NFS Configuration and Management

Nexfs can optionally configure and/or directly manage the Linux NFS server. You can choose whether Nexfs configures the NFS server and whether Nexfs manages (starts and stops) the NFS server.

 

NFS Service Configuration

To allow Nexfs to configure the NFS server, you must first enable the NFS service in Nexfs by setting NFSENABLED to 1 (enabled). To disable NFS management, set NFSENABLED to 0.

Example of using nexfscli to enable the NFS service on Nexfs start:

# nexfscli configfile set NFSENABLED 1
Updated Configuration file

If Nexfs is already running, you can enable NFS without requiring a restart with:

# nexfscli liveconfig set NFSENABLED 1

Updated Live Configuration

More information on managing Nexfs using nexfscli can be found here

By default Nexfs will manage up to 12 NFS exports. This is a soft limit that can be changed through the NFSMAXEXPORTS setting.

NFS Start/Stop Management

Nexfs can be configured to start and stop the Linux NFS service. To enable NFS management, set NFSSTARTSTOP to 1; to disable direct management, set NFSSTARTSTOP to 0.

Note: NFS configuration must also be enabled in Nexfs (see NFSENABLED above) in addition to NFSSTARTSTOP for Nexfs to start and stop the Linux NFS service.

Example of using nexfscli to enable the NFS service management on Nexfs start:

# nexfscli configfile set NFSSTARTSTOP 1
Updated Configuration file

If Nexfs is already running, you can enable NFS management without requiring a restart with:

# nexfscli liveconfig set NFSSTARTSTOP 1

Updated Live Configuration

More information on managing Nexfs using nexfscli can be found here

Configuring NFS exports

NFS exports are managed through a standard JSON-formatted configuration file. The easiest way to view and modify exports is with the nexfscli management command.

Viewing NFS exports

You can view or make a copy of the currently loaded NFS export file using nexfscli. To view the export configuration, run:

# nexfscli nfs getexports

To save a copy of the exports configuration to a file, include a filename at the end of the getexports command, for example, to save a copy to a file in /tmp called nexfsnfsexports, run:

# nexfscli nfs getexports /tmp/nexfsnfsexports

Updating, creating and removing NFS exports 

You can add, remove and update NFS exports using nexfscli. First create a correctly formatted JSON file that contains all exports, both the new ones and the existing ones that should remain. To remove an existing export, simply leave it out of the JSON file. Then run:

# nexfscli nfs putexports /tmp/nexfsnfsexports

Where /tmp/nexfsnfsexports is the location of the JSON file which contains the new configuration.

Once loaded, check that the configuration has been accepted by viewing the NFS exports as detailed above. If any formatting errors were encountered while loading the new configuration file, check the nexfs logfile (defaults to syslog) for details.

Sample NFS JSON Configuration File

The sample below is a JSON configuration file that includes two NFS exported directories. The first exports the directory called "nfsroot" from within the Nexfs mount point; the second exports the directory "diskimages" located at "virtualservers/diskimages" from within the Nexfs mount point.

 

For exportdir, the prefix directory that the Nexfs file system is mounted to is excluded, for example, if Nexfs is mounted to /mnt/nexfs and the intention is to mount /mnt/nexfs/virtualservers/diskimages, then the exportdir in the JSON configuration is only "virtualservers/diskimages". This allows the Nexfs mount point location to be changed without the need to update existing NFS exports.

See below for a description of each NFS configuration parameter.

{
        "nfsexports":   [{
                        "exportdir":    "nfsroot",
                        "enabled":      1,
                        "auth": "192.168.178.0/24",
                        "secsys":       1,
                        "seckrb5":      1,
                        "seckrb5i":     0,
                        "seckrb5p":     0,
                        "rw":   1,
                        "async":        1,
                        "nowdelay":     1,
                        "squash":       1,
                        "anonuid":      -1,
                        "anongid":      -1,
                        "securelocks":  1,

                        "subtree_check":    1,
                        "rootexport":   1
                }, {
                        "exportdir":    "virtualservers/diskimages",
                        "enabled":      1,
                        "auth": "*",
                        "secsys":       1,
                        "seckrb5":      0,
                        "seckrb5i":     0,
                        "seckrb5p":     1,
                        "rw":   0,
                        "async":        1,
                        "nowdelay":     1,
                        "squash":       1,
                        "anonuid":      -1,
                        "anongid":      -1,
                        "securelocks":  1,

                        "subtree_check":    0,
                        "rootexport":   0
                }]
}

 

 

 

 

NFS Export Configuration Parameters


"exportdir" is the only required parameter for any export. Any parameters not included in the JSON file will be set to the corresponding default value as documented below.

Parameter
Values
Description
exportdir
Default: None Valid Values: The directory to export
An existing directory from within the Nexfs mount point/filesystem tree. Do not include the Nexfs mount point or a leading slash '/'. For example, to export /mnt/nexfs/exportfolder when /mnt/nexfs is the Nexfs file system mount point, set the value of exportdir to "exportfolder".
rootexport
Default: 0 (no) Valid Values: 0 (no), 1 (yes)
If this export should be used as the NFSv4 root export. Only one export can be configured as the root export. Setting a root export is optional.
enabled
Default: 0 (disable) Valid Values: 0 - Disabled, 1 - Enabled
Set to 1 (enabled) for the export to be active, or 0 (disabled)
subtree_check
Default: 1 (enabled) Valid Values: 0 - Disabled, 1 - Enabled
This option enables or disables subtree checking. If a subdirectory of a filesystem is exported but the whole filesystem is not, then whenever an NFS request arrives the server must check not only that the accessed file is in the appropriate filesystem (which is easy) but also that it is in the exported tree (which is harder). See man exports for more information.
auth
Default: * Valid Values: See Description
The NFS clients that can access the export. Can be a single host, a netgroup, or an IP network; wildcards for client names are supported. The exports(5) man page documents the valid formats as:
  single host: You may specify a host either by an abbreviated name recognized by the resolver, the fully qualified domain name, an IPv4 address, or an IPv6 address. IPv6 addresses must not be inside square brackets in /etc/exports lest they be confused with character-class wildcard matches.
  netgroups: NIS netgroups may be given as @group. Only the host part of each netgroup member is considered in checking for membership. Empty host parts or those containing a single dash (-) are ignored.
  wildcards: Machine names may contain the wildcard characters * and ?, or may contain character class lists within [square brackets]. This can be used to make the exports file more compact; for instance, *.cs.foo.edu matches all hosts in the domain cs.foo.edu. As these characters also match the dots in a domain name, the given pattern will also match all hosts within any subdomain of cs.foo.edu.
  IP networks: You can also export directories to all hosts on an IP (sub-) network simultaneously. This is done by specifying an IP address and netmask pair as address/netmask where the netmask can be specified in dotted-decimal format, or as a contiguous mask length. For example, either '/255.255.252.0' or '/22' appended to the network base IPv4 address results in identical subnetworks with 10 bits of host. IPv6 addresses must use a contiguous mask length and must not be inside square brackets to avoid confusion with character-class wildcards. Wildcard characters generally do not work on IP addresses, though they may work by accident when reverse DNS lookups fail.
rw
Default: 0 (Readonly) Valid Values: 0 (Readonly), 1 (Read Write)
If the export should be exported read write or read only
async
Default: 0 (sync) Valid Values: 0 (sync), 1 (async)
This option allows the NFS server to reply to requests before changes have been committed to storage. Using this option may improve performance, but can cause data to be lost or corrupted if the server is uncleanly restarted or crashes.
nowdelay
Default: 0 (off) Valid Values: 0 (off), 1 (on)
When enabled, performance can improve by allowing the NFS server to send multiple related write requests to Nexfs in a single operation, but performance can also be reduced if the NFS server receives small unrelated write requests. Note: async must also be disabled on the export for this feature to activate.
squash
Default: 0 (root_squash) Valid Values: 0 - root squash, 1 - all squash, 2 - no root squash, 3 - no root squash, no all squash
root_squash: Map requests from uid/gid 0 to the anonymous uid/gid. Note that this does not apply to any other uids or gids that might be equally sensitive, such as user bin or group staff. no_root_squash: Turn off root squashing. all_squash: Map all uids and gids to the anonymous user. Useful for NFS-exported public FTP directories, news spool directories, etc.
anonuid
Default: -1
Explicitly set the uid of the anonymous account
anongid
Default: -1
Explicitly set the gid of the anonymous account
securelocks
Default: 1 (secure locks) Valid Values: 0 - insecure locks, 1 - secure locks
Insecure locks informs the NFS server not to require authentication of locking requests. Normally the NFS server will require a lock request to hold a credential for a user who has read access to the file. With this flag no access checks will be performed. Use this flag if you find that you can only lock files which are world readable.
secsys
Default: 1 (yes) Valid Values: 0 (no), 1 (yes)
Basic Linux system security (no cryptographic security)
seckrb5
Default: 0 (no) Valid Values: 0 (no), 1 (yes)
The export supports krb5 security (authentication only)
seckrb5i
Default: 0 (no) Valid Values: 0 (no), 1 (yes)
The export supports krb5i security (integrity protection)
seckrb5p
Default: 0 (no) Valid Values: 0 (no), 1 (yes)
The export supports krb5p security (privacy protection)
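
The parameter table and the putexports procedure above lend themselves to a check run on the JSON file before it is loaded. The following Python is an added example, not part of Nexfs or the original page: it applies the documented defaults to each export and lists settings worth reviewing before running nexfscli nfs putexports. The function name audit_exports, the finding texts and the third sample export are assumptions made for this illustration.

```python
import json

# Defaults as listed in the parameter table on this page.
DEFAULTS = {"enabled": 0, "rootexport": 0, "auth": "*", "rw": 0, "async": 0,
            "squash": 0, "securelocks": 1, "secsys": 1,
            "seckrb5": 0, "seckrb5i": 0, "seckrb5p": 0}

def audit_exports(text):
    """Return (exportdir, finding) pairs for a Nexfs NFS exports JSON document."""
    findings, roots = [], 0
    for raw in json.loads(text).get("nfsexports", []):
        name = raw.get("exportdir")
        if not name:
            findings.append(("<missing>", "exportdir is required"))
            continue
        e = {**DEFAULTS, **raw}          # omitted parameters take their defaults
        roots += bool(e["rootexport"])
        if name.startswith("/") or ".." in name.split("/"):
            findings.append((name, "exportdir must be relative to the Nexfs mount point"))
        if not e["enabled"]:
            continue                     # disabled exports are not active
        krb = e["seckrb5"] or e["seckrb5i"] or e["seckrb5p"]
        if e["auth"] == "*":
            findings.append((name, "auth '*' admits any client" + (" read-write" if e["rw"] else "")))
        if e["secsys"] and krb:
            findings.append((name, "secsys=1 beside krb5: clients may still choose sys"))
        if e["squash"] in (2, 3):
            findings.append((name, "root is not squashed"))
        if not e["securelocks"]:
            findings.append((name, "lock requests are not access-checked"))
        if e["async"]:
            findings.append((name, "async: acknowledged writes can be lost on a crash"))
    if roots > 1:
        findings.append(("<all>", "more than one rootexport"))
    return findings

# First two entries abridged from the page's sample; the third is constructed.
SAMPLE = """{"nfsexports": [
 {"exportdir": "nfsroot", "enabled": 1, "auth": "192.168.178.0/24",
  "secsys": 1, "seckrb5": 1, "rw": 1, "async": 1, "squash": 1, "rootexport": 1},
 {"exportdir": "virtualservers/diskimages", "enabled": 1, "auth": "*",
  "secsys": 1, "seckrb5p": 1, "rw": 0, "async": 1, "squash": 1},
 {"exportdir": "/mnt/nexfs/scratch", "enabled": 1, "auth": "10.0.0.5",
  "squash": 2, "securelocks": 0}
]}"""

if __name__ == "__main__":
    for name, finding in audit_exports(SAMPLE):
        print(f"{name}: {finding}")
```

Run it against a file saved with nexfscli nfs getexports by passing the file's contents to audit_exports; an empty result means none of these checks fired, not that the export set is otherwise correct.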