dotlinux guide

Introduction to Linux Network File System (NFS) for Admins

Introduction

In modern IT environments, efficient file sharing across networked systems is critical for collaboration, centralized management, and resource optimization. The Network File System (NFS) is a cornerstone protocol that enables Linux (and Unix-like) systems to share files and directories over a network, allowing clients to access remote storage as if it were a local filesystem.

For system administrators, mastering NFS is essential for tasks like managing centralized home directories, sharing application data, or integrating storage into cloud-native workflows (e.g., Kubernetes persistent volumes). This guide demystifies NFS, covering its core concepts, setup, usage, and best practices to help you deploy and maintain robust NFS infrastructure.

What is NFS?

NFS is a distributed filesystem protocol developed by Sun Microsystems in 1984. It allows a client machine to mount directories from a remote server and interact with those directories (read, write, execute files) as if they were physically stored locally. NFS operates on top of the TCP/IP protocol suite and relies on Remote Procedure Calls (RPC) for communication between clients and servers.

How NFS Works

NFS Architecture

NFS uses a client-server model with two primary components:

  • NFS Server: Exports (shares) directories to authorized clients via a configuration file (/etc/exports). It runs services like nfsd (NFS daemon) and mountd (mount daemon) to handle client requests.
  • NFS Client: Mounts exported directories from the server using the mount command or automount tools. The client interacts with the server’s filesystem transparently, with minimal overhead.

Key supporting services:

  • rpcbind: Maps RPC services (like mountd or nfsd) to specific ports (critical for NFSv2/v3; less so for NFSv4).
  • idmapd: Handles user/group ID mapping between clients and servers (NFSv4 only).

NFS Versions: A Comparison

NFS has evolved through multiple versions, each addressing security, performance, and scalability limitations. Here’s a summary of key versions:

VersionRelease YearKey FeaturesUse Case
NFSv21989Original version, 32-bit file sizes (max 4GB), UDP-only, stateless.Legacy systems (rarely used today).
NFSv3199564-bit file support (up to 16EB), TCP/UDP, asynchronous writes, improved error handling.Most common for local networks (LANs).
NFSv42003Stateful, integrated security (Kerberos), TCP-only, support for WANs, unified port (2049).Modern deployments, WANs, security-sensitive environments.
NFSv4.12010Parallel NFS (pNFS) for distributed storage (e.g., clusters), improved performance.HPC, large-scale storage systems.
NFSv4.22016Sparse files, space reservation, enhanced security.Cloud and container environments.

Recommendation: Use NFSv4.2 for new deployments due to its security, performance, and modern features.

Setting Up NFS: Server and Client Configuration

NFS Server Setup

Follow these steps to configure an NFS server on a Linux system (Debian/Ubuntu or RHEL/CentOS).

Step 1: Install NFS Server Packages

  • Debian/Ubuntu: 
    sudo apt update && sudo apt install nfs-kernel-server -y
  • RHEL/CentOS/Rocky Linux: 
    sudo dnf install nfs-utils -y

Step 2: Configure Exports (/etc/exports)

The /etc/exports file defines which directories the server shares and access rules for clients. Syntax:

<directory> <client>(options) [<client>(options)...]

Example: Share /data/nfs-share with the subnet 192.168.1.0/24 with read-write access:

sudo mkdir -p /data/nfs-share
sudo chown nobody:nogroup /data/nfs-share  # Ensure client access
sudo nano /etc/exports

Add this line to /etc/exports:

/data/nfs-share 192.168.1.0/24(rw,sync,no_subtree_check)
  • rw: Read-write access.
  • sync: Server writes to disk before acknowledging client (data integrity).
  • no_subtree_check: Disables subtree validation (improves performance).

Step 3: Export the Shares

Apply changes and restart the NFS service:

sudo exportfs -a  # Export all shares in /etc/exports
sudo systemctl enable --now nfs-server  # Start and enable on boot

Step 4: Configure Firewall

Allow NFS traffic (NFSv4 uses port 2049; NFSv3 requires additional ports):

  • UFW (Debian/Ubuntu): 
    sudo ufw allow from 192.168.1.0/24 to any port nfs
  • firewalld (RHEL/CentOS): 
    sudo firewall-cmd --add-service=nfs --permanent
sudo firewall-cmd --reload

NFS Client Setup

Clients access NFS shares by mounting them locally.

Step 1: Install NFS Client Packages

  • Debian/Ubuntu: 
    sudo apt install nfs-common -y
  • RHEL/CentOS: 
    sudo dnf install nfs-utils -y

Step 2: Mount the NFS Share Manually

Create a mount point and mount the share:

sudo mkdir -p /mnt/nfs-client
sudo mount -t nfs 192.168.1.100:/data/nfs-share /mnt/nfs-client

Verify with df -h or mount | grep nfs.

Step 3: Persistent Mounts with /etc/fstab

To mount shares automatically on boot, add an entry to /etc/fstab:

sudo nano /etc/fstab

Add:

192.168.1.100:/data/nfs-share  /mnt/nfs-client  nfs  defaults  0  0

Test with sudo mount -a (no output = success).

