NFS Server Configuration part 2

The following methods can be used to specify host names in NFS server.

  • single host — Where one particular host is specified with a fully qualified domain name, hostname, or IP address.
  • wildcards — Where a * or ? character is used to take into account a grouping of fully qualified domain names that match a particular string of letters. Wildcards are not to be used with IP addresses; however, it is possible for them to work accidentally if reverse DNS lookups fail.Be careful when using wildcards with fully qualified domain names, as they tend to be more exact than expected. For example, the use of *.example.com as wildcard allows sales.example.com to access an exported file system, but not bob.sales.example.com. To match both possibilities both *.example.com and *.*.example.com must be specified.
  • IP networks — Allows the matching of hosts based on their IP addresses within a larger network. For example, 192.168.0.0/28 allows the first 16 IP addresses, from 192.168.0.0 to 192.168.0.15, to access the exported file system, but not 192.168.0.16 and higher.
  • netgroups — Permits an NIS netgroup name, written as @<group-name>, to be used. This effectively puts the NIS server in charge of access control for this exported file system, where users can be added and removed from an NIS group without affecting /etc/exports.

In its simplest form, /etc/exports need only specify the exported directory and the hosts permitted to access it, as in the following example:

/exported/directory gunjan.example.com

In the example, gunjan.example.com can mount /exported/directory/. Because no options are specified in this example, the following default NFS options take effect:

  • ro — Mounts of the exported file system are read-only. Remote hosts are not able to make changes to the data shared on the file system. To allow hosts to make changes to the file system, the read/write (rw) option must be specified.
  • async — Allows the server to write data at non-regular intervals. This setting works best if the exported file system is read-only. If the exported file system is read/write and hosts are making changes to the file system when the server crashes, data can be lost. By specifying the sync option, all file writes are committed to the disk before the write request by the client is completed. The sync option, however, can lower performance.
  • wdelay — Causes the NFS server to delay writing to the disk if it suspects another write request is imminent. This can improve performance by reducing the number of times the disk must be accessed by separate write commands, reducing write overhead. The no_wdelay option turns off this feature, but is only available when using the sync option.
  • root_squash — Prevents root users connected remotely from having root privileges and assigns them the user ID for the user nfsnobody. This effectively “squashes” the power of the remote root user to the lowest local user, preventing unauthorized alteration of files on the remote server. Alternatively, the no_root_squash option turns off root squashing. To squash every remote user, including root, use the all_squash option. To specify the user and group IDs to use with remote users from a particular host, use the anonuid and anongid options, respectively. In this case, a special user account can be created for remote NFS users to share and specify (anonuid=<uid-value>,anongid=<gid-value>), where <uid-value> is the user ID number and <gid-value> is the group ID number.

Each default for every exported file system must be explicitly overridden. For example, if the rw option is not specified, then the exported file system is shared as read-only. The following is a sample line from /etc/exports which overrides two default options:

/another/exported/directory 192.168.0.3(rw,sync)

In this example 192.168.0.3 can mount /another/exported/directory/ read/write and all transfers to disk are committed to the disk before the write request by the client is completed.

Additionally, other options are available where no default value is specified. These include the ability to disable sub-tree checking, allow access from insecure ports, and allow insecure file locks (necessary for certain early NFS client implementations). Refer to the exports man page for details on these lesser used options.

For further configuration refer NFS Server Configuration part 3

About Anant 384 Articles
Senior technical writer

1 Trackbacks & Pingbacks

  1. NFS Server Configuration part 1

Comments are closed.