sudoedit.com!
Posts Notebook Blogroll Luke's Resume Support the Blog Privacy Policy
sudoedit.com!

Contents

NFS - Notes

   399 words   2 minutes 

Exports File

Files:

/etc/exports or /etc/exports.d/<name>.exports

File is space separated share host1 host2 or ip1 ip2… or *.domain /path/to/share <hostname.fqd> or <ip_address>

Example:

/myshare host1.example.com

Export options

/myshare server1.example.com(ro) - read only

Options are put in () after the host or ip. There is no space. Some common options: rw, ro,

Apply changes to exports file with cmd:

exportfs -r

NFS Security

NFS has the following security typs:

Type Description
None None allows anonymous access to the file share to all hosts specified in the exports file. This options requires the SELinux boolean “nfsd_annon_write” to be enabled
Sys File access is based on posix permissions. This is the default if not specified
Krb5 Clients provide identity using kerberos and then posix permissions apply
Krb5i Adds a cryptographically strong guarantee that data in each request has not been tampered with
Krb5p Adds encryption to all requests between client and server. This is the most security but has a performance impact

NFS services

nsf-server

  • If using kerberos: nfs-secure-server must also be running and enabled.

  • Client requires nfs-secure to connect to kerberos export, as well as a /etc/krb5.keytab file

Server config (krb5)

Download keytab

wget -O /etc/krb5.keytab http://address.example.com/keytab

Enable nfs version 4.2 in /etc/sysconfig/nfs - to export SELinux labels

  • Change RPCNFSDARGS="" to RPCNFSDARGS="-V 4.2"
systemctl enable nfs-secure-server --now

Make exports directory

Add directory to /etc/exports file

  • Example: /myshare desktop1(sec=krb5p,rw)
  • Exportfs -r

Open firewall ports

Firewall-cmd --permanent --add-service=nfs
Firewall-cmd --reload

Mount nfs filesystem on client

  • Download keytab wget -O /etc/krb5.keytab <url>
  • systemctl start nfs-secure
  • systemctl enable nfs-secure

Make directory to mount filesystem

Add share to fstab server.fqdn:/path/to/share /path/to/mount nfs defaults,sec=krb5p,v4.2 0 0

Client config

Download keytab systemctl start nfs-secure and enable

Client Fstab

server:/share /mount/point nfs defaults,v4.2,sec=krb5p 0 0

NFS firewall

sudo firewall-cmd --permanent --add-service=nfs

If you found this useful please consider supporting the blog.

Fastmail

I use Fastmail to host my email for the blog. If you follow the link from this page you’ll get a 10% discount and I’ll get a little bit of break on my costs as well. It’s a win win.

Backblaze

Backblaze is a cloud backup solution for Mac and Windows desktops. I use it on my home computers, and if you sign up using the link on this page you get a free month of service through backblaze, and so do I. If you’re looking for a good backup solution give them a try!

Thanks!

Luke

Updated on 2022-01-29
 LinuxNotesNFS
Back | Home