10 practical examples to export NFS shares in Linux | GoLinuxCloud (2023)

General Syntax to export NFS share

The general syntax which you must use to create a NFS share using/etc/exportswill be:

/PATH/TO/DIR HOST([OPTIONS])

Each line in the file specifies one remote mount point. The first field contains the mount-point directory path, followed optionally by a list of options and/or a list of specific hosts separated by white space. If no specific hosts are specified, the mount point is exported to all hosts.

If you arenew to NFS serverthen I recommend you to first readOverview on NFS and difference between NFSv2 vs NFSv3 and NFSv4

1. Export NFS Share to single host

To export/dump/backupsto single client10.43.138.2using NFS, I will add below to/etc/exports:

# cat /etc/exports/dump/backups 10.43.138.2

To refresh the share

# exportfs -rexportfs: No options for /dump/backups 10.43.138.2: suggest 10.43.138.2(sync) to avoid warning

Since we have not provided any OPTIONS to the NFS share we get this warning. It will work but it is recommended to add atleast "sync" in theOPTIONSsection to avoid this warning

So I have updated my/etc/exports

/dump/backups 10.43.138.2(sync)

Net refresh the share

# exportfs -r

Now we don't get any warning, verify the existing share

# exportfs -v/dump/backups 10.43.138.2(sync,wdelay,hide,no_subtree_check,sec=sys,ro,secure,root_squash,no_all_squash)

2. Export NFS Share to all hosts

To export a NFS share to whole world (this is adangerousterm in production but actually that is what this means). We will use "*" to enable NFS access to the share to all the networks out there which has access to your NFS server

# cat /etc/exports/dump/backups *(sync)

So here we have added no restriction in the exports file for the NFS Share for any of the hosts

3. Export NFS Share to IP Range

Now instead of single host, we will create aexportfsshare to be accessed by all the hosts from a network IP range i.e.10.43.138.1/27

# cat /etc/exports/dump/backups 10.43.138.2/27(sync)

Or alternatively if you don't have a prefix value, you can provide thenetmaskvalue of the subnet

# cat /etc/exports/dump/backups 10.43.138.2/255.255.255.224(sync)

4. Export NFS share to multiple hosts

To export a share to multiple hosts across different network range you must create individual entry of respective hosts.

# cat /etc/exports/dump/backups 10.43.138.0/255.255.255.224(sync)/dump/backups 192.168.0.1/255.255.255.0(sync)/dump/backups 192.168.100.10(sync)/dump/backups 10.10.10.0/24(sync)

In this example I am exporting the same path to multiple hosts across different networks.

You can alsoadd them in single linebut to make the file content look clean I am using different entries for the same share. To add all these in the single line, thesyntaxwould be:

/PATH/TO/DIR HOST1([OPTIONS]) HOST2([OPTIONS]) HOST3([OPTIONS])

To use single line share for our last example, we can use:

/dump/backups 10.43.138.0/255.255.255.224(sync) 192.168.0.1/255.255.255.0(sync) 192.168.100.10(sync) 10.10.10.0/24(sync)

5. Restrict a NFS share for specified hosts

We can restrict a share in/etc/exportsitself by providing only those list of hosts who should be allowed to access the share. But sometimes when you have provided an entire network in the allow list of/etc/exportsfor example

/dump/backups 10.43.138.0/255.255.255.224(sync)

But you only wish to restrict the share to10.43.138.2host. In such case this can be tricky.

With NFSv3 we can use hosts.deny to restrict access to such hosts by usingrpcbind, mountd, nfsd, statd, lockd, rquotadto define an access rule but the same is not possible withNFSv4 as it does not use these daemons any more.

To restrict a host with NFSv3 we will add below entry for10.43.138.2

# echo "rpcbind: 10.43.138.2" >> /etc/hosts.deny

Now if you try to access the NFS share using this hosts:

# mount -o nfsvers=3 10.43.138.1:/dump/backups /mntmount.nfs: access denied by server while mounting 10.43.138.1:/dump/backups

But if I try to access the same share using NFSv4

# mount -o nfsvers=4 10.43.138.1:/dump/backups /mnt

It works. So hosts.denywas unableto block this request.
To overcome this you may rely on firewall to block the respective host from accessing your NFS server

5.1 Restrict NFS shares using iptables

# iptables -I INPUT -s 10.43.138.2 -p tcp --dport nfs -j DROP# iptables -I INPUT -s 10.43.138.2 -p udp --dport nfs -j DROP

5.2 Restrict NFS shares using firewalld rich rules

# firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='10.10.10.4' service name='nfs' reject"# firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='10.10.10.4' service name='mountd' reject"# firewall-cmd --reload

However with wildcards we can have more control over the hosts we wish to allow the access for NFS sharewhich we will learn next.

