Installing NFS on CentOS 6.2

This is a how to install the NFS service on a Linux CentOS 6.2 box and making it accessible to others. The scenario is the following:

• Grant read-only access to the /home/public directory to all networks
• Grant read/write access to the /home/common directory to all networks 

At the end of this guide you will get:

• A running NFS server with various LAN shared directories
• A active set of firewall rules allowing the access to NFS ports
• A permanently mounted NFS shared on a CentOS / Ubuntu client     

I assume you already have:

• a fresh running Linux CentOS 6.2 server 
• a sudoer user, named bozz on this guide
• an accessible RPM repository / mirror
• a Linux client with CentOS / Ubuntu

Steps

1. Login as bozz user on the server
2. Check if rpcbind is installed:

$ rpm -q rpcbind
rpcbind-0.2.0-8.el6.x86_64

if not, install it:

$ sudo yum install rpcbind

3. Install NFS-related packages:

$ sudo yum install nfs-utils nfs-utils-lib

4. Once installed, configure the nfs, nfslock and rpcbind to run as daemons:

$ sudo chkconfig --level 35 nfs on
$ sudo chkconfig --level 35 nfslock on 
$ sudo chkconfig --level 35 rpcbind on

then start the rpcbind and nfs daemons:

$ sudo service rpcbind start
$ sudo service nfslock start 
$ sudo service nfs start 

NFS daemons
• rpcbind: (portmap in older versions of Linux) the primary daemon upon which all the others rely, rpcbind manages connections for applications that use the RPC specification. By default, rpcbind listens to TCP port 111 on which an initial connection is made. This is then used to negotiate a range of TCP ports, usually above port 1024, to be used for subsequent data transfers. You need to run rpcbind on both the NFS server and client. 
• nfs: starts the RPC processes needed to serve shared NFS file systems. The nfs daemon needs to be run on the NFS server only. 
• nfslock: Used to allow NFS clients to lock files on the server via RPC processes. The nfslock daemon needs to be run on both the NFS server and client.


5. Test whether NFS is running correctly with the rpcinfo command. You should get a listing of running RPC programs that must include mountd, portmapper, nfs, and nlockmgr:



$ rpcinfo -p localhost
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  40481  status
    100024    1   tcp  49796  status
    100011    1   udp    875  rquotad
    100011    2   udp    875  rquotad
    100011    1   tcp    875  rquotad
    100011    2   tcp    875  rquotad
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    2   tcp   2049  nfs_acl
    100227    3   tcp   2049  nfs_acl
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100227    2   udp   2049  nfs_acl
    100227    3   udp   2049  nfs_acl
    100021    1   udp  32769  nlockmgr
    100021    3   udp  32769  nlockmgr
    100021    4   udp  32769  nlockmgr
    100021    1   tcp  32803  nlockmgr
    100021    3   tcp  32803  nlockmgr
    100021    4   tcp  32803  nlockmgr
    100005    1   udp    892  mountd
    100005    1   tcp    892  mountd
    100005    2   udp    892  mountd
    100005    2   tcp    892  mountd
    100005    3   udp    892  mountd
    100005    3   tcp    892  mountd




6. The /etc/exports file is the main NFS configuration file, and it consists of two columns. The first column lists the directories you want to make available to the network. The second column has two parts. The first part lists the networks or DNS domains that can get access to the directory, and the second part lists NFS options in brackets. Edit /etc/exports and append the desired shares:

$ sudo nano /etc/exports

then append:


/home/public *(ro,sync,all_squash)
/home/common *(rw,sync,all_squash)

• /home/public: directory to share  with read-only access to all networks
• /home/common: directory to share with read/write access to all networks
• *: allow access from all networks
• ro: read-only access
• rw: read/write access 
• sync: synchronous access 
• root_squash: prevents root users connected remotely from having root privileges and assigns them the user ID for the user nfsnobody. This effectively "squashes" the power of the remote root user to the lowest local user, preventing unauthorized alteration of files on the remote server. Alternatively, the no_root_squash option turns off root squashing. To squash every remote user, including root, use the all_squash option. To specify the user and group IDs to use with remote users from a particular host, use the anonuid and anongid options, respectively. In this case, a special user account can be created for remote NFS users to share and specify (anonuid=,anongid=), where is the user ID number and is the group ID number.


