NFS – Set up an NFS server on CentOS/RHEL 7

If you have directories on your machine that you want to share out to other machines, you can do this by setting up your system as an NFS server. You can follow along with this article using this Vagrant project on GitHub.

We will walk through the following example:

+--------------------------+              +--------------------------+
|                          |              |                          |
|       nfs-storage        |              |        nfs-client        |
|     (IP: 10.0.6.10)      |              |                          |
|                          |              |                          |
|                          |              |                          |
|                          |              |                          |
|                          |              |                          |
|   +-----------------+    |              |     +---------------+    |
|   | /nfs/export_ro  |<----------------------->| /mnt/ref_data |    |
|   +-----------------+    |              |     +---------------+    |
|                          |              |                          |
|   +-----------------+    |              |     +---------------+    |
|   | /nfs/export_rw  |<----------------------->| /mnt/backups  |    |
|   +-----------------+    |              |     +---------------+    |
|                          |              |                          |
|                          |              |                          |
+--------------------------+              +--------------------------+

To do this, you first need to ensure the following package is installed:

$ yum install nfs-utils

If SELinux is running, then we need to ensure the following SELinux boolean settings are enabled:

$ setsebool -P nfs_export_all_rw 1
$ setsebool -P nfs_export_all_ro 1

Here we made (P)ersistent changes. You can use the getsebool command to confirm that the changes have been made.

Next, if you want firewalld running, you need to add the following services to the whitelist:

$ firewall-cmd --permanent --add-service=nfs
$ firewall-cmd --permanent --add-service=mountd
$ firewall-cmd --permanent --add-service=rpc-bind
$ systemctl restart firewalld

Next we make the mount points as per our example:

$ mkdir -p /nfs/export_ro
$ mkdir -p /nfs/export_rw

Also change the ownership of these folders:

$ chown nfsnobody:nobody /nfs/export_ro
$ chown nfsnobody:nobody /nfs/export_rw

nfsnobody is a special reserved name that’s used for this purpose. Now we have:

[root@nfs-storage ~]# ll -Z /nfs
drwxr-xr-x. nfsnobody  nobody    unconfined_u:object_r:default_t:s0 export_ro
drwxr-xr-x. nfsnobody  nobody    unconfined_u:object_r:default_t:s0 export_rw

The SELinux type attribute needs to be fixed, which we do by running:

[root@nfs-storage ~]# semanage fcontext -a -t public_content_rw_t  "/nfs(/.*)?"
[root@nfs-storage ~]# restorecon -Rv /nfs

[root@nfs-storage ~]# ll -Z /nfs/
drwxr-xr-x. nfsnobody  nobody    unconfined_u:object_r:public_content_rw_t:s0 export_ro
drwxr-xr-x. nfsnobody  nobody    unconfined_u:object_r:public_content_rw_t:s0 export_rw

Tip: if you forget what the tags are called, run the following for a reminder:

$ seinfo -t | grep public

The security attribute ‘public_content_ro_t’ doesn’t appear to exist anymore. Instead, it looks like this has been renamed to simply public_content_t. For more info, see:

$ man nfsd_selinux

Next we need to create the following nfs config file, with the content:

$ cat /etc/exports
/nfs/export_ro  *(sync)
/nfs/export_rw  *(rw,no_root_squash)

Note that this file might not exist, or it might exist but be empty. The ‘sync’ option is basically to make it read only. For more info, check out:

$ man exports

This man page also gives sample entries at the bottom.
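
An added example, not part of the original article: a small shell/awk audit of exports(5)-style lines. It prints the effective access mode for each client spec and flags no_root_squash and any-host-writable entries, using the exports(5) defaults of ro and root_squash when neither is given. The function name and finding labels are made up for this example; it assumes one export per line and treats only `*` and a bare `(options)` as "any host".

```shell
# audit_exports [FILE]: read exports(5)-style lines (stdin if no FILE) and
# print one line per client spec: PATH CLIENT MODE SQUASH FINDING
audit_exports() {
  awk '
    /^[ \t]*#/ { next }                      # skip comment lines
    NF == 0    { next }                      # skip blank lines
    {
      path = $1
      for (i = 2; i <= NF; i++) {
        spec = $i
        if (spec ~ /^#/) break               # trailing comment
        client = spec; opts = ""
        p = index(spec, "(")
        if (p > 0) {
          client = substr(spec, 1, p - 1)
          opts = substr(spec, p + 1, length(spec) - p - 1)
        }
        if (client == "") client = "*"       # "(opts)" alone applies to every host
        mode = "ro"; squash = "root_squash"  # defaults when not stated
        n = split(opts, o, ",")
        for (j = 1; j <= n; j++) {
          if (o[j] == "rw" || o[j] == "ro") mode = o[j]
          if (o[j] == "no_root_squash" || o[j] == "root_squash") squash = o[j]
        }
        wide = (client == "*")
        finding = "ok"
        if (wide && mode == "rw" && squash == "no_root_squash")
          finding = "CRITICAL:any-host-root-write"
        else if (squash == "no_root_squash")
          finding = "WARN:client-root-is-server-root"
        else if (wide && mode == "rw")
          finding = "WARN:any-host-write"
        print path, client, mode, squash, finding
      }
    }
  ' "$@"
}

# Constructed sample: the export lines used in this article, plus the
# host-restricted form from the quiz.
printf '%s\n' \
  '/nfs/export_ro  *(sync)' \
  '/nfs/export_rw  *(rw,no_root_squash)' \
  '/nfs/export_rw  10.0.6.11(rw,no_root_squash)' | audit_exports
```

On a real server, run it as `audit_exports /etc/exports` and compare the result with /var/lib/nfs/etab after `exportfs -avr`.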

Now start and enable the nfs-server service:

$ systemctl enable nfs-server
$ systemctl restart nfs-server

Now we are ready to test this by Setting up an NFS client on CentOS 7.

What command can you run to check whether the exports have been successfully exported?

[root@nfs-storage nfs]# exportfs -avr
exporting *:/nfs/export_rw
exporting *:/nfs/export_ro

Take the RHCSA Quiz

This article is part of our RHCSA Study guide. By the end of this article you should be able to answer the following questions:

In this quiz we’ll assume the 2 folders you want to export are called /nfs/export_ro and /nfs/export_rw


What rpm do you need to install to setup an NFS server?

$ yum install nfs-utils

What SELinux boolean setting do you need to apply?

$ setsebool -P nfs_export_all_rw 1
$ setsebool -P nfs_export_all_ro 1

What firewall rules do you need to allow?

$ firewall-cmd --permanent --add-service=nfs
$ firewall-cmd --permanent --add-service=mountd
$ firewall-cmd --permanent --add-service=rpc-bind
$ systemctl restart firewalld

What folders do you need to create and what permissions should they have?

$ mkdir -p /nfs/export_ro
$ mkdir -p /nfs/export_rw
$ chown nfsnobody:nobody /nfs/export_rw
$ chown nfsnobody:nobody /nfs/export_ro

What is the command to help identify which SELinux fcontext tags to use?

$ seinfo -t | grep public

What SELinux rules should be applied to these folders?

$ semanage fcontext -a -t public_content_t "/nfs/export_ro(/.*)?"
$ semanage fcontext -a -t public_content_rw_t "/nfs/export_rw(/.*)?"
$ restorecon -Rv /nfs

What config file do you need to create, and what should its content be (also restrict export_rw access so that only the box with the IP address 10.0.6.11 can access it)?

$ cat /etc/exports
/nfs/export_ro *(sync)
/nfs/export_rw 10.0.6.11(rw,no_root_squash)

Where can you find more info about this config file?

$ man exports

What are the commands to enable+start the NFS daemon?

$ systemctl enable nfs-server
$ systemctl restart nfs-server

What can you check to confirm the nfs exports are now available?

View the etab file: /var/lib/nfs/etab
You can also run:
$ exportfs -avr

What is the man page to view more info on nfs related selinux stuff?

$ man nfsd_selinux