====== Network Services Overview: NFS ======

**General Information**

This page covers the Network Services objectives, specifically for NFS. 

**Network Services Objectives**
  * Install the packages needed to provide the service
  * Configure SELinux to support the service
  * Use SELinux port labeling to allow services to use non-standard ports
  * Configure the service to start when the system is booted
  * Configure the service for basic operation
  * Configure host-based and user-based security for the service

----

====== Lab Setup ======

The following virtual machines will be used:
  * server1.example.com (192.168.1.150) -> Perform all NFS client tests from here
  * server2.example.com (192.168.1.151) -> Install the NFS server here

----

====== Install the packages needed to provide the service ======

Install the service
<code bash>
yum install nfs-utils
</code>

----

====== Configure SELinux to support the service ======

  * Service agnostic -> [[linux_wiki:set_enforcing_and_permissive_modes_for_selinux|Ensure SELinux is running and enabled (RHCSA objective)]].
  * **IMPORTANT**: View all label types<code bash># Install package
yum install setools-console

# View all label types
seinfo -t

# Find NFS types
seinfo -t | grep nfs
</code>

----

====== Use SELinux port labeling to allow services to use non-standard ports ======

Configuring the <service-name> with a non standard port and allowing port access with selinux.

**NOTE**: "man semanage-port" has examples for allowing non-standard ports!

----

====== Configure the service to start when the system is booted ======

Check Current Service Status
<code bash>
systemctl status nfs-server
</code>
  * Also displays if the service is enabled or disabled

\\
Enabling a service to start on boot
<code bash>
systemctl enable nfs-server
</code>

----

====== Configure the service for basic operation ======

Enable and Start the service
<code bash>
systemctl enable nfs-server
systemctl start nfs-server
</code>

----

====== Configure host-based and user-based security for the service ======

===== Firewall =====

Allow access through the firewall to the NFS service
<code bash>
firewall-cmd --permanent --add-service=nfs
firewall-cmd --reload
</code>

\\
Allow access through the firewall to allow the showmount command from clients to work
<code bash>
firewall-cmd --permanent --add-service=rpc-bind
firewall-cmd --permanent --add-service=mountd
firewall-cmd --reload
</code>

===== Host Based =====

Configure host based access in /etc/exports
<code bash>
/data-share  *.example.com(ro)

/data-share2  192.168.1.0/24(rw)
</code>
  * Hostname based and network based
  * Others refused

Export modifications<code bash>exportfs -var</code>
===== User Based =====

Default NFS security (sec=sys) is via IP addresses or hostname.

[[linux_wiki:use_kerberos_to_control_access_to_nfs_network_shares|Kerberos can be used to provide user authentication to NFS services]].

----