There are three ways to configure an NFS server under Red Hat Enterprise Linux: using the
NFS Server Configuration Tool
(system-config-nfs), manually editing its
configuration file (/etc/exports), or using the
/usr/sbin/exportfs command.
For instructions on using NFS Server Configuration Tool, refer
to the chapter titled Network File System (NFS)
in the Red Hat Enterprise Linux System Administration Guide. The remainder of this section
discusses manually editing /etc/exports and using
the /usr/sbin/exportfs command to export NFS file
systems.
The /etc/exports file controls which file systems
are exported to remote hosts and specifies options. Blank lines
are ignored, comments can be made by starting a line with the hash
mark (#), and long lines can be wrapped with a
backslash (\). Each exported file system should be
on its own individual line, and any lists of authorized hosts placed
after an exported file system must be separated by space
characters. Options for each of the hosts must be placed in
parentheses directly after the host identifier, without any spaces
separating the host and the first parenthesis.
A line for an exported file system has the following structure:
<export> <host1>(<options>) <hostN>(<options>)...
In this structure, replace <export>
with the directory being exported, replace
<host1> with the host or network to
which the export is being shared, and replace
<options> with the options for that
host or network. Additional hosts can be specified in a
space-separated list.
The following methods can be used to specify host names:
single host — Where one particular
host is specified with a fully qualified domain name, hostname, or
IP address.
wildcards — Where a
* or ? character is used to take
into account a grouping of fully qualified domain names that match
a particular string of letters. Wildcards should not be used with
IP addresses; however, it is possible for them to work accidentally
if reverse DNS lookups fail.
Be careful when using wildcards with fully qualified domain
names, as they tend to be more exact than expected. For example,
the use of *.example.com as a wildcard allows
sales.example.com to access an exported file system, but not
bob.sales.example.com. To match both possibilities, both
*.example.com and
*.*.example.com must be specified.
IP networks — Allows the matching
of hosts based on their IP addresses within a larger network. For
example, 192.168.0.0/28 allows the first 16 IP
addresses, from 192.168.0.0 to 192.168.0.15, to access the
exported file system, but not 192.168.0.16 and higher.
netgroups — Permits an NIS netgroup
name, written as
@<group-name>,
to be used. This effectively puts the NIS server in charge of
access control for this exported file system, where users can be
added and removed from an NIS group without affecting
/etc/exports.
In its simplest form, the /etc/exports file only
specifies the exported directory and the hosts permitted to access it,
as in the following example:
/exported/directory bob.example.com
In the example, bob.example.com can
mount /exported/directory/. Because no options are
specified in this example, the following default NFS options take
effect:
ro — Mounts of the exported file system
are read-only. Remote hosts are not able to make changes to the
data shared on the file system. To allow hosts to make changes to
the file system, the read/write (rw) option must
be specified.
wdelay — Causes the NFS server to delay
writing to the disk if it suspects another write request is
imminent. This can improve performance by reducing the number of
times the disk must be accessed by separate write commands,
reducing write overhead. The no_wdelay option
turns off this feature, but is only available when using the
sync option.
root_squash — Prevents root users
connected remotely from having root privileges and assigns them the
user ID for the user nfsnobody. This
effectively "squashes" the power of the remote root user to the
lowest local user, preventing unauthorized alteration of files on
the remote server. Alternatively, the
no_root_squash option turns off root squashing. To
squash every remote user, including root, use the
all_squash option. To specify the user and group
IDs to use with remote users from a particular host, use the
anonuid and anongid options,
respectively. In this case, a special user account can be created
for remote NFS users to share and specify
(anonuid=<uid-value>,anongid=<gid-value>),
where <uid-value>
is the user ID number and
<gid-value> is the
group ID number.
Important
By default, access control lists
(ACLs) are supported by NFS under Red Hat Enterprise Linux. To
disable this feature, specify the no_acl option
when exporting the file system. For more about this feature, refer
to the chapter titled Network File System
(NFS) in the Red Hat Enterprise Linux System Administration Guide.
Each default for every exported file system must be explicitly
overridden. For example, if the rw option is not
specified, then the exported file system is shared as read-only. The
following is a sample line from /etc/exports
which overrides two default options:
/another/exported/directory 192.168.0.3(rw,sync)
In this example 192.168.0.3 can mount
/another/exported/directory/ read/write and all
transfers to disk are committed to the disk before the write request
by the client is completed.
Additionally, other options are available where no default value is
specified. These include the ability to disable sub-tree checking,
allow access from insecure ports, and allow insecure file locks
(necessary for certain early NFS client implementations). Refer to the
exports man page for details on these lesser-used
options.
Warning
The format of the /etc/exports file is
very precise, particularly with regard to the use of the
space character. Remember to always separate exported file systems
from hosts and hosts from one another with a space
character. However, there should be no other space characters in the
file except on comment lines.
For example, the following two lines do not mean the same thing:
The first line allows only users from
bob.example.com read/write access to the
/home directory. The second line allows users
from bob.example.com to mount the directory as
read-only (the default), while the rest of the world can mount it
read/write.
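The spacing mistake described in this warning is easy to miss by eye, so it is worth checking mechanically. The following is an added example, not part of the Red Hat guide: a short Python audit that parses /etc/exports text using the format rules above and flags options detached from their host, read/write access granted to wildcard hosts, and no_root_squash. The function names and the sample file, including its two /home lines, are constructed for illustration.

```python
import re

# One host entry: optional host, optional "(opt,opt)" with no space between.
ENTRY = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")
ANY = "<any host>"

def logical_lines(text):
    """Join backslash-wrapped lines; drop blank lines and # comments."""
    for raw in re.sub(r"\\\n", " ", text).splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line

def audit_exports(text):
    """Return (export, host, finding) tuples for risky entries."""
    findings = []
    for line in logical_lines(text):
        export, *entries = line.split()
        for entry in entries:
            m = ENTRY.match(entry)
            if not m:
                findings.append((export, entry, "unparseable entry"))
                continue
            host = m.group(1)
            opts = set(filter(None, (m.group(2) or "").split(",")))
            if not host:
                # A bare "(rw)" after a space applies to every host.
                host = ANY
                findings.append((export, host, "options detached from host"))
            if "rw" in opts and (host == ANY or "*" in host or "?" in host):
                findings.append((export, host, "read/write to wildcard or any host"))
            if "no_root_squash" in opts:
                findings.append((export, host, "root squashing disabled"))
    return findings

# Constructed sample for illustration, not taken from a real server.
SAMPLE = """\
/home bob.example.com(rw)
/home bob.example.com (rw)
/srv/build *.example.com(rw,sync) \\
    192.168.0.3(rw,no_root_squash)
/exported/directory bob.example.com
"""

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE):
        print(" | ".join(finding))
```

Only the second /home line is reported for detached options; the first, with no space before the parenthesis, passes cleanly.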
For detailed instructions on configuring an NFS server by editing
/etc/exports, refer to the chapter titled
Network File System (NFS) in the
Red Hat Enterprise Linux System Administration Guide.
Every file system being exported to remote users via NFS, as well as the
access level for those file systems, is listed in the
/etc/exports file. When the nfs
service starts, the /usr/sbin/exportfs command
launches and reads this file, passes control to
rpc.mountd (if NFSv2 or NFSv3) for the actual
mounting process, then to rpc.nfsd where the file
systems are then available to remote users.
When issued manually, the /usr/sbin/exportfs command
allows the root user to selectively export or unexport directories
without restarting the NFS service. When given the proper options, the
/usr/sbin/exportfs command writes the exported file
systems to /var/lib/nfs/xtab. Since
rpc.mountd refers to the xtab
file when deciding access privileges to a file system, changes to the
list of exported file systems take effect immediately.
The following is a list of commonly used options available for
/usr/sbin/exportfs:
-r — Causes all directories listed in
/etc/exports to be exported by constructing a
new export list in /var/lib/nfs/xtab. This
option effectively refreshes the export list with any changes that
have been made to /etc/exports.
-a — Causes all directories to be
exported or unexported, depending on what other options are passed
to /usr/sbin/exportfs. If no other options are
specified, /usr/sbin/exportfs exports all file
systems specified in /etc/exports.
-o file-systems
— Specifies directories to be exported that are not listed in
/etc/exports. Replace
file-systems with additional file systems
to be exported. These file systems must be formatted in the same way they
are specified in /etc/exports. Refer to Section 9.3.1 The /etc/exports Configuration File for more information on
/etc/exports syntax. This option is often used
to test an exported file system before adding it permanently to the
list of file systems to be exported.
-i — Ignores
/etc/exports; only options given from the
command line are used to define exported file systems.
-u — Unexports all shared
directories. The command /usr/sbin/exportfs -ua
suspends NFS file sharing while keeping all NFS daemons up. To
re-enable NFS sharing, type exportfs -r.
-v — Verbose operation, where the file systems
being exported or unexported are displayed in greater detail when the
exportfs command is executed.
If no options are passed to the /usr/sbin/exportfs command, it
displays a list of currently exported file systems.
For more information about the /usr/sbin/exportfs
command, refer to the exportfs man page.
Since NFSv4 no longer utilizes the rpc.mountd
protocol as was used in NFSv2 and NFSv3, the mounting of file
systems has changed.
An NFSv4 client now has the ability to see all of the exports served
by the NFSv4 server as a single file system, called the NFSv4
pseudo-file system. On Red Hat Enterprise Linux, the pseudo-file system is identified
as a single, real file system, identified at export with the
fsid=0 option.
For example, the following commands could be executed on an NFSv4
server: