8.6. Configuring the NFS Server | Red Hat Product Documentation (2024)

• Blank lines are ignored.

• To add a comment, start a line with the hash mark (#).

• You can wrap long lines with a backslash (\).

• Each exported file system should be on its own individual line.

• Any lists of authorized hosts placed after an exported file system must be separated by space characters.

• Options for each of the hosts must be placed in parentheses directly after the host identifier, without any spaces separating the host and the first parenthesis.

export

The directory being exported

host

The host or network to which the export is being shared

options

The options to be used for host

For information on different methods for specifying hostnames, see Section8.6.5, “Hostname Formats”.

Example8.6.The /etc/exports File

/exported/directory bob.example.com

ro

The exported file system is read-only. Remote hosts cannot change the data shared on the file system. To allow hosts to make changes to the file system (that is, read and write), specify the rw option.

sync

The NFS server will not reply to requests before changes made by previous requests are written to disk. To enable asynchronous writes instead, specify the option async.

wdelay

The NFS server will delay writing to the disk if it suspects another write request is imminent. This can improve performance as it reduces the number of times the disk must be accessed by separate write commands, thereby reducing write overhead. To disable this, specify the no_wdelay. no_wdelay is only available if the default sync option is also specified.

root_squash

This prevents root users connected remotely (as opposed to locally) from having root privileges; instead, the NFS server assigns them the user ID nfsnobody. This effectively "squashes" the power of the remote root user to the lowest local user, preventing possible unauthorized writes on the remote server. To disable root squashing, specify no_root_squash.

Important

/home bob.example.com(rw)/home bob.example.com (rw)

-r

Causes all directories listed in /etc/exports to be exported by constructing a new export list in /var/lib/nfs/etab. This option effectively refreshes the export list with any changes made to /etc/exports.

-a

Causes all directories to be exported or unexported, depending on what other options are passed to /usr/sbin/exportfs. If no other options are specified, /usr/sbin/exportfs exports all file systems specified in /etc/exports.

-o file-systems

Specifies directories to be exported that are not listed in /etc/exports. Replace file-systems with additional file systems to be exported. These file systems must be formatted in the same way they are specified in /etc/exports. This option is often used to test an exported file system before adding it permanently to the list of file systems to be exported. For more information on /etc/exports syntax, see Section8.6.1, “The /etc/exports Configuration File”.

-i

Ignores /etc/exports; only options given from the command line are used to define exported file systems.

-u

Unexports all shared directories. The command /usr/sbin/exportfs -ua suspends NFS file sharing while keeping all NFS daemons up. To re-enable NFS sharing, use exportfs -r.

-v

Verbose operation, where the file systems being exported or unexported are displayed in greater detail when the exportfs command is executed.

In RedHat EnterpriseLinux7, no extra steps are required to configure NFSv4 exports as any filesystems mentioned are automatically available to NFSv3 and NFSv4 clients using the same path. This was not the case in previous versions.

To prevent clients from using NFSv4, turn it off by setting RPCNFSDARGS= -N 4 in /etc/sysconfig/nfs.

RPCMOUNTDOPTS="-p port"

This adds "-p port" to the rpc.mount command line: rpc.mount -p port.

If NFS fails to start, check /var/log/messages. Commonly, NFS fails to start if you specify a port number that is already in use. After editing /etc/sysconfig/nfs, you need to restart the nfs-config service for the new values to take effect in RedHat EnterpriseLinux7.2 and prior by running:

#  systemctl restart nfs-config

Then, restart the NFS server:

#  systemctl restart nfs-server

Run rpcinfo -p to confirm the changes have taken effect.

Note

There are two ways to discover which file systems an NFS server exports.

On servers that support both NFSv4 and NFSv3, both methods work and give the same results.

Procedure8.1.Making RPC Quota Accessible Behind a Firewall

1. To enable the rpc-rquotad service, use the following command:

   # systemctl enable rpc-rquotad 

2. To start the rpc-rquotad service, use the following command:

   # systemctl start rpc-rquotad 

   Note that rpc-rquotad is, if enabled, started automatically after starting the nfs-server service.

3. To make the quota RPC service accessible behind a firewall, UDP or TCP port 875 need to be open. The default port number is defined in the /etc/services file.

   You can override the default port number by appending -p port-number to the RPCRQUOTADOPTS variable in the /etc/sysconfig/rpc-rquotad file.

4. Restart rpc-rquotad for changes in the /etc/sysconfig/rpc-rquotad file to take effect:

   # systemctl restart rpc-rquotad

Restart rpc-rquotad for changes in the /etc/sysconfig/rpc-rquotad file to take effect:

# systemctl restart rpc-rquotad

Single machine

A fully-qualified domain name (that can be resolved by the server), hostname (that can be resolved by the server), or an IP address.

Series of machines specified with wildcards

Use the * or ? character to specify a string match. Wildcards are not to be used with IP addresses; however, they may accidentally work if reverse DNS lookups fail. When specifying wildcards in fully qualified domain names, dots (.) are not included in the wildcard. For example, *.example.com includes one.example.com but does not include one.two.example.com.

IP networks

Use a.b.c.d/z, where a.b.c.d is the network and z is the number of bits in the netmask (for example 192.168.0.0/24). Another acceptable format is a.b.c.d/netmask, where a.b.c.d is the network and netmask is the netmask (for example, 192.168.100.8/255.255.255.0).

Netgroups

Use the format @group-name, where group-name is the NIS netgroup name.

1. Install the rdma and rdma-core packages.

   The /etc/rdma/rdma.conf file contains a line that sets XPRTRDMA_LOAD=yes by default, which requests the rdma service to load the NFSoRDMA client module.

2. To enable automatic loading of NFSoRDMA server modules, add SVCRDMA_LOAD=yes on a new line in /etc/rdma/rdma.conf.

   RPCNFSDARGS="--rdma=20049" in the /etc/sysconfig/nfs file specifies the port number on which the NFSoRDMA service listens for clients. RFC 5667 specifies that servers must listen on port 20049 when providing NFSv4 services over RDMA.

3. Restart the nfs service after editing the /etc/rdma/rdma.conf file:

   # systemctl restart nfs

   Note that with earlier kernel versions, a system reboot is needed after editing /etc/rdma/rdma.conf for the changes to take effect.

Procedure8.2.Configuring an NFSv4-only Server

To configure your NFS server to support only NFS version 4.0 and later:

1. Disable NFSv2, NFSv3, and UDP by adding the following line to the /etc/sysconfig/nfs configuration file:

   RPCNFSDARGS="-N 2 -N 3 -U"

2. Optionally, disable listening for the RPCBIND, MOUNT, and NSM protocol calls, which are not necessary in the NFSv4-only case.

   The effects of disabling these options are:

   • Clients that attempt to mount shares from your server using NFSv2 or NFSv3 become unresponsive.

   • The NFS server itself is unable to mount NFSv2 and NFSv3 file systems.

   To disable these options:

   • Add the following to the /etc/sysconfig/nfs file:

     RPCMOUNTDOPTS="-N 2 -N 3"

   • Disable related services:

     # systemctl mask --now rpc-statd.service rpcbind.service rpcbind.socket

3. Restart the NFS server:

   # systemctl restart nfs

   The changes take effect as soon as you start or restart the NFS server.

You can verify that your NFS server is configured in the NFSv4-only mode by using the netstat utility.