The general syntax which you must use to create a NFS share using /etc/exports
will be:
/PATH/TO/DIR HOST([OPTIONS])
Each line in the file specifies one remote mount point. The first field contains the mount-point directory path, followed optionally by a list of options and/or a list of specific hosts separated by white space. If no specific hosts are specified, the mount point is exported to all hosts.
If you are new to NFS server then I recommend you to first read Overview on NFS and difference between NFSv2 vs NFSv3 and NFSv4
To export /dump/backups
to single client 10.43.138.2
using NFS, I will add below to /etc/exports
:
# cat /etc/exports /dump/backups 10.43.138.2
To refresh the share
# exportfs -r
exportfs: No options for /dump/backups 10.43.138.2: suggest 10.43.138.2(sync) to avoid warning
Since we have not provided any OPTIONS to the NFS share we get this warning. It will work but it is recommended to add atleast "sync
" in the OPTIONS
section to avoid this warning
So I have updated my /etc/exports
/dump/backups 10.43.138.2(sync)
Net refresh the share
# exportfs -r
Now we don't get any warning, verify the existing share
# exportfs -v /dump/backups 10.43.138.2(sync,wdelay,hide,no_subtree_check,sec=sys,ro,secure,root_squash,no_all_squash)
To export a NFS share to whole world (this is a dangerous term in production but actually that is what this means). We will use "*
" to enable NFS access to the share to all the networks out there which has access to your NFS server
# cat /etc/exports /dump/backups *(sync)
So here we have added no restriction in the exports file for the NFS Share for any of the hosts
Now instead of single host, we will create a exportfs
share to be accessed by all the hosts from a network IP range i.e. 10.43.138.1/27
# cat /etc/exports /dump/backups 10.43.138.2/27(sync)
Or alternatively if you don't have a prefix value, you can provide the netmask
value of the subnet
# cat /etc/exports /dump/backups 10.43.138.2/255.255.255.224(sync)
To export a share to multiple hosts across different network range you must create individual entry of respective hosts.
# cat /etc/exports /dump/backups 10.43.138.0/255.255.255.224(sync) /dump/backups 192.168.0.1/255.255.255.0(sync) /dump/backups 192.168.100.10(sync) /dump/backups 10.10.10.0/24(sync)
In this example I am exporting the same path to multiple hosts across different networks.
You can also add them in single line but to make the file content look clean I am using different entries for the same share. To add all these in the single line, the syntax would be:
/PATH/TO/DIR HOST1([OPTIONS]) HOST2([OPTIONS]) HOST3([OPTIONS])
To use single line share for our last example, we can use:
/dump/backups 10.43.138.0/255.255.255.224(sync) 192.168.0.1/255.255.255.0(sync) 192.168.100.10(sync) 10.10.10.0/24(sync)
We can restrict a share in /etc/exports
itself by providing only those list of hosts who should be allowed to access the share. But sometimes when you have provided an entire network in the allow list of /etc/exports
for example
/dump/backups 10.43.138.0/255.255.255.224(sync)
But you only wish to restrict the share to 10.43.138.2
host. In such case this can be tricky.
With NFSv3 we can use hosts.deny to restrict access to such hosts by using rpcbind, mountd, nfsd, statd, lockd, rquotad
to define an access rule but the same is not possible with NFSv4 as it does not use these daemons any more.
To restrict a host with NFSv3 we will add below entry for 10.43.138.2
# echo "rpcbind: 10.43.138.2" >> /etc/hosts.deny
Now if you try to access the NFS share using this hosts:
# mount -o nfsvers=3 10.43.138.1:/dump/backups /mnt
mount.nfs: access denied by server while mounting 10.43.138.1:/dump/backups
But if I try to access the same share using NFSv4
# mount -o nfsvers=4 10.43.138.1:/dump/backups /mnt
It works. So hosts.deny was unable to block this request.
To overcome this you may rely on firewall to block the respective host from accessing your NFS server
5.1 Restrict NFS shares using iptables
# iptables -I INPUT -s 10.43.138.2 -p tcp --dport nfs -j DROP # iptables -I INPUT -s 10.43.138.2 -p udp --dport nfs -j DROP
5.2 Restrict NFS shares using firewalld rich rules
# firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='10.10.10.4' service name='nfs' reject" # firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='10.10.10.4' service name='mountd' reject" # firewall-cmd --reload
However with wildcards we can have more control over the hosts we wish to allow the access for NFS share which we will learn next.
6. How to use wildcard with NFS exports
Machine names may contain the wildcard characters *
and ?
