Linux: NFS

[lihongjie0209]

A Network File System (NFS) allows remote hosts to mount file systems over a network and interact with those file systems as though they are mounted locally. This enables system administrators to consolidate resources onto centralized servers on the network.

nfs

systemctl start nfs starts the NFS server and the appropriate RPC processes to service requests for shared NFS file systems.

nfslock

systemctl start nfs-lock activates a mandatory service that starts the appropriate RPC processes allowing NFS clients to lock files on the server.

rpcbind

rpcbind accepts port reservations from local RPC services. These ports are then made available (or advertised) so the corresponding remote RPC services can access them. rpcbind responds to requests for RPC services and sets up connections to the requested RPC service. This is not used with NFSv4. The following RPC processes facilitate NFS services:

rpc.mountd

This process is used by an NFS server to process MOUNT requests from NFSv3 clients. It checks that the requested NFS share is currently exported by the NFS server, and that the client is allowed to access it. If the mount request is allowed, the rpc.mountd server replies with a Success status and provides the File-Handle for this NFS share back to the NFS client.

rpc.nfsd

rpc.nfsd allows explicit NFS versions and protocols the server advertises to be defined. It works with the Linux kernel to meet the dynamic demands of NFS clients, such as providing server threads each time an NFS client connects. This process corresponds to the nfs service.

lockd

lockd is a kernel thread which runs on both clients and servers. It implements the Network Lock Manager (NLM) protocol, which allows NFSv3 clients to lock files on the server. It is started automatically whenever the NFS server is run and whenever an NFS file system is mounted.

rpc.statd

This process implements the Network Status Monitor (NSM) RPC protocol, which notifies NFS clients when an NFS server is restarted without being gracefully brought down. rpc.statd is started automatically by the nfslock service, and does not require user configuration. This is not used with NFSv4.

rpc.rquotad

This process provides user quota information for remote users. rpc.rquotad is started automatically by the nfs service and does not require user configuration.

rpc.idmapd

rpc.idmapd provides NFSv4 client and server upcalls, which map between on-the-wire NFSv4 names (strings in the form of user@domain) and local UIDs and GIDs. For idmapd to function with NFSv4, the /etc/idmapd.conf file must be configured. At a minimum, the "Domain" parameter should be specified, which defines the NFSv4 mapping domain. If the NFSv4 mapping domain is the same as the DNS domain name, this parameter can be skipped. The client and server must agree on the NFSv4 mapping domain for ID mapping to function properly.

[lihongjie0209]

配置客户端

The mount command mounts NFS shares on the client side. Its format is as follows:

# mount -t nfs -o _options_ _server_:_/remote/export_ _/local/directory_

This command uses the following variables: options A comma-delimited list of mount options; for more information on valid NFS mount options, see Section 8.4, “Common NFS Mount Options”.

server

The hostname, IP address, or fully qualified domain name of the server exporting the file system you wish to mount

/remote/export

The file system or directory being exported from the server, that is, the directory you wish to mount /### local/directory The client location where /remote/export is mounted

The NFS protocol version used in Red Hat Enterprise Linux 7 is identified by the mount options nfsvers or vers. By default, mount uses NFSv4 with mount -t nfs. If the server does not support NFSv4, the client automatically steps down to a version supported by the server. If the nfsvers/vers option is used to pass a particular version not supported by the server, the mount fails. The file system type nfs4 is also available for legacy reasons; this is equivalent to running mount -t nfs -o nfsvers=4 host:/remote/export /local/directory.

/etc/fstab

An alternate way to mount an NFS share from another machine is to add a line to the /etc/fstab file. The line must state the hostname of the NFS server, the directory on the server being exported, and the directory on the local machine where the NFS share is to be mounted. You must be root to modify the /etc/fstab file. Example 8.1. Syntax Example

The general syntax for the line in /etc/fstab is as follows:

server:/usr/local/pub    /pub   nfs    defaults 0 0

The mount point /pub must exist on the client machine before this command can be executed. After adding this line to /etc/fstab on the client system, use the command mount /pub, and the mount point /pub is mounted from the server. A valid /etc/fstab entry to mount an NFS export should contain the following information:

server:/remote/export /local/directory nfs options 0 0

[lihongjie0209]

服务端启动

Prerequisites

• For servers that support NFSv2 or NFSv3 connections, the rpcbind^[1] service must be running. To verify that rpcbind is active, use the following command:

  $ systemctl status rpcbind

  To configure an NFSv4-only server, which does not require rpcbind, see Section 8.6.7, “Configuring an NFSv4-only Server”.
• On Red Hat Enterprise Linux 7.0, if your NFS server exports NFSv3 and is enabled to start at boot, you need to manually start and enable the nfs-lock service:

  # systemctl start nfs-lock
  # systemctl enable nfs-lock

  On Red Hat Enterprise Linux 7.1 and later, nfs-lock starts automatically if needed, and an attempt to enable it manually fails.

