Monday, February 20, 2012

Installing NFS on CentOS 6.2

This is a how to install the NFS service on a Linux CentOS 6.2 box and making it accessible to others. The scenario is the following:
  • Grant read-only access to the /home/public directory to all networks
  • Grant read/write access to the /home/common directory to all networks 
At the end of this guide you will get:
  • A running NFS server with various LAN shared directories
  • A active set of firewall rules allowing the access to NFS ports
  • A permanently mounted NFS shared on a CentOS / Ubuntu client     
I assume you already have:

  • a fresh running Linux CentOS 6.2 server 
  • a sudoer user, named bozz on this guide
  • an accessible RPM repository / mirror
  • a Linux client with CentOS / Ubuntu

Steps

  1. Login as bozz user on the server
  2. Check if rpcbind is installed:
  3. $ rpm -q rpcbind
    rpcbind-0.2.0-8.el6.x86_64
    
    if not, install it:
    $ sudo yum install rpcbind
    
  4. Install NFS-related packages:
  5. $ sudo yum install nfs-utils nfs-utils-lib
    
  6. Once installed, configure the nfs, nfslock and rpcbind to run as daemons:
  7. $ sudo chkconfig --level 35 nfs on
    $ sudo chkconfig --level 35 nfslock on 
    $ sudo chkconfig --level 35 rpcbind on
    
    then start the rpcbind and nfs daemons:
    $ sudo service rpcbind start
    $ sudo service nfslock start 
    $ sudo service nfs start 
    
    NFS daemons
    • rpcbind: (portmap in older versions of Linux) the primary daemon upon which all the others rely, rpcbind manages connections for applications that use the RPC specification. By default, rpcbind listens to TCP port 111 on which an initial connection is made. This is then used to negotiate a range of TCP ports, usually above port 1024, to be used for subsequent data transfers. You need to run rpcbind on both the NFS server and client. 
    • nfs: starts the RPC processes needed to serve shared NFS file systems. The nfs daemon needs to be run on the NFS server only. 
    • nfslock: Used to allow NFS clients to lock files on the server via RPC processes. The nfslock daemon needs to be run on both the NFS server and client.

  8. Test whether NFS is running correctly with the rpcinfo command. You should get a listing of running RPC programs that must include mountd, portmapper, nfs, and nlockmgr:

  9. $ rpcinfo -p localhost
       program vers proto   port  service
        100000    4   tcp    111  portmapper
        100000    3   tcp    111  portmapper
        100000    2   tcp    111  portmapper
        100000    4   udp    111  portmapper
        100000    3   udp    111  portmapper
        100000    2   udp    111  portmapper
        100024    1   udp  40481  status
        100024    1   tcp  49796  status
        100011    1   udp    875  rquotad
        100011    2   udp    875  rquotad
        100011    1   tcp    875  rquotad
        100011    2   tcp    875  rquotad
        100003    2   tcp   2049  nfs
        100003    3   tcp   2049  nfs
        100003    4   tcp   2049  nfs
        100227    2   tcp   2049  nfs_acl
        100227    3   tcp   2049  nfs_acl
        100003    2   udp   2049  nfs
        100003    3   udp   2049  nfs
        100003    4   udp   2049  nfs
        100227    2   udp   2049  nfs_acl
        100227    3   udp   2049  nfs_acl
        100021    1   udp  32769  nlockmgr
        100021    3   udp  32769  nlockmgr
        100021    4   udp  32769  nlockmgr
        100021    1   tcp  32803  nlockmgr
        100021    3   tcp  32803  nlockmgr
        100021    4   tcp  32803  nlockmgr
        100005    1   udp    892  mountd
        100005    1   tcp    892  mountd
        100005    2   udp    892  mountd
        100005    2   tcp    892  mountd
        100005    3   udp    892  mountd
        100005    3   tcp    892  mountd
    

  10. The /etc/exports file is the main NFS configuration file, and it consists of two columns. The first column lists the directories you want to make available to the network. The second column has two parts. The first part lists the networks or DNS domains that can get access to the directory, and the second part lists NFS options in brackets. Edit /etc/exports and append the desired shares:
  11. $ sudo nano /etc/exports
    
    then append:
    /home/public *(ro,sync,all_squash)
    /home/common *(rw,sync,all_squash)
    
    • /home/public: directory to share  with read-only access to all networks
    • /home/common: directory to share with read/write access to all networks
    • *: allow access from all networks
    • ro: read-only access
    • rw: read/write access 
    • sync: synchronous access 
    • root_squash: prevents root users connected remotely from having root privileges and assigns them the user ID for the user nfsnobody. This effectively "squashes" the power of the remote root user to the lowest local user, preventing unauthorized alteration of files on the remote server. Alternatively, the no_root_squash option turns off root squashing. To squash every remote user, including root, use the all_squash option. To specify the user and group IDs to use with remote users from a particular host, use the anonuid and anongid options, respectively. In this case, a special user account can be created for remote NFS users to share and specify (anonuid=,anongid=), where is the user ID number and is the group ID number.

