NFS (Network File System) is a file system that can be imported by clients, allowing directories to be shared over a network between different machines.
The client or server part must be enabled in the kernel as appropriate:
Server:
NOTE: In version 4, UDP is replaced by TCP.
The configuration of the directories to be exported is in the file:
DIR IP(OPTIONS):
/data/AAA IP/32(rw,no_root_squash,no_subtree_check,insecure)
The available options are:
- rw –> Allows read and write
- sync/async –> async allows the server to reply to the client confirming a write before it has actually been written to disk; sync makes it wait until the write has been committed
- no_wdelay –> Normally the server waits to accumulate a certain number of writes before dumping them to disk; this option forces it to write immediately. If async is active, this option cannot be enabled.
- nohide –> If an imported directory has another directory mounted inside it and the lower-level one resides on another partition, the client will only be able to see the content of the parent.
With this option enabled, the content of the child partition (SDB1 mounted on SDA1) will also be displayed. In exports, both entries must be defined, the parent and the child, with the nohide option set on the parent.
- crossmnt –> It is equivalent to nohide but it is not necessary to make entries in exports of the child directory.
- no_subtree_check –> Disables subtree checking. With subtree checking, in addition to checking that the requested file is in an exported file system, the server also checks that the directory is in an exported file system (this can cause problems if a file is accessed and another client renames it).
- insecure –> Allows access to clients that do not use a reserved port for NFS
- insecure_locks, no_auth_nlm –> For each file lock (locks prevent inconsistency when two clients access the same file), credentials are requested (the user ID with which the NFS was connected). Some old clients do not support this, so they can only lock files that are readable by everyone; with this option enabled, they can lock other files too.
- no_acl –> On a file system with ACL support and a kernel prepared for it, NFS can be configured not to reveal the ACLs to the client; it only passes a subset of the permissions. For versions 2 and 3 (old) of NFS, enabling this parameter is safe, since these clients decide locally what to request from the server (the server, I suppose, will then also check it on its side); in more modern versions of NFSv3 this is done through RPC.
- mp –> Suppose we have a boot partition mounted at /boot and we export /boot, but the mount failed for whatever reason: the /boot directory of the root partition would be exported instead. By indicating that the export must be a mount point, the export would fail in this case ;)
- fsid=num|root|uuid –> Tells NFS how to identify each file system to be exported: by UUID (partition identifier, new fstab style); by number, the equivalent of the UUID for kernels <2.6.20, since these do not support UUIDs; or root, to indicate to NFSv4 that this exported directory is the root.
- refer=path@host[+host][:path@host[+host]] –> This option links an exported directory to another one that a second NFS server is exporting (export chain). It is only supported with V4 on the server; clients are indifferent, since it is presented to them as a symbolic link ;)
If SERVER1 exports /exports/doc on SERVER2 we can configure an export like this:
exportnfs_docs *(rw,async,insecure,no_root_squash,no_subtree_check,refer=/docs@SERVER1)
- replicas=path@host[+host][:path@host[+host]] –> If the client asks for an alternative location of the exported directory, a list will be presented (useful when there are replicas of the data on different servers)
- root_squash –> Access to exported directories is controlled based on the UID of the client. For root this behavior may not be desirable, so when the client connects to the NFS as root, its UID is mapped to anonymous or nobody.
- no_root_squash –> The UID of root is preserved
- all_squash –> ALL UIDs are remapped to anonymous.
- anonuid –> Maps ALL UIDs to the indicated ID
- anongid –> Maps ALL GIDs to the indicated ID
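An added example, not part of the original page: a small Python audit of exports entries in the DIR IP(OPTIONS) format above. It flags the options from this list that widen access (no_root_squash, insecure, insecure_locks, no_auth_nlm), read-write exports to any client, and options separated from their host by a space. The function name, the sample addresses and the wording of the findings are assumptions; line continuations and quoted paths are not handled.

```python
import re

# Options from the list above that weaken access control when present.
RISKY = {
    "no_root_squash": "client root keeps UID 0 on the export",
    "insecure": "requests from non-reserved source ports are accepted",
    "insecure_locks": "lock requests are not authenticated",
    "no_auth_nlm": "lock requests are not authenticated",
}
# One client entry: optional host followed by optional "(opt,opt,...)".
ENTRY = re.compile(r"^([^\s(]*)(?:\(([^)]*)\))?$")


def audit_exports(text):
    """Return (line_no, directory, client, finding) tuples for exports text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directory, *clients = line.split()
        for client in clients:
            m = ENTRY.match(client)
            if not m:
                findings.append((no, directory, client, "unparseable client entry"))
                continue
            host, opts = m.group(1), set((m.group(2) or "").split(","))
            opts.discard("")
            if host == "":
                # "host (opts)" with a space: the options apply to every client.
                host = "<any>"
                findings.append((no, directory, host, "options not attached to a host (stray space)"))
            if host in ("*", "<any>") and "rw" in opts:
                findings.append((no, directory, host, "read-write export to any client"))
            for opt in sorted(opts.intersection(RISKY)):
                findings.append((no, directory, host, f"{opt}: {RISKY[opt]}"))
    return findings


# Constructed sample input (addresses are from the documentation range).
SAMPLE = """\
/data/AAA 192.0.2.10/32(rw,no_root_squash,no_subtree_check,insecure)
/data/BBB 192.0.2.0/24 (rw,sync,root_squash)
/data/CCC 192.0.2.20/32(ro,sync,root_squash,no_subtree_check)
"""

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE):
        print(*finding, sep=" | ")
```
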
Starting the service:
rc-update add nfs default
We can reload the config without restarting the NFS service:
To see if there are connected clients:
We can force the client to use a specific version of NFS:
OPTS_RPC_MOUNTD="-V 4 -N 3 -N 2"
We have forced version 4 and disabled 3 and 2.
Client:
/etc/init.d/rpc.statd start
mkdir /mnt/nfs
mount -t nfs IP:DIR /mnt/nfs
If desired, it can be configured in fstab:
IP:DIR /mnt/nfs nfs rw,vers=4,async,noatime,nodiratime,soft,timeo=3,intr 0 0
NOTE: The soft parameter will prevent many problems when the NFS is inaccessible: it will try to access the resource and, if it fails, it will throw an error instead of retrying indefinitely until it completely collapses the server, XDD. We cut the timeout in half and allow calls to be interrupted, which is very useful to avoid an ls hung on an inaccessible NFS.
rc-update add nfsmount default
If the NFS is going to be used from Apache:
If the pages are served from a remote file system (NFS, Samba), it is necessary to disable the use of mmap and sendfile.
<Directory "/var/www/data">
EnableMMAP off
EnableSendfile off
</Directory>
Troubleshooting:
Client:
df -h, mount –> Mounted directories
Sometimes the NFS mount stops responding due to network problems. The steps to recover it would be:
- Kill all processes using the imported path
- umount -l PATH
- mount PATH
Server:
rpcinfo -p –> Started services
exportfs -v –> Exported directories
netstat -tn | egrep '2049|Active|Proto' –> Connections