NFS, or Network File System, is a distributed file system protocol that allows you to share directories over a network. With NFS, you can mount remote directories on your system and work with the files on the remote machine as if they were local files.
By default, the NFS protocol is not encrypted and does not provide user authentication. Access to the server is restricted by the client’s IP addresses or host names.
This article explains how to set up an NFSv4 server on Ubuntu 20.04. We’ll also show you how to mount an NFS file system on the client machine.
We are using two computers, one with Ubuntu 20.04 that acts as an NFS server and another that is running another Linux distribution that we will mount the share on. The server and clients should be able to communicate with one another via a private network. You can use public IP addresses and configure the server firewall to allow traffic on port. is allowed
2049 only from trustworthy sources.
The machines in this example have the following IPs:
NFS Server IP: 192.168.33.10 NFS Clients IPs: From the 192.168.33.0/24 range
Set up the NFS server
The first step is to set up the NFS server. We install the necessary packages, create and export the NFS directories and configure the firewall.
Install the NFS server
The NFS server package provides userspace support that is required to run the NFS kernel server. To install the package, do the following:
sudo apt update
sudo apt install nfs-kernel-server
When the installation is complete, the NFS services will start automatically.
NFS version 2 is disabled on Ubuntu 20.04. Version 3 and 4 are activated. You can check this by running the following
sudo cat /proc/fs/nfsd/versions
-2 +3 +4 +4.1 +4.2
NFSv2 is pretty old now and there is no need to enable it.
The configuration of the NFS server is defined in
/etc/default/nfs-common Files. The default settings are sufficient for most situations.
Create the file systems
The NFSv4 server uses a global root directory and the exported directories are relative to that directory. You can link the share mount point to the directories that you want to export using bind mounts.
In this example we set the
/srv/nfs4 Directory as NFS root. To better explain how the NFS mounts can be configured, we share two directories (
/opt/backups) with different configuration settings. the
/var/www/ belongs to the user
First create the root directory and share mount points:
sudo mkdir -p /srv/nfs4/backups
sudo mkdir -p /srv/nfs4/www
Bind the directories to the share mount points:
sudo mount --bind /opt/backups /srv/nfs4/backups
sudo mount --bind /var/www /srv/nfs4/www
To make the binding mounts permanent across reboots, open the
sudo nano /etc/fstab
and add the following lines:
/opt/backups /srv/nfs4/backups none bind 0 0 /var/www /srv/nfs4/www none bind 0 0
Export the file systems
The next step is to add the file systems to be exported and the clients that will be allowed to access these shares to the file
Each line for an exported file system has the following form:
export is the exported directory,
host is a host name or IP address / realm that can access the export, and
options are the host options.
/etc/exports File and add the following lines:
sudo nano /etc/exports
/srv/nfs4 192.168.33.0/24(rw,sync,no_subtree_check,crossmnt,fsid=0) /srv/nfs4/backups 192.168.33.0/24(ro,sync,no_subtree_check) 192.168.33.3(rw,sync,no_subtree_check) /srv/nfs4/www 192.168.33.20(rw,sync,no_subtree_check)
The first line contains the
fsid=0 Option that the NFS root directory (
/srv/nfs4). Access to this NFS volume is only available to clients from the
192.168.33.0/24 Subnet. the
crossmnt Option is required to share directories that are subdirectories of an exported directory.
The second line shows how to specify multiple export rules for a file system. Read access is allowed to the whole
192.168.33.0/24 Area and both read and write access to the
192.168.33.3 IP address. the
sync -Option instructs NFS to write changes to disk before responding.
The last line is self-explanatory. For more information on all of the available type options
man exports in your terminal.
Save the file and export the shares:
sudo exportfs -ar
You’ll have to run the above command every time you change those
/etc/exports File. If there are errors or warnings, these are displayed on the terminal.
To view the currently active exports and their status, use:
sudo exportfs -v
The issue contains all shares with their options. As you can see, there are also options that we did not define in the
/etc/exports File. These are the default options, and if you want to change them, you must set these options explicitly.
/srv/nfs4/backups 192.168.33.3(rw,wdelay,root_squash,no_subtree_check,sec=sys,rw,secure,root_squash,no_all_squash) /srv/nfs4/www 192.168.33.20(rw,wdelay,root_squash,no_subtree_check,sec=sys,rw,secure,root_squash,no_all_squash) /srv/nfs4 192.168.33.0/24(rw,wdelay,crossmnt,root_squash,no_subtree_check,fsid=0,sec=sys,rw,secure,root_squash,no_all_squash) /srv/nfs4/backups 192.168.33.0/24(ro,wdelay,root_squash,no_subtree_check,sec=sys,ro,secure,root_squash,no_all_squash)
root_squash is enabled by default. This is one of the most important options when it comes to NFS security. It prevents root users connected from the clients from having root rights on the mounted shares by assigning root
In order for the users on the client machines to have access, NFS expects the user and group IDs of the client to match those on the server. Another option is to use the NFSv4 idmapping feature which translates user and group IDs into names and vice versa.
That’s it. At this point, you’ve set up an NFS server on your Ubuntu server. You can now go to the next step and configure the clients and establish a connection to the NFS server.