  12. Create the directories to be published with the correct permissions:
  13. $ sudo mkdir -p /home/public
    $ sudo chown nfsnobody:nfsnobody /home/public
    $ sudo mkdir -p /home/common
    $ sudo chown nfsnobody:nfsnobody /home/common
    
    it should end like this:
    $ ls -l /home/
    ...
    drwxr-xr-x. 2 nfsnobody nfsnobody  4096 Feb 20 12:55 common
    drwxr-xr-x. 7 nfsnobody nfsnobody  4096 Feb 17 14:44 public
    
  14. [OPTIONAL] Allow bozz user to locally write on the created directories by appending it  to nfsnobody group and granting write permissions to the group:
  15. $ sudo usermod -a -G nfsnobody bozz
    $ sudo chmod g+w /home/public
    $ sudo chmod g+w /home/common
    
    it should end like this:
    $ ls -l /home/
    ...
    drwxrwxr-x. 2 nfsnobody nfsnobody  4096 Feb 20 12:40 common
    drwxrwxr-x. 7 nfsnobody nfsnobody  4096 Feb 17 14:44 public
    
  16. Security issues. To allow remote access some firewall rules and other NFS settings must be changed. You need to open the following ports:
    • TCP/UDP 111 - RPC 4.0 portmapper
    • TCP/UDP 2049 - NFSD (nfs server)
    • Portmap static ports, Various TCP/UDP ports defined in /etc/sysconfig/nfs file.
    the portmapper assigns each NFS service to a port dynamically at service startup time, but dynamic ports cannot be protected by iptables. First, you need to configure NFS services to use fixed ports. Edit /etc/sysconfig/nfs, enter:
    $ sudo nano /etc/sysconfig/nfs
    
    and set:
    LOCKD_TCPPORT=32803
    LOCKD_UDPPORT=32769
    MOUNTD_PORT=892
    RQUOTAD_PORT=875
    STATD_PORT=662
    STATD_OUTGOING_PORT=2020
    
    then restart nfs daemons:
    $ sudo service rpcbind restart
    $ sudo service nfs restart
    
    update iptables rules by editing /etc/sysconfig/iptables, enter:
    $ sudo nano /etc/sysconfig/iptables
    and append the following rules:
    -A INPUT -s 0.0.0.0/0 -m state --state NEW -p udp --dport 111 -j ACCEPT
    -A INPUT -s 0.0.0.0/0 -m state --state NEW -p tcp --dport 111 -j ACCEPT
    -A INPUT -s 0.0.0.0/0 -m state --state NEW -p tcp --dport 2049 -j ACCEPT
    -A INPUT -s 0.0.0.0/0  -m state --state NEW -p tcp --dport 32803 -j ACCEPT
    -A INPUT -s 0.0.0.0/0  -m state --state NEW -p udp --dport 32769 -j ACCEPT
    -A INPUT -s 0.0.0.0/0  -m state --state NEW -p tcp --dport 892 -j ACCEPT
    -A INPUT -s 0.0.0.0/0  -m state --state NEW -p udp --dport 892 -j ACCEPT
    -A INPUT -s 0.0.0.0/0  -m state --state NEW -p tcp --dport 875 -j ACCEPT
    -A INPUT -s 0.0.0.0/0  -m state --state NEW -p udp --dport 875 -j ACCEPT
    -A INPUT -s 0.0.0.0/0  -m state --state NEW -p tcp --dport 662 -j ACCEPT
    -A INPUT -s 0.0.0.0/0 -m state --state NEW -p udp --dport 662 -j ACCEPT
    
    restart iptables daemon:
    $ sudo service iptables restart
    
  17. Mount NFS shared directories: Install client NFS packages first:
  18.   on Ubuntu client:
    $ sudo apt-get install nfs-common
    
    on CentOS client:
    $ sudo yum install nfs-utils nfs-utils-lib
    
    inquiry for the list of all shared directories:
    $ showmount -e SERVERADDRESS
    
    mount server's /home/public on client's /public:
    $ sudo mkdir -p /public
    $ sudo mount SERVERADDRESS:/home/public /public
    $ df -h
    
    mount server's /home/common on client's /common:
    $ sudo mkdir -p /common
    $ sudo mount SERVERADDRESS:/home/common /common
    $ df -h
    
  19. Mount NFS automatically after reboot on the client. Edit /etc/fstab, enter:
  20. $ sudo nano /etc/fstab
    
    append the following line:
    #Directory                   Mount Point    Type   Options       Dump   FSCK
    SERVER_IP_ADDRESS:/home/public /public nfs hard 0 0
    SERVER_IP_ADDRESS:/home/common /common nfs hard 0 0
    
    to test the correctness of /etc/fstab before restarting, you can try to manually mount /public and /common:
    $ sudo mount /public
    $ sudo mount /common

References

22 comments:

  1. Great guide. I wish I had this around the first time I had to setup NFS 2 years ago. Saved me tonight needed to migrate to a new server!