Procedures

• To start an NFS server, use the following command:

  # systemctl start nfs

• To enable NFS to start at boot, use the following command:

  # systemctl enable nfs

• To stop the server, use:

  # systemctl stop nfs

• The restart option is a shorthand way of stopping and then starting NFS. This is the most efficient way to make configuration changes take effect after editing the configuration file for NFS. To restart the server type:

  # systemctl restart nfs

• After you edit the /etc/sysconfig/nfs file, restart the nfs-config service by running the following command for the new values to take effect:

  # systemctl restart nfs-config

• The try-restart command only starts nfs if it is currently running. This command is the equivalent of condrestart (conditional restart) in Red Hat init scripts and is useful because it does not start the daemon if NFS is not running.
  To conditionally restart the server, type:

  # systemctl try-restart nfs

• To reload the NFS server configuration file without restarting the service type:

  # systemctl reload nfs

[lihongjie0209]

配置服务器

There are two ways to configure exports on an NFS server:

• Manually editing the NFS configuration file, that is, /etc/exports, and
• Through the command line, that is, by using the command exportfs

8.6.1. The /etc/exports Configuration File

The /etc/exports file controls which file systems are exported to remote hosts and specifies options. It follows the following syntax rules:

• Blank lines are ignored.
• To add a comment, start a line with the hash mark (#).
• You can wrap long lines with a backslash (\).
• Each exported file system should be on its own individual line.
• Any lists of authorized hosts placed after an exported file system must be separated by space characters.
• Options for each of the hosts must be placed in parentheses directly after the host identifier, without any spaces separating the host and the first parenthesis.

Each entry for an exported file system has the following structure:

export host(options)

The aforementioned structure uses the following variables:

export

The directory being exported

host

The host or network to which the export is being shared

options

The options to be used for host

It is possible to specify multiple hosts, along with specific options for each host. To do so, list them on the same line as a space-delimited list, with each hostname followed by its respective options (in parentheses), as in:

export host1(options1) host2(options2) host3(options3)

For information on different methods for specifying hostnames, see Section 8.6.5, “Hostname Formats”.

In its simplest form, the /etc/exports file only specifies the exported directory and the hosts permitted to access it, as in the following example:

Example 8.6. The /etc/exports File

/exported/directory bob.example.com

Here, bob.example.com can mount /exported/directory/ from the NFS server. Because no options are specified in this example, NFS uses default settings.

The default settings are:

ro

The exported file system is read-only. Remote hosts cannot change the data shared on the file system. To allow hosts to make changes to the file system (that is, read and write), specify the rw option.

sync

The NFS server will not reply to requests before changes made by previous requests are written to disk. To enable asynchronous writes instead, specify the option async.

wdelay

The NFS server will delay writing to the disk if it suspects another write request is imminent. This can improve performance as it reduces the number of times the disk must be accessed by separate write commands, thereby reducing write overhead. To disable this, specify the no_wdelay. no_wdelay is only available if the default sync option is also specified.

root_squash

This prevents root users connected remotely (as opposed to locally) from having root privileges; instead, the NFS server assigns them the user ID nfsnobody. This effectively "squashes" the power of the remote root user to the lowest local user, preventing possible unauthorized writes on the remote server. To disable root squashing, specify no_root_squash.

To squash every remote user (including root), use all_squash. To specify the user and group IDs that the NFS server should assign to remote users from a particular host, use the anonuid and anongid options, respectively, as in:

export host(anonuid=uid,anongid=gid)

Here, uid and gid are user ID number and group ID number, respectively. The anonuid and anongid options allow you to create a special user and group account for remote NFS users to share.

By default, access control lists (ACLs) are supported by NFS under Red Hat Enterprise Linux. To disable this feature, specify the no_acl option when exporting the file system.

Each default for every exported file system must be explicitly overridden. For example, if the rw option is not specified, then the exported file system is shared as read-only. The following is a sample line from /etc/exports which overrides two default options:

/another/exported/directory 192.168.0.3(rw,async)

In this example 192.168.0.3 can mount /another/exported/directory/ read and write and all writes to disk are asynchronous. For more information on exporting options, see man exportfs.

