(removed the specific network interface from the iptables command) |
m (Duplicate parenthesis) |
||
(26 intermediate revisions by 3 users not shown) | |||
Line 4: | Line 4: | ||
== Description == | == Description == | ||
This HowTo explains how to set up the <code>Network File System version 4</code> on your ''LAN'' for multiple shares. It explains, also, how to mount the <code>exports</code> on your ''client''. | This HowTo explains how to set up the <code>Network File System version 4</code> on your ''LAN'' for multiple shares. It explains, also, how to mount the <code>exports</code> on your ''client(s)''. | ||
== Tested in Fedora Versions == | == Tested in Fedora Versions == | ||
Line 15: | Line 15: | ||
=== Server requirements (services) === | === Server requirements (services) === | ||
* <code>rpcbind</code> | |||
* <code>rpcidmapd</code> | |||
* <code>nfs</code> | * <code>nfs</code> | ||
=== Client requirements | === Client requirements (services) === | ||
* <code>rpcbind</code> | |||
* <code>rpcidmapd</code> | |||
* <code>nfs</code> | * <code>nfs</code> | ||
== Doing the Work == | |||
{{admon/note|Doing the work as root|Yes, this is administrative work so you can just issue <code>su -</code> and avoid so many <code>su -c '...'</code>. Just remember to <code>logout</code> after you're done.}} | |||
=== Configuring the server === | === Configuring the server === | ||
* Change your eth1 (internal) interface to the "internal" zone | |||
<pre> | |||
su -c 'firewall-cmd --zone=internal --change-interface=eth1' | |||
</pre> | |||
* Open up the necessary ''port'' on the ''firewall'' (<code>port: 2049 TCP</code>). | * Open up the necessary ''port'' on the ''firewall'' (<code>port: 2049 TCP</code>). | ||
<pre>su -c " | <pre> | ||
su -c "firewall-cmd --permanent --zone=internal --add-service=nfs" | |||
su -c "firewall-cmd --permanent --zone=internal --add-service=rpc-bind" | |||
su -c "firewall-cmd --permanent --zone=internal --add-service=mountd" | |||
su -c "firewall-cmd --reload" | |||
</pre> | |||
{{admon/important|Disallow unnecessary services from the firewall| I would totally recommend removing all unnecessary services from the '''internal''' zone. For example, I do not need printers nor samba here so: <code><nowiki>su -c "for s in samba-client ipp-client; do firewall-cmd --permanent --zone=internal --remove-service=$s; done"</nowiki></code>}} | |||
* Edit <code>/etc/idmapd.conf</code>. Enter your <code>root</code> password when prompted: | * Edit <code>/etc/idmapd.conf</code>. Enter your <code>root</code> password when prompted: | ||
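Review bot: the firewall bullet in this hunk still says the only port needed is 2049 TCP, yet the added commands also open the rpc-bind and mountd services in the internal zone. NFSv4 clients need only 2049/TCP, so either drop the two extra --add-service lines or change the bullet to say why they are opened. Separately, the added "firewall-cmd --zone=internal --change-interface=eth1" has no --permanent, unlike the service rules after it, so the zone assignment is a runtime-only change; the hard-coded eth1 also deserves a remark that the interface name will differ per machine.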
Line 39: | Line 50: | ||
<pre> | <pre> | ||
[General] | [General] | ||
Domain = | Domain = domain.tld | ||
[Mapping] | [Mapping] | ||
Line 46: | Line 57: | ||
</pre> | </pre> | ||
* | * Enable <code>rpcbind</code>, <code>rpcidmapd</code>, and <code>nfs</code> services to start at boot: | ||
<pre> | <pre> | ||
su -c " | su -c "systemctl enable rpcbind.service nfs-idmap.service nfs-server.service" | ||
</pre> | </pre> | ||
* | * Start those services: | ||
<pre> | <pre> | ||
su -c "systemctl start rpcbind.service nfs-idmap.service nfs-server.service" | |||
</pre> | </pre> | ||
* Edit <code>/etc/exports</code>. Enter your <code>root</code> password when prompted: | * Edit <code>/etc/exports</code>. Enter your <code>root</code> password when prompted: | ||
Line 83: | Line 72: | ||
* Add your shares here (available to your home network) If you want your shares to be ''read only'', change <code>rw</code> to <code>ro</code> from these statements: | * Add your shares here (available to your home network) If you want your shares to be ''read only'', change <code>rw</code> to <code>ro</code> from these statements: | ||
<pre> | <pre> | ||
/srv/nfs/share1 192.168.1.0/255.255.255.0(rw,sync) | |||
/srv/nfs/share1 | /srv/nfs/share2 192.168.1.0/255.255.255.0(ro) | ||
/srv/nfs/share2 | /srv/nfs/share3 192.168.1.0/255.255.255.0(rw) | ||
/srv/nfs/share3 | |||
</pre> | </pre> | ||
* Reload your exports | * Reload your exports: | ||
<pre>su -c "/usr/sbin/exportfs -rv"</pre> | <pre>su -c "/usr/sbin/exportfs -rv"</pre> | ||
* Edit your <code>/etc/hosts.allow</code> file, so your clients are allowed to access your | * Edit your <code>/etc/hosts.allow</code> file, so your clients are allowed to access your shares: | ||
<pre>su -c "vim /etc/hosts.allow"</pre> | <pre>su -c "vim /etc/hosts.allow"</pre> | ||
* Allow your LAN to access your | * Allow your LAN to access your shares: | ||
<pre>rpcbind: 192.168.1.0/255.255.255.0</pre> | <pre>rpcbind: 192.168.1.0/255.255.255.0</pre> | ||
=== Configuring the clients === | === Configuring the clients === | ||
Line 108: | Line 93: | ||
<pre> | <pre> | ||
[General] | [General] | ||
Domain = | Domain = domain.tld | ||
[Mapping] | [Mapping] | ||
Line 115: | Line 100: | ||
</pre> | </pre> | ||
* Edit <code>/etc/fstab</code> | * Edit <code>/etc/fstab</code>: | ||
<pre>su -c "vim /etc/fstab"</pre> | <pre>su -c "vim /etc/fstab"</pre> | ||
* Add the desired shares: | * Add the desired shares: | ||
<pre> | <pre> | ||
<ip-address-to-server>:/ /mnt/ | <ip-address-to-server>:/srv/nfs/share1 /mnt/share1 nfs4 rsize=8192,wsize=8192,timeo=14,soft 0 0 | ||
<ip-address-to-server>:/ | <ip-address-to-server>:/srv/nfs/share2 /srv/www/somewebsite.tld/default/public/share2 nfs4 rsize=8192,wsize=8192,timeo=14,soft 0 0 | ||
<ip-address-to-server>:/srv/nfs/share3 /home/user/share3 nfs4 rsize=8192,wsize=8192,timeo=14,soft 0 0 | |||
<ip-address-to-server>:/share3 /home/ | |||
</pre> | </pre> | ||
{{admon/note|SELinux Booleans|You need to remember to activate a relevant boolean. There a few '''SELinux''' booleans for '''nfs''' in general. Make sure to check them out by using <code><nowiki>getsebool -a | grep -i nfs</nowiki></code> and enable them permanently with <code><nowiki>setsebool -P <someboolean>=1 <someotherbool>=1 ...</nowiki></code>}} | |||
* Remount everything: | * Remount everything: | ||
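Review bot: the new fstab entries mount all three shares with soft and without nosuid or nodev, including share2 under the web root at /srv/www/somewebsite.tld/default/public/share2. share1 and share3 are exported rw, and soft on a writable NFS mount can silently lose data when a request times out, so suggest hard for those two and nosuid,nodev on every entry. Minor: the SELinux note reads "There a few", which should be "There are a few".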
Line 133: | Line 116: | ||
== Common problems and fixes == | == Common problems and fixes == | ||
=== | === Can't write to a rw share === | ||
Nope, it's just that you're using <code>root</code> to try and write while not adding no_root_squash to your exports. This will map root to <code>nfsnobody</code> you on the other server so if <code>nfsnobody</code> doesn't have write permissions at your server, you're screwed. | |||
You should read <code>man exports</code> to get more info on this. | |||
=== Apache can't use the share === | |||
So, yeah; '''SELinux''' is preventing you from using the share. Just read the note about '''SELinux''' booleans... you might've missed it; it's up there. ;=) | |||
== More Information == | == More Information == | ||
It is hard to find since, it seems, '''NFSv4''' disapeard from updated docs. | |||
RedHat recommends, on RHEL5 Docs, that one should use automount instead of /etc/fstab; which saves resources when sharing to multiple workstations. Feel free to extend it if you know how ;=) | |||
== Added Reading == | == Added Reading == | ||
* | * https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/ch-nfs.html | ||
* http://www.brennan.id.au/19-Network_File_System.html | * http://www.brennan.id.au/19-Network_File_System.html | ||
* http://www.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA | |||
* http://doc.opensuse.org/documentation/html/openSUSE/opensuse-reference/cha.nfs.html | |||
[[Category: How_to]] | [[Category: How_to]] |
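Review bot: the new "Can't write to a rw share" text names no_root_squash as the thing that is missing but never says what turning it on does. Suggest stating that root_squash is the default, that no_root_squash lets root on any allowed client act as root on the export, and that fixing ownership or permissions on the exported directory is the first thing to try. The sentence "This will map root to nfsnobody you on the other server" also has a stray "you", and "disapeard" in the More Information text should be "disappeared".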
Latest revision as of 06:50, 8 December 2022
Sharing files with NFSv4 on Fedora (Server & Client configuration)
Description
This HowTo explains how to set up the Network File System version 4 on your LAN for multiple shares. It explains, also, how to mount the exports on your client(s).
Tested in Fedora Versions
- Fedora 19
Requirements
The nfs-utils package provides what's needed for both the client and the server. However, to make sure it's installed, run the following command. Enter your root password when prompted:
su -c "yum install nfs-utils"
Server requirements (services)
rpcbind
rpcidmapd
nfs
Client requirements (services)
rpcbind
rpcidmapd
nfs
Doing the Work
Configuring the server
- Change your eth1 (internal) interface to the "internal" zone
su -c 'firewall-cmd --zone=internal --change-interface=eth1'
- Open up the necessary port on the firewall (port: 2049 TCP).
su -c "firewall-cmd --permanent --zone=internal --add-service=nfs"
su -c "firewall-cmd --permanent --zone=internal --add-service=rpc-bind"
su -c "firewall-cmd --permanent --zone=internal --add-service=mountd"
su -c "firewall-cmd --reload"
- Edit /etc/idmapd.conf. Enter your root password when prompted:
su -c "vim /etc/idmapd.conf"
- Configure your domain name and change the users to nfsnobody:
[General]
Domain = domain.tld
[Mapping]
Nobody-User = nfsnobody
Nobody-Group = nfsnobody
- Enable rpcbind, rpcidmapd, and nfs services to start at boot:
su -c "systemctl enable rpcbind.service nfs-idmap.service nfs-server.service"
- Start those services:
su -c "systemctl start rpcbind.service nfs-idmap.service nfs-server.service"
- Edit /etc/exports. Enter your root password when prompted:
su -c "vim /etc/exports"
- Add your shares here (available to your home network). If you want your shares to be read only, change rw to ro in these statements:
/srv/nfs/share1 192.168.1.0/255.255.255.0(rw,sync)
/srv/nfs/share2 192.168.1.0/255.255.255.0(ro)
/srv/nfs/share3 192.168.1.0/255.255.255.0(rw)
- Reload your exports:
su -c "/usr/sbin/exportfs -rv"
- Edit your /etc/hosts.allow file, so your clients are allowed to access your shares:
su -c "vim /etc/hosts.allow"
- Allow your LAN to access your shares:
rpcbind: 192.168.1.0/255.255.255.0
Configuring the clients
- Edit /etc/idmapd.conf. Enter your root password when prompted:
su -c "vim /etc/idmapd.conf"
- Configure your domain name and change the users to nfsnobody:
[General]
Domain = domain.tld
[Mapping]
Nobody-User = nfsnobody
Nobody-Group = nfsnobody
- Edit /etc/fstab:
su -c "vim /etc/fstab"
- Add the desired shares:
<ip-address-to-server>:/srv/nfs/share1 /mnt/share1 nfs4 rsize=8192,wsize=8192,timeo=14,soft 0 0
<ip-address-to-server>:/srv/nfs/share2 /srv/www/somewebsite.tld/default/public/share2 nfs4 rsize=8192,wsize=8192,timeo=14,soft 0 0
<ip-address-to-server>:/srv/nfs/share3 /home/user/share3 nfs4 rsize=8192,wsize=8192,timeo=14,soft 0 0
- Remount everything:
su -c "mount -a"
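The fstab entries above use soft on shares exported rw and set neither nosuid nor nodev. As an added example (not part of the original HowTo), this check lists NFS mounts in an fstab that have those gaps; audit_nfs_fstab, sample_fstab and the server address 192.0.2.10 are made up for the illustration.

```shell
#!/bin/sh
# Added example: review NFS entries in an fstab(5) file.
# audit_nfs_fstab and sample_fstab are hypothetical names for this sketch.

audit_nfs_fstab() {
    # Reads the file given as $1, or stdin when no argument is passed.
    # Prints "<mountpoint> <finding>" and returns 1 if anything was found.
    awk '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    $3 == "nfs" || $3 == "nfs4" {
        soft = 0; ro = 0; nosuid = 0; nodev = 0
        n = split($4, o, ",")                # field 4 holds the mount options
        for (j = 1; j <= n; j++) {
            if (o[j] == "soft")   soft = 1
            if (o[j] == "ro")     ro = 1
            if (o[j] == "nosuid") nosuid = 1
            if (o[j] == "nodev")  nodev = 1
        }
        # Without nosuid/nodev, setuid files and device nodes on the
        # server-side export are honoured on this client.
        if (!nosuid) { print $2, "missing-nosuid"; found = 1 }
        if (!nodev)  { print $2, "missing-nodev";  found = 1 }
        # soft gives up after the retries; on a writable mount that can
        # lose data silently (see nfs(5)).
        if (soft && !ro) { print $2, "soft-on-writable-mount"; found = 1 }
    }
    END { exit (found ? 1 : 0) }' "${1:--}"
}

sample_fstab() {
    # Constructed sample: one entry as written on this page, one hardened
    # read-only entry, and a local filesystem that must be ignored.
    cat <<'EOF'
/dev/sda1 / ext4 defaults 1 1
192.0.2.10:/srv/nfs/share1 /mnt/share1 nfs4 rsize=8192,wsize=8192,timeo=14,soft 0 0
192.0.2.10:/srv/nfs/share2 /srv/www/somewebsite.tld/default/public/share2 nfs4 ro,nosuid,nodev,soft 0 0
EOF
}

sample_fstab | audit_nfs_fstab || echo "review the mounts listed above"
```

Run it against the real file with audit_nfs_fstab /etc/fstab.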
Common problems and fixes
Can't write to a rw share
Nope, it's just that you're using root to try and write while not adding no_root_squash to your exports. This will map root to nfsnobody on the other server, so if nfsnobody doesn't have write permissions at your server, you're screwed.
You should read man exports to get more info on this.
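Before adding no_root_squash to an export, it helps to see which exports already carry risky options. This added example (not part of the original HowTo) scans an exports file for no_root_squash, insecure, and rw exports open to any host; audit_exports, sample_exports and the share4/share5 lines are made up for the illustration, and it assumes one export per line without "-" default options or line continuations.

```shell
#!/bin/sh
# Added example: flag risky options in an exports(5) file.
# audit_exports and sample_exports are hypothetical names for this sketch.

audit_exports() {
    # Reads the file given as $1, or stdin when no argument is passed.
    # Prints "<path> <client> <finding>" and returns 1 if anything was found.
    awk '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {          # one field per client(options)
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            # "/path host (rw)" with a space exports rw to everyone
            if (client == "") client = "*"
            rw = 0; nrs = 0; insecure = 0
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "rw")             rw = 1
                if (o[j] == "no_root_squash") nrs = 1
                if (o[j] == "insecure")       insecure = 1
            }
            if (nrs)      { print path, client, "no_root_squash"; found = 1 }
            if (client == "*" && rw) { print path, client, "rw-to-any-host"; found = 1 }
            if (insecure) { print path, client, "insecure"; found = 1 }
        }
    }
    END { exit (found ? 1 : 0) }' "${1:--}"
}

sample_exports() {
    # Constructed sample: the three shares from this page plus two risky ones.
    cat <<'EOF'
/srv/nfs/share1 192.168.1.0/255.255.255.0(rw,sync)
/srv/nfs/share2 192.168.1.0/255.255.255.0(ro)
/srv/nfs/share3 192.168.1.0/255.255.255.0(rw)
/srv/nfs/share4 192.168.1.0/255.255.255.0(rw,sync,no_root_squash)
/srv/nfs/share5 *(rw,insecure)
EOF
}

sample_exports | audit_exports || echo "review the exports listed above"
```

Run it against the real file with audit_exports /etc/exports.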
Apache can't use the share
So, yeah; SELinux is preventing you from using the share. Just read the note about SELinux booleans... you might've missed it; it's up there. ;=)
More Information
It is hard to find since, it seems, NFSv4 disappeared from updated docs.
Red Hat recommends, in the RHEL5 docs, that one should use automount instead of /etc/fstab, which saves resources when sharing to multiple workstations. Feel free to extend it if you know how ;=)
Added Reading
- https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/ch-nfs.html
- http://www.brennan.id.au/19-Network_File_System.html
- http://www.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA
- http://doc.opensuse.org/documentation/html/openSUSE/opensuse-reference/cha.nfs.html