Setup and mount NFS on Linux
NFS (Network File System) is the standard open protocol used by Linux, Windows, or similar OS as their native network file system. It is an open standard under active extension which supports native Linux permissions and file system features.
CentOS 8 and Ubuntu 20 support NFSv4 (version 4 of the protocol) by default, and fall back automatically to NFSv3 and NFSv2 if that is not available. Version 4 uses the TCP protocol to communicate with the server, while older versions of NFS may use either TCP or UDP.
NFS servers export folders and NFS clients mount an exported share to a local folder. The local folder or mount point must exist.
NFS network shares can be mounted in a number of ways:
a) manually mounting an NFS share using the mount command
b) automatically mounting an NFS share at boot time using /etc/fstab
c) mounting an NFS share on demand through a process known as automounting
Securing file access on NFS shares
NFS servers secure access to files using a number of methods: none, sys, krb5, krb5i, and krb5p. The NFS server can choose to offer a single method or multiple methods for each exported share. NFS clients should connect to the exported share using one of the methods mandated for that share, specified as a mount option sec=method.
NFS security methods
a) none – anonymous access to the files; writes to the server are assigned the UID and GID of nfsnobody
b) sys – file access based on regular Linux file permissions for UID and GID values. This is the default if no method is specified
c) krb5 – Clients should prove identity using Kerberos and then standard Linux file permissions apply
d) krb5i – adds a cryptographically strong guarantee that the data in each request has not been tampered with
e) krb5p – adds encryption to all requests between the client and the server, preventing data exposure on the network. The performance will be impacted
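As an added example (not from the original page), the shell functions below read /etc/fstab-format text and report which of the security methods listed above each NFS entry would use, treating a missing sec= option as sys. The function names, the server name srv and the paths in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the sec= method of NFS entries in fstab-format input.
# Reads stdin; prints "<mountpoint> <method> <protection>" per NFS entry.
nfs_sec_audit() {
    awk '
    $1 ~ /^#/ || NF < 4 { next }                 # skip comments and short lines
    $3 != "nfs" && $3 != "nfs4" { next }         # only NFS file systems
    {
        method = "sys"                           # default when sec= is absent
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] ~ /^sec=/) method = substr(opts[i], 5)
        if (method == "none")       level = "anonymous"
        else if (method == "sys")   level = "uid-gid-only"
        else if (method == "krb5")  level = "authenticated"
        else if (method == "krb5i") level = "authenticated+integrity"
        else if (method == "krb5p") level = "authenticated+integrity+encrypted"
        else                        level = "unknown"   # anything not in the list
        print $2, method, level
    }'
}

# Constructed sample in /etc/fstab format (srv and all paths are placeholders).
sample_fstab() {
    cat <<'EOF'
# device        mountpoint   type  options            dump pass
srv:/share      /mount       nfs   sync               0 0
srv:/public     /mnt/public  nfs   ro,sec=none        0 0
srv:/home       /mnt/home    nfs4  rw,sec=krb5p,sync  0 0
srv:/projects   /mnt/proj    nfs   sec=krb5i          0 0
/dev/sda1       /boot        ext4  defaults           0 2
EOF
}

# List only the mount points that do not use Kerberos at all.
nfs_weak_mounts() {
    nfs_sec_audit | awk '$2 == "none" || $2 == "sys" { print $1 }'
}

sample_fstab | nfs_sec_audit
```

To check a real system, feed it the live file instead of the sample: `nfs_sec_audit < /etc/fstab`.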
NFS uses the nfs-secure service to help negotiate and manage communication with the server when connecting to Kerberos-secured shares. It must be running to use the secured NFS shares; start and enable it to ensure it is always available.
The nfs-secure service is part of the nfs-utils package, which should be available by default. If it is not installed, please run:
How to mount the NFS share
There are 3 general steps to mounting the remote NFS folder:
1) Identify: The user for the NFS server can provide export details, including system requirements. Alternatively:
NFSv4 shares could be identified by mounting the root folder of the NFS server and exploring the exported directories. Use root permissions. Access to shares that are using Kerberos security will be rejected, but the remote folder name will be visible. Other share folders will be browsable.
# mkdir /mount
# mount srv:/ /mount
# ls /mount
2) Mount point: Use mkdir to create a mount folder in a suitable location.
# mkdir -p /mount
3) Mount: There are 2 choices here: manually, or permanently in the /etc/fstab file. Switch to root or use sudo for these operations.
You can use the mount command manually.
# mount -t nfs -o sync srv:/share /mount
The -t nfs option specifies the file system type for NFS shares (not strictly required, shown for completeness). The -o sync option tells mount to immediately synchronize write operations with the NFS server (the default is asynchronous). The default security method (sys) is used to try mounting the NFS share, using regular Linux file permissions.
Use the text editor to edit the /etc/fstab file and add the mount entry to the bottom of the file. The NFS share will be mounted automatically.
Use umount, with root privileges, to manually unmount the share.
# umount /mount