Other options are available where no default value is specified. These include the ability to disable sub-tree checking, allow access from insecure ports, and allow insecure file locks (necessary for certain early NFS client implementations). For more information on these less-used options, see man exports.

Important

The format of the /etc/exports file is very precise, particularly in regards to use of the space character. Remember to always separate exported file systems from hosts and hosts from one another with a space character. However, there should be no other space characters in the file except on comment lines.

For example, the following two lines do not mean the same thing:

/home bob.example.com(rw)
/home bob.example.com (rw)

The first line allows only users from bob.example.com read and write access to the /home directory. The second line allows users from bob.example.com to mount the directory as read-only (the default), while the rest of the world can mount it read/write.

8.6.2. The exportfs Command

Every file system being exported to remote users with NFS, as well as the access level for those file systems, are listed in the /etc/exports file. When the nfs service starts, the /usr/sbin/exportfs command launches and reads this file, passes control to rpc.mountd (if NFSv3) for the actual mounting process, then to rpc.nfsd where the file systems are then available to remote users.

When issued manually, the /usr/sbin/exportfs command allows the root user to selectively export or unexport directories without restarting the NFS service. When given the proper options, the /usr/sbin/exportfs command writes the exported file systems to /var/lib/nfs/xtab. Since rpc.mountd refers to the xtab file when deciding access privileges to a file system, changes to the list of exported file systems take effect immediately.

The following is a list of commonly-used options available for /usr/sbin/exportfs:

-r

Causes all directories listed in /etc/exports to be exported by constructing a new export list in /etc/lib/nfs/xtab. This option effectively refreshes the export list with any changes made to /etc/exports.

-a

Causes all directories to be exported or unexported, depending on what other options are passed to /usr/sbin/exportfs. If no other options are specified, /usr/sbin/exportfs exports all file systems specified in /etc/exports.

-o file-systems

Specifies directories to be exported that are not listed in /etc/exports. Replace file-systems with additional file systems to be exported. These file systems must be formatted in the same way they are specified in /etc/exports. This option is often used to test an exported file system before adding it permanently to the list of file systems to be exported. For more information on /etc/exports syntax, see Section 8.6.1, “The /etc/exports Configuration File”.

-i

Ignores /etc/exports; only options given from the command line are used to define exported file systems.

-u

Unexports all shared directories. The command /usr/sbin/exportfs -ua suspends NFS file sharing while keeping all NFS daemons up. To re-enable NFS sharing, use exportfs -r.

-v

Verbose operation, where the file systems being exported or unexported are displayed in greater detail when the exportfs command is executed.

If no options are passed to the exportfs command, it displays a list of currently exported file systems. For more information about the exportfs command, see man exportfs.

8.6.2.1. Using exportfs with NFSv4

In Red Hat Enterprise Linux 7, no extra steps are required to configure NFSv4 exports as any filesystems mentioned are automatically available to NFSv3 and NFSv4 clients using the same path. This was not the case in previous versions.

To prevent clients from using NFSv4, turn it off by setting RPCNFSDARGS= -N 4 in /etc/sysconfig/nfs.

8.6.3. Running NFS Behind a Firewall

NFS requires rpcbind, which dynamically assigns ports for RPC services and can cause issues for configuring firewall rules. To allow clients to access NFS shares behind a firewall, edit the /etc/sysconfig/nfs file to set which ports the RPC services run on. To allow clients to access RPC Quota through a firewall, see Section 8.6.4, “Accessing RPC Quota through a Firewall”.

The /etc/sysconfig/nfs file does not exist by default on all systems. If /etc/sysconfig/nfs does not exist, create it and specify the following:

RPCMOUNTDOPTS="-p port"

This adds "-p port" to the rpc.mount command line: rpc.mount -p port.

To specify the ports to be used by the nlockmgr service, set the port number for the nlm_tcpport and nlm_udpport options in the /etc/modprobe.d/lockd.conf file.

If NFS fails to start, check /var/log/messages. Commonly, NFS fails to start if you specify a port number that is already in use. After editing /etc/sysconfig/nfs, you need to restart the nfs-config service for the new values to take effect in Red Hat Enterprise Linux 7.2 and prior by running:

#  systemctl restart nfs-config

Then, restart the NFS server:

#  systemctl restart nfs-server

Run rpcinfo -p to confirm the changes have taken effect.

Note

To allow NFSv4.0 callbacks to pass through firewalls set /proc/sys/fs/nfs/nfs_callback_tcpport and allow the server to connect to that port on the client.

