NFS server
NFS is a file-share technology that is supported only by *Nix systems. It's very simple to set up and use, but it offers a smaller set of restrictions than Samba.
- NFS is perfect for a NetBoot strategy (thin clients)
- NFS is not fit to act as a company's main file server. If you plan to share a lot of data as a file server, Samba will be a better choice.
Installation
NFS support
apt-get install nfs-kernel-server nfs-common
Debootstrap (manage netboot image)
apt-get install debootstrap
Initramfs (to manage "virtual disks")
apt-get install initramfs-tools
NFS server setup
You have to create the folders you'd like to share:
mkdir -p /nfs/qa
mkdir -p /nfs/prod
mkdir -p /nfs/common
- NOTES -
- The folder name should match your TFTP configuration (see TFTP server PXE configuration)
- If you plan to serve many images you should give them meaningful names!
Configuration
The NFS configuration is done in the /etc/exports file
vim /etc/exports
Add something like this:
### list of available O.S
/nfs/qa 172.16.50.0/24(ro,no_root_squash,no_subtree_check,async,insecure)
/nfs/prod 172.16.50.0/24(ro,no_root_squash,no_subtree_check,async,insecure)
### common share
/nfs/common 172.16.50.0/24(rw,no_root_squash,no_subtree_check,async,insecure)
Adjust "172.16.50.0/24" to your own network address
- rw : Allows clients read and write access
- ro : Read-only access
- insecure : Tells the NFS server to accept requests from unprivileged client ports (ports > 1024).
- no_subtree_check : If the entire volume (/users) is exported, disabling this check will speed up transfers.
- async : async will speed up transfers.
- no_root_squash : This option allows the client's root user to connect to the designated directory as root.
- NOTE -
- It's always a good idea to use read-only if you plan to share this disk. That prevents users from messing with your image!
- There must not be any space between the network IP and "("
- If you plan to share an NFS folder with all users - like my /nfs/common - don't forget to set chmod -R 777 /nfs/common
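The option notes above can be checked mechanically. The following Python sketch is an added example, not part of the original page: it audits exports-style text for the combinations discussed here (rw together with no_root_squash, insecure, and a stray space before "("). The /nfs/typo line, the function name audit_exports and the finding labels are assumptions made for illustration.

```python
import re

# Constructed sample: the page's three exports plus one extra line showing
# the "space before (" mistake from the notes (the /nfs/typo path is made up).
SAMPLE_EXPORTS = """\
### list of available O.S
/nfs/qa 172.16.50.0/24(ro,no_root_squash,no_subtree_check,async,insecure)
/nfs/prod 172.16.50.0/24(ro,no_root_squash,no_subtree_check,async,insecure)
### common share
/nfs/common 172.16.50.0/24(rw,no_root_squash,no_subtree_check,async,insecure)
/nfs/typo 172.16.50.0/24 (rw,async)
"""

# client spec = optional host/network, then optional "(opt,opt,...)"
SPEC_RE = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")

def audit_exports(text):
    """Return (path, client, finding) tuples for risky export entries.

    Assumes simple entries: no quoted paths, no backslash continuations.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = SPEC_RE.match(spec)
            if m is None:
                findings.append((path, spec, "unparseable"))
                continue
            # A bare "(opts)" token has no host: its options apply to any host.
            host = m.group(1) or "*"
            opts = set((m.group(2) or "").split(",")) - {""}
            if host == "*":
                findings.append((path, host, "world"))       # any host may mount
            if {"rw", "no_root_squash"} <= opts:
                findings.append((path, host, "root-write"))  # client root writes as root
            if "insecure" in opts:
                findings.append((path, host, "insecure"))    # unprivileged source ports accepted
    return findings

if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:12} {client:16} {finding}")
```

On the sample, /nfs/common is reported as root-write and the /nfs/typo line as world, because the space turns "(rw,async)" into a separate entry that applies to every host.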
Security
Like TFTP, this part is insecure!
You must restrict access to your NFS server with a firewall script, filtering BEFORE traffic reaches the LAN!
NFS uses dynamic port numbers because it runs over rpcbind. Making NFS use specific ports is a pain in the ass !! :(
So, instead of that, you should allow your LAN communication.
IPTABLES=`which iptables`
LAN_ADDRESS="172.16.50.0/24"
# Allow LAN communication
$IPTABLES -A INPUT -s $LAN_ADDRESS -d $LAN_ADDRESS -m state ! --state INVALID -j ACCEPT
$IPTABLES -A OUTPUT -s $LAN_ADDRESS -d $LAN_ADDRESS -m state ! --state INVALID -j ACCEPT
Management
service nfs-kernel-server {status|start|stop|restart}
Test the server
Install the NFS v4 client:
apt-get install nfs-common
To mount the default path:
mount -t nfs nfs-server:/ /mnt
You'll see: "/nfs"
It's better to do:
mount -t nfs nfs-server:/nfs /mnt