NFS - Notes
Exports File
Files:
/etc/exports or /etc/exports.d/<name>.exports
File is space separated share host1 host2 or ip1 ip2… or *.domain /path/to/share <hostname.fqd> or <ip_address>
Example:
/myshare host1.example.com
Export options
/myshare server1.example.com(ro) - read only
Options are put in () after the host or ip. There is no space. Some common options: rw, ro,
Apply changes to exports file with cmd:
exportfs -r
NFS Security
NFS has the following security typs:
| Type | Description |
|---|---|
| None: | None allows anonymous access to the file share to all hosts specified in the exports file. This options requires the SELinux boolean "nfsd_annon_write" to be enabled |
| Sys:: | File access is based on posix permissions. This is the default if not specified |
| Krb5: | Clients provide identity using kerberos and then posix permissions apply |
| Krb5i: | Adds a cryptographically strong guarantee that data in each request has not been tampered with |
| Krb5p: | Adds encryption to all requests between client and server. This is the most security but has a performance impact |
NFS services
nsf-server
If using kerberos:
nfs-secure-servermust also be running and enabled.Client requires nfs-secure to connect to kerberos export, as well as a /etc/krb5.keytab file
Server config (krb5)
Download keytab
wget -O /etc/krb5.keytab http://address.example.com/keytab
Enable nfs version 4.2 in /etc/sysconfig/nfs - to export SELinux labels
- Change
RPCNFSDARGS=""toRPCNFSDARGS="-V 4.2"
systemctl enable nfs-secure-server --now
Make exports directory
Add directory to /etc/exports file
- Example:
/myshare desktop1(sec=krb5p,rw) Exportfs -r
Open firewall ports
Firewall-cmd --permanent --add-service=nfs
Firewall-cmd --reload
Mount nfs filesystem on client
- Download keytab
wget -O /etc/krb5.keytab <url> systemctl start nfs-securesystemctl enable nfs-secure
Make directory to mount filesystem
Add share to fstab
server.fqdn:/path/to/share /path/to/mount nfs defaults,sec=krb5p,v4.2 0 0
Client config
Download keytab
systemctl start nfs-secure and enable
Client Fstab
server:/share /mount/point nfs defaults,v4.2,sec=krb5p 0 0
NFS firewall
sudo firewall-cmd --permanent --add-service=nfs
If you found this useful please consider supporting the blog.
I use Fastmail to host my email for the blog. If you follow the link from this page you'll get a 10% discount and I'll get a little bit of break on my costs as well. It's a win win.
Backblaze is a cloud backup solution for Mac and Windows desktops. I use it on my home computers, and if you sign up using the link on this page you get a free month of service through backblaze, and so do I. If you're looking for a good backup solution give them a try!
Thanks!
Luke