====== Network Services Overview: NFS ======
**General Information**
This page covers the Network Services objectives, specifically for NFS.
**Network Services Objectives**
* Install the packages needed to provide the service
* Configure SELinux to support the service
* Use SELinux port labeling to allow services to use non-standard ports
* Configure the service to start when the system is booted
* Configure the service for basic operation
* Configure host-based and user-based security for the service
----
====== Lab Setup ======
The following virtual machines will be used:
* server1.example.com (192.168.1.150) -> Perform all NFS client tests from here
* server2.example.com (192.168.1.151) -> Install the NFS server here
----
====== Install the packages needed to provide the service ======
Install the service
<code bash>
yum install nfs-utils
</code>
----
====== Configure SELinux to support the service ======
* Service agnostic -> [[linux_wiki:set_enforcing_and_permissive_modes_for_selinux|Ensure SELinux is running and enabled (RHCSA objective)]].
* **IMPORTANT**: View all label types
<code bash>
# Install package
yum install setools-console

# View all label types
seinfo -t

# Find NFS types
seinfo -t | grep nfs
</code>
----
====== Use SELinux port labeling to allow services to use non-standard ports ======
Configure the service with a non-standard port and allow access to that port with SELinux.
**NOTE**: "man semanage-port" has examples for allowing non-standard ports!
----
====== Configure the service to start when the system is booted ======
Check current service status
<code bash>
systemctl status nfs-server
</code>
* Also displays if the service is enabled or disabled
\\
Enable a service to start on boot
<code bash>
systemctl enable nfs-server
</code>
----
====== Configure the service for basic operation ======
Enable and start the service
<code bash>
systemctl enable nfs-server
systemctl start nfs-server
</code>
----
====== Configure host-based and user-based security for the service ======
===== Firewall =====
Allow access through the firewall to the NFS service
<code bash>
firewall-cmd --permanent --add-service=nfs
firewall-cmd --reload
</code>
\\
Allow the rpc-bind and mountd services through the firewall so that the showmount command works from clients
<code bash>
firewall-cmd --permanent --add-service=rpc-bind
firewall-cmd --permanent --add-service=mountd
firewall-cmd --reload
</code>
===== Host Based =====
Configure host-based access in /etc/exports
<code>
/data-share *.example.com(ro)
/data-share2 192.168.1.0/24(rw)
</code>
* Hostname based and network based
* Others refused
Export modifications
<code bash>
exportfs -var
</code>
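The host-based rules above depend on exact /etc/exports syntax, so the following added example (not part of the original page) audits an exports file for entries that reach more hosts than intended, including the ''host (rw)'' spacing mistake that exports to every host. The function names, finding labels and the /srv entries in the sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): flag exports entries that
# grant more than intended. Reads FILE arguments, or stdin if none given.
# Prints one "path|client|FINDING" line per issue (labels are illustrative).
audit_exports() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {                    # split "client(opt,opt)"
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            # An empty client is a bare "(opts)" field, e.g. "host (rw)" typed
            # with a space: those options then apply to every host.
            world = (client == "" || client == "*")
            if (world) { client = "*"; print path "|" client "|WORLD_EXPORT" }
            # Wildcard hostname or network/netmask: many hosts match.
            broad = (world || client ~ /[*?]/ || index(client, "/") > 0)
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "rw" && broad)
                    print path "|" client "|RW_TO_MANY_HOSTS"
                if (o[j] == "no_root_squash")
                    print path "|" client "|NO_ROOT_SQUASH"
                if (o[j] == "insecure")
                    print path "|" client "|UNPRIVILEGED_SRC_PORT"
            }
        }
    }' "$@"
}

# Constructed sample: the two exports from this page plus hypothetical
# /srv entries that exercise the spacing and no_root_squash checks.
sample_exports() {
    cat <<'EOF'
# constructed sample input
/data-share   *.example.com(ro)
/data-share2  192.168.1.0/24(rw)
/srv/backup   server1.example.com (rw)
/srv/build    server1.example.com(rw,no_root_squash)
EOF
}

sample_exports | audit_exports
```

To check a live server, call ''audit_exports /etc/exports''; RW_TO_MANY_HOSTS is a prompt to review the entry, since a read-write network export may be intentional.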
===== User Based =====
The default NFS security mode (sec=sys) controls access by client IP address or hostname.
[[linux_wiki:use_kerberos_to_control_access_to_nfs_network_shares|Kerberos can be used to provide user authentication to NFS services]].
----