---
obj: filesystem
arch-wiki: https://wiki.archlinux.org/title/NFS
wiki: https://en.wikipedia.org/wiki/Network_File_System
rfc: https://datatracker.ietf.org/doc/html/rfc3530
rev: 2024-10-21
---

# NFS

**Network File System (NFS)** is a distributed file system protocol that allows a user to access files over a network much like accessing local storage. **NFSv4**, the latest version of the protocol, offers several improvements over its predecessors, including better performance, security, and management features.

## Server Setup

Install the `nfs-utils` package and start the `nfs-server.service` unit.

### Configuration

To export a filesystem, add it to `/etc/exports`:

```
/directory client_ip(options,...)
```

Example:

```
/srv/nfs 192.168.1.0/24(rw,sync,no_subtree_check)
```

Then re-export everything listed in `/etc/exports`:

```bash
sudo exportfs -ra
```

#### Export Options

In `/etc/exports`, various options can be specified to control access permissions and behavior for the exported filesystems. Here are some of the most common options:

- `rw`: Allows the client to read and write to the shared directory.
- `ro`: Read-only access. The client can only read data from the shared directory.
- `sync`: Ensures data is written to disk before replying to the client. This option improves data safety at the cost of performance.
- `async`: Opposite of `sync`. The server does not wait for data to be written to disk before responding to the client. This improves performance but may lead to data loss in case of a crash.
- `no_root_squash`: By default, NFS maps requests from the root user (uid=0) on the client to the nobody user (uid=65534) on the server for security reasons. With `no_root_squash`, root on the client retains its root privileges on the server.
- `root_squash`: This is the default behavior. It maps requests from root users to the nobody user, which helps to avoid security risks.
- `all_squash`: Maps all user requests to the nobody user, regardless of their identity on the client. This can be useful for environments where access control is strictly managed.
- `anonuid`: Sets the UID of the anonymous user. This option is used with `all_squash` or `root_squash` to specify a different UID than nobody.
- `anongid`: Sets the GID of the anonymous user, similar to `anonuid`.
- `no_subtree_check`: Disables subtree checking. NFS verifies whether the file resides within the exported tree. Disabling this option can improve performance, but at a potential security cost.
- `subtree_check`: Ensures that the client only accesses the files within the exact subtree they are allowed to. This is the default behavior.
- `insecure`: Allows clients to connect from non-privileged ports (i.e., ports higher than 1024).
- `secure`: Ensures clients use privileged ports to connect (ports below 1024). This is the default option.
- `crossmnt`: Allows the NFS server to cross mount points when a filesystem is exported. Useful for when the exported directory has multiple submounts (e.g., logical volumes).
- `fsid`: Useful when exporting multiple filesystems. Assigns a unique filesystem identifier to the export.
- `nohide`: This option allows clients to access filesystems that are mounted on subdirectories of an exported directory.
- `hide`: This option hides filesystems mounted under the export directory. This is the default behavior.

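The options above are easy to get wrong in a long `/etc/exports`, so a quick audit before running `exportfs -ra` is worth having. The script below is an added example (not from the Arch wiki or from nfs-utils): it reads an exports file on stdin and reports every client entry that uses `no_root_squash`, `insecure`, `async` or `no_subtree_check`, and every entry whose options apply to all hosts, either through a `*` client or through the classic mistake of a space between the client and the parenthesis (`host (rw)` exports to everyone, not to `host`). The sample exports content is constructed for the demonstration; the function itself is run as `audit_exports < /etc/exports`.

```shell
#!/bin/sh
# Added example (not from the Arch wiki or nfs-utils): audit an /etc/exports file
# for the options that weaken the default protections, reading the file on stdin.
# Prints one finding per line and exits 1 if anything was flagged, 0 otherwise.
audit_exports() {
    sed -e 's/#.*$//' | awk '
    NF == 0 { next }                      # skip blank and comment-only lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {       # each remaining field is client(options)
            spec = $i; client = spec; opts = ""
            p = index(spec, "(")
            if (p > 0) {
                client = substr(spec, 1, p - 1)
                opts = substr(spec, p + 1)
                sub(/\)$/, "", opts)
            }
            # "*(rw)", "host (rw)" or a bare "(rw)" apply the options to every host;
            # the space before the parenthesis is a classic /etc/exports mistake.
            if (client == "" || client == "*") {
                print path ": options \"" opts "\" apply to every host"; n++
            }
            k = split(opts, o, ",")
            for (j = 1; j <= k; j++) {
                if (o[j] == "no_root_squash")   { print path " " client ": root on the client is root on the server (no_root_squash)"; n++ }
                if (o[j] == "insecure")         { print path " " client ": requests accepted from non-privileged ports (insecure)"; n++ }
                if (o[j] == "async")            { print path " " client ": writes acknowledged before reaching disk (async)"; n++ }
                if (o[j] == "no_subtree_check") { print path " " client ": subtree check disabled (no_subtree_check)"; n++ }
            }
        }
    }
    END { exit (n > 0) }'
}

# Constructed sample /etc/exports content for the demonstration (not a real host).
SAMPLE_EXPORTS='/srv/nfs 192.168.1.0/24(rw,sync,no_subtree_check)
/srv/backup 10.0.0.5(rw,sync,no_root_squash,insecure)
/srv/public *(ro,all_squash)
/srv/oops 192.168.1.7 (rw)
# comment line'

# Number of findings in the sample: 1 + 2 + 1 + 1 = 5.
count_sample_findings() {
    printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports | wc -l | tr -d ' '
}

# Run it on the sample, then on the real file with:  audit_exports < /etc/exports
printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
```

The `no_subtree_check` finding is deliberately included even though the page's own example uses it, because the list above describes it as a performance gain "at a potential security cost"; drop that line from the awk program if your policy accepts it.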
## Usage

**Mount the NFS Share**:

```bash
mount -t nfs4 192.168.1.10:/srv/nfs /mnt
```
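After mounting, it is worth confirming that the client really negotiated NFSv4 rather than silently falling back, since the security improvements mentioned above only apply to v4. The function below is an added example (not from the page or from nfs-utils): it reads `/proc/mounts`-format lines on stdin (six whitespace-separated fields: source, mount point, filesystem type, options, dump, pass), prints the negotiated version taken from the `vers=` option of every `nfs`/`nfs4` mount, and exits 1 if any mount is below version 4. The sample mount lines are constructed; on a live client run `nfs_mount_versions < /proc/mounts`.

```shell
#!/bin/sh
# Added example (not from the page or nfs-utils): report the protocol version each
# NFS mount negotiated, from /proc/mounts-format input on stdin.
# Prints "<mountpoint> <version>" per NFS mount; exits 1 if any is below v4.
nfs_mount_versions() {
    awk '$3 == "nfs" || $3 == "nfs4" {
        ver = "unknown"
        k = split($4, o, ",")                       # mount options are comma-separated
        for (j = 1; j <= k; j++) if (o[j] ~ /^vers=/) ver = substr(o[j], 6)
        print $2 " " ver
        if (ver !~ /^4/) bad++
    }
    END { exit (bad > 0) }'
}

# Constructed /proc/mounts lines for the demonstration (not from a real host).
SAMPLE_MOUNTS='192.168.1.10:/srv/nfs /mnt nfs4 rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,hard,proto=tcp,addr=192.168.1.10 0 0
10.0.0.5:/srv/legacy /mnt/legacy nfs rw,relatime,vers=3,proto=tcp,addr=10.0.0.5 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# Mount points in the sample that are below v4; prints "/mnt/legacy".
sample_legacy_mounts() {
    printf '%s\n' "$SAMPLE_MOUNTS" | nfs_mount_versions | awk '$2 !~ /^4/ { print $1 }'
}

# Run on the sample, then on a live client with:  nfs_mount_versions < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | nfs_mount_versions
```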