This process is not needed for NFSv4.1 or higher, and the other ports for mountd, statd, and lockd are not required in a pure NFSv4 environment.

8.6.3.1. Discovering NFS exports

There are two ways to discover which file systems an NFS server exports.

• On any server that supports NFSv3, use the showmount command:

  $ showmount -e myserver
  Export list for mysever
  /exports/foo
  /exports/bar

• On any server that supports NFSv4, mount the root directory and look around.

  # mount myserver:/ /mnt/
  # cd /mnt/
  exports
  # ls exports
  foo
  bar

On servers that support both NFSv4 and NFSv3, both methods work and give the same results.

Note

Before Red Hat Enterprise Linux 6 on older NFS servers, depending on how they are configured, it is possible to export filesystems to NFSv4 clients at different paths. Because these servers do not enable NFSv4 by default, this should not be a problem.

8.6.4. Accessing RPC Quota through a Firewall

If you export a file system that uses disk quotas, you can use the quota Remote Procedure Call (RPC) service to provide disk quota data to NFS clients.

Procedure 8.1. Making RPC Quota Accessible Behind a Firewall

1. To enable the rpc-rquotad service, use the following command:

   # systemctl enable rpc-rquotad 

2. To start the rpc-rquotad service, use the following command:

   # systemctl start rpc-rquotad 

   Note that rpc-rquotad is, if enabled, started automatically after starting the nfs-server service.
3. To make the quota RPC service accessible behind a firewall, UDP or TCP port 875 need to be open. The default port number is defined in the /etc/services file.
   You can override the default port number by appending -p port-number to the RPCRQUOTADOPTS variable in the /etc/sysconfig/rpc-rquotad file.
4. Restart rpc-rquotad for changes in the /etc/sysconfig/rpc-rquotad file to take effect:

   # systemctl restart rpc-rquotad

Setting Quotas from Remote Hosts

By default, quotas can only be read by remote hosts. To allow setting quotas, append the -S option to the RPCRQUOTADOPTS variable in the /etc/sysconfig/rpc-rquotad file.

Restart rpc-rquotad for changes in the /etc/sysconfig/rpc-rquotad file to take effect:

# systemctl restart rpc-rquotad

8.6.5. Hostname Formats

The host(s) can be in the following forms:

Single machine

A fully-qualified domain name (that can be resolved by the server), hostname (that can be resolved by the server), or an IP address.

Series of machines specified with wildcards

Use the * or ? character to specify a string match. Wildcards are not to be used with IP addresses; however, they may accidentally work if reverse DNS lookups fail. When specifying wildcards in fully qualified domain names, dots (.) are not included in the wildcard. For example, *.example.com includes one.example.com but does not include one.two.example.com.

IP networks

Use a.b.c.d/z, where a.b.c.d is the network and z is the number of bits in the netmask (for example 192.168.0.0/24). Another acceptable format is a.b.c.d/netmask, where a.b.c.d is the network and netmask is the netmask (for example, 192.168.100.8/255.255.255.0).

Netgroups

Use the format @group-name, where group-name is the NIS netgroup name.

8.6.6. Enabling NFS over RDMA (NFSoRDMA)

The remote direct memory access (RDMA) service works automatically in Red Hat Enterprise Linux 7 if there is RDMA-capable hardware present.

To enable NFS over RDMA:

1. Install the rdma and rdma-core packages.
   The /etc/rdma/rdma.conf file contains a line that sets XPRTRDMA_LOAD=yes by default, which requests the rdma service to load the NFSoRDMA client module.
2. To enable automatic loading of NFSoRDMA server modules, add SVCRDMA_LOAD=yes on a new line in /etc/rdma/rdma.conf.
   RPCNFSDARGS="--rdma=20049" in the /etc/sysconfig/nfs file specifies the port number on which the NFSoRDMA service listens for clients. RFC 5667 specifies that servers must listen on port 20049 when providing NFSv4 services over RDMA.
3. Restart the nfs service after editing the /etc/rdma/rdma.conf file:

   # systemctl restart nfs

   Note that with earlier kernel versions, a system reboot is needed after editing /etc/rdma/rdma.conf for the changes to take effect.

8.6.7. Configuring an NFSv4-only Server

By default, the NFS server supports NFSv2, NFSv3, and NFSv4 connections in Red Hat Enterprise Linux 7. However, you can also configure NFS to support only NFS version 4.0 and later. This minimizes the number of open ports and running services on the system, because NFSv4 does not require the rpcbind service to listen on the network.

When your NFS server is configured as NFSv4-only, clients attempting to mount shares using NFSv2 or NFSv3 fail with an error like the following:

Requested NFS version or transport protocol is not supported.

