The Network File System (NFS), originally developed by Sun Microsystems, is an RPC-based distributed file system that lets machines on a network mount directories exported by an NFS server as if they were local disks.
Here is a step-by-step guide to installing and configuring an NFS server on a Linux machine.
What is the Network File System?
NFS is not a single protocol but a family of RPC programs: the NFS protocol itself, the MOUNT protocol used to attach an export, and (with NFSv3) the lock manager and status monitor. When each of these services starts, it registers its RPC program number, version and listening port with rpcbind (historically called portmap), the service that maps RPC program numbers to port numbers; clients ask rpcbind where to connect. NFSv4 folds all of this into one protocol on TCP port 2049 and needs neither rpcbind nor mountd, which is why it is much easier to pass through a firewall.
When working on an embedded Linux system it is very convenient to boot the device from an NFS share on the network (an NFS root filesystem) instead of from its own storage (NAND flash, eMMC, MMC and so on): you edit the root filesystem on your workstation and the target sees the change immediately.
Less commonly, you can also mount an NFS share after the system has booted, even if the system itself does not boot from NFS. In both scenarios you first need an NFS server on the computer you are developing on.
How to Install NFS on Linux
If you are using a Debian-based system such as Ubuntu or Linux Mint, you must install the nfs-kernel-server package as follows:
sudo apt install nfs-kernel-server
On Arch Linux:
sudo pacman -S nfs-utils
On Fedora, CentOS and RHEL:
sudo dnf -y install nfs-utils
On Debian-based systems the package starts the server for you; on Fedora, RHEL and Arch you have to enable and start nfs-server.service yourself (systemctl enable --now nfs-server). Either way, at this point the server does not know which directories on your computer you want to share over the network, so it exports nothing by default.
You can export several directories from the same server, each with its own client list, permissions and restrictions.
Configuring the NFS Server on Linux
To share a directory, add a line for it to the /etc/exports file. Each line names the directory, followed by one or more client specifications (a hostname, an IP address, an IP/netmask range or a wildcard), each with its options in parentheses directly after it. Open the file with any text editor of your choice; it is owned by root, so prefix the command with sudo.
sudo vim /etc/exports
The user-mapping ("squash") options you can set for each client are:
- root_squash: requests arriving from uid 0 on the client are mapped to the anonymous user and group on the server (nobody/nogroup, adjustable with anonuid and anongid). This is the default.
- no_root_squash: disables root squashing, so root on the client is root on the exported directory. An NFS root filesystem for an embedded target normally needs this, because the target's kernel accesses its files as uid 0, which is exactly why the client list for such an export must be kept narrow.
- all_squash: unlike root_squash, maps every client user and group to the anonymous user and group. It is generally used for public, read-mostly exports.
- no_all_squash: the opposite of all_squash; this is the default.
When a client whose address is not covered by the client specifications in /etc/exports tries to mount the export, the NFS server refuses the request.
On the embedded system the mount fails with an "access denied by server while mounting" message. On the computer running the NFS server, a line like the following appears at the end of /var/log/syslog (or in the journal on systems that do not keep syslog):
rpc.mountd: refused mount request from 192.168.2.2 for /home/example/casper/target (/home/example/casper/target): unmatched host
When you see an unmatched host message like the one above, widen the IP/netmask part of the relevant rule in /etc/exports so that it covers the subnet the target is on. The asterisk (*) wildcard grants access to every host that can reach the server; combined with no_root_squash on a writable export, that is remote root on the directory for anyone on the network, so reserve it for an isolated lab network, if you use it at all.
After changing /etc/exports you must make the server pick up the new configuration. One way is to restart the NFS service:
sudo service nfs-kernel-server restart
Or, if your distro comes with systemctl, run the following command:
sudo systemctl restart nfs-server.service
A restart is not actually required: exportfs with the -r parameter re-reads /etc/exports and synchronizes the kernel's export table with it, applying changed entries without interrupting clients that are already mounted, which makes it the better choice on a server that is in use. Running exportfs with -v afterwards shows what is currently exported and with which options, which is the quickest way to confirm the change took effect.
sudo exportfs -r
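As an added example (not code from the original page), the following Python script turns the two points above, the squash options and the unmatched host refusal, into a check you can run on a server. It parses /etc/exports, flags the settings that widen access (a * client, no_root_squash, insecure), and for rpc.mountd "unmatched host" lines like the one quoted above reports whether any client specification for that export covers the refused address, so you know whether to widen the IP/netmask or simply re-run exportfs -r. The exports entries and log lines inside it are constructed samples: /srv/public, the 192.168.1.0/24 lab subnet and the 192.168.1.20 client are assumptions; the target path and the 192.168.2.2 client echo the log line quoted in this article. Only the standard library is used.

```python
"""Audit /etc/exports and explain rpc.mountd "unmatched host" refusals.

Added example for this article, not code from the original page. Standard
library only. The exports entries and log lines below are constructed samples.
"""
import ipaddress
import re

# Constructed /etc/exports: a deliberately weak entry beside a restricted one.
SAMPLE_EXPORTS = """\
# weak: any host, client root stays root, unprivileged source ports accepted
/srv/public *(rw,no_root_squash,insecure)
# restricted: only the lab subnet; no_root_squash is still needed for NFS root
/home/example/casper/target 192.168.1.0/24(rw,sync,no_subtree_check,no_root_squash)
"""

# Constructed syslog lines in the shape rpc.mountd writes (timestamp omitted).
SAMPLE_SYSLOG = [
    "rpc.mountd: refused mount request from 192.168.2.2 for "
    "/home/example/casper/target (/home/example/casper/target): unmatched host",
    "rpc.mountd: authenticated mount request from 192.168.1.20:845 for "
    "/home/example/casper/target (/home/example/casper/target)",
]

# One token per client: "spec(opt,opt)" or a bare spec with default options.
TOKEN_RE = re.compile(r"([^(]*)(?:\(([^)]*)\))?")
REFUSED_RE = re.compile(
    r"rpc\.mountd: refused mount request from (\S+) for \S+ \((\S+)\): (.+)$"
)


def parse_exports(text):
    """Return [(path, [(client_spec, {options}), ...]), ...]."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        clients = []
        for token in rest.split():
            m = TOKEN_RE.fullmatch(token)
            if not m:
                continue  # malformed token, skip it
            # exports(5): a "(opts)" token with no host in front means every host
            spec = m.group(1) or "*"
            opts = set(filter(None, (m.group(2) or "").split(",")))
            clients.append((spec, opts))
        entries.append((path, clients))
    return entries


def audit_exports(text):
    """List settings that widen access: wildcard clients, root not squashed, insecure ports."""
    findings = []
    for path, clients in parse_exports(text):
        for spec, opts in clients:
            if spec == "*":
                findings.append(f"{path}: exported to every host that can reach the server")
            if "no_root_squash" in opts:
                findings.append(f"{path} [{spec}]: client root is root on the export")
            if "insecure" in opts:
                findings.append(f"{path} [{spec}]: accepts requests from unprivileged source ports")
    return findings


def client_allows(spec, client_ip):
    """True/False for '*', an IP or IP/netmask spec; None for names or @netgroups (needs DNS)."""
    if spec == "*":
        return True
    try:
        network = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return None
    return ipaddress.ip_address(client_ip) in network


def explain_refusals(log_lines, exports_text):
    """For each 'unmatched host' refusal, report whether any client spec covers the client."""
    exported = dict(parse_exports(exports_text))
    report = []
    for line in log_lines:
        m = REFUSED_RE.search(line)
        if not m or m.group(3) != "unmatched host":
            continue
        client_ip, path = m.group(1), m.group(2)
        if path not in exported:
            report.append((client_ip, path, "path is not in /etc/exports at all"))
            continue
        specs = [spec for spec, _ in exported[path]]
        if any(client_allows(spec, client_ip) for spec in specs):
            why = "a client spec covers it; the file was probably not applied (exportfs -r)"
        else:
            why = "no client spec covers it; current specs: " + ", ".join(specs)
        report.append((client_ip, path, why))
    return report


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print("WEAK:", finding)
    for client_ip, path, why in explain_refusals(SAMPLE_SYSLOG, SAMPLE_EXPORTS):
        print(f"refused {client_ip} -> {path}: {why}")
```

To use it on a real server, pass the contents of /etc/exports and the rpc.mountd lines from /var/log/syslog to audit_exports and explain_refusals. Hostnames, wildcard domains and @netgroups are reported as undecidable on purpose: resolving them offline would be guessing, and a wrong guess here is what leads people to reach for the * wildcard.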
Resolve mount latency issue
With NFSv4 or later on the server and a default server configuration, the client-side mount can stall for up to about 15 seconds in otherwise ordinary setups. This has been seen on some versions of Debian, Fedora and Ubuntu.
If you experience a delay like this, check the server-side log files (/var/log/syslog, /var/log/messages) for a message similar to the following:
RPC: AUTH_GSS upcall timed out
This message means the kernel tried to obtain an RPCSEC_GSS (Kerberos) security context through the rpc.gssd daemon, received no answer, and only fell back to ordinary sec=sys after the timeout. In a development network for embedded Linux targets you are unlikely to use Kerberos at all, and even on a network that does, the embedded systems themselves will not be using it.
Workarounds based on running or adjusting the GSSD service alongside NFS have been proposed, but they do not behave the same across distributions and package versions, so it is more reliable to remove the cause.
To do that, prevent the rpcsec_gss_krb5 kernel module from loading on the system where the NFS server runs. Be clear about the trade-off: RPCSEC_GSS with Kerberos is the only NFS security flavour that actually authenticates users instead of trusting the UID the client claims, so blocking the module commits this server to sec=sys only and belongs on an isolated development network, not on a shared file server.
To make this take effect on every boot, create a new file called /etc/modprobe.d/nfs-gss-blacklist.conf and add the following lines to it:
Once you save the file and reboot, the mount delay is gone; lsmod should no longer list rpcsec_gss_krb5. Note that a plain blacklist entry only stops the module from being loaded automatically by alias; if something still loads it explicitly, an install directive that maps the module to /bin/false blocks it outright.
Why use an NFS server?
NFS is simple and cheap to set up. It allows centralized management and reduces the need for extra software and storage on each user's machine: several users can share the same disk space on one server and mount it into their own file systems to extend their storage.
NFS sharing also makes it possible to keep programs that need a lot of storage together on one server, which can save a great deal of disk space. Security-wise, NFSv2 and v3 with the default sec=sys flavour offer no real authentication: the server trusts the numeric UID and GID the client sends, so any host that is allowed by /etc/exports can impersonate any user. Newer versions of NFS and nfs-utils add Kerberos-based RPCSEC_GSS (sec=krb5, krb5i for integrity and krb5p for privacy), which authenticates users and can protect traffic on the wire; NFSv4 was designed around it.
There are disadvantages as well. NFS slows down noticeably under heavy network traffic. Sharing with Windows is possible (some Windows editions ship an optional Client for NFS feature; otherwise third-party software is needed), but exposing NFS beyond a trusted network is not a sensible practice: a single misconfiguration, such as a wildcard client or no_root_squash on a writable export, grants unauthorized access.
Simplified file system sharing on Linux using NFS
Knowing the security issues of the services you run and how to address them is one of the most important tasks of a system administrator. That applies to every file sharing system and management tool, not just NFS.