Complete NFS Configuration Guide: Setup & Best Practices

Master Network File System configuration with this comprehensive guide covering installation, security, troubleshooting, and optimization techniques.

Network File System (NFS) Configuration Guide

Table of Contents

1. [Introduction to NFS](#introduction-to-nfs)
2. [NFS Architecture](#nfs-architecture)
3. [Installation and Setup](#installation-and-setup)
4. [Server Configuration](#server-configuration)
5. [Client Configuration](#client-configuration)
6. [Security Considerations](#security-considerations)
7. [Troubleshooting](#troubleshooting)
8. [Performance Optimization](#performance-optimization)
9. [Best Practices](#best-practices)

Introduction to NFS

Network File System (NFS) is a distributed file system protocol that allows users to access files over a network in a manner similar to how local storage is accessed. Developed by Sun Microsystems in 1984, NFS enables file sharing between Unix-like systems and has become a standard for network-attached storage.

Key Features

| Feature | Description |
|---------|-------------|
| Platform Independence | Works across different Unix-like operating systems |
| Transparency | Files appear as if they are stored locally |
| Centralized Storage | Allows multiple clients to share the same files |
| Scalability | Can handle multiple concurrent connections |
| Stateless Protocol | Server doesn't maintain client state information |

NFS Versions Comparison

| Version | Release Year | Key Features | Status |
|---------|--------------|--------------|--------|
| NFSv2 | 1989 | Basic file sharing, UDP only | Deprecated |
| NFSv3 | 1995 | TCP support, 64-bit file sizes | Legacy |
| NFSv4 | 2003 | Stateful, integrated security, compound operations | Current |
| NFSv4.1 | 2010 | Parallel NFS (pNFS), sessions | Current |
| NFSv4.2 | 2016 | Server-side copy, sparse files | Latest |

NFS Architecture

Components Overview

NFS operates using a client-server architecture with several key components:

#### Server Components

| Component | Purpose | Default Port |
|-----------|---------|--------------|
| nfsd | Main NFS daemon | 2049 |
| rpcbind | RPC port mapper | 111 |
| rpc.mountd | Mount daemon | Variable |
| rpc.statd | Status daemon | Variable |
| rpc.lockd | Lock daemon | Variable |

#### Client Components

| Component | Purpose | Function |
|-----------|---------|----------|
| mount.nfs | Mount helper | Mounts NFS shares |
| rpc.statd | Status monitoring | Handles file locking |
| rpc.gssd | GSSAPI security | Manages Kerberos authentication |

Protocol Flow

```
Client Request Flow:
1. Client sends RPC request to rpcbind (port 111)
2. rpcbind returns port number for requested service
3. Client connects to specific service port
4. Service processes request and returns response
```

Installation and Setup

Red Hat/CentOS/Fedora Installation

```bash
# Install NFS server packages
sudo yum install nfs-utils rpcbind

# For newer systems using dnf
sudo dnf install nfs-utils rpcbind

# Install additional utilities
sudo yum install nfs4-acl-tools
```

Ubuntu/Debian Installation

```bash
# Update package list
sudo apt update

# Install NFS server
sudo apt install nfs-kernel-server nfs-common rpcbind

# Install client tools
sudo apt install nfs-common
```

Service Management

#### SystemD Commands

| Command | Purpose | Notes |
|---------|---------|-------|
| systemctl start nfs-server | Start NFS server | Required for sharing |
| systemctl enable nfs-server | Enable at boot | Ensures automatic startup |
| systemctl status nfs-server | Check service status | Shows current state |
| systemctl restart nfs-server | Restart service | Apply configuration changes |
| systemctl stop nfs-server | Stop NFS server | Stops all NFS services |

#### Service Dependencies

```bash
# Start required services in order
sudo systemctl start rpcbind
sudo systemctl start nfs-server
sudo systemctl start rpc-statd

# Enable services for automatic startup
sudo systemctl enable rpcbind nfs-server
```

Server Configuration

Main Configuration File

The primary NFS server configuration file is /etc/exports. This file defines which directories are shared, with whom, and what permissions are granted.

#### Exports File Syntax

```
/path/to/directory client1(options) client2(options)
```

#### Basic Export Options

| Option | Description | Example |
|--------|-------------|---------|
| rw | Read-write access | rw |
| ro | Read-only access | ro |
| sync | Synchronous writes | sync |
| async | Asynchronous writes | async |
| no_root_squash | Allow root access | no_root_squash |
| root_squash | Map root to anonymous | root_squash |
| all_squash | Map all users to anonymous | all_squash |
| no_subtree_check | Disable subtree checking | no_subtree_check |
| subtree_check | Enable subtree checking | subtree_check |

#### Advanced Export Options

| Option | Description | Usage |
|--------|-------------|-------|
| anonuid=UID | Set anonymous user ID | anonuid=65534 |
| anongid=GID | Set anonymous group ID | anongid=65534 |
| fsid=NUM | Set filesystem ID | fsid=0 |
| crossmnt | Allow cross-mount access | crossmnt |
| hide | Hide directory | hide |
| nohide | Don't hide directory | nohide |
| secure | Require privileged ports | secure |
| insecure | Allow unprivileged ports | insecure |

Configuration Examples

#### Example 1: Basic Home Directory Share

```bash
# /etc/exports
/home/shared 192.168.1.0/24(rw,sync,no_subtree_check)
```

This configuration:

- Shares /home/shared directory
- Allows access from entire 192.168.1.0/24 subnet
- Grants read-write access
- Uses synchronous writes
- Disables subtree checking for performance

#### Example 2: Multiple Client Configuration

```bash
# /etc/exports
/var/nfs/general 192.168.1.10(rw,sync,no_subtree_check) 192.168.1.20(ro,sync,no_subtree_check)
/var/nfs/public *(ro,sync,no_subtree_check,all_squash,anonuid=65534,anongid=65534)
```

This configuration:

- First share allows RW access to specific IP, RO to another
- Second share allows read-only access to everyone
- Maps all users to anonymous user/group

#### Example 3: Advanced Security Configuration

```bash
# /etc/exports
/secure/data 192.168.1.0/24(rw,sync,no_subtree_check,root_squash,secure)
/backup client1.domain.com(rw,sync,no_root_squash) client2.domain.com(ro,sync)
```

Directory Preparation

```bash
# Create shared directories
sudo mkdir -p /var/nfs/general
sudo mkdir -p /var/nfs/public
sudo mkdir -p /home/shared

# Set appropriate permissions
sudo chown nobody:nogroup /var/nfs/general
sudo chown nobody:nogroup /var/nfs/public
sudo chmod 755 /var/nfs/general
sudo chmod 755 /var/nfs/public

# Create test files
sudo touch /var/nfs/general/test.txt
sudo touch /var/nfs/public/readme.txt
```

Applying Configuration Changes

```bash
# Method 1: Restart NFS server
sudo systemctl restart nfs-server

# Method 2: Reload exports without restart
sudo exportfs -ra

# Method 3: Export specific directory
sudo exportfs -o rw,sync,no_subtree_check 192.168.1.0/24:/var/nfs/general
```

#### Export Management Commands

| Command | Purpose | Example |
|---------|---------|---------|
| exportfs -a | Export all directories | sudo exportfs -a |
| exportfs -r | Re-export directories | sudo exportfs -r |
| exportfs -u | Unexport directory | sudo exportfs -u /var/nfs/general |
| exportfs -v | Verbose export list | sudo exportfs -v |
| exportfs -s | Show current exports | sudo exportfs -s |

Client Configuration

Mounting NFS Shares

#### Manual Mount Commands

```bash
# Basic mount command
sudo mount -t nfs server_ip:/path/to/share /local/mount/point

# Mount with specific NFS version
sudo mount -t nfs -o nfsvers=4 server_ip:/path/to/share /local/mount/point

# Mount with additional options
sudo mount -t nfs -o nfsvers=4,rsize=8192,wsize=8192 server_ip:/share /mnt/nfs
```

#### Mount Options

| Option | Description | Recommended Use |
|--------|-------------|-----------------|
| nfsvers=4 | Force NFSv4 | Modern installations |
| proto=tcp | Use TCP protocol | Reliable connections |
| rsize=8192 | Read buffer size | Performance tuning |
| wsize=8192 | Write buffer size | Performance tuning |
| hard | Hard mount | Critical data |
| soft | Soft mount | Non-critical data |
| intr | Interruptible | Allow interruption |
| timeo=30 | Timeout value | Network reliability |
| retrans=3 | Retry attempts | Network reliability |

Permanent Mounts with fstab

#### fstab Entry Format

```
server:/path/to/share /local/mount/point nfs options 0 0
```

#### Example fstab Entries

```bash
# /etc/fstab
192.168.1.100:/var/nfs/general /mnt/nfs/general nfs defaults,_netdev 0 0
192.168.1.100:/var/nfs/public /mnt/nfs/public nfs ro,_netdev 0 0
nfs-server:/home/shared /mnt/shared nfs nfsvers=4,rsize=8192,wsize=8192,hard,intr,_netdev 0 0
```

#### fstab Options Explanation

| Option | Purpose | Notes |
|--------|---------|-------|
| _netdev | Network device | Wait for network before mounting |
| defaults | Default options | rw,suid,dev,exec,auto,nouser,async |
| auto | Mount at boot | Default behavior |
| noauto | Don't mount at boot | Manual mount required |
| user | Allow user mounting | Security consideration |
| nouser | Root only mounting | Default, more secure |

Client Directory Preparation

```bash
# Create mount points
sudo mkdir -p /mnt/nfs/general
sudo mkdir -p /mnt/nfs/public
sudo mkdir -p /mnt/shared

# Set appropriate permissions
sudo chmod 755 /mnt/nfs/general
sudo chmod 755 /mnt/nfs/public
sudo chmod 755 /mnt/shared
```

Testing Mounts

```bash
# Test mount manually first
sudo mount -t nfs 192.168.1.100:/var/nfs/general /mnt/nfs/general

# Verify mount
df -h | grep nfs
mount | grep nfs

# Test read/write access
touch /mnt/nfs/general/test_file
ls -la /mnt/nfs/general/

# Test fstab entry without rebooting
sudo mount -a
```

Security Considerations

Firewall Configuration

#### Required Ports

| Service | Port | Protocol | Purpose |
|---------|------|----------|---------|
| rpcbind | 111 | TCP/UDP | RPC port mapper |
| nfsd | 2049 | TCP/UDP | Main NFS service |
| mountd | Variable | TCP/UDP | Mount daemon |
| statd | Variable | TCP/UDP | Status daemon |
| lockd | Variable | TCP/UDP | Lock daemon |

#### Firewall Rules (iptables)

```bash
# Allow NFS traffic from specific subnet
sudo iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 111 -j ACCEPT
sudo iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 2049 -j ACCEPT
sudo iptables -A INPUT -s 192.168.1.0/24 -p udp --dport 111 -j ACCEPT
sudo iptables -A INPUT -s 192.168.1.0/24 -p udp --dport 2049 -j ACCEPT

# Save rules (the redirect must also run as root, so wrap it in a root shell)
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
```

#### Firewall Rules (firewalld)

```bash
# Add NFS service to firewall
sudo firewall-cmd --permanent --add-service=nfs
sudo firewall-cmd --permanent --add-service=rpc-bind
sudo firewall-cmd --permanent --add-service=mountd

# Reload firewall
sudo firewall-cmd --reload

# Add specific source subnet
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="nfs" accept'

# Reload again so the permanent rich rule takes effect
sudo firewall-cmd --reload
```

Authentication and Authorization

#### User ID Mapping

| Mapping Type | Description | Security Level |
|--------------|-------------|----------------|
| root_squash | Map root to anonymous | High |
| no_root_squash | Allow root access | Low |
| all_squash | Map all users to anonymous | Highest |
| anonuid/anongid | Set anonymous user/group | Configurable |

#### Example Security Configurations

```bash
# High security - all users mapped to anonymous
/secure/data 192.168.1.0/24(rw,sync,all_squash,anonuid=65534,anongid=65534,secure)

# Medium security - root squashed, specific users allowed
/shared/docs 192.168.1.0/24(rw,sync,root_squash,secure)

# Low security - full access (not recommended for production)
/public/temp 192.168.1.0/24(rw,sync,no_root_squash,insecure)
```

Network Security

#### TCP Wrappers Configuration

```bash
# /etc/hosts.allow
rpcbind: 192.168.1.0/24
mountd: 192.168.1.0/24
nfsd: 192.168.1.0/24

# /etc/hosts.deny
rpcbind: ALL
mountd: ALL
nfsd: ALL
```

#### SSL/TLS Considerations

NFSv4 supports Kerberos authentication for enhanced security:

```bash
# Install Kerberos support
sudo yum install nfs4-acl-tools krb5-workstation

# Configure for Kerberos (requires Kerberos infrastructure)
# /etc/exports
/secure/krb 192.168.1.0/24(rw,sync,sec=krb5p)
```

Troubleshooting

Common Issues and Solutions

#### Issue 1: Permission Denied

Symptoms:

- Cannot access mounted share
- Permission denied errors

Diagnosis Commands:

```bash
# Check mount status
mount | grep nfs

# Verify exports on server
sudo exportfs -v

# Check file permissions
ls -la /mnt/nfs/share/
```

Solutions:

```bash
# Fix ownership on server
sudo chown -R nobody:nogroup /var/nfs/share

# Adjust export options
# Add to /etc/exports:
/var/nfs/share 192.168.1.0/24(rw,sync,no_subtree_check,all_squash,anonuid=1000,anongid=1000)

# Re-export
sudo exportfs -ra
```

#### Issue 2: Stale File Handle

Symptoms:

- "Stale file handle" errors
- Cannot access previously working files

Solutions:

```bash
# Unmount and remount
sudo umount /mnt/nfs/share
sudo mount -t nfs server:/path /mnt/nfs/share

# Force unmount if necessary
sudo umount -f /mnt/nfs/share

# Check for processes using the mount
sudo lsof +D /mnt/nfs/share
```

#### Issue 3: Service Won't Start

Diagnosis Commands:

```bash
# Check service status
sudo systemctl status nfs-server

# Check logs
sudo journalctl -u nfs-server
sudo tail -f /var/log/messages

# Verify configuration
sudo exportfs -s
```

Common Solutions:

```bash
# Fix exports syntax errors
sudo exportfs -a

# Restart dependencies
sudo systemctl restart rpcbind
sudo systemctl restart nfs-server

# Check port availability
sudo netstat -tulpn | grep :2049
```

Diagnostic Commands

| Command | Purpose | Example Output |
|---------|---------|----------------|
| showmount -e server | Show server exports | /var/nfs/general 192.168.1.0/24 |
| nfsstat -s | Server statistics | RPC call statistics |
| nfsstat -c | Client statistics | Client RPC statistics |
| rpcinfo -p server | RPC services | Service port mappings |
| exportfs -v | Verbose export list | Detailed export options |

Performance Monitoring

```bash
# Monitor NFS performance
nfsiostat 1

# Check network statistics
ss -tuln | grep :2049

# Monitor file system usage
df -h | grep nfs

# Check for locks
cat /proc/locks | grep nfs
```

Performance Optimization

Mount Options for Performance

| Option | Impact | Recommended For |
|--------|--------|-----------------|
| rsize=32768 | Larger read buffer | High-bandwidth networks |
| wsize=32768 | Larger write buffer | High-bandwidth networks |
| proto=tcp | Reliable transport | All connections |
| nfsvers=4 | Latest protocol | Modern systems |
| async | Asynchronous writes | Non-critical data |
| noatime | Skip access time updates | Performance critical |

Optimal Configuration Examples

#### High-Performance Configuration

```bash
# /etc/fstab entry for high performance
server:/data /mnt/data nfs nfsvers=4,proto=tcp,rsize=32768,wsize=32768,hard,intr,noatime,_netdev 0 0
```

#### Network-Optimized Configuration

```bash
# For slow or unreliable networks
server:/data /mnt/data nfs nfsvers=4,proto=tcp,soft,timeo=30,retrans=3,_netdev 0 0
```

Server Optimization

#### NFS Daemon Configuration

```bash
# /etc/nfs.conf
[nfsd]
threads=16
port=2049
udp=n
tcp=y
vers2=n
vers3=y
vers4=y
vers4.0=y
vers4.1=y
vers4.2=y
```

#### Kernel Parameters

```bash
# /etc/sysctl.conf
# Increase network buffers
net.core.rmem_default = 262144
net.core.rmem_max = 16777216
net.core.wmem_default = 262144
net.core.wmem_max = 16777216

# Apply changes
sudo sysctl -p
```

Monitoring Performance

```bash
# Real-time NFS I/O statistics
nfsiostat -h 1

# Network interface statistics
sar -n DEV 1

# File system performance
iostat -x 1

# NFS-specific statistics
cat /proc/net/rpc/nfsd
```

Best Practices

Security Best Practices

1. Network Segmentation
   - Use dedicated network segments for NFS traffic
   - Implement VLANs where possible
   - Restrict access using firewalls

2. Authentication
   - Always use root_squash unless specifically needed
   - Consider all_squash for public shares
   - Implement Kerberos for sensitive data

3. Access Control
   - Specify exact IP addresses or small subnets
   - Avoid wildcard exports when possible
   - Use secure option to require privileged ports
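The authentication and access-control items above can be checked mechanically against an exports file. The script below is an added example, not part of the original guide: the function names, the severity labels and the /24 width threshold are assumptions, and the sample input reuses this guide's export lines plus two constructed ones. It also catches the stray space in `host (rw)`, which exports(5) reads as default options for the host and `rw` for every client.

```shell
#!/bin/sh
# Added example: flag risky client entries in an exports(5) file.
# Usage: audit_exports /etc/exports   (or pipe the file on stdin)
audit_exports() {
  awk '
    function report(level, msg) { printf "%s %s %s %s\n", level, path, client, msg }
    {
      sub(/#.*/, "")                 # strip comments
      if (NF < 2) next               # blank line, or a path with no client list
      path = $1
      for (i = 2; i <= NF; i++) {
        client = $i; opts = ""
        p = index($i, "(")
        if (p > 0) {                 # split host(opt,opt,...)
          client = substr($i, 1, p - 1)
          opts = substr($i, p + 1)
          sub(/\)$/, "", opts)
        }
        o = "," opts ","             # surrounding commas make option matches exact
        broad = (index(o, ",rw,") > 0) ? "HIGH" : "MEDIUM"
        if (client == "") {          # bare "(opts)", as in "host (rw)": applies to everyone
          client = "*"
          report(broad, "options with no host (stray space?) apply to all clients")
        } else if (index(client, "*") > 0) {
          report(broad, "wildcard client")
        } else if (match(client, /\/[0-9]+$/) && substr(client, RSTART + 1) + 0 < 24) {
          report("MEDIUM", "subnet wider than /24")   # threshold is an assumption
        }
        if (index(o, ",no_root_squash,")) report("HIGH", "no_root_squash: client root keeps uid 0")
        if (index(o, ",insecure,")) report("MEDIUM", "insecure: unprivileged source ports accepted")
      }
    }
  ' "$@"
}

# Constructed sample input: export lines from this guide plus two constructed ones.
sample_exports() {
  cat <<'EOF'
# /etc/exports (sample)
/home/shared 192.168.1.0/24(rw,sync,no_subtree_check)
/var/nfs/public *(ro,sync,no_subtree_check,all_squash,anonuid=65534,anongid=65534)
/backup client1.domain.com(rw,sync,no_root_squash) client2.domain.com(ro,sync)
/public/temp 192.168.1.0/24(rw,sync,no_root_squash,insecure)
/srv/data 10.0.0.0/8(rw,sync)             # constructed
/srv/oops trusted.example.com (rw,sync)   # constructed: stray space before "("
EOF
}

sample_exports | audit_exports
```

Each output line is `LEVEL path client reason`; an empty result means none of these patterns matched, not that the export is safe.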

Operational Best Practices

#### Backup Considerations

```bash
# Backup exports configuration
sudo cp /etc/exports /etc/exports.backup.$(date +%Y%m%d)

# Document mount points and options
cat /etc/fstab | grep nfs > nfs_mounts.txt
```

#### Monitoring Setup

```bash
# Create monitoring script (writing to /usr/local/bin requires root)
sudo tee /usr/local/bin/nfs_monitor.sh > /dev/null << 'EOF'
#!/bin/bash
# NFS monitoring script

echo "=== NFS Server Status ==="
systemctl status nfs-server --no-pager

echo "=== Active Exports ==="
exportfs -s

echo "=== Connected Clients ==="
ss -tn | grep :2049

echo "=== NFS Statistics ==="
nfsstat -s | head -10
EOF

sudo chmod +x /usr/local/bin/nfs_monitor.sh
```

Maintenance Procedures

#### Regular Maintenance Tasks

| Task | Frequency | Command |
|------|-----------|---------|
| Check service status | Daily | systemctl status nfs-server |
| Review logs | Weekly | journalctl -u nfs-server |
| Update exports | As needed | exportfs -ra |
| Monitor performance | Weekly | nfsstat -s |
| Check disk space | Daily | df -h |

#### Backup and Recovery

```bash
# Backup critical NFS configuration files
tar -czf nfs-config-backup-$(date +%Y%m%d).tar.gz \
    /etc/exports \
    /etc/fstab \
    /etc/nfs.conf \
    /etc/idmapd.conf

# Restore procedure
sudo tar -xzf nfs-config-backup-YYYYMMDD.tar.gz -C /
sudo systemctl restart nfs-server
```

This comprehensive guide provides the foundation for successfully implementing and maintaining NFS shares in enterprise environments. Regular monitoring, proper security configuration, and adherence to best practices ensure reliable and secure file sharing across network infrastructure.