If you are installing Jenkins on a remote Ubuntu server that is protected by a firewall, you need to enable traffic on the NFS port:
sudo ufw allow from 192.168.33.0/24 to any port nfs
Check the change:
sudo ufw status
The output should show that the traffic is on port
2049 is allowed:
To Action From -- ------ ---- 2049 ALLOW 192.168.33.0/24 22/tcp ALLOW Anywhere 22/tcp (v6) ALLOW Anywhere (v6)
Setting up the NFS clients
After the NFS server has been set up and the shares exported, the next step is to configure the clients and mount the remote file systems.
We’ll focus on Linux systems, but you can mount the NFS share on macOS and Windows computers too.
Install the NFS client
On the client machines we only need to install the tools necessary to mount a remote NFS file system.
Install the NFS client on Debian and Ubuntu
The name of the package, which contains programs for mounting NFS file systems on Debian-based distributions, is
nfs-common. To install it, do the following:
sudo apt update
sudo apt install nfs-common
Install the NFS client on CentOS and Fedora
On Red Hat and its derivatives, install the
sudo yum install nfs-utils
We work with IP on the client computer
192.168.33.20who have favourited read and write access to the
/srv/nfs4/www File system and read-only access to the
/srv/nfs4/backups File system.
Create two new directories for the mount points:
sudo mkdir -p /backups
sudo mkdir -p /srv/www
You can create the directories anywhere you want.
Mount the exported file systems with the
sudo mount -t nfs -o vers=4 192.168.33.10:/backups /backups
sudo mount -t nfs -o vers=4 192.168.33.10:/www /srv/www
192.168.33.10 is the IP of the NFS server. You can also use the host name instead of the IP address, but this must be resolvable by the client computer. This is usually done by assigning the host name to the IP in the
When mounting an NFSv4 file system, omit the NFS root directory. Use
/backups, Instead of
Make sure the remote file systems have been successfully mounted by using either mount or
The command prints all mounted file systems. The last two lines are the mounted shares:
Filesystem Size Used Avail Use% Mounted on udev 951M 0 951M 0% /dev tmpfs 199M 676K 199M 1% /run /dev/sda3 124G 2.8G 115G 3% / tmpfs 994M 0 994M 0% /dev/shm tmpfs 5.0M 0 5.0M 0% /run/lock tmpfs 994M 0 994M 0% /sys/fs/cgroup /dev/sda1 456M 197M 226M 47% /boot tmpfs 199M 0 199M 0% /run/user/1000 192.168.33.10:/backups 124G 2.8G 115G 3% /backups 192.168.33.10:/www 124G 2.8G 115G 3% /srv/www
To make the mounts permanent on reboot, open that
/etc/fstab File and add the following lines:
sudo nano /etc/fstab
192.168.33.10:/backups /backups nfs defaults,timeo=900,retrans=5,_netdev 0 0 192.168.33.10:/www /srv/www nfs defaults,timeo=900,retrans=5,_netdev 0 0
For information about the options available when mounting an NFS file system, type
man nfs in your terminal.
Another way to mount remote filesystems is to either use the
autofs Tool or to create a systemd unit.
Testing NFS Access
Let’s test access to the shares by creating a new file on each of them.
First, try creating a test file for the
/backups Directory with the
sudo touch /backups/test.txt
/backup File system is exported as read-only and as expected you will see a
Permission denied Error message:
touch: cannot touch ‘/backups/test’: Permission denied
Next, try creating a test file for the
/srv/www Directory as root with the
sudo touch /srv/www/test.txt
You will see again
Permission denied Message.
touch: cannot touch ‘/srv/www’: Permission denied
If you remember that
/var/www Directory is owned by the
www-data User, and this share has
root_squash Option set that assigns the root user to the
nobody User and
nogroup Group that does not have write permissions for the remote share.
Suppose you have one
www-data use on the client machine with the same
GID like on the remote server (which should be the case for example if you have nginx installed on both machines) you can try to create a file as a user
sudo -u www-data touch /srv/www/test.txt
The command shows no output, which means the file was created successfully.
To check this, list the files in the
ls -la /srv/www
The output should show the newly created file:
drwxr-xr-x 3 www-data www-data 4096 Apr 10 22:18 . drwxr-xr-x 3 root root 4096 Apr 10 22:29 .. -rw-r--r-- 1 www-data www-data 0 Apr 10 21:58 index.html -rw-r--r-- 1 www-data www-data 0 Apr 10 22:18 test.txt
Unmount the NFS file system
When the remote NFS share is no longer needed, you can use the
To hang up the
/backup share, you would run:
sudo umount /backups
If the mount point is in
/etc/fstab make sure to remove or comment out the line by adding
# at the beginning of the line.
We showed you how to set up an NFS server and mount the remote file systems on the client machines. If you are implementing NFS in production and sharing sensitive data, it is recommended that you enable Kerberos authentication.
As an alternative to NFS, you can use SSHFS to mount remote directories over an SSH connection. SSHFS is encrypted by default and is much easier to configure and use.
Feel free to leave a comment if you have any questions.