Network Services Overview: NFS
General Information
This page covers the Network Services objectives, specifically for NFS.
Network Services Objectives
- Install the packages needed to provide the service
- Configure SELinux to support the service
- Use SELinux port labeling to allow services to use non-standard ports
- Configure the service to start when the system is booted
- Configure the service for basic operation
- Configure host-based and user-based security for the service
Lab Setup
The following virtual machines will be used:
- server1.example.com (192.168.1.150) → Perform all NFS client tests from here
- server2.example.com (192.168.1.151) → Install the NFS server here
Install the packages needed to provide the service
Install the service
yum install nfs-utils
Configure SELinux to support the service
- Service agnostic → Ensure SELinux is running and enabled (RHCSA objective).
- IMPORTANT: View all label types
# Install package
yum install setools-console
# View all label types
seinfo -t
# Find NFS types
seinfo -t | grep nfs
Use SELinux port labeling to allow services to use non-standard ports
Configure the <service-name> to use a non-standard port and allow access to that port with SELinux.
NOTE: “man semanage-port” has examples for allowing non-standard ports!
Configure the service to start when the system is booted
Check Current Service Status
systemctl status nfs-server
- Also displays if the service is enabled or disabled
Enabling a service to start on boot
systemctl enable nfs-server
Configure the service for basic operation
Enable and Start the service
systemctl enable nfs-server
systemctl start nfs-server
Configure host-based and user-based security for the service
Firewall
Allow access through the firewall to the NFS service
firewall-cmd --permanent --add-service=nfs
firewall-cmd --reload
Allow access through the firewall to allow the showmount command from clients to work
firewall-cmd --permanent --add-service=rpc-bind
firewall-cmd --permanent --add-service=mountd
firewall-cmd --reload
Host Based
Configure host-based access in /etc/exports
/data-share *.example.com(ro)
/data-share2 192.168.1.0/24(rw)
- Hostname based and network based
- Others refused
Export modifications
exportfs -var
User Based
The default NFS security mode (sec=sys) controls access by client IP address or hostname.
Kerberos can be used to provide user authentication to NFS services.
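An added example (not part of the original page): a small shell/awk audit of /etc/exports entries that reports the host-based and user-based settings discussed above, including the case where a space before the options exports the share to every host. The function names, flag labels and the /data-share3 and /data-share4 lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag risky host/user security settings in /etc/exports text.
# Assumes one export per line, no quoted paths, no backslash continuations.

# Constructed sample: the first two lines are the page's exports; the rest are
# made up (a stray space before the options, and a Kerberos-only export).
sample_exports() {
  cat <<'EOF'
# constructed sample exports
/data-share *.example.com(ro)
/data-share2 192.168.1.0/24(rw)
/data-share3 server1.example.com (rw,no_root_squash)
/data-share4 192.168.1.150(ro,sec=krb5p)
EOF
}

# Reads exports text on stdin; prints "path client flags" per client spec.
audit_exports() {
  awk '
    /^[ \t]*#/ || NF == 0 { next }            # skip comments and blank lines
    {
      for (i = 2; i <= NF; i++) {
        client = $i; opts = ""
        p = index($i, "(")
        if (p > 0) {                          # split "client(opt,opt)"
          client = substr($i, 1, p - 1)
          opts = substr($i, p + 1)
          sub(/\)$/, "", opts)
        }
        flags = ""
        # "host (rw)" with a space parses as host + a client-less (world) spec
        if (client == "" || client == "*") flags = flags ",WORLD"
        else if (client ~ /[*?]/)          flags = flags ",WILDCARD"
        o = "," opts ","
        if (o ~ /,rw,/)             flags = flags ",RW"
        if (o ~ /,no_root_squash,/) flags = flags ",NO_ROOT_SQUASH"
        if (o ~ /,insecure,/)       flags = flags ",INSECURE_PORT"
        # sec=sys is the default and is also in force when listed explicitly
        if (o !~ /,sec=/ || o ~ /,sec=([^,]*:)?sys[:,]/) flags = flags ",SEC_SYS"
        if (client == "") client = "<any>"
        if (flags == "") flags = ",OK"
        print $1, client, substr(flags, 2)
      }
    }'
}

sample_exports | audit_exports
```

To check a real server, run audit_exports < /etc/exports and review every line that is not marked OK.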