    ReplyDelete
  2. I really appreciate all the feedback. Feel free to send any suggestion and/or improvement.
    Regards
    Ed

    ReplyDelete
  3. Eduardo, your guide is great but it does not work in my CentOS 6.2 machine. When I run sudo service nfs start I get "FATAL: Could not load /lib/modules/3.2.13-grsec-xxxx-grs-ipv6-64/modules.dep" I have been told that my kernel is not modular, but I don't know how to fix this, any advise?

    ReplyDelete
  4. It seems to be that your modules.dep archive is missing or corrupted, you should first try to rebuild it using depmod, login as root and try:

    $ depmod -a

    WRT non modular Kernel. It sounds strange indeed at least you had modified it (recompiled) forgetting some features. There is featured called "[ ] Enable loadable module support " that needs to be marked in Kernel compilation if you want to support dynamic loading of modules. Verify it!

    ReplyDelete
  5. Thank you very much: very good guide!

    ReplyDelete
  6. Hello Ed, I could mount exported file system, but when I tried to copy some files using midnight commander receiver error message:"Cannot change owner target directory /dir_name"
    Also using cp command some files could copy, but for some directories received message "cp: ommiting directory dir_name"
    Could you please help me with this?
    Thanks in advance..
    Nebojsa

    ReplyDelete
    Replies
    1. Hi:

      What's your client environment WRT your server environment? Sometimes the numerical ids of users and groups differs between different Linux distributions, and this fact matters.

      For example:

      - On my CentOS NFS Server:

      $ id nfsnobody
      uid=65534(nfsnobody) gid=65534(nfsnobody) groups=65534(nfsnobody)

      - On my Ubuntu client:

      $ id nobody
      uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)

      when /home/common gets mounted via :

      $ sudo mount biobox:/home/common /mnt

      if I issue:

      $ touch /mnt/sample

      and then list:

      $ ls -lh /mnt/
      total 0
      -rw-rw-r-- 1 nobody nogroup 0 Jul 13 12:15 sample

      - But in my CentOS server its using a different name even with the same numerical id:

      $ ls -lh /home/common/
      total 0
      -rw-rw-r--. 1 nfsnobody nfsnobody 0 Jul 13 12:15 sample

      Therefore my conclusion is: Ensure that you have permissions in the client and server sides on theses paths using the corresponding ids. Remember that NFS is just another filesystem.

      Also notice that NFS using "all_squash" tries to operate in the shared paths with the "nfsnobody" credentials.

      Thanks for the feedback...

      Delete
  7. Hi,

    I am a totally new to this. This guide is good and helpful.
    But I got stuck at this one place. My client is centos 5.8 and host is centos 6.2. 192.168.74.132(Host) 192.168.74.138(Client). I followed the exact steps as u mentioned in this blog post.

    ## mount command gives this error
    $ sudo mount 192.168.1.32:/home/public /home/public
    mount.nfs: Input/output error

    ## My Log at Host shows:
    Jul 12 15:38:54 localhost rpc.mountd[2546]: authenticated mount request from 192.168.74.138:851 for /home/public (/home/public)

    ## showmount output at clients side is as follows
    $ showmount -e 192.168.74.132
    Export list for 192.168.74.132:
    /home/common *
    /home/public *

    Can you help me ?

    ReplyDelete
  8. Well Thanks, I found it on my own. iptables was creating the issue. I just stopped it. Will configure iptables later. :)

    ReplyDelete
    Replies
    1. I did reproduce the same steps in similar environment (CentOS 5.8) without any errors. Then I did Google a little without but any clue at all.

      So, as you say, It's something you miss for sure (iptables, ...).

      Anyway...

      You are welcome!

      Delete
  9. This helped a lot! I am mounting NFS shares(behind NAT) shared by my Centos running on Oracle VirtualBox on my Windows 7 :)

    I am mounting from my Windows 7.

    Thanks a lot!!!

    ReplyDelete
  10. awesome tutorial ! all doubts cleared after reading this.
    didn't get this clarity in official Centos 6.2 Doc

    ReplyDelete
    Replies
    1. I really appreciate all the feedback. Feel free to send any suggestion and/or improvement.
      Regards
      Ed

      Delete
  11. This comment has been removed by the author.

    ReplyDelete
    Replies
    1. This comment has been removed by the author.

      Delete
  12. Whenever I try to mount it I get this error:

    mount.nfs4: access denied by server while mounting IP:/home/adam/cse/load_data

    This is the command I'm running:

    mount -t nfs4 IP:/home/adam/cse/load_data /home/adam/cse/load_data

    It works whenever I do the command like this:

    mount -t nfs -o vers=3 IP:/home/adam/cse/load_data /home/adam/cse/load_data

    Any idea what the issue is? I'd really like to use NFS 4 and not 3.

    ReplyDelete
  13. Hi, excellent tutorial.

    I am trying to setup nfs between to Cento 6.4 servers. I ran into trouble on the client side at the following step in your procedure:

    showmount -e "nfs-server-IP"

    the Error I get is

    'clnt_create: RPC: Port mapper failure - Unable to receive: errno 113 (no route to host)'

    I can ping the address of the nfs server that I used.. do I also need to work on the iptables on the nfs client?

    any help would be appreciated thanks

    ReplyDelete