NFS Usage Methods

Mounting NFS Shares

NFS shares can be mounted manually, via /etc/fstab, or dynamically with tools like autofs. The basic syntax for manual mounting is:

mount -t nfs [-o options] <server>:/<exported-directory> <local-mount-point>

Key Mount Options

Customize behavior with these common options (add to /etc/fstab or mount command):

OptionDescription
rw/roRead-write or read-only access.
sync/asyncsync: Server confirms writes after disk commit (safe). async: Server confirms before disk commit (faster, risky).
root_squashMaps client root to nobody (default, security).
no_root_squashClient root retains root privileges (insecure, avoid!).
all_squashMaps all clients to nobody (anonymity).
anonuid=<uid>/anongid=<gid>Sets UID/GID for anonymous users (with all_squash).
rsize=<bytes>/wsize=<bytes>Read/write block size (e.g., rsize=1048576 for 1MB).

Managing Exports and Shares

  • List exports on the server: 
    exportfs -v  # Verbose list of exported shares
  • Unexport a share: 
    exportfs -u 192.168.1.0/24:/data/nfs-share  # Remove specific export
exportfs -ra  # Re-export all shares (refresh)
  • Unmount a share on the client: 
    umount /mnt/nfs-client  # Ensure no processes are using the mount!

Auto-Mounting with Autofs

autofs dynamically mounts shares when accessed and unmounts them after inactivity (saves resources).

Setup autofs on the Client:

  1. Install:

    sudo apt install autofs -y  # Debian/Ubuntu
# OR
sudo dnf install autofs -y  # RHEL/CentOS

  2. Configure the master map (/etc/auto.master):

    sudo nano /etc/auto.master

    Add:

    /mnt/nfs-autofs  /etc/auto.nfs  --timeout=60
    • /mnt/nfs-autofs: Base mount directory.
    • /etc/auto.nfs: Per-share configuration file.
    • --timeout=60: Unmount after 60 seconds of inactivity.

  3. Create /etc/auto.nfs:

    sudo nano /etc/auto.nfs

    Add a share (e.g., my-share maps to the server’s export):

    my-share  -rw,sync  192.168.1.100:/data/nfs-share

  4. Restart autofs:

    sudo systemctl restart autofs

    Access the share via /mnt/nfs-autofs/my-share (mounts automatically).

Common NFS Use Cases for Admins

  • Centralized Home Directories: Share /home across workstations for consistent user environments.
  • Application Data Sharing: Host databases or logs on a central NFS server for multi-node apps (e.g., web servers).
  • HPC Clusters: Distribute binaries and datasets across compute nodes.
  • Kubernetes Persistent Volumes: Use NFS to provide shared storage for containers.
  • Backup Targets: Mount NFS shares as backup destinations for client systems.

Best Practices for NFS Administration

Security Best Practices

  • Use NFSv4+ with Kerberos: Enable sec=krb5 for authentication/encryption (avoids plaintext RPC). 
    # Example /etc/exports with Kerberos
/data/nfs-share 192.168.1.0/24(rw,sync,sec=krb5)
  • Restrict Exports: Limit clients to specific IPs/subnets (avoid * in /etc/exports).
  • Avoid no_root_squash: Prevents client root from gaining server root access.
  • Encrypt Traffic: Use IPSec or VPNs for NFS over untrusted networks (e.g., WAN).

Performance Optimization

  • Tune rsize/wsize: Use large block sizes (e.g., rsize=1048576,wsize=1048576) for large files.
  • Prefer sync Over async: Prioritize data integrity unless latency is critical.
  • Dedicated Network: Use 10Gbps+ links for NFS traffic to avoid bottlenecks.
  • Avoid Overloading the Server: Limit concurrent clients and monitor CPU/memory usage.

Reliability and Maintenance

  • Use RAID on the Server: Protect exported data with RAID 5/6 or hardware RAID.
  • Monitor NFS Services: Track nfsd CPU usage, network latency, and disk I/O (tools: nfsstat, iostat).
  • Backup Exports: Regularly back up NFS shares (e.g., with rsync or borgbackup).
  • Document Configurations: Track exports, clients, and options in a wiki or CMDB.

Troubleshooting Common NFS Issues

Mount Failures

  • Check Firewall: Ensure NFS ports (2049, rpcbind:111) are open on the server.
  • Verify Exports: On the server: exportfs -v; on the client: showmount -e <server>. 
    showmount -e 192.168.1.100  # List exports from server
  • Permission Denied: Check root_squash (client root may be mapped to nobody).

Slow Performance

  • Tune rsize/wsize: Test larger values (e.g., 1MB) with mount -o rsize=1048576 ....
  • Check Network: Use tcpdump or iftop to identify congestion.
  • Server Load: Use top or htop to check for CPU/disk bottlenecks.

Stale File Handles

  • Cause: Server unexported a share while clients were mounted.
  • Fix: Unmount and remount the share on the client: 
    umount -f /mnt/nfs-client  # Force unmount if stuck
mount /mnt/nfs-client

Conclusion

NFS remains a powerful tool for networked file sharing in Linux environments, offering simplicity, flexibility, and broad compatibility. By understanding its architecture, mastering setup/configuration, and following best practices for security and performance, admins can leverage NFS to build scalable, reliable storage solutions. Whether for centralized home directories, HPC clusters, or Kubernetes, NFS is a foundational technology that every Linux admin should know.

References