RHEL7: Provide NFS network shares to specific clients

Server side configuration

Install the file-server package group:
# yum groupinstall -y file-server
Add a new service to the firewall:
# firewall-cmd --permanent --add-service=nfs
success
Reload the firewall configuration:
# firewall-cmd --reload
success
Activate the NFS services at boot:
# systemctl enable rpcbind
# systemctl enable nfs-server
# systemctl enable nfs-lock
# systemctl enable nfs-idmap
Note: The nfs-idmap service is required by NFSv4, but it doesn’t let you have any UID/GID mismatches between clients and server. It is only used when setting ACLs by name or when displaying user/group names.
All permission checks are still done with the UID/GID used by the server (see this thread about nfs-idmap for more details).
Start the NFS services:
# systemctl start rpcbind
# systemctl start nfs-server
# systemctl start nfs-lock
# systemctl start nfs-idmap
Note: By default, 8 NFS threads are used (RPCNFSDCOUNT=8 in the /etc/sysconfig/nfs file). This should be increased in a production environment to at least 32 (source: http://initrd.org/wiki/NFS_Setup).
Create directories to export and assign access rights:
# mkdir -p /home/tools
# chmod 777 /home/tools
# mkdir -p /home/guests
# chmod 777 /home/guests
Assign the correct SELinux contexts to the new directories:
# yum install -y setroubleshoot-server
# semanage fcontext -a -t public_content_rw_t "/home/tools(/.*)?"
# semanage fcontext -a -t public_content_rw_t "/home/guests(/.*)?"
# restorecon -R /home/tools
# restorecon -R /home/guests
Note: The public_content_rw_t context is not the only one available; you can also use the public_content_ro_t (read-only) or nfs_t (more limited) contexts according to your needs.
Check the SELinux booleans used for NFS:
# semanage boolean -l | egrep "nfs|SELinux"
SELinux boolean                State  Default Description
xen_use_nfs                    (off  ,  off)  Allow xen to use nfs
virt_use_nfs                   (off  ,  off)  Allow virt to use nfs
mpd_use_nfs                    (off  ,  off)  Allow mpd to use nfs
nfsd_anon_write                (off  ,  off)  Allow nfsd to anon write
ksmtuned_use_nfs               (off  ,  off)  Allow ksmtuned to use nfs
git_system_use_nfs             (off  ,  off)  Allow git to system use nfs
virt_sandbox_use_nfs           (off  ,  off)  Allow virt to sandbox use nfs
logrotate_use_nfs              (off  ,  off)  Allow logrotate to use nfs
git_cgi_use_nfs                (off  ,  off)  Allow git to cgi use nfs
cobbler_use_nfs                (off  ,  off)  Allow cobbler to use nfs
httpd_use_nfs                  (off  ,  off)  Allow httpd to use nfs
sge_use_nfs                    (off  ,  off)  Allow sge to use nfs
ftpd_use_nfs                   (off  ,  off)  Allow ftpd to use nfs
sanlock_use_nfs                (off  ,  off)  Allow sanlock to use nfs
samba_share_nfs                (off  ,  off)  Allow samba to share nfs
openshift_use_nfs              (off  ,  off)  Allow openshift to use nfs
polipo_use_nfs                 (off  ,  off)  Allow polipo to use nfs
use_nfs_home_dirs              (off  ,  off)  Allow use to nfs home dirs
nfs_export_all_rw              (on   ,   on)  Allow nfs to export all rw
nfs_export_all_ro              (on   ,   on)  Allow nfs to export all ro
Note1: The State column shows the current boolean configuration and the Default column shows the permanent boolean configuration.
Note2: Here we are interested in the nfs_export_all_rw, nfs_export_all_ro and potentially use_nfs_home_dirs booleans.
Note3: The nfs_export_all_ro boolean allows files to be shared through NFS in read-only mode but doesn’t restrict them from being used in read-write mode. It’s the role of the nfs_export_all_rw boolean to allow read-write mode.
If necessary, assign the correct setting to the SELinux booleans:
# setsebool -P nfs_export_all_rw on
# setsebool -P nfs_export_all_ro on
# setsebool -P use_nfs_home_dirs on
Edit the /etc/exports file and add the following lines with the name (or IP address) of the client(s):
/home/tools client1(rw,no_root_squash)
/home/guests client2(rw,no_root_squash)
Note: Don’t put any space before the opening parenthesis; this would completely change the meaning of the line!
Export the directories:
# exportfs -avr
# systemctl restart nfs-server
Note: This last command shouldn’t be necessary in the future. But, for the time being, it avoids rebooting.
Check your configuration:
# showmount -e localhost
Export list for localhost:
/home/guests *
/home/tools  *
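
The space pitfall in /etc/exports noted above can be checked mechanically. The following Python script is an added example, not part of the original post: it splits export lines the way exports(5) does and reports every client spec that ends up applying to all hosts. The sample text is constructed from the page's two export lines plus a variant with the stray space, and the function names are this example's own.

```python
import re
import sys

# Constructed sample: the page's two export lines, then the first one again
# with a space before the opening parenthesis.
SAMPLE = """\
/home/tools client1(rw,no_root_squash)
/home/guests client2(rw,no_root_squash)
/home/tools client1 (rw,no_root_squash)
"""

# One whitespace-separated client spec: optional host, optional "(options)".
SPEC = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")

def parse_exports(text):
    """Return [(path, [(client, options), ...])] as exports(5) splits a line."""
    entries = []
    # A trailing backslash continues the line; '#' starts a comment.
    for line in text.replace("\\\n", " ").splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        specs = []
        for token in fields[1:]:
            m = SPEC.match(token)
            if m:  # tokens with unbalanced parentheses are skipped
                # A spec with no host part applies to every host ("*").
                opts = m.group(2).split(",") if m.group(2) else []
                specs.append((m.group(1) or "*", opts))
        entries.append((fields[0], specs))
    return entries

def audit(text):
    """Return [(path, detail)] for each spec that applies to every host."""
    findings = []
    for path, specs in parse_exports(text):
        for i, (client, opts) in enumerate(specs):
            if client != "*":
                continue
            detail = "exported to every host with " + (",".join(opts) or "default options")
            prev = specs[i - 1] if i else None
            if prev and prev[0] != "*" and not prev[1]:
                detail += "; likely a stray space after '%s'" % prev[0]
            findings.append((path, detail))
    return findings

if __name__ == "__main__":
    # Audit the file given as argument, or the constructed sample otherwise.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for path, detail in audit(text):
        print("%s: %s" % (path, detail))
```

With the stray space, client1 is left with the default options and the options in parentheses apply to every host.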

Client side configuration

On the client side, the commands are:
# yum install -y nfs-utils
# mount -t nfs nfsserver:/home/tools /mnt
