NFS
(last updated: Jun 23, 2009)

Throughout this document, the generic LOGIN stands for your actual login and the generic MACHINE for the actual name of your machine.

NFS stands for Network File System. It is one means by which directories on a remote system (the NFS server) can be mounted and made accessible to the local system (the NFS client). Both client and server must install the relevant software packages.

This document gives a brief tutorial on using NFS. Illustrating NFS usage is pointless unless you have client and server as separate systems so that you have root access on both. For this purpose we will assume that you have established the virtual machine, vm0, as described in the Virtualization with KVM document. The virtual machine will be the NFS server and your real machine will be the NFS client.

Experiment with the virtual guest

Start the virtual machine:
$ sudo virsh start vm0
Access vm0 by virt-viewer or ssh. As usual, commands in vm0 are denoted by:
[vm0] $ ...
Here are the steps:
  1. Install the server packages in vm0:
    [vm0] $ sudo apt-get install nfs-kernel-server
    
  2. Export the entire file system. Edit the file /etc/exports in vm0, adding this line:
    / *(rw,sync,no_subtree_check)
    
  3. Restart the server:
    [vm0] $ sudo /etc/init.d/nfs-kernel-server restart
    
  4. Install the client software in MACHINE:
    $ sudo apt-get install nfs-common
    
  5. Create a suitable directory onto which we will mount vm0's root:
    $ sudo mkdir /vm0
    
    Feel free to choose some other directory.
  6. Mount vm0's root onto /vm0:
    $ sudo mount vm0:/  /vm0
    $ ls /vm0
    
    You're seeing vm0's file system.
  7. Try some accesses:
    $ ls /vm0/home/LOGIN
    $ sudo ls /vm0/root
    
    The latter says "permission denied," but I thought I was root! No, sir! You're not root on the NFS server. This effect is called root squash. It's a security measure so that root on a client system does not translate into root on the server by default. If you want client root to act as root on the server, the server has to say so explicitly with the no_root_squash option in the /etc/exports line.
  8. Get out and try again. First, on the client:
    $ sudo umount /vm0
    
    Then, on vm0, edit /etc/exports, changing the line to this:
    / *(rw,sync,no_subtree_check,no_root_squash)
    
    and restart the server:
    [vm0] $ sudo /etc/init.d/nfs-kernel-server restart
    
  9. Try again:
    $ sudo mount vm0:/  /vm0
    $ sudo ls /vm0/root
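
The two export lines used in the steps above differ only in no_root_squash, and both offer / read-write to any host (*). The following Python script is an added example, not part of the original tutorial: it parses the simple "path host(options)" form of /etc/exports and reports those properties per line. The function names, the finding labels and the 192.0.2.0/24 line are assumptions made for this illustration; line continuations, quoted paths and "-options" defaults are not handled.

```python
import re

# Constructed sample: the two export lines from the walk-through above,
# plus one constructed line restricted to a documentation subnet.
SAMPLE_EXPORTS = """\
# /etc/exports on vm0
/ *(rw,sync,no_subtree_check)
/ *(rw,sync,no_subtree_check,no_root_squash)
/home 192.0.2.0/24(rw,sync,no_subtree_check)
"""

# A client spec is a host pattern optionally followed by "(opt,opt,...)".
CLIENT_RE = re.compile(r"^(?P<host>[^()]*)(?:\((?P<opts>[^()]*)\))?$")


def parse_exports(text):
    """Yield (lineno, path, host, options) for every client spec."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients or [""]:          # no client listed: any host
            m = CLIENT_RE.match(spec)
            if not m:
                raise ValueError(f"line {lineno}: cannot parse {spec!r}")
            opts = set(filter(None, (m["opts"] or "").split(",")))
            yield lineno, path, m["host"], opts


def audit_exports(text):
    """Return (lineno, path, host, findings) for each risky client spec."""
    report = []
    for lineno, path, host, opts in parse_exports(text):
        world = host in ("", "*")             # empty host also means anyone
        checks = [
            (world, "any-host"),
            (world and "rw" in opts, "any-host-rw"),
            ("no_root_squash" in opts, "client-root-is-server-root"),
            (path == "/", "exports-entire-filesystem"),
        ]
        findings = [label for hit, label in checks if hit]
        if findings:
            report.append((lineno, path, host or "*", findings))
    return report

if __name__ == "__main__":
    for lineno, path, host, findings in audit_exports(SAMPLE_EXPORTS):
        print(f"line {lineno}: {path} -> {host}: {', '.join(findings)}")
```

To check a real server, pass the contents of its /etc/exports to audit_exports() instead of the sample.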
    

Practical Usage: NFS & LDAP

A practical usage of NFS is to allow users to access their home directories from multiple NFS client systems. There are a variety of ways to achieve this outcome. Perhaps the simplest way is to have the NFS server create an /etc/exports line like this:
/home *(rw,sync,no_subtree_check)
The client machine wants to be able to mount its /home directory from the NFS server's /home export at boot time. To do so, the client creates an entry in its /etc/fstab file like this:
nfs_server:/home  /home   nfs   defaults  0   0
You will have to look at this file to see what these entries mean, but this creates the desired effect.

Acquiring network-based user information

The client also needs to be able to acquire the user login information normally provided in a local system by the files /etc/{passwd,shadow,group}. Such network-based user information can be provided by making the NFS client a client of an LDAP server. The LDAP document describes this concept. The LDAP server and NFS server can be the same machine or different hosts.

NFS firewall issues

First, unmount the file system:
$ sudo umount /vm0
We want to establish the firewall on vm0. If you're logged into vm0 by ssh, close out and go in by virt-viewer.

Install ufw on vm0. The firewall on MACHINE will be blocking vm0's access to the internet, so either figure out how to unblock the access or else disable ufw temporarily.

Install ufw, start the firewall, and enable secure shell access:
[vm0] $ sudo apt-get install ufw
[vm0] $ sudo ufw enable
[vm0] $ sudo ufw allow OpenSSH
Now you can ssh into vm0, so you can close out of virt-viewer if you like.

Exercise!!

Try mounting from the client:
$ sudo mount vm0:/  /vm0
It doesn't work! Using the techniques in the Firewall basics document,
  1. figure out which port/protocol pairs need to be opened up minimally to allow this mount operation.
  2. Now try unmounting it:
    $ sudo umount /vm0
    
    It doesn't work either. Figure out what port/protocol combinations you need to achieve this.


© Robert M. Kline