, or may contain character class lists within [square brackets]
. This can be used to make the exports file more compact
6.1 Using ? with hostnames
We can use ?
wildcard to match a single character in the hostname, for example to match server1
, server2
, serverA
, serverX
we can use:
/dump/backups server?(sync)
If you wish to match for more than one character then you can use ?
more than one times. For example to match server12
, server23
, serverAB
, serverXY
we can use:
/dump/backups server??(sync)
6.2 Using square brackets with hostnames
You can use square brackets to define a range of numbers or characters. Below example will match all machines with hostname between server00.example.com
to server99.example.com
/dump/backups server[0-9][0-9].example.com(sync)
To map server1
to server5
we can use
/dump/backups server[1-5](sync)
To map character with square brackets for example match serverA
till serverE
, in such case use:
/dump/backups server[A-E](sync)
6.3 Using * with hostnames
As you can assume, *
means match everything. So assuming you have multiple subdomains under example.com then you can simply use *.example.com
to match for all the sub-domains
/dump/backups *.example.com(sync)
So this will match
mail.example.com cdn.example.com host.example.com
But this will not match
ab.cd.example.com
So to match this you must use:
/dump/backups *.*.example.com(sync)
So I hope you got the idea.
To assign a share with read only permission:
# cat /etc/exports
/dump/backups 10.43.138.2(ro,sync)
Refresh the shares
# exportfs -r
Verify the exported shares and the options:
# exportfs -v
/dump/backups 10.43.138.2(sync,wdelay,hide,no_subtree_check,sec=sys,ro,secure,root_squash,no_all_squash)
To export a share with read write permission use:
# cat /etc/exports
/dump/backups 10.43.138.2(rw,sync)
Refresh and verify the shares and applied options:
# exportfs -r
# exportfs -v
/dump/backups 10.43.138.2(sync,wdelay,hide,no_subtree_check,sec=sys,rw,secure,root_squash,no_all_squash)
Now if someone creates a file in these share on the client nodes:
[root@nfs-client ~]# mount -o nfsvers=4 10.43.138.1:/dump/backups /mnt
Create a new file as root user
[root@nfs-client ~]# touch /mnt/file
Verify the permission
[root@nfs-client ~]# ls -l
total 0
-rw-r----- 1 nfsnobody nfsnobody 0 Aug 20 13:31 file
As you see the new file is created with nobody
permission. By default when NFS share is exported with root_squash
permission so any file access and modification from root user will be performed under anonymous account so called nobody
user.
Although if you create a file using normal user then the same will be reflected as user and owner of the file:
[deepak@nfs-client ~]$ ls -l /mnt/
total 0
-rw-r----- 1 nfsnobody nfsnobody 0 Aug 20 13:31 file
-rw-r----- 1 deepak users 0 Aug 20 13:36 file1
If you wish create a share which can be accessed over NFSv4 only then you ust modify /etc/nfs.conf
[root@nfs-server ~]# vim /etc/nfs.conf [nfsd] vers2=n vers3=n vers4=y vers4.0=y vers4.1=y vers4.2=y
Make sure you disable vers2
and vers3
to only allow connection over NFSv4
Optionally, disable listening for the RPCBIND, MOUNT, and NSM protocol calls, which are not necessary in the NFSv4-only case. Disable related services:
[root@nfs-server ~]# systemctl mask --now rpc-statd.service rpcbind.service rpcbind.socket Created symlink /etc/systemd/system/rpc-statd.service → /dev/null. Created symlink /etc/systemd/system/rpcbind.service → /dev/null. Created symlink /etc/systemd/system/rpcbind.socket → /dev/null.
After you configure NFS server, restart the NFS server to activate the changes and enable it start automatically post reboot. You can also check nfs status using systemctl status nfs-server
[root@nfs-server ~]# systemctl restart nfs-server [root@nfs-server ~]# systemctl enable nfs-server
Use the netstat
utility to list services listening on the TCP and UDP protocols:
The following is an example netstat
output on an NFSv4-only server; listening for RPCBIND, MOUNT, and NSM is also disabled. Here, nfs is the only listening NFS service:
[root@nfs-server ~]# netstat --listening --tcp --udp | grep nfs tcp 0 0 0.0.0.0:nfs 0.0.0.0:* LISTEN tcp6 0 0 [::]:nfs [::]:* LISTEN
Next you can create a share using /etc/exports
. We don't need to define any additional permission here:
/dump/backups 10.43.138.2(rw,sync)
Now this share will be accessible only over NFSv4.
nfs.conf
As informed earlier, by default root_squash
permission is added to the NFS share which means this permission prevents remote root users from having superuser (root) privileges on remote NFS-mounted volumes. Here, squash literally means to squash the power of the remote root user
So to enable root access we will use no_root_squash
which allows root user on the NFS client host to access the NFS-mounted directory with the same rights and privileges that the superuser would normally have.
To disable root squash we use:
# cat /etc/exports
/dump/backups 10.43.138.2(rw,sync,no_root_squash)
To refresh the shares
# exportfs -v
/dump/backups 10.43.138.2(sync,wdelay,hide,no_subtree_check,sec=sys,rw,secure,no_root_squash,no_all_squash)
Recommended Read
To learn more about different supported NFS exports options for NFS server and client I would recommend you to read:
Beginners guide to different NFS mount and exports options with examples
Conclusion
In this tutorial I shared multiple examples with different scenarios to export NFS share with and without restrictions. It is important that with NFS we also consider the security of these shares so that it is not accessed by unauthorized users over the network so you must assign the NFS options properly.
Lastly I hope the steps from the article to configure NFS exports share on Linux was helpful. So, let me know your suggestions and feedback using the comment section.