Thursday, September 3, 2015



How to configure NFS Server in RHEL 6

The Network File System (NFS) protocol allows a Linux client to mount remote file systems and interact with them as if they were mounted locally.
  • NFS was developed by Sun Microsystems in 1980.
  • NFS stands for Network File System.
  • NFS is used to share files and printers between Linux / Unix systems.
  • Red Hat Enterprise Linux 6 supports NFSv2, NFSv3, and NFSv4 clients.
  • By default RHEL6 uses NFSv4 if the server supports it.

NFSv1

NFSv1 was the development stage of the NFS protocol. It was used only for in-house experimental purposes. When a stable version of NFS was ready, the developers decided to release it as the new version of NFS, known as NFSv2.

NFSv2

  • NFSv2 supports only 32-bit file sizes and offsets.
  • NFSv2 only allowed the first 2 GB of a file to be read.
  • NFSv2 operated only over UDP.

NFSv3

  • NFSv3 supports 64-bit file systems.
  • NFSv3 can handle files larger than 2 GB.
  • NFSv3 supports asynchronous writes on the server, which improve write performance.
  • NFSv3 returns additional file attributes in many replies, avoiding the need to re-fetch them.
  • NFSv3 supports the READDIRPLUS operation, which returns file handles and attributes along with file names when scanning a directory.
  • NFSv3 supports TCP. Using TCP as a transport makes NFS over a WAN more feasible.

NFSv4

  • NFSv4 retains all NFSv3 advantages.
  • NFSv4 supports ACLs.
  • NFSv4 uses the virtual file system to present the server's exports.
  • NFSv4 supports a pseudo file system, which provides maximum flexibility: export pathnames on the server can be changed transparently to clients.
  • NFSv4 has locking operations as part of the protocol, which keeps track of open files and delegations.
  • NFSv4 works through firewalls and on the Internet.

RHCE 6 exam objectives covered in this article

  • Provide network shares to specific clients
  • Provide network shares suitable for group collaboration
In this tutorial I will use two systems, Server and linuxclient, from our lab environment. I will configure the NFS server on the Server system and the NFS client on the linuxclient system. If you want to check the network topology used in this article, see the following article: Lab set up for RHCE 6 practice.

Configure NFS Server in RHEL6

Our first task is to install the necessary RPMs. Two RPMs are required for the NFS server:
  • nfs-utils
  • rpcbind

nfs-utils

This is the main RPM, which provides the nfs service.

rpcbind

NFS depends on the Remote Procedure Call (RPC) service, which is controlled by the rpcbind service. In earlier versions of RHEL the portmap service was used to map RPC program numbers to IP address / port number combinations. This service has now been replaced by rpcbind to enable IPv6 support.
If you do not have the above RPMs installed, then install them first. You can use any method to install the RPMs.
"NFS file server" is the primary group associated with NFS. So if you have configured a yum repository, the following command will install the mandatory packages [nfs-utils and nfs4-acl-tools] from that group.
# yum groupinstall "NFS file server"
[screenshot: yum-group-install]
Or alternatively you can use
# yum install nfs* -y
[screenshot: yum-nfs-install]
If you do not have a yum repository, use the rpm command to install these packages. Go into the folder which contains the RPMs (on the RHEL6 installation disk, the Packages folder contains all RPMs) and run the following commands.
# rpm -ivh nfs* --nodeps --force
# rpm -ivh rpcbind* --nodeps --force
[screenshot: rpm-nfs-install]
Our second task is to verify that the NFS packages are installed. This can be done with the following command.
# rpm -qa nfs-utils
Verify that the rpcbind package is installed.
# rpm -qa rpcbind
[screenshot: rpm-qa-nfs]
For this article I assume that you have both packages installed.
The following services are associated with the NFS daemons. Each service has its script stored in the init.d directory.
/etc/init.d/nfs: main control script for the NFS daemons, which controls the NFS services.
/etc/init.d/nfslock: script for lock files and the statd daemon, which locks files and provides the status of files that are currently in use.
/etc/init.d/portreserve: replacement for the portmap script, which was used to set up ports for RPC services.
/etc/init.d/rpcbind: RPC program number converter.
/etc/init.d/rpcgssd: script for RPC-related security services.
/etc/init.d/rpcidmapd: configuration script used for mapping NFS user IDs to LDAP and Kerberos systems.
/etc/init.d/rpcsvcgssd: control script for the server side of RPC-related general security services.
You can start each script directly with the following command:
# /etc/init.d/[script name] start
For example, to start the nfs service:
# /etc/init.d/nfs start
Or you can use the service command to start / stop / restart the service:
# service nfs start
nfs and rpcbind are the compulsory services for the NFS daemons.
Make sure the nfs and rpcbind scripts are active before you configure the NFS server.
Start the services.
[screenshot: service-nfs-start]
Make sure the services remain on after a reboot.
[screenshot: chkconfig-nfs-start]
Check the status of the services; they must be running.
[screenshot: service-nfs-status]

How to configure NFS client on RHEL6

Check the necessary RPMs.
[screenshot: linuxclient-rpm-qa]
Install them if they are missing.
Start the necessary services and verify their status; they must be running.
[screenshot: linuxclient-nfs-status]
Make sure the services remain on after a reboot.
[screenshot: linuxclient-chkconfig-nfs]
Check connectivity with the server.
[screenshot: linuxclient-ping-server]

How to create NFS Share

So far we have set up the NFS server and NFS client with basic configurations. Now create an NFS share on the NFS server and mount it from the NFS client.
On the Server system make a directory /nfs_share and create a test file in it.
[screenshot: mkdir-nfs]
On the server, /etc/exports defines which resources will be available to clients. The /etc/exports file uses the following syntax to share a resource:
[mountpoint] [host]([permissions/options])
Remember there is no space between the [host] field and the [permissions/options] field. If you include a space, you receive a syntax error.
Common mount permission options:
rw: read/write permissions
ro: read-only permissions
insecure: allows client requests from source ports above 1024
sync: specifies that all changes must be written to disk before a command completes
no_wdelay: forces the writing of changes immediately
root_squash: prevents the client's root user from acting as root on the share; its requests are mapped to the anonymous user

NFS Host Entries

/etc/exports supports conventional wildcards, which provide flexibility when specifying hosts.
  • You can use the hostname for hosts within your domain.
  • You need the fully qualified domain name for outside hosts.
  • You can reference all the hosts within a specific domain.
  • You can use * for the host segment, followed by the domain name of the network, such as *.example.com for all the hosts in the example.com network.
  • Instead of a host name, you can also use a single host's IP address.
  • You can use IP network addresses in CIDR format.
  • You can also use an NIS netgroup name to reference a collection of hosts. The NIS netgroup name is preceded by an @ sign.
For example, the following are valid host entries:
directory   host(options)
/nfs_share  *(rw,sync)
/nfs_share  *.example.com(rw,sync)
/nfs_share  192.168.1.10(rw,sync)
/nfs_share  192.168.1.0/255.255.255.0(rw,sync)
/nfs_share  192.168.1.0/24(rw,sync)
/nfs_share  @netgroup(rw,sync)
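The entries above are the host forms exportfs accepts. Two things are worth checking mechanically before an exports file goes live: the space pitfall mentioned earlier (exportfs reads a detached "(rw)" token as a client entry with no host, i.e. every host, while the host before it silently keeps the read-only defaults), and options such as no_root_squash or insecure that widen access. The audit script below is an added example, not code from the original article; it parses exports(5) lines in the format shown above and reports those findings. The sample file, the host linuxclient, the netgroup and all paths except /nfs_share are constructed for the example.

```python
"""Audit /etc/exports entries for the pitfalls described in the text.

Added example, not code from the original article.  It parses the
exports(5) line format "path  host(options) host(options) ..." and flags
options separated from their host by a space, read/write access for
every host, no_root_squash and insecure.  The sample file is constructed.
"""
import re
from dataclasses import dataclass, field

# One client spec: a hostname, wildcard (*.example.com), IP address,
# network (192.168.1.0/24 or with a netmask) or netgroup (@name),
# optionally followed by "(opt,opt,...)" with no space in between.
CLIENT_RE = re.compile(r"^(?P<host>[^()\s]*)(?:\((?P<opts>[^()]*)\))?$")

SAMPLE_EXPORTS = """\
# constructed sample /etc/exports; the first three entries mirror the text
/nfs_share  *(rw,sync)
/srv/data   192.168.1.0/24(rw,sync)
/srv/proj   @netgroup(ro,sync)
/srv/build  linuxclient (rw,sync)
/srv/home   *.example.com(rw,sync,no_root_squash)
"""


@dataclass
class Export:
    path: str
    clients: list = field(default_factory=list)   # (host, [options]) pairs
    warnings: list = field(default_factory=list)


def parse_exports(text):
    """Parse exports(5) text into Export records, noting malformed client specs."""
    exports = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        exp = Export(path=fields[0])
        if len(fields) == 1:
            exp.warnings.append(f"line {lineno}: {exp.path} has no client spec")
        for spec in fields[1:]:
            m = CLIENT_RE.match(spec)
            if m is None:
                exp.warnings.append(f"line {lineno}: malformed client spec {spec!r}")
                continue
            host = m.group("host")
            opts = [o for o in (m.group("opts") or "").split(",") if o]
            if host == "":
                # "host (rw)" was written with a space: this options token has no
                # host of its own, so it applies to every client, not to the host
                # before it (which keeps the read-only defaults).
                exp.warnings.append(
                    f"line {lineno}: options {spec} are separated from their host by a space and apply to all clients")
                host = "*"
            exp.clients.append((host, opts))
        exports.append(exp)
    return exports


def audit(exports):
    """Return human-readable findings for risky entries."""
    findings = []
    for exp in exports:
        findings.extend(exp.warnings)
        for host, opts in exp.clients:
            if host == "*" and "rw" in opts:
                findings.append(f"{exp.path}: read/write for every host")
            if "no_root_squash" in opts:
                findings.append(f"{exp.path}: no_root_squash for {host}, client root keeps root on the export")
            if "insecure" in opts:
                findings.append(f"{exp.path}: insecure for {host}, requests from source ports above 1024 are accepted")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_exports(SAMPLE_EXPORTS)):
        print(finding)
```

Run it against a real file with `audit(parse_exports(open("/etc/exports").read()))`; the /srv/build line in the sample shows why the "no space" rule matters: linuxclient ends up with defaults and the rw grant goes to everyone.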
We will share it globally with read / write options. Open the /etc/exports file.
[screenshot: vi-exports]
Add the following line and save the file.
[screenshot: exports-entry]
Restart the NFS service.
[screenshot: service-nfs-restart]

showmount

The showmount command with the -e option displays shared NFS directories, locally and remotely. To review the export list of an NFS server, add the name / IP address of the NFS server. If this command doesn't work, communication may be blocked by a firewall.
During the exam you may face two common errors in the output of the showmount -e command:
On the NFS server:
clnt_create: RPC: Program not registered
On the NFS client:
clnt_create: RPC: Port mapper failure - Unable to receive: errno 113 (No route to host)
On the server this is generated by the order in which the services were started. In the exam always start / restart the rpcbind service before nfs.
[screenshot: rpc-sloution-on-server]
On the client this is generated by the firewall configured on the NFS server. On the linuxclient system use showmount to list all NFS shares.
[screenshot: linuxclient-showmount-error]
clnt_create: RPC: Port mapper failure - Unable to receive: errno 113 (No route to host)
The showmount -e command returns the above error on the NFS client if the firewall is not properly configured on the NFS server.

Configure IPTABLES rules for NFS Server.

During the RHCE6 exam you may have a system with the iptables firewall enabled. You should know how to allow NFS through the firewall.

NFS port range

In order to allow NFS through the iptables firewall we need to open the following ports:
  • TCP and UDP port 2049 for NFS.
  • TCP and UDP port 111 (rpcbind/sunrpc).
  • TCP and UDP port specified with MOUNTD_PORT="port".
  • TCP and UDP port specified with STATD_PORT="port".
  • TCP port specified with LOCKD_TCPPORT="port".
  • UDP port specified with LOCKD_UDPPORT="port".
NFS requires rpcbind, which dynamically assigns ports to RPC services at startup time. Dynamic ports cannot be protected by iptables, as these ports might change on reboot and make the rules obsolete.
So you need to configure the NFS services to use fixed ports.
Open /etc/sysconfig/nfs.
[screenshot: vi-sysconfig-nfs]
Uncomment the following directives to use the default ports, or change them to unused TCP / UDP ports of your choice, and save the file.
# TCP port rpc.lockd should listen on.
LOCKD_TCPPORT=[port-number]
# UDP port rpc.lockd should listen on.
LOCKD_UDPPORT=[port-number]
# Port rpc.mountd should listen on.
MOUNTD_PORT=[port-number]
# Port rquotad should listen on.
RQUOTAD_PORT=[port-number]
# Port rpc.statd should listen on.
STATD_PORT=[port-number]
# Outgoing port statd should used. The default is port is random
STATD_OUTGOING_PORT=[port-number]
Here is the sample listing with the default port numbers.
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
RQUOTAD_PORT=875
STATD_PORT=662
STATD_OUTGOING_PORT=2020
[screenshot: sysconfig-open-port]
So far we have configured fixed ports for the NFS server; now let's configure the firewall to allow NFS traffic.
Run the setup command.
# setup
Select Firewall configuration.
[screenshot: firewall-config]
Select Customize [make sure the Firewall option remains selected].
[screenshot: customize]
Select NFS4.
[screenshot: firewall-nfs-selected]
Select Forward and press Enter.
[screenshot: other-ports]
Select eth+ and press Enter on the Close button.
[screenshot: firewall-tursted-int]
Select OK and press Enter.
[screenshot: firewall-done-ok]
Select Yes and press Enter.
[screenshot: firewall-warning-yes]
Select Quit and press Enter.
[screenshot: firewall-quit]
Now open the /etc/sysconfig/iptables file.
[screenshot: etc-sysconfig-iptables]
Add the following iptables rules
-A INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 32803 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 32769 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 892 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 892 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 875 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 875 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 662 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 662 -j ACCEPT
[screenshot: iptables-before-entry]
under the rule for port 2049 and save the file.
[screenshot: iptables-after-entry]
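The fixed-port step and the firewall step belong together: every directive left commented out in /etc/sysconfig/nfs is a service that still takes a random RPC port, which no static rule can cover. The script below is an added example, not code from the original article. It reads the port directives from an /etc/sysconfig/nfs-style file, reports any that are still commented out, and generates INPUT rules in the format of the listing above for ports 111, 2049 and each fixed port (LOCKD_TCPPORT gets only a TCP rule and LOCKD_UDPPORT only a UDP rule; STATD_OUTGOING_PORT is an outgoing source port and gets none). The sample file is constructed, and the optional -s restriction to the client network is an addition of this example, not something the article configures.

```python
"""Turn the fixed NFS ports from /etc/sysconfig/nfs into iptables INPUT rules.

Added example, not code from the original article.  It reads the port
directives the text tells you to uncomment, reports any that are still
commented out or missing, and emits ACCEPT rules in the same form as the
/etc/sysconfig/iptables listing.  The optional source-network restriction
and the sample file are constructed for this example.
"""
import re

# Ports that are always fixed: rpcbind/sunrpc and nfsd itself.
STATIC_PORTS = {111: ("tcp", "udp"), 2049: ("tcp", "udp")}

# Directive in /etc/sysconfig/nfs -> transports that need an inbound rule.
# STATD_OUTGOING_PORT is the source port of statd's outgoing calls, so it
# needs no INPUT rule and is deliberately absent here.
PORT_DIRECTIVES = {
    "LOCKD_TCPPORT": ("tcp",),
    "LOCKD_UDPPORT": ("udp",),
    "MOUNTD_PORT": ("tcp", "udp"),
    "STATD_PORT": ("tcp", "udp"),
    "RQUOTAD_PORT": ("tcp", "udp"),
}

# NAME=port or NAME="port", optionally still commented out with a leading '#'.
DIRECTIVE_RE = re.compile(r'^(#\s*)?([A-Z_]+)="?(\d+)"?\s*$')

SAMPLE_SYSCONFIG_NFS = """\
# constructed sample of /etc/sysconfig/nfs after editing; RQUOTAD_PORT left commented
# TCP port rpc.lockd should listen on.
LOCKD_TCPPORT=32803
# UDP port rpc.lockd should listen on.
LOCKD_UDPPORT=32769
# Port rpc.mountd should listen on.
MOUNTD_PORT=892
# Port rquotad should listen on.
#RQUOTAD_PORT=875
# Port rpc.statd should listen on.
STATD_PORT=662
# Outgoing port statd should use.
STATD_OUTGOING_PORT=2020
"""


def parse_sysconfig_nfs(text):
    """Return (fixed, not_fixed): {directive: port} for active directives and the
    sorted names of port directives that are commented out or missing entirely."""
    fixed = {}
    for raw in text.splitlines():
        m = DIRECTIVE_RE.match(raw.strip())
        if m and not m.group(1) and m.group(2) in PORT_DIRECTIVES:
            fixed[m.group(2)] = int(m.group(3))
    not_fixed = sorted(set(PORT_DIRECTIVES) - set(fixed))
    return fixed, not_fixed


def iptables_rules(fixed, source=None):
    """One ACCEPT rule per (port, protocol), optionally limited to a source network."""
    wanted = {port: set(protos) for port, protos in STATIC_PORTS.items()}
    for name, port in fixed.items():
        wanted.setdefault(port, set()).update(PORT_DIRECTIVES[name])
    src = f" -s {source}" if source else ""
    rules = []
    for port in sorted(wanted):
        for proto in ("tcp", "udp"):
            if proto in wanted[port]:
                rules.append(f"-A INPUT{src} -m state --state NEW -m {proto} -p {proto} --dport {port} -j ACCEPT")
    return rules


if __name__ == "__main__":
    fixed, not_fixed = parse_sysconfig_nfs(SAMPLE_SYSCONFIG_NFS)
    for name in not_fixed:
        print(f"# WARNING: {name} is not fixed; its service still takes a random port")
    print("\n".join(iptables_rules(fixed, source="192.168.1.0/24")))
```

On a real host, feed it `open("/etc/sysconfig/nfs").read()` and paste the output above the port 2049 rule as the text describes; the warning line tells you which directive you forgot to uncomment.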

NFS and SELinux

SELinux is an integral part of RHEL6, and directories shared via NFS will not work without proper changes to SELinux.
Important SELinux booleans for NFS:
nfs_export_all_ro: allows NFS to share files and directories as read-only
nfs_export_all_rw: allows NFS to share files and directories as read/write
httpd_use_nfs: allows httpd to access NFS file systems
use_nfs_home_dirs: supports NFS home directories
samba_share_nfs: allows Samba to export NFS volumes
allow_nfsd_anon_write: allows NFS servers to modify public files
allow_ftpd_use_nfs: allows FTP servers to use NFS for public file transfer services
During the exam make sure the SELinux booleans are compatible; specifically, nfs_export_all_ro and nfs_export_all_rw must be set to on.
If the nfs_export_all_ro and nfs_export_all_rw booleans are set to off, change the value.
[screenshot: set-bool]
Verify that the booleans have been changed.
[screenshot: verfiy-bool]
Restart the iptables, rpcbind, and nfs services.
[screenshot: restart-iptables-server]
Now try again to run the showmount -e command on the NFS client.
[screenshot: linuxclient-showmount]
Create a /nfs_tmp directory to mount the NFS share locally.
[screenshot: linuxclient-mkdir-nfstmp]
Mount /nfs_share on the local /nfs_tmp directory.
[screenshot: linuxclient-mount nfs]
Perform read and write operations. You can read, but the write will be denied.
[screenshot: linuxclient-nfs-write-error]
We shared with write permission, yet we still get a permission denied message, because the Linux file permissions on the exported directory still apply on top of the NFS share permission. To fix it:
On the Server system change the file permissions.
[screenshot: chmod-nfs-share]
On the client try again to write; this time it will be permitted.
[screenshot: linuxclient-allowed-write]
Now that we have full file permissions on the nfs_share directory, open the /etc/exports file.
[screenshot: vi-exports]
Change the rw [read, write] share option to ro [read only] and save the file.
[screenshot: nfs-share-ro]
Restart the nfs service, or use the exportfs command to manually export any new resources added to the /etc/exports file.
-a: exports all directories
-r: re-exports all directories
-u: unexports directories
-v: shows verbose output
In the real world I would recommend using exportfs to export the directories manually rather than restarting the service, because when you restart the nfs service you also disconnect your NFS clients.
[screenshot: nfs-restart-exportfs]
On the client remount nfs_share.
[screenshot: linuxclient-remount]
Try to perform a write operation. This time you will get a read-only file system error message.
[screenshot: linuxclient-read-only-filesystem]
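The sequence just shown (write denied on an rw export, permitted after chmod, then a read-only file system error after switching to ro) follows from three things: the export's rw/ro option, root squashing, and the Unix mode bits of the exported directory. The model below is an added example, not code from the original article. It is deliberately simplified (no ACLs, no supplementary groups) and assumes the anonymous identity is uid/gid 65534 (nfsnobody on RHEL 6); running it reproduces the three outcomes from the text and shows why client root is denied on a root-owned 0755 directory unless no_root_squash is set.

```python
"""Model how export options, root squashing and directory permissions combine.

Added example, not code from the original article.  It reproduces the
outcomes shown in the text: "Permission denied" from an rw export whose
directory mode grants the squashed user no write bit, success after the
mode is opened up, and "Read-only file system" once the export is ro.
Simplified: no ACLs, no supplementary groups; the anonymous identity is
assumed to be uid/gid 65534 (nfsnobody).
"""
import errno
import stat

ANON_UID = ANON_GID = 65534   # assumed anonymous identity (nfsnobody)


def effective_identity(uid, gid, options):
    """Apply the squash rules: all_squash maps everyone, root_squash (the
    default) maps only uid 0, no_root_squash leaves root untouched."""
    if "all_squash" in options:
        return ANON_UID, ANON_GID
    if uid == 0 and "no_root_squash" not in options:
        return ANON_UID, ANON_GID
    return uid, gid


def check_write(uid, gid, options, dir_uid, dir_gid, dir_mode):
    """Return 0 if creating a file in the exported directory would succeed,
    otherwise the errno the client would see (EROFS=30 or EACCES=13)."""
    if "rw" not in options:            # ro is the exports(5) default
        return errno.EROFS             # "Read-only file system"
    euid, egid = effective_identity(uid, gid, options)
    if euid == 0:                      # only reachable with no_root_squash
        return 0
    if euid == dir_uid:
        needed = stat.S_IWUSR
    elif egid == dir_gid:
        needed = stat.S_IWGRP
    else:
        needed = stat.S_IWOTH
    return 0 if dir_mode & needed else errno.EACCES   # "Permission denied"


def article_sequence():
    """The article's steps: /nfs_share created by root as 0755, client root
    writes (squashed to nfsnobody), then chmod 777, then the export goes ro."""
    root = (0, 0)
    share = dict(dir_uid=0, dir_gid=0, dir_mode=0o755)
    opened = {**share, "dir_mode": 0o777}
    return [
        ("rw export, mode 0755", check_write(*root, ["rw", "sync"], **share)),
        ("rw export, mode 0777", check_write(*root, ["rw", "sync"], **opened)),
        ("ro export, mode 0777", check_write(*root, ["ro", "sync"], **opened)),
    ]


if __name__ == "__main__":
    for label, rc in article_sequence():
        print(f"{label}: {'ok' if rc == 0 else errno.errorcode[rc]}")
```

The chmod 777 used in the walkthrough is the quickest way to get the demonstration working; on a real export, giving the share directory a dedicated group and 0775 (or 2775 with the setgid bit for group collaboration) reaches the same result without letting every squashed client write.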

NFS Tools

During the exam the following commands could be helpful for troubleshooting:
mountstats: shows information about mounted NFS shares
nfsstat: shows statistics of exported resources
nfsiostat: shows statistics of NFS-mounted shares
source : http://computernetworkingnotes.com/network-administration/how-to-configure-nfs-server-in-rhel-6.html