Procedure 8.2. Configuring an NFSv4-only Server

To configure your NFS server to support only NFS version 4.0 and later:

1. Disable NFSv2, NFSv3, and UDP by adding the following line to the /etc/sysconfig/nfs configuration file:

   RPCNFSDARGS="-N 2 -N 3 -U"
   

2. Optionally, disable listening for the RPCBIND, MOUNT, and NSM protocol calls, which are not necessary in the NFSv4-only case.
   The effects of disabling these options are:
   • Clients that attempt to mount shares from your server using NFSv2 or NFSv3 become unresponsive.
   • The NFS server itself is unable to mount NFSv2 and NFSv3 file systems.
   To disable these options:
   • Add the following to the /etc/sysconfig/nfs file:

     RPCMOUNTDOPTS="-N 2 -N 3"
     

   • Disable related services:

     # systemctl mask --now rpc-statd.service rpcbind.service rpcbind.socket

3. Restart the NFS server:

   # systemctl restart nfs

   The changes take effect as soon as you start or restart the NFS server.

Verifying the NFSv4-only Configuration

You can verify that your NFS server is configured in the NFSv4-only mode by using the netstat utility.

• The following is an example netstat output on an NFSv4-only server; listening for RPCBIND, MOUNT, and NSM is also disabled. Here, nfs is the only listening NFS service:

  # netstat -ltu
  
  Active Internet connections (only servers)
  Proto Recv-Q Send-Q Local Address           Foreign Address         State      
  tcp        0      0 0.0.0.0:nfs             0.0.0.0:*               LISTEN     
  tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN     
  tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN     
  tcp6       0      0 [::]:nfs                [::]:*                  LISTEN     
  tcp6       0      0 [::]:12432              [::]:*                  LISTEN     
  tcp6       0      0 [::]:12434              [::]:*                  LISTEN     
  tcp6       0      0 localhost:7092          [::]:*                  LISTEN     
  tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
  udp        0      0 localhost:323           0.0.0.0:*                          
  udp        0      0 0.0.0.0:bootpc          0.0.0.0:*                          
  udp6       0      0 localhost:323           [::]:*
  

• In comparison, the netstat output before configuring an NFSv4-only server includes the sunrpc and mountd services:

  # netstat -ltu
  
  Active Internet connections (only servers)
  Proto Recv-Q Send-Q Local Address           Foreign Address         State      
  tcp        0      0 0.0.0.0:nfs             0.0.0.0:*               LISTEN     
  tcp        0      0 0.0.0.0:36069           0.0.0.0:*               LISTEN     
  tcp        0      0 0.0.0.0:52364           0.0.0.0:*               LISTEN     
  tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN     
  tcp        0      0 0.0.0.0:mountd          0.0.0.0:*               LISTEN     
  tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN     
  tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN     
  tcp6       0      0 [::]:34941              [::]:*                  LISTEN     
  tcp6       0      0 [::]:nfs                [::]:*                  LISTEN     
  tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN     
  tcp6       0      0 [::]:mountd             [::]:*                  LISTEN     
  tcp6       0      0 [::]:12432              [::]:*                  LISTEN     
  tcp6       0      0 [::]:56881              [::]:*                  LISTEN     
  tcp6       0      0 [::]:12434              [::]:*                  LISTEN     
  tcp6       0      0 localhost:7092          [::]:*                  LISTEN     
  tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
  udp        0      0 localhost:323           0.0.0.0:*                          
  udp        0      0 0.0.0.0:37190           0.0.0.0:*                          
  udp        0      0 0.0.0.0:876             0.0.0.0:*                          
  udp        0      0 localhost:877           0.0.0.0:*                          
  udp        0      0 0.0.0.0:mountd          0.0.0.0:*                          
  udp        0      0 0.0.0.0:38588           0.0.0.0:*                          
  udp        0      0 0.0.0.0:nfs             0.0.0.0:*                          
  udp        0      0 0.0.0.0:bootpc          0.0.0.0:*                          
  udp        0      0 0.0.0.0:sunrpc          0.0.0.0:*                          
  udp6       0      0 localhost:323           [::]:*                             
  udp6       0      0 [::]:57683              [::]:*                             
  udp6       0      0 [::]:876                [::]:*                             
  udp6       0      0 [::]:mountd             [::]:*                             
  udp6       0      0 [::]:40874              [::]:*                             
  udp6       0      0 [::]:nfs                [::]:*                             
  udp6       0      0 [::]:sunrpc             [::]:*