NFS for Beginners

= What is "NFS"? =
For a full-blown explanation, look here:

NFS stands for "Network File System". It is used to mount a filesystem of a remote machine so that it looks like a local directory. iSCSI is sometimes called a "successor" of NFS, but only in the sense that it, too, mounts remote storage as if it were local.

One can distinguish between kernel-based NFS and userland NFS.

Although userland NFS could be as good as kernel-based NFS (apart from a few percent of performance), there is currently NO full-blown NFS implementation for userland (at least none that I know of). Some do not support files bigger than 4GB, others lack other options, and so on.

For kernel-based NFS you need a kernel with NFS built in (either compiled in permanently or as a loadable module). You can NOT run kernel-based NFS on a kernel that was not configured for NFS at compile time.

If you have a kernel with NFS built in, you are still NOT ready to go. You also need some userland executables for a working setup.

These userland executables are called the "nfs-utils" package and consist of a bunch of applications (called once) and daemons (background tasks). In addition to this package you also need a startup script which starts the daemons in the right order.

Last but not least, you have to do some configuration to allow access to the local filesystem via NFS.

portmap
This executable is not really part of the "nfs-utils", but it is essential to get anything working.

NFS uses a method called "RPC" (Remote Procedure Call) to communicate between machines. The portmap executable is a kind of broker: when asked via RPC from a remote machine, it provides the port number of a specific service.

Without a running portmap, NFS will NOT work.

nfsd
This is the daemon which provides access to the filesystem. It depends on the filesystem of type "nfsd" being mounted (at /proc/fs/nfsd). If your kernel does not provide /proc/fs/nfsd, you do not have an NFS-capable kernel running (the opposite is not necessarily true).

Without a running nfsd, NFS will NOT work.

mountd
This is the daemon which checks whether a client requesting access to a directory is allowed to have it.

If mountd is not running, you will get an error message telling you that you have no permission to access the directory.

Without a running mountd, NFS will NOT work.

statd
This is the daemon which provides the functionality for file locking (together with the lockd daemon) and crash recovery.

In current implementations of the "nfs-utils", statd starts the lockd daemon when needed.

Without a running statd, NFS will NOT work.

exportfs
This executable is used to administer the directories which are exported via NFS at runtime.

If you change anything in /etc/exports you have to call exportfs to make the changes recognised by the running daemons.

showmount
This executable is used to query the exported directories of an NFS server. Use IP address 127.0.0.1 to query the local NFS server.

/etc/exports
This file lists which directories are available to remote clients.

Every line has the same structure.

First you specify the directory you want to export (Note: this ALWAYS includes ALL of its subdirectories). Then you specify the clients and their export options. If you have more than one client, you separate them with a space.

/etc/hosts.deny
This file specifies which hosts you do NOT want to have access to your exports. (Note: this file is NOT only for NFS; it is also used by all other services that offer remote access.)

From a security point of view, you should deny access to ALL machines and explicitly allow access for the machines you trust via /etc/hosts.allow. hosts.allow is evaluated first, and whatever is permitted in hosts.allow can NOT be denied in hosts.deny afterwards.

Example /etc/hosts.deny with everything denied:
    ALL : ALL

/etc/hosts.allow
This file specifies which hosts you want to allow access to your exports. (Note: this file is NOT only for NFS; it is also used by all other services that offer remote access.)

Example /etc/hosts.allow with special handling of telnetd and sshd:
    ALL EXCEPT in.telnetd in.sshd : 192.168.1.0/255.255.255.0
    in.telnetd in.sshd : 192.168.1.11

This means that all machines with an IP address starting with 192.168.1. can access all services of the local machine except incoming telnetd and sshd.

Telnetd and sshd are remotely available only to the machine with IP address 192.168.1.11.
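To make the "hosts.allow first, then hosts.deny" rule concrete, here is an added example (not from the original page, and not the real wrapper library) that evaluates the two files above for one daemon and one client address. It assumes only the syntax used on this page: daemon lists with ALL and EXCEPT, and client patterns given as ALL, a single IPv4 address or address/netmask.

```python
import ipaddress

# Constructed sample files, copied from the page's hosts.allow/hosts.deny example.
HOSTS_ALLOW = """\
ALL EXCEPT in.telnetd in.sshd : 192.168.1.0/255.255.255.0
in.telnetd in.sshd : 192.168.1.11
"""
HOSTS_DENY = "ALL : ALL\n"

def _client_matches(pattern, ip):
    """Match one client pattern: ALL, a single IPv4 address or addr/netmask."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return ipaddress.ip_address(pattern) == ipaddress.ip_address(ip)

def _daemon_matches(daemon_list, daemon):
    """Match a daemon list such as 'ALL EXCEPT in.telnetd in.sshd'."""
    words = daemon_list.split()
    if "EXCEPT" in words:
        i = words.index("EXCEPT")
        included, excluded = words[:i], words[i + 1:]
    else:
        included, excluded = words, []
    return ("ALL" in included or daemon in included) and daemon not in excluded

def _file_matches(text, daemon, ip):
    """True if any 'daemons : clients' line of the file matches the connection."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue  # blank or comment line
        daemons, clients = line.split(":", 1)
        if _daemon_matches(daemons, daemon) and any(
                _client_matches(c, ip) for c in clients.split()):
            return True
    return False

def access_allowed(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Decide as the wrapper logic does: allow file first, then deny file."""
    if _file_matches(allow, daemon, ip):
        return True   # a hosts.allow match can NOT be undone by hosts.deny
    if _file_matches(deny, daemon, ip):
        return False
    return True       # neither file matched: the connection is accepted
```

With the page's two files, portmap from 192.168.1.20 is accepted while in.sshd from the same address is refused by the "ALL : ALL" deny line.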

One directory for one machine
/etc/hosts.deny:
    ALL : ALL

/etc/hosts.allow:
    ALL : 192.168.1.11

/etc/exports:
    /mnt/mymusic 192.168.1.11(ro)

Mount command on the client side:
    mount -t nfs -o ro 192.168.1.139:/mnt/mymusic /mnt/LS-music

Three directories for one machine each
/etc/hosts.deny:
    ALL : ALL

/etc/hosts.allow:
    ALL : 192.168.1.11 192.168.1.12 192.168.1.13

/etc/exports:
    /mnt/mymusic 192.168.1.11(ro)
    /mnt/backup.12 192.168.1.12(rw)
    /mnt/backup.13 192.168.1.13(rw)

Mount command on the client side:
    mount -t nfs -o ro 192.168.1.139:/mnt/mymusic /mnt/LS-music

One directory for three machines
/etc/hosts.deny:
    ALL : ALL

/etc/hosts.allow:
    ALL : 192.168.1.11 192.168.1.12 192.168.1.13

/etc/exports:
    /mnt/mymusic 192.168.1.11(ro) 192.168.1.12(ro) 192.168.1.13(rw)

Mount command on the client side:
    mount -t nfs -o ro 192.168.1.139:/mnt/mymusic /mnt/LS-music

One directory for all machines in a specific subnet and one directory for one machine only
/etc/hosts.deny:
    ALL : ALL

/etc/hosts.allow:
    ALL : 192.168.0.0/255.255.0.0

/etc/exports:
    /mnt/mymusic 192.168.0.0/255.255.0.0(ro)
    /mnt/mymovies 192.168.1.13(rw)

Note: The configurations in /etc/hosts.allow and /etc/exports do NOT depend on each other. You can allow host access for machines which are not mentioned in /etc/exports and vice versa! It is YOUR duty to make a configuration which makes sense! Hosts that are not allowed to access services do NOT get access just because of an entry in /etc/exports!

Mount commands on the client side:
    mount -t nfs -o ro 192.168.1.139:/mnt/mymusic /mnt/LS-music
    mount -t nfs -o rw 192.168.1.139:/mnt/mymovies /mnt/LS-movies

Fully open to everyone (no security at all)
Allow everyone to access any service.

/etc/hosts.deny:
    ALL : ALL

/etc/hosts.allow:
    ALL : ALL

Export the directory to everyone.

/etc/exports:
    /mnt/mymusic 0.0.0.0/0.0.0.0(rw)

Most common usage
Allow the complete local network to access services.

/etc/hosts.deny:
    ALL : ALL

/etc/hosts.allow:
    ALL : 192.168.0.0/255.255.0.0

Export two directories for the PVR.

/etc/exports:
    /mnt/mymusic 192.168.0.0/255.255.0.0(rw,sync,no_root_squash,no_subtree_check,insecure)
    /mnt/mymovies 192.168.0.0/255.255.0.0(rw,sync,no_root_squash,no_subtree_check,insecure)

Mount commands on the client side:
    mount -t nfs -o rw,soft,nolock,udp,rsize=8192,wsize=8192 192.168.1.139:/mnt/mymusic /mnt/LS-music
    mount -t nfs -o rw,soft,nolock,udp,rsize=8192,wsize=8192 192.168.1.139:/mnt/mymovies /mnt/LS-movies
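Because /etc/hosts.allow and /etc/exports are independent, it pays to check them against each other before a share goes live. The following added example (not from the original page) parses /etc/exports in the line format described above and reports every client entry that is not covered by the networks from the hosts.allow "ALL :" line, is exported to every host, or carries the no_root_squash or insecure option. The sample data reuses the "Most common usage" exports plus one constructed /mnt/backup line; the allowed-network list is assumed to be extracted from hosts.allow by hand.

```python
import ipaddress

# Constructed sample: the page's "Most common usage" exports plus one extra
# line (/mnt/backup) added here to show the cross-check failing.
EXPORTS = """\
/mnt/mymusic 192.168.0.0/255.255.0.0(rw,sync,no_root_squash,no_subtree_check,insecure)
/mnt/mymovies 192.168.0.0/255.255.0.0(rw,sync,no_root_squash,no_subtree_check,insecure)
/mnt/backup 10.0.0.7(rw,sync) *(ro)
"""
# Client patterns of the 'ALL :' line in hosts.allow from the same example.
ALLOWED_NETS = ["192.168.0.0/255.255.0.0"]

# Export options from the page that widen what a client may do.
RISKY = {
    "no_root_squash": "root on the client stays root on this export",
    "insecure": "requests from client ports above 1023 are accepted",
}
WILDCARDS = ("*", "0.0.0.0/0.0.0.0")

def parse_exports(text):
    """Yield (directory, client, options) for every client entry in /etc/exports."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        directory, *entries = line.split()
        for entry in entries:
            client, _, opts = entry.partition("(")
            yield directory, client, set(filter(None, opts.rstrip(")").split(",")))

def _covered(client, allowed_nets):
    """True if the export client lies inside one of the hosts.allow networks."""
    net = ipaddress.ip_network(client, strict=False)  # a bare IP becomes a /32
    return any(net.subnet_of(ipaddress.ip_network(a, strict=False)) for a in allowed_nets)

def audit_exports(text=EXPORTS, allowed_nets=ALLOWED_NETS):
    """Return (directory, client, finding) tuples a reviewer should look at."""
    findings = []
    for directory, client, options in parse_exports(text):
        if client in WILDCARDS:
            findings.append((directory, client, "exported to every host"))
        elif not _covered(client, allowed_nets):
            findings.append((directory, client, "client not covered by hosts.allow"))
        for opt in sorted(options & set(RISKY)):
            findings.append((directory, client, f"{opt}: {RISKY[opt]}"))
    return findings
```

On the sample data the two page exports are each flagged twice (insecure and no_root_squash), and the constructed /mnt/backup line is flagged for a client outside hosts.allow and for a wildcard export.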

Some experiences
I had problems connecting from an Ubuntu 8.04 machine via NFS to an LS. The Ubuntu machine sometimes saw the NFS service of the LS and sometimes not.

I "solved" the problem by specifying the port as an option of the mount command:
    mount -t nfs -o port=2049,rw 192.168.1.1:/mnt/disk1/share /mnt/LS-share