Setup NFS Server on CentOS 7 Guide
The root_squash option maps requests from the root user (uid/gid 0) to the nfsnobody user, so root on a client is reduced to ordinary, unprivileged user access on the exported volume. The all_squash option goes further and maps all user and group IDs to nfsnobody, which gives every client the same access rights and simplifies permission management across different clients.
Logical volumes provide a flexible storage solution for NFS servers, enabling the efficient allocation and management of disk space for shared files. In the described setup, a 5GB logical volume named lv_nfs is created, formatted, and mounted, allowing the NFS server to manage storage more dynamically and adjust to changing needs without reformatting.
For an NFS server setup, firewall rules should allow inbound traffic from the LAN, specifically permitting the ports used by NFS and related services: 111 (rpcbind), 2049 (NFS), and 20048 (mountd). This can be achieved using iptables with rules such as `iptables -A INPUT -s 10.8.8.0/24 -p tcp -m multiport --dport 111,2049,20048 -j ACCEPT` for TCP and a similar rule for UDP.
On the client side, install both autofs and nfs-utils. Append a line to /etc/auto.master specifying the mount point, here '/nfs', and an associated map file, /etc/auto.nfs. This map file defines the mount behaviour, e.g. 'public -rw spacewalk.hl.local:/mnt/nfs/public'. Enable and restart the autofs service so that it begins managing these mounts automatically as they are needed.
Iptables rules secure access to an NFS server by restricting incoming traffic to specifically allowed IP address ranges, protocols, and ports. By allowing only trusted subnets and the necessary service ports, 111 (rpcbind), 2049 (NFS), and 20048 (mountd), these rules prevent unauthorized access and mitigate the risk of external attacks or data breaches.
Adding the NFS logical volume to /etc/fstab ensures that the volume is mounted automatically at boot time. This is critical for keeping storage access persistent across reboots, so the NFS share remains available without manual intervention.
Improperly configured NFS exports can lead to unauthorized access and expose sensitive data. Without options like root_squash, a malicious root user on a client could exercise root privileges over the exported files on the NFS server. Failing to restrict access to specific IP ranges or subnets can likewise allow unwanted connections. Using the all_squash option helps mitigate these risks by minimizing the privilege level of every client.
The sync option ensures that changes are written to stable storage before a request is acknowledged, which improves reliability and data integrity but may reduce performance. In contrast, asynchronous operation allows quicker responses by buffering writes, which can improve performance at the cost of potential data loss or inconsistency in the event of a failure.
To set up an NFS server on CentOS 7, first install the necessary software, nfs-utils. Enable and start the rpcbind and nfs-server services using systemctl. Next, create a logical volume under the vg_centos7 volume group, format it with ext4, and mount it at /mnt/nfs. Modify /etc/exports to configure the NFS exports with appropriate options such as rw, sync, no_subtree_check, root_squash, and all_squash. Use exportfs to export the share. Finally, update the firewall settings to allow the necessary traffic from the LAN.
The no_subtree_check option disables subtree checking, the verification the server normally performs to confirm that a requested file lies within the exported directory when only part of a filesystem is exported; disabling it improves performance. The trade-off is that, without the check, the server does not confirm that a file is part of the exported subtree, which can potentially allow access to adjacent non-exported files on the same filesystem, for example through symlinks.
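The following script is an added example and is not part of the original guide. It audits an /etc/exports file for the settings discussed above (unrestricted client hosts, no_root_squash, async, and no_subtree_check, the last reported as informational because the guide itself recommends it) and prints the iptables rules from the guide for a given LAN subnet instead of applying them. The exports content is a constructed sample written to a temporary file; the function and variable names are this example's own.

```shell
#!/usr/bin/env bash
# Added example: audit /etc/exports entries for risky options and print the
# firewall rules the guide uses. Nothing here modifies the running system.
set -u
set -f   # exports entries such as *(rw) contain glob characters; never expand them

# nfs_export_audit FILE
#   Prints one "LEVEL DIR CLIENT REASON" line per finding.
#   LEVEL is "warn" for settings the guide advises against and "info" for
#   no_subtree_check, which trades a safety check for performance.
nfs_export_audit() {
  local file="$1" dir rest spec client opts
  while read -r dir rest; do
    # skip blank lines and comments
    case "$dir" in ''|'#'*) continue ;; esac
    # each remaining field is client(options); options are optional
    for spec in $rest; do
      client="${spec%%\(*}"
      opts=""
      case "$spec" in
        *'('*) opts=",${spec#*\(}"; opts="${opts%\)},";;   # ",opt1,opt2,"
      esac
      # a missing client, like "(rw)" on its own, means "every host"
      [ -z "$client" ] && client='*'
      case "$client" in '*') echo "warn $dir $client unrestricted-host";; esac
      case "$opts" in *,no_root_squash,*) echo "warn $dir $client no_root_squash";; esac
      case "$opts" in *,async,*)          echo "warn $dir $client async";; esac
      case "$opts" in *,no_subtree_check,*) echo "info $dir $client no_subtree_check";; esac
    done
  done < "$file"
}

# nfs_export_warn_count FILE  ->  number of "warn" findings
nfs_export_warn_count() {
  nfs_export_audit "$1" | grep -c '^warn ' || true
}

# nfs_firewall_rules SUBNET  ->  the guide's iptables rules for TCP and UDP
nfs_firewall_rules() {
  local subnet="$1" proto
  for proto in tcp udp; do
    echo "iptables -A INPUT -s $subnet -p $proto -m multiport --dport 111,2049,20048 -j ACCEPT"
  done
}

# Constructed sample exports file (not a real server's configuration).
SAMPLE_EXPORTS="$(mktemp)"
cat > "$SAMPLE_EXPORTS" <<'EOF'
# constructed sample
/mnt/nfs/public   10.8.8.0/24(rw,sync,no_subtree_check,root_squash,all_squash)
/mnt/nfs/backup   *(rw,async,no_root_squash)
/mnt/nfs/home     10.8.8.0/24(rw,sync,no_subtree_check) 10.9.9.0/24(ro,sync)
EOF

# Usage: run the audit, then show the firewall rules for the LAN.
nfs_export_audit "$SAMPLE_EXPORTS"
echo "warnings: $(nfs_export_warn_count "$SAMPLE_EXPORTS")"
nfs_firewall_rules 10.8.8.0/24
```

On the sample, the /mnt/nfs/public line is the guide's recommended form and yields only the informational no_subtree_check note, while the /mnt/nfs/backup line produces three warnings: it is exported to every host, lets client root keep root privileges, and acknowledges writes before they reach stable storage. Point the audit at the real /etc/exports before running `exportfs -ra`.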