7. Create the directories to be published with the correct permissions:

$ sudo mkdir -p /home/public
$ sudo chown nfsnobody:nfsnobody /home/public
$ sudo mkdir -p /home/common
$ sudo chown nfsnobody:nfsnobody /home/common

it should end like this:

$ ls -l /home/
...
drwxr-xr-x. 2 nfsnobody nfsnobody  4096 Feb 20 12:55 common
drwxr-xr-x. 7 nfsnobody nfsnobody  4096 Feb 17 14:44 public

8. [OPTIONAL] Allow bozz user to locally write on the created directories by appending it  to nfsnobody group and granting write permissions to the group:

$ sudo usermod -a -G nfsnobody bozz
$ sudo chmod g+w /home/public
$ sudo chmod g+w /home/common

it should end like this:

$ ls -l /home/
...
drwxrwxr-x. 2 nfsnobody nfsnobody  4096 Feb 20 12:40 common
drwxrwxr-x. 7 nfsnobody nfsnobody  4096 Feb 17 14:44 public

9. Security issues. To allow remote access some firewall rules and other NFS settings must be changed. You need to open the following ports:
• TCP/UDP 111 - RPC 4.0 portmapper
• TCP/UDP 2049 - NFSD (nfs server)
• Portmap static ports, Various TCP/UDP ports defined in /etc/sysconfig/nfs file.
the portmapper assigns each NFS service to a port dynamically at service startup time, but dynamic ports cannot be protected by iptables. First, you need to configure NFS services to use fixed ports. Edit /etc/sysconfig/nfs, enter:

$ sudo nano /etc/sysconfig/nfs

and set:

LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
RQUOTAD_PORT=875
STATD_PORT=662
STATD_OUTGOING_PORT=2020

then restart nfs daemons:

$ sudo service rpcbind restart
$ sudo service nfs restart

update iptables rules by editing /etc/sysconfig/iptables, enter:

$ sudo nano /etc/sysconfig/iptables

and append the following rules:

-A INPUT -s 0.0.0.0/0 -m state --state NEW -p udp --dport 111 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -m state --state NEW -p tcp --dport 111 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -m state --state NEW -p tcp --dport 2049 -j ACCEPT
-A INPUT -s 0.0.0.0/0  -m state --state NEW -p tcp --dport 32803 -j ACCEPT
-A INPUT -s 0.0.0.0/0  -m state --state NEW -p udp --dport 32769 -j ACCEPT
-A INPUT -s 0.0.0.0/0  -m state --state NEW -p tcp --dport 892 -j ACCEPT
-A INPUT -s 0.0.0.0/0  -m state --state NEW -p udp --dport 892 -j ACCEPT
-A INPUT -s 0.0.0.0/0  -m state --state NEW -p tcp --dport 875 -j ACCEPT
-A INPUT -s 0.0.0.0/0  -m state --state NEW -p udp --dport 875 -j ACCEPT
-A INPUT -s 0.0.0.0/0  -m state --state NEW -p tcp --dport 662 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -m state --state NEW -p udp --dport 662 -j ACCEPT

restart iptables daemon:

$ sudo service iptables restart

10. Mount NFS shared directories: Install client NFS packages first:
  on Ubuntu client:

$ sudo apt-get install nfs-common

on CentOS client:

$ sudo yum install nfs-utils nfs-utils-lib

inquiry for the list of all shared directories:

$ showmount -e SERVERADDRESS

mount server's /home/public on client's /public:

$ sudo mkdir -p /public
$ sudo mount SERVERADDRESS:/home/public /public
$ df -h

mount server's /home/common on client's /common:

$ sudo mkdir -p /common
$ sudo mount SERVERADDRESS:/home/common /common
$ df -h

11. Mount NFS automatically after reboot on the client. Edit /etc/fstab, enter:

$ sudo nano /etc/fstab

append the following line:

#Directory                   Mount Point    Type   Options       Dump   FSCK
SERVER_IP_ADDRESS:/home/public /public nfs hard 0 0
SERVER_IP_ADDRESS:/home/common /common nfs hard 0 0

to test the correctness of /etc/fstab before restarting, you can try to manually mount /public and /common:

$ sudo mount /public
$ sudo mount /common

References

• Linux Iptables Allow NFS Clients to Access the NFS Server 
• Remote disk access with NFS
• NFS Client configuration