How to install and configure an NFS server on Ubuntu 20.04

s2 0

NFS, or Network File System, is a distributed file system protocol that allows you to share directories over a network. With NFS, you can mount remote directories on your system and work with the files on the remote machine as if they were local files.

By default, the NFS protocol is not encrypted and does not provide user authentication. Access to the server is restricted by the client’s IP addresses or host names.

This article explains how to set up an NFSv4 server on Ubuntu 20.04. We’ll also show you how to mount an NFS file system on the client machine.

requirements

We are using two computers, one with Ubuntu 20.04 that acts as an NFS server and another that is running another Linux distribution that we will mount the share on. The server and clients should be able to communicate with one another via a private network. You can use public IP addresses and configure the server firewall to allow traffic on port. is allowed 2049 only from trustworthy sources.

The machines in this example have the following IPs:

NFS Server IP: 192.168.33.10
NFS Clients IPs: From the 192.168.33.0/24 range

Set up the NFS server

The first step is to set up the NFS server. We install the necessary packages, create and export the NFS directories and configure the firewall.

Install the NFS server

The NFS server package provides userspace support that is required to run the NFS kernel server. To install the package, do the following:

sudo apt updatesudo apt install nfs-kernel-server

When the installation is complete, the NFS services will start automatically.

NFS version 2 is disabled on Ubuntu 20.04. Version 3 and 4 are activated. You can check this by running the following cat Command:

sudo cat /proc/fs/nfsd/versions
-2 +3 +4 +4.1 +4.2

NFSv2 is pretty old now and there is no need to enable it.

The configuration of the NFS server is defined in /etc/default/nfs-kernel-server and /etc/default/nfs-common Files. The default settings are sufficient for most situations.

Create the file systems

The NFSv4 server uses a global root directory and the exported directories are relative to that directory. You can link the share mount point to the directories that you want to export using bind mounts.

In this example we set the /srv/nfs4 Directory as NFS root. To better explain how the NFS mounts can be configured, we share two directories (/var/www and /opt/backups) with different configuration settings. the /var/www/ belongs to the user www-data, and /opt/backups heard root.

First create the root directory and share mount points:

sudo mkdir -p /srv/nfs4/backupssudo mkdir -p /srv/nfs4/www

Bind the directories to the share mount points:

sudo mount --bind /opt/backups /srv/nfs4/backupssudo mount --bind /var/www /srv/nfs4/www

To make the binding mounts permanent across reboots, open the /etc/fstab File:

sudo nano /etc/fstab

and add the following lines:

/ etc / fstab
/opt/backups /srv/nfs4/backups  none   bind   0   0
/var/www     /srv/nfs4/www      none   bind   0   0

Export the file systems

The next step is to add the file systems to be exported and the clients that will be allowed to access these shares to the file /etc/exports File.

Each line for an exported file system has the following form:

export host(options)

Where export is the exported directory, host is a host name or IP address / realm that can access the export, and options are the host options.

Open that /etc/exports File and add the following lines:

sudo nano /etc/exports
/ etc / export
/srv/nfs4         192.168.33.0/24(rw,sync,no_subtree_check,crossmnt,fsid=0)
/srv/nfs4/backups 192.168.33.0/24(ro,sync,no_subtree_check) 192.168.33.3(rw,sync,no_subtree_check)
/srv/nfs4/www     192.168.33.20(rw,sync,no_subtree_check)

The first line contains the fsid=0 Option that the NFS root directory (/srv/nfs4). Access to this NFS volume is only available to clients from the 192.168.33.0/24 Subnet. the crossmnt Option is required to share directories that are subdirectories of an exported directory.

The second line shows how to specify multiple export rules for a file system. Read access is allowed to the whole 192.168.33.0/24 Area and both read and write access to the 192.168.33.3 IP address. the sync -Option instructs NFS to write changes to disk before responding.

The last line is self-explanatory. For more information on all of the available type options man exports in your terminal.

Save the file and export the shares:

sudo exportfs -ar

You’ll have to run the above command every time you change those /etc/exports File. If there are errors or warnings, these are displayed on the terminal.

To view the currently active exports and their status, use:

sudo exportfs -v

The issue contains all shares with their options. As you can see, there are also options that we did not define in the /etc/exports File. These are the default options, and if you want to change them, you must set these options explicitly.

/srv/nfs4/backups
		192.168.33.3(rw,wdelay,root_squash,no_subtree_check,sec=sys,rw,secure,root_squash,no_all_squash)
/srv/nfs4/www 	192.168.33.20(rw,wdelay,root_squash,no_subtree_check,sec=sys,rw,secure,root_squash,no_all_squash)
/srv/nfs4     	192.168.33.0/24(rw,wdelay,crossmnt,root_squash,no_subtree_check,fsid=0,sec=sys,rw,secure,root_squash,no_all_squash)
/srv/nfs4/backups
		192.168.33.0/24(ro,wdelay,root_squash,no_subtree_check,sec=sys,ro,secure,root_squash,no_all_squash)

Under Ubuntu, root_squash is enabled by default. This is one of the most important options when it comes to NFS security. It prevents root users connected from the clients from having root rights on the mounted shares by assigning root UID and GID to nobody/nogroup UID/GID.

In order for the users on the client machines to have access, NFS expects the user and group IDs of the client to match those on the server. Another option is to use the NFSv4 idmapping feature which translates user and group IDs into names and vice versa.

That’s it. At this point, you’ve set up an NFS server on your Ubuntu server. You can now go to the next step and configure the clients and establish a connection to the NFS server.