6. How to use wildcard with NFS exports

Machine names may contain the wildcard characters*and?, or may contain character class lists within[square brackets]. This can be used to make the exports file more compact

6.1 Using ? with hostnames

We can use?wildcard to match a single character in the hostname, for example to matchserver1,server2,serve,serverXwe can use:

/dump/backups server?(sync)

If you wish to match for more than one character then you can use?more than one times. For example to matchserver12,server23,serverAB,serverXYwe can use:

/dump/backups server??(sync)

6.2 Using square brackets with hostnames

You can use square brackets to define a range of numbers or characters. Below example will match all machines with hostname betweenserver00.example.comtoserver99.example.com

/dump/backups server[0-9][0-9].example.com(sync)

To mapserver1toserver5we can use

/dump/backups server[1-5](sync)

To map character with square brackets for example matchservetillserverE, in such case use:

/dump/backups server[A-E](sync)

6.3 Using * with hostnames

As you can assume,*means match everything. So assuming you have multiple subdomains under example.com then you can simply use*.example.comto match for all the sub-domains

/dump/backups *.example.com(sync)

So this willmatch

mail.example.comcdn.example.comhost.example.com

But this willnot match

ab.cd.example.com

So to match this you must use:

/dump/backups *.*.example.com(sync)

So I hope you got the idea.

7. Export NFS Share as Read Only Mode

To assign a share with read only permission:

# cat /etc/exports/dump/backups 10.43.138.2(ro,sync)

Refresh the shares

# exportfs -r

Verify the exported shares and the options:

# exportfs -v/dump/backups 10.43.138.2(sync,wdelay,hide,no_subtree_check,sec=sys,ro,secure,root_squash,no_all_squash)

8. Export NFS share as Read Write Mode

To export a share with read write permission use:

# cat /etc/exports/dump/backups 10.43.138.2(rw,sync)

Refresh and verify the shares and applied options:

# exportfs -r# exportfs -v/dump/backups 10.43.138.2(sync,wdelay,hide,no_subtree_check,sec=sys,rw,secure,root_squash,no_all_squash)

Now if someone creates a file in these share on the client nodes:

[root@nfs-client ~]# mount -o nfsvers=4 10.43.138.1:/dump/backups /mnt

Create a new file as root user

[root@nfs-client ~]# touch /mnt/file

Verify the permission

[root@nfs-client ~]# ls -ltotal 0-rw-r----- 1nfsnobody nfsnobody0 Aug 20 13:31 file

As you see the new file is created withnobodypermission. By default when NFS share is exported withroot_squashpermission so any file access and modification from root user will be performed under anonymous account so callednobodyuser.

Although if you create a file using normal user then the same will be reflected as user and owner of the file:

[deepak@nfs-client ~]$ ls -l /mnt/total 0-rw-r----- 1 nfsnobody nfsnobody 0 Aug 20 13:31 file-rw-r----- 1deepak users0 Aug 20 13:36 file1

9. Export a share with NFSv4 only

If you wish create a share which can be accessed over NFSv4 only then you ust modify/etc/nfs.conf

[root@nfs-server ~]# vim /etc/nfs.conf[nfsd] vers2=nto3=nvers4=yvers4.0=yvers4.1=yvers4.2=y

Make sure you disablevers2andto3to only allow connection over NFSv4

Optionally, disable listening for the RPCBIND, MOUNT, and NSM protocol calls, which are not necessary in the NFSv4-only case. Disable related services:

[root@nfs-server ~]# systemctl mask --now rpc-statd.service rpcbind.service rpcbind.socketCreated symlink /etc/systemd/system/rpc-statd.service → /dev/null.Created symlink /etc/systemd/system/rpcbind.service → /dev/null.Created symlink /etc/systemd/system/rpcbind.socket → /dev/null.

After you configure NFS server, restart the NFS server to activate the changes and enable it start automatically post reboot. You can also check nfs status usingsystemctl status nfs-server

[root@nfs-server ~]# systemctl restart nfs-server[root@nfs-server ~]# systemctl enable nfs-server

Use thenetstatutility to list services listening on the TCP and UDP protocols:

The following is an examplenetstatoutput on an NFSv4-only server; listening for RPCBIND, MOUNT, and NSM is also disabled. Here, nfs is the only listening NFS service:

[root@nfs-server ~]# netstat --listening --tcp --udp | grep nfstcp 0 0 0.0.0.0:nfs 0.0.0.0:* LISTENtcp6 0 0 [::]:nfs [::]:* LISTEN

Next you can create a share using/etc/exports. We don't need to define any additional permission here:

/dump/backups 10.43.138.2(rw,sync)

Now this share will be accessible only over NFSv4.

10. Enable root access on the NFS share

As informed earlier, by defaultroot_squashpermission is added to the NFS share which means this permission prevents remote root users from having superuser (root) privileges on remote NFS-mounted volumes. Here, squash literally means to squash the power of the remote root user

So to enable root access we will useno_root_squashwhich allows root user on the NFS client host to access the NFS-mounted directory with the same rights and privileges that the superuser would normally have.

To disable root squash we use:

# cat /etc/exports/dump/backups 10.43.138.2(rw,sync,no_root_squash)

To refresh the shares

# exportfs -v/dump/backups 10.43.138.2(sync,wdelay,hide,no_subtree_check,sec=sys,rw,secure,no_root_squash,no_all_squash)

Recommended Read

To learn more about different supported NFS exports options for NFS server and client I would recommend you to read:
Beginners guide to different NFS mount and exports options with examples

Conclusion

In this tutorial I shared multiple examples with different scenarios to export NFS share with and without restrictions. It is important that with NFS we also consider the security of these shares so that it is not accessed by unauthorized users over the network so you must assign the NFS options properly.

Lastly I hope the steps from the article to configure NFS exports share on Linux was helpful. So, let me know your suggestions and feedback using the comment section.