Setting Up The Server
For an NFSv4 server, all of the exports are handled through one export point (the pseudofilesystem), with all other exports grouped underneath a root export.
- Create a root export directory.
- Bind all of the shares we intend to export into the root export directory.
- Export everything.
Create Server Export Directories
The "/exports" directory will hold all of our local filesystem resources that will be made available as exports. The subdirectories are the actual exported resources which need to be mapped back to the real resources.
Make sure all of the directories have at least one test file in them, so we can more easily verify when a mount has worked.
Read-Only NFSv4 Mount
Read-Only (RO) mounts are useful for distributing public files, installation software, etc. In this example, we export a 'distros' directory as read-only.
Read/Write NFSv4 Mount
The most common type of NFS mount is the Read/Write (RW) mount. Since we created the /exports/users directory with the sticky bit set, any remote user will be able to read and write to the directory, but only the owner of the files will be able to modify or delete them. If the "root" user on the NFSv4 client writes a file to the directory, the ownership will be changed to "nobody". Root squashing is on by default, which means that the "root" user on remote NFS clients does not have root privileges on the server.
The only difference between read-only and read-write exports is the 'ro' vs. 'rw' in the export statement.
The following configuration bind mounts the original directories (left) into the main "/exports" directory. Note that the filesystem type is defined as "none" and the only option defined is "bind".
After the /etc/fstab file has been configured, the mounts can be bound using the following command.
For testing, you can use mount --bind and exportfs to set this up temporarily:
Check the active mounts to confirm the successful mounting of the bound directories.
Doing a directory listing of the "/exports/sge" directory displays the directories that are actually located in "/opt/sge".
The exports can now be defined for the server. Instead of seeing a number of distinct exports, an NFSv4 client sees the NFSv4 server's exports as existing inside a single filesystem, called the NFSv4 "pseudofilesystem". The most important configuration setting here is the "fsid=0" option, which tells the server that this is the pseudofilesystem and that all other directories are contained within this one. Also important are the anonuid and anongid values, which are set to 65534, the nobody account. Be sure to check the nfs man page for NFSv4-specific export options.
To export using Kerberos v5, use the special client named "gss/krb5". You can use "krb5i" for integrity or "krb5p" for privacy.
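An added example, not part of the original page: a shell check that reads an exports file and reports the settings described above (a single fsid=0 pseudofilesystem root, exports located beneath it, ro versus rw, and root squashing). The sample file, the 192.168.1.0/24 client network, the /srv/scratch path and the function names are constructed for illustration.

```shell
# Constructed sample exports file; /exports paths follow the page, clients are placeholders.
sample_exports() {
cat <<'EOF'
/exports          192.168.1.0/24(ro,sync,fsid=0,no_subtree_check)
/exports/distros  192.168.1.0/24(ro,sync,no_subtree_check)
/exports/users    192.168.1.0/24(rw,sync,no_subtree_check,anonuid=65534,anongid=65534)
/exports/sge      192.168.1.0/24(rw,sync,no_subtree_check,no_root_squash)
/srv/scratch      gss/krb5(rw,sync,no_subtree_check)
EOF
}
# audit_exports (hypothetical helper): reads exports syntax on stdin and
# prints one INFO line per path/client pair plus WARN lines for findings.
audit_exports() {
awk '
  /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
  {
    path = $1
    paths[++np] = path
    for (i = 2; i <= NF; i++) {
      # split "client(opt,opt)" into the client and its option list
      client = $i; opts = ""
      p = index($i, "(")
      if (p > 0) { client = substr($i, 1, p - 1); opts = substr($i, p + 1); sub(/\)$/, "", opts) }
      # exportfs defaults: read-only, root squashed
      mode = "ro"; squash = "root_squash"
      n = split(opts, o, ",")
      for (j = 1; j <= n; j++) {
        if (o[j] == "rw") mode = "rw"
        if (o[j] == "no_root_squash") squash = "no_root_squash"
        if (o[j] == "fsid=0" && path != root) { roots++; root = path }
      }
      printf "INFO %s %s %s %s\n", path, client, mode, squash
      if (squash == "no_root_squash")
        printf "WARN %s %s: client root keeps root privileges\n", path, client
    }
  }
  END {
    if (roots != 1) {
      printf "WARN expected exactly one fsid=0 export, found %d\n", roots
    } else {
      for (k = 1; k <= np; k++)
        if (paths[k] != root && index(paths[k], root "/") != 1)
          printf "WARN %s is outside the pseudofilesystem root %s\n", paths[k], root
    }
  }'
}
sample_exports | audit_exports
```

To check a real server, feed the function the live file instead of the sample: `audit_exports < /etc/exports`.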
The exports that are available from the server can be checked with the following commands.
If you have changed the export configuration and need to re-export, you can use: