space separated: share, then host1 host2, or ip1 ip2…, or *.domain
/path/to/share <hostname.fqd> or <ip_address>
Example:
/myshare host1.example.com
Export options
/myshare server1.example.com(ro)
- read only
Options are put in () directly after the host or IP, with no space between them. Some common options: rw, ro,
Apply changes to the exports file with the command:
exportfs -r
NFS Security
NFS has the following security types:
Type | Description |
---|---|
None | None allows anonymous access to the file share to all hosts specified in the exports file. This option requires the SELinux boolean “nfsd_anon_write” to be enabled |
Sys | File access is based on POSIX permissions. This is the default if not specified |
Krb5 | Clients provide identity using Kerberos and then POSIX permissions apply |
Krb5i | Adds a cryptographically strong guarantee that data in each request has not been tampered with |
Krb5p | Adds encryption to all requests between client and server. This is the most secure but has a performance impact |
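
An added example (not from the original notes): a small Python audit of exports-file text that flags entries allowing a flavor weaker than krb5p, wildcard hosts, and options detached from their host by a space. The function name, the krb5p minimum and the sample lines are assumptions made for illustration; line continuations and quoted paths are not handled.

```python
import re

# Security flavors from the table above, weakest first.
FLAVORS = ["none", "sys", "krb5", "krb5i", "krb5p"]

def audit_exports(text, minimum="krb5p"):
    """Return (line_no, path, client, problem) for each risky client entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank or comment-only line, or no client list to check
        path, defaults = fields[0], []
        for token in fields[1:]:
            if token.startswith("-"):  # "-opt1,opt2" sets defaults for the line
                defaults = token[1:].split(",")
                continue
            match = re.fullmatch(r"([^()]*)(?:\(([^()]*)\))?", token)
            if match is None:
                findings.append((line_no, path, token, "unparseable entry"))
                continue
            host = match.group(1)
            opts = defaults + [o for o in (match.group(2) or "").split(",") if o]
            if host == "":  # e.g. "host (rw)": the space detaches the options
                findings.append((line_no, path, token,
                                 "options with no host apply to every client"))
            elif "*" in host or "?" in host:
                findings.append((line_no, path, token, "wildcard host"))
            # Assumption: the last sec= seen wins; with none given it is sys.
            sec = [o[4:] for o in opts if o.startswith("sec=")]
            allowed = sec[-1].split(":") if sec else ["sys"]
            weak = [f for f in allowed if f not in FLAVORS
                    or FLAVORS.index(f) < FLAVORS.index(minimum)]
            if weak:
                findings.append((line_no, path, token,
                                 "allows sec=" + ":".join(weak)))
    return findings

# Constructed sample input, not taken from a real server.
SAMPLE = """\
/myshare   desktop1(sec=krb5p,rw)
/myshare2  server1.example.com(ro)
/myshare3  host1.example.com (rw)
/myshare4  *.example.com(sec=krb5:krb5p,ro)
"""

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE):
        print("line %d: %s %s: %s" % finding)
```
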
NFS services
- nfs-server
- If using Kerberos: nfs-secure-server must also be running and enabled.
- The client requires nfs-secure to connect to a Kerberos export, as well as a /etc/krb5.keytab file
Server config (krb5)
Download keytab
wget -O /etc/krb5.keytab http://address.example.com/keytab
Enable nfs version 4.2 in /etc/sysconfig/nfs - to export SELinux labels
- Change RPCNFSDARGS="" to RPCNFSDARGS="-V 4.2"
systemctl enable nfs-secure-server --now
Make exports directory
Add directory to /etc/exports file
- Example:
/myshare desktop1(sec=krb5p,rw)
exportfs -r
Open firewall ports
firewall-cmd --permanent --add-service=nfs
firewall-cmd --reload
Mount nfs filesystem on client
- Download keytab
wget -O /etc/krb5.keytab <url>
systemctl start nfs-secure
systemctl enable nfs-secure
Make directory to mount filesystem
Add share to fstab
server.fqdn:/path/to/share /path/to/mount nfs defaults,sec=krb5p,v4.2 0 0
Client config
Download keytab
systemctl start nfs-secure
and enable it (systemctl enable nfs-secure)
Client Fstab
server:/share /mount/point nfs defaults,v4.2,sec=krb5p 0 0
NFS firewall
sudo firewall-cmd --permanent --add-service=nfs
Thanks!
Luke