From Fedora Project Wiki
(first draft (editing))
 
m (Duplicate parenthesis)
 
(50 intermediate revisions by 4 users not shown)
Line 1: Line 1:
= Sharing files with NFSv4 on Fedora 7 (Server -> Multi) =
= Sharing files with NFSv4 on Fedora (Server & Client configuration) =
 
{{TOClimit|3}}


== Description ==
== Description ==
This HowTo explains how to set up the Network File System version 4 on your LAN for multiple shares. It explains, also, how to mount the "exports" on your client.
This HowTo explains how to set up the <code>Network File System version 4</code> on your ''LAN'' for multiple shares. It explains, also, how to mount the <code>exports</code> on your ''client(s)''.


== Applicable to Fedora Versions ==
== Tested in Fedora Versions ==
Fedora Core 6+
* Fedora 19
Fedora 7


== Requirements ==
== Requirements ==
Everything comes preinstalled on an "out-of-the-box" installation of Fedora Core. The following are only services.
The <code>nfs-utils</code> package provides what's need for both then client and the server. However, to make sure it's installed, run the following command. Enter your <code>root</code> password when prompted:


=== Server requirements ===
<pre>su -c "yum install nfs-utils"</pre>
nfs
rpc.idmapd


=== These are the client's requirements ===
=== Server requirements (services) ===
nfs
* <code>rpcbind</code>
nfslock
* <code>rpcidmapd</code>
rpc.idmapd
* <code>nfs</code>


'''Note''': The rpc.nfsd and rpc.rquotad services that are needed are started by the nfs service. Most of them don't need user configuration. rpc.lockd, rpc.statd and rpc.mountd are not used by NFSv4.
=== Client requirements (services) ===
* <code>rpcbind</code>
* <code>rpcidmapd</code>
* <code>nfs</code>


== Doing the Work ==


== Doing the Work ==
{{admon/note|Doing the work as root|Yes, this is administrative work so you can just issue <code>su -</code> and avoid so many <code>su -c '...'</code>. Just remember to <code>logout</code> after you're done.}}


=== Configuring the server ===
=== Configuring the server ===
* Change your eth1 (internal) interface to the "internal" zone
<pre>
su -c 'firewall-cmd --zone=internal --change-interface=eth1'
</pre>
* Open up the necessary ''port'' on the ''firewall'' (<code>port: 2049 TCP</code>).
<pre>
su -c "firewall-cmd --permanent --zone=internal --add-service=nfs"
su -c "firewall-cmd --permanent --zone=internal --add-service=rpc-bind"
su -c "firewall-cmd --permanent --zone=internal --add-service=mountd"
su -c "firewall-cmd --reload"
</pre>
{{admon/important|Disallow unnecessary services from the firewall| I would totally recommend removing all unnecessary services from the '''internal''' zone. For example, I do not need printers nor samba here so: <code><nowiki>su -c "for s in samba-client ipp-client; do firewall-cmd --permanent --zone=internal --remove-service=$s; done"</nowiki></code>}}
* Edit <code>/etc/idmapd.conf</code>. Enter your <code>root</code> password when prompted:
<pre>su -c "vim /etc/idmapd.conf"</pre>


Open up the necessary port on the firewall (port: 2049). Activate the "Security Level and Firewall" tool. You will be asked for your root password. Please enter it:
* Configure your ''domain'' name and change the users to <code>nfsnobody</code>:
su -c "system-config-securitylevel"
<pre>
Activate "NFS4" and click "OK".
Edit /etc/idmapd.conf. Enter your root password when prompted:
su -c "gedit /etc/idmapd.conf"
Configure your domain name and change the users to nfsnobody:
[General]
[General]
Domain = example.com
Domain = domain.tld


[Mapping]
[Mapping]
Nobody-User = nfsnobody
Nobody-User = nfsnobody
Nobody-Group = nfsnobody
Nobody-Group = nfsnobody
Start the rpcidmapd and nfslock services, then start the nfs service. Alternatively, you can use System->Administration->Services or System->Administration->Server Settings->Services GUIs. Please enter the root password when prompted:
</pre>
su -c "/sbin/service rpcidmapd start"
 
su -c "/sbin/service nfslock start"
* Enable <code>rpcbind</code>, <code>rpcidmapd</code>, and <code>nfs</code> services to start at boot:
su -c "/sbin/service nfs start"
<pre>
Set rpcidmapd, nfslock, and nfs services to start on boot.Alternatively, you can use System->Administration->Services or System->Administration->Server Settings->Services GUIs. Please enter the root password when prompted:
su -c "systemctl enable rpcbind.service nfs-idmap.service nfs-server.service"
su -c "/sbin/chkconfig --level 345 rpcidmapd on"
</pre>
su -c "/sbin/chkconfig --level 345 nfslock on"
 
su -c "/sbin/chkconfig --level 345 nfs on"
* Start those services:
Create the dirs of the exports inside "/nfs4exports". Enter your root password when prompted:
<pre>
su -c "mkdir -p /nfs4exports/{share1,share2,share3}"
su -c "systemctl start rpcbind.service nfs-idmap.service nfs-server.service"
Edit /etc/fstab:
</pre>
su -c "gedit /etc/fstab"
 
Bind the desired shares to the, recently created, dirs at /nfs4exports:
* Edit <code>/etc/exports</code>. Enter your <code>root</code> password when prompted:
/path/to/share1 /nfs4exports/share1 none bind 0 0
<pre>su -c "vim /etc/exports"</pre>
/path/to/share2 /nfs4exports/share2 none bind 0 0
 
/path/to/share3 /nfs4exports/share3 none bind 0 0
* Add your shares here (available to your home network) If you want your shares to be ''read only'', change <code>rw</code> to <code>ro</code> from these statements:
Remount everything. Enter your root password when prompted:
<pre>
su -c "mount -a"
/srv/nfs/share1     192.168.1.0/255.255.255.0(rw,sync)
Edit /etc/exports. Enter your root password when prompted:
/srv/nfs/share2     192.168.1.0/255.255.255.0(ro)
su -c "gedit /etc/exports"
/srv/nfs/share3     192.168.1.0/255.255.255.0(rw)
Add your shares here (available to your home network) If you want your shares to be read only, change "rw" to "ro" from these statements:
</pre>
/nfs4exports 192.168.1.0/255.255.255.0(rw,insecure,no_subtree_check,nohide,fsid=0)
 
/nfs4exports/share1 192.168.1.0/255.255.255.0(rw,insecure,no_subtree_check,nohide)
* Reload your exports:
/nfs4exports/share2             192.168.1.0/255.255.255.0(rw,insecure,no_subtree_check,nohide)
<pre>su -c "/usr/sbin/exportfs -rv"</pre>
/nfs4exports/share3             192.168.1.0/255.255.255.0(rw,insecure,no_subtree_check,nohide)
 
Reload your exports. Please enter your root password when prompted:
* Edit your <code>/etc/hosts.allow</code> file, so your clients are allowed to access your shares:
su -c "/usr/sbin/exportfs -rv"
<pre>su -c "vim /etc/hosts.allow"</pre>
Edit your /etc/hosts.allow file, so your clients are allowed to access your nfs. Please enter your root password when prompted:
 
su -c "gedit /etc/hosts.allow"
* Allow your LAN to access your shares:
Allow your LAN to access your services:
<pre>rpcbind: 192.168.1.0/255.255.255.0</pre>
ALL: 192.168.1.0/255.255.255.0
Reboot:
su -c "/sbin/shutdown -r now"
Configuring the clients:


Edit /etc/idmapd.conf. Enter your root password when prompted:
=== Configuring the clients ===
su -c "gedit /etc/idmapd.conf"
* Edit <code>/etc/idmapd.conf</code>. Enter your <code>root</code> password when prompted:
Configure your domain name and change the users to nfsnobody:
<pre>su -c "vim /etc/idmapd.conf"</pre>
 
* Configure your domain name and change the users to <code>nfsnobody</code>:
<pre>
[General]
[General]
Domain = example.com
Domain = domain.tld


[Mapping]
[Mapping]
Nobody-User = nfsnobody
Nobody-User = nfsnobody
Nobody-Group = nfsnobody
Nobody-Group = nfsnobody
Edit /etc/fstab. Please enter your root password when prompted:
</pre>
su -c "gedit /etc/fstab"
 
Create the mounting dirs:
* Edit <code>/etc/fstab</code>:
su -c "mkdir /mnt/shares /home/me/share1 /home/he/share2 /home/it/share3"
<pre>su -c "vim /etc/fstab"</pre>
Add the desired shares:
 
<ip-address-to-server>:/ /mnt/shares nfs4 rsize=8192,wsize=8192,timeo=14,intr
* Add the desired shares:
<ip-address-to-server>:/ /home/me/share1 nfs4 rsize=8192,wsize=8192,timeo=14,intr
<pre>
<ip-address-to-server>:/ /home/he/share2 nfs4 rsize=8192,wsize=8192,timeo=14,intr
<ip-address-to-server>:/srv/nfs/share1  /mnt/share1                                        nfs4   rsize=8192,wsize=8192,timeo=14,soft    0 0
<ip-address-to-server>:/ /home/it/share3 nfs4 rsize=8192,wsize=8192,timeo=14,intr
<ip-address-to-server>:/srv/nfs/share2  /srv/www/somewebsite.tld/default/public/share2      nfs4   rsize=8192,wsize=8192,timeo=14,soft    0 0
Remount everything:
<ip-address-to-server>:/srv/nfs/share3  /home/user/share3                                  nfs4   rsize=8192,wsize=8192,timeo=14,soft    0 0
su -c "mount -a"
</pre>
Troubleshooting
 
How to test
{{admon/note|SELinux Booleans|You need to remember to activate a relevant boolean. There a few '''SELinux''' booleans for '''nfs''' in general. Make sure to check them out by using <code><nowiki>getsebool -a | grep -i nfs</nowiki></code> and enable them permanently with <code><nowiki>setsebool -P <someboolean>=1 <someotherbool>=1 ...</nowiki></code>}}
Next time...
 
Common problems and fixes
* Remount everything:
Later...
<pre>su -c "mount -a"</pre>
More Information
 
RedHat recommends, on RHEL5 Docs, that one should use automount instead of /etc/fstab; which saves resources when sharing to multiple workstations. I haven't had the time to try this configuration. This document will be modified/augmented once I've got the hang of it.
== Common problems and fixes ==
Disclaimer
=== Can't write to a rw share ===
I haven't had te opportunity to test this HowTo since I lack of a networked PC to do it, so you may run into problems, if you do, come to #fedora on irc.freenode.net or leave me messages so I know what's up. Feel free to propose changes and stuff.
Nope, it's just that you're using <code>root</code> to try and write while not adding no_root_squash to your exports. This will map root to <code>nfsnobody</code> you  on the other server so if <code>nfsnobody</code> doesn't have write permissions at your server, you're screwed.
 
You should read <code>man exports</code> to get more info on this.
 
=== Apache can't use the share ===
So, yeah; '''SELinux''' is preventing you from using the share. Just read the note about '''SELinux''' booleans... you might've missed it; it's up there. ;=)
 
== More Information ==
It is hard to find since, it seems, '''NFSv4''' disapeard from updated docs.
 
RedHat recommends, on RHEL5 Docs, that one should use automount instead of /etc/fstab; which saves resources when sharing to multiple workstations. Feel free to extend it if you know how ;=)
 
== Added Reading ==
* https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/ch-nfs.html
* http://www.brennan.id.au/19-Network_File_System.html
* http://www.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA
* http://doc.opensuse.org/documentation/html/openSUSE/opensuse-reference/cha.nfs.html


Added Reading
[[Category: How_to]]
http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Network_Related_Configuration/ch-nfs.html
http://www.brennan.id.au/19-Network_File_System.html
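Review bot: the new firewall step is labelled as opening port 2049 TCP, yet its commands also add the rpc-bind and mountd services to the internal zone, and the new hosts.allow entry admits rpcbind from the whole LAN, while the note this revision removes stated that rpc.mountd is not used by NFSv4. For an NFSv4-only server, either drop the two extra --add-service lines and the rpcbind entry, or say in the step why they are needed. The service lists also name rpcidmapd while the systemctl lines use nfs-idmap.service; use one name throughout so readers can match the list to the commands.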

Latest revision as of 06:50, 8 December 2022

Sharing files with NFSv4 on Fedora (Server & Client configuration)

Description

This HowTo explains how to set up the Network File System version 4 on your LAN for multiple shares. It explains, also, how to mount the exports on your client(s).

Tested in Fedora Versions

  • Fedora 19

Requirements

The nfs-utils package provides what's needed for both the client and the server. However, to make sure it's installed, run the following command. Enter your root password when prompted:

su -c "yum install nfs-utils"

Server requirements (services)

  • rpcbind
  • rpcidmapd
  • nfs

Client requirements (services)

  • rpcbind
  • rpcidmapd
  • nfs

Doing the Work

Doing the work as root
Yes, this is administrative work so you can just issue su - and avoid so many su -c '...'. Just remember to logout after you're done.

Configuring the server

  • Change your eth1 (internal) interface to the "internal" zone
su -c 'firewall-cmd --zone=internal --change-interface=eth1'
  • Open up the necessary port on the firewall (port: 2049 TCP).
su -c "firewall-cmd --permanent --zone=internal --add-service=nfs"
su -c "firewall-cmd --permanent --zone=internal --add-service=rpc-bind"
su -c "firewall-cmd --permanent --zone=internal --add-service=mountd"
su -c "firewall-cmd --reload"
Disallow unnecessary services from the firewall
I would totally recommend removing all unnecessary services from the internal zone. For example, I do not need printers nor samba here so: su -c "for s in samba-client ipp-client; do firewall-cmd --permanent --zone=internal --remove-service=$s; done"
  • Edit /etc/idmapd.conf. Enter your root password when prompted:
su -c "vim /etc/idmapd.conf"
  • Configure your domain name and change the users to nfsnobody:
[General]
Domain = domain.tld

[Mapping]
Nobody-User = nfsnobody
Nobody-Group = nfsnobody
  • Enable rpcbind, rpcidmapd, and nfs services to start at boot:
su -c "systemctl enable rpcbind.service nfs-idmap.service nfs-server.service"
  • Start those services:
su -c "systemctl start rpcbind.service nfs-idmap.service nfs-server.service"
  • Edit /etc/exports. Enter your root password when prompted:
su -c "vim /etc/exports"
  • Add your shares here (available to your home network). If you want your shares to be read only, change rw to ro in these statements:
/srv/nfs/share1     192.168.1.0/255.255.255.0(rw,sync)
/srv/nfs/share2     192.168.1.0/255.255.255.0(ro)
/srv/nfs/share3     192.168.1.0/255.255.255.0(rw)
  • Reload your exports:
su -c "/usr/sbin/exportfs -rv"
  • Edit your /etc/hosts.allow file, so your clients are allowed to access your shares:
su -c "vim /etc/hosts.allow"
  • Allow your LAN to access your shares:
rpcbind: 192.168.1.0/255.255.255.0

Configuring the clients

  • Edit /etc/idmapd.conf. Enter your root password when prompted:
su -c "vim /etc/idmapd.conf"
  • Configure your domain name and change the users to nfsnobody:
[General]
Domain = domain.tld

[Mapping]
Nobody-User = nfsnobody
Nobody-Group = nfsnobody
  • Edit /etc/fstab:
su -c "vim /etc/fstab"
  • Add the desired shares:
<ip-address-to-server>:/srv/nfs/share1  /mnt/share1                                         nfs4    rsize=8192,wsize=8192,timeo=14,soft     0 0
<ip-address-to-server>:/srv/nfs/share2  /srv/www/somewebsite.tld/default/public/share2      nfs4    rsize=8192,wsize=8192,timeo=14,soft     0 0
<ip-address-to-server>:/srv/nfs/share3  /home/user/share3                                   nfs4    rsize=8192,wsize=8192,timeo=14,soft     0 0
SELinux Booleans
You need to remember to activate a relevant boolean. There are a few SELinux booleans for nfs in general. Make sure to check them out by using getsebool -a | grep -i nfs and enable them permanently with setsebool -P <someboolean>=1 <someotherbool>=1 ...
  • Remount everything:
su -c "mount -a"

Common problems and fixes

Can't write to a rw share

Nope, it's just that you're using root to try and write while not adding no_root_squash to your exports. This will map root to nfsnobody on the other server, so if nfsnobody doesn't have write permissions at your server, you're screwed.

You should read man exports to get more info on this.
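
An added example, not part of the original HowTo: a shell check over exports(5) lines like the ones added in the server steps, reporting the options that change who can reach a share and as which user, including the no_root_squash case discussed above. The function names, the finding labels and the share4 to share6 lines are constructed for illustration; quoted paths and line continuations are not handled.

```shell
#!/bin/sh
# Added example: audit exports(5)-format lines. One finding per output line:
#   any-host        export applies to every host that can reach the server
#   no_root_squash  root on the client keeps uid 0 on the server
#   insecure        requests from unprivileged source ports are accepted
audit_exports() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
    {
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {                   # split "client(opt,opt)" at the parenthesis
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\).*$/, "", opts)
            }
            if (client == "") client = "*" # "(rw)" alone, e.g. after a stray space
            if (client == "*") print $1, client, "any-host"
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++)
                if (o[j] == "no_root_squash" || o[j] == "insecure")
                    print $1, client, o[j]
        }
    }' "$@"
}

# Constructed input: the three shares from this page, then three risky variants.
sample_exports() {
    cat <<'EOF'
/srv/nfs/share1     192.168.1.0/255.255.255.0(rw,sync)
/srv/nfs/share2     192.168.1.0/255.255.255.0(ro)
/srv/nfs/share3     192.168.1.0/255.255.255.0(rw)
/srv/nfs/share4     192.168.1.0/255.255.255.0(rw,no_root_squash)
/srv/nfs/share5     192.168.1.0/255.255.255.0 (rw)
/srv/nfs/share6     *(ro,insecure)
EOF
}

sample_exports | audit_exports
```

Run against a real file with audit_exports /etc/exports. The share5 line shows the stray-space mistake: the LAN gets the default options and the detached (rw) applies to every host.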

Apache can't use the share

So, yeah; SELinux is preventing you from using the share. Just read the note about SELinux booleans... you might've missed it; it's up there. ;=)

More Information

It is hard to find since, it seems, NFSv4 disappeared from updated docs.

RedHat recommends, on RHEL5 Docs, that one should use automount instead of /etc/fstab; which saves resources when sharing to multiple workstations. Feel free to extend it if you know how ;=)

Added Reading