Setup Linux NFS Server
The information in this guide was provided by DigitalOcean. You can view the original tutorial here: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nfs-mount-on-ubuntu-16-04
If you are running a newer version of Ubuntu, please see the link above. From their dropdown menu, select the version you have.
Getting Started
There are some basic initial requirements:
You have access to SSH into the Ubuntu host/server
You have the admin password for the NFS server
The tutorial indicates the use of two servers (one will share part of its filesystem with the other). In our case, we just need one, Host. Before you get started, note the below:
System | Role |
---|---|
Rayfin | Acts as the client looking to connect to the server’s network share. |
Ubuntu Host/Server | Provides a network location to store files. |
Downloading and Installing Components
What is an NFS server?
The NFS kernel server is currently the recommended NFS server for use with Linux, with features such as NFSv3 and NFSv4, Kerberos support via GSS, and more.
It is also significantly faster and usually more reliable than the user-space NFS servers (from the unfs3 and nfs-user-server packages). However, it is more difficult to debug than the user-space servers, and has a slightly different feature set.
We will install the nfs-kernel-server package, which will allow us to share our directories. Since this is the first operation that we’re performing with apt in this session, we’ll refresh our local package index before the installation:
sudo apt-get update
sudo apt-get install nfs-kernel-server
Creating the Share Directories on the Host
Superusers can do anything anywhere on their system. However, NFS-mounted directories are not part of the system on which they are mounted, so by default, the NFS server refuses to perform operations that require superuser privileges. This default restriction means that superusers on the client cannot write files as root, re-assign ownership, or perform any other superuser tasks on the NFS mount.
You can run commands directly as the superuser by typing the command sudo su or sudo -i. If you work directly in superuser mode, be careful and only run commands whose effects you understand.
The online tutorial will talk about two methods of creating a mounting point. The method we are walking through allows you to select anywhere on the disk to make a share.
General Purpose Mount
This section creates a general-purpose NFS mount that uses default NFS behavior to make it difficult for a user with root privileges on the client machine to interact with the host using those client superuser privileges. You might use something like this to store the files uploaded using a content management system or to create space for users to easily share project files.
First, make a share directory called nfs:
sudo mkdir /var/nfs/general -p
The above example shows nfs as the folder name but you can rename it to whatever you want.
For command reference, you can type mkdir --help.
The -p in the command is for “-p, --parents.. no error if existing, make parent directories as needed”
Since we’re creating it with sudo, the directory is owned by root here on the host.
ls -la /var/nfs/general
Output
4 drwxr-xr-x 2 root root 4096 Jul 25 15:26 .
NFS will translate any root operations on the client to the nobody:nogroup credentials as a security measure. Therefore, we need to change the directory ownership to match those credentials.
sudo chown nobody:nogroup /var/nfs/general
This directory is now ready for export.
Configuring the NFS Exports on the Host Server
Next, we’ll dive into the NFS configuration file to set up the sharing of these resources.
Open the /etc/exports file in your text editor with root privileges:
sudo nano /etc/exports
The file has comments showing the general structure of each configuration line. The syntax is basically:
/etc/exports
directory_to_share client(share_option1,...,share_optionN)
We’ll need to create a line for each of the directories that we plan to share. If our example client has an IP of 203.0.113.256, our lines will look like the following. Be sure to change the IPs to match your client:
/etc/exports
/var/nfs/general 203.0.113.256(rw,sync,no_subtree_check)
/home 203.0.113.256(rw,sync,no_root_squash,no_subtree_check)
A static IP is being typed into a config file above. A client with IP 203.0.113.256 will be the only one allowed to access the nfs/general folder. If you wish to grant access to everyone on the local network (LAN), specify the subnet of the network.
Example: /var/nfs/general 192.168.0.0/24(rw,sync,no_subtree_check)
We’re using the same configuration options for both directories with the exception of no_root_squash. Let’s take a look at what each one means.
rw: This option gives the client computer both read and write access to the volume.
sync: This option forces NFS to write changes to disk before replying. This results in a more stable and consistent environment since the reply reflects the actual state of the remote volume. However, it also reduces the speed of file operations.
no_subtree_check: This option prevents subtree checking, which is a process where the host must check whether the file is actually still available in the exported tree for every request. This can cause many problems when a file is renamed while the client has it opened. In almost all cases, it is better to disable subtree checking.
no_root_squash: By default, NFS translates requests from a root user remotely into a non-privileged user on the server. This was intended as a security feature to prevent a root account on the client from using the file system of the host as root. no_root_squash disables this behavior for certain shares.
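A review pass over /etc/exports before restarting the server, as an added example that is not part of the original tutorial. The sample file, the finding names and the function names are constructed for illustration; 203.0.113.24 is a made-up client address, and the tutorial's placeholder 203.0.113.256 is kept on the last line because its final octet is out of range.

```python
import ipaddress
import re

# Constructed sample in /etc/exports syntax (not a real host's file).
SAMPLE_EXPORTS = """\
# directory_to_share client(share_option1,...,share_optionN)
/var/nfs/general 203.0.113.24(rw,sync,no_subtree_check)
/home            203.0.113.24(rw,sync,no_root_squash,no_subtree_check)
/srv/media       192.168.0.0/24(rw,sync,no_subtree_check) *(ro)
/srv/backup      203.0.113.24 (rw,sync)
/srv/scratch     203.0.113.256(rw,sync)
"""

# One token per client: "host(opts)", bare "host", or bare "(opts)".
TOKEN = re.compile(r"([^\s()]*)\(([^)]*)\)|([^\s()]+)")

def parse_exports(text):
    """Yield (lineno, directory, client, options) for every client entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split(None, 1)
        if len(fields) < 2:
            continue  # blank line, comment, or directory with no client list
        for host, opts, bare in TOKEN.findall(fields[1]):
            options = {o for o in opts.split(",") if o}
            yield lineno, fields[0], host or bare, options

def audit_exports(text):
    """Return (lineno, directory, client, finding) tuples worth a review."""
    findings = []
    for lineno, directory, client, options in parse_exports(text):
        def flag(name):
            findings.append((lineno, directory, client, name))
        if "no_root_squash" in options:
            flag("no_root_squash")          # client root keeps uid 0 on the host
        if client == "":
            flag("options-without-client")  # "host (rw)": space before "("
        elif client == "*":
            flag("wildcard-client")         # any host may mount this export
        elif re.fullmatch(r"[\d./]+", client):
            try:
                ipaddress.ip_network(client, strict=False)
            except ValueError:
                flag("invalid-ip")          # e.g. an octet above 255
    return findings

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print("line %d: %s %r -> %s" % finding)
```

To check a real host, pass the contents of /etc/exports to audit_exports() and review each finding before running the restart command.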
When you are finished making your changes, save and close the file. Then, to make the shares available to the clients that you configured, restart the NFS server with the following command:
sudo systemctl restart nfs-kernel-server
Before you can actually use the new shares, you’ll need to make sure that traffic to the shares is permitted by firewall rules.
Adjusting the Firewall on the Host
First, let’s check the firewall status to see if it’s enabled and if so, what’s currently permitted:
sudo ufw status
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
On our system, only SSH traffic is allowed, so we’ll need to add a rule for NFS traffic.
With many applications, you can use sudo ufw app list and enable them by name, but nfs is not one of those. Because ufw also checks /etc/services for the port and protocol of a service, we can still add NFS by name. Best practice recommends that you enable the most restrictive rule that will still allow the traffic you want to permit, so rather than enabling traffic from just anywhere, we’ll be specific.
Use the following command to open port 2049 on the host, being sure to substitute your client’s IP address:
sudo ufw allow from 203.0.113.256 to any port nfs
You can verify the change by typing:
sudo ufw status
You should see traffic allowed from port 2049 in the output:
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
2049                       ALLOW       203.0.113.256
OpenSSH (v6)               ALLOW       Anywhere (v6)
This confirms that UFW will only allow NFS traffic on port 2049 from our client machine.
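The same confirmation can be scripted so it is repeatable after later firewall changes. This is an added example, not part of the original tutorial: it parses plain `sudo ufw status` output of the form shown above and reports any ALLOW rule for port 2049 whose source is not in an expected set. The sample output, the client address 203.0.113.24 and the function names are constructed for illustration.

```python
import re

# Constructed `sudo ufw status` output; two of the 2049 rules are too broad.
SAMPLE_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
2049                       ALLOW       203.0.113.24
2049/tcp                   ALLOW       192.168.0.0/24
2049                       ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
"""

# Columns are "To", "Action", "From"; the action keyword separates the other two.
RULE = re.compile(
    r"^(?P<to>.+?)\s+(?P<action>ALLOW|DENY|REJECT|LIMIT)\s+(?P<src>.+?)\s*$"
)


def nfs_rules(status_text, port="2049"):
    """Return (to, action, source) for each rule whose target is the NFS port."""
    rules = []
    for line in status_text.splitlines():
        m = RULE.match(line)
        if m and m["to"].split()[0].split("/")[0] == port:
            rules.append((m["to"], m["action"], m["src"]))
    return rules


def check_nfs_firewall(status_text, allowed_sources):
    """Return problems: inactive firewall, or ALLOW rules from other sources."""
    if not re.search(r"^Status: active\s*$", status_text, re.M):
        return ["ufw is not active"]
    problems = []
    for to, action, src in nfs_rules(status_text):
        if action == "ALLOW" and src not in allowed_sources:
            problems.append("%s open to %s" % (to, src))
    return problems


if __name__ == "__main__":
    for problem in check_nfs_firewall(SAMPLE_STATUS, {"203.0.113.24"}):
        print(problem)
```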
Conclusion
Always check with your network administrator on what is already configured and what ports are available. Treat the above as a general guide on how to set up an NFS share in Linux. You may already have a system running another firewall and need to adjust how it is updated and managed.