Firewall configuration

If you are installing Jenkins on a remote Ubuntu server that is protected by a firewall, you need to enable traffic on the NFS port:

sudo ufw allow from 192.168.33.0/24 to any port nfs

Check the change:

sudo ufw status

The output should show that the traffic is on port 2049 is allowed:

To                         Action      From
--                         ------      ----
2049                       ALLOW       192.168.33.0/24           
22/tcp                     ALLOW       Anywhere                  
22/tcp (v6)                ALLOW       Anywhere (v6)  

Setting up the NFS clients

After the NFS server has been set up and the shares exported, the next step is to configure the clients and mount the remote file systems.

We’ll focus on Linux systems, but you can mount the NFS share on macOS and Windows computers too.

Install the NFS client

On the client machines we only need to install the tools necessary to mount a remote NFS file system.

  • Install the NFS client on Debian and Ubuntu

    The name of the package, which contains programs for mounting NFS file systems on Debian-based distributions, is nfs-common. To install it, do the following:

    sudo apt updatesudo apt install nfs-common
  • Install the NFS client on CentOS and Fedora

    On Red Hat and its derivatives, install the nfs-utils Package:

    sudo yum install nfs-utils

Mount filesystems

We work with IP on the client computer 192.168.33.20who have favourited read and write access to the /srv/nfs4/www File system and read-only access to the /srv/nfs4/backups File system.

Create two new directories for the mount points:

sudo mkdir -p /backupssudo mkdir -p /srv/www

You can create the directories anywhere you want.

Mount the exported file systems with the mount
Command:

sudo mount -t nfs -o vers=4 192.168.33.10:/backups /backupssudo mount -t nfs -o vers=4 192.168.33.10:/www /srv/www

Where 192.168.33.10 is the IP of the NFS server. You can also use the host name instead of the IP address, but this must be resolvable by the client computer. This is usually done by assigning the host name to the IP in the /etc/hosts
File.

When mounting an NFSv4 file system, omit the NFS root directory. Use /backups, Instead of /srv/nfs4/backups.

Make sure the remote file systems have been successfully mounted by using either mount or df
Command:

df -h

The command prints all mounted file systems. The last two lines are the mounted shares:

Filesystem              Size  Used Avail Use% Mounted on
udev                    951M     0  951M   0% /dev
tmpfs                   199M  676K  199M   1% /run
/dev/sda3               124G  2.8G  115G   3% /
tmpfs                   994M     0  994M   0% /dev/shm
tmpfs                   5.0M     0  5.0M   0% /run/lock
tmpfs                   994M     0  994M   0% /sys/fs/cgroup
/dev/sda1               456M  197M  226M  47% /boot
tmpfs                   199M     0  199M   0% /run/user/1000
192.168.33.10:/backups  124G  2.8G  115G   3% /backups
192.168.33.10:/www      124G  2.8G  115G   3% /srv/www

To make the mounts permanent on reboot, open that /etc/fstab File and add the following lines:

sudo nano /etc/fstab
/ etc / fstab
192.168.33.10:/backups /backups   nfs   defaults,timeo=900,retrans=5,_netdev	0 0
192.168.33.10:/www /srv/www       nfs   defaults,timeo=900,retrans=5,_netdev	0 0

For information about the options available when mounting an NFS file system, type man nfs in your terminal.

Another way to mount remote filesystems is to either use the autofs Tool or to create a systemd unit.

Testing NFS Access

Let’s test access to the shares by creating a new file on each of them.

First, try creating a test file for the /backups Directory with the touch
Command:

sudo touch /backups/test.txt

the /backup File system is exported as read-only and as expected you will see a Permission denied Error message:

touch: cannot touch ‘/backups/test’: Permission denied

Next, try creating a test file for the /srv/www Directory as root with the sudo
Command:

sudo touch /srv/www/test.txt

You will see again Permission denied Message.

touch: cannot touch ‘/srv/www’: Permission denied

If you remember that /var/www Directory is owned by the www-data User, and this share has root_squash Option set that assigns the root user to the nobody User and nogroup Group that does not have write permissions for the remote share.

Suppose you have one www-data use on the client machine with the same UID and GID like on the remote server (which should be the case for example if you have nginx installed on both machines) you can try to create a file as a user www-data:

sudo -u www-data touch /srv/www/test.txt

The command shows no output, which means the file was created successfully.

To check this, list the files in the /srv/www Directory:

ls -la /srv/www

The output should show the newly created file:

drwxr-xr-x 3 www-data www-data 4096 Apr 10 22:18 .
drwxr-xr-x 3 root     root     4096 Apr 10 22:29 ..
-rw-r--r-- 1 www-data www-data    0 Apr 10 21:58 index.html
-rw-r--r-- 1 www-data www-data    0 Apr 10 22:18 test.txt

Unmount the NFS file system

When the remote NFS share is no longer needed, you can use the umount Command.

To hang up the /backup share, you would run:

sudo umount /backups

If the mount point is in /etc/fstab make sure to remove or comment out the line by adding # at the beginning of the line.

diploma

We showed you how to set up an NFS server and mount the remote file systems on the client machines. If you are implementing NFS in production and sharing sensitive data, it is recommended that you enable Kerberos authentication.

As an alternative to NFS, you can use SSHFS to mount remote directories over an SSH connection. SSHFS is encrypted by default and is much easier to configure and use.

Feel free to leave a comment if you have any questions.