
Setup and Run NFS server on Ubuntu 20.04

Jun 22, 2020 by: Tarek Elsamni

NFS, or Network File System, is a distributed file system protocol that allows you to mount remote directories on your server. This lets you manage storage space in a different location and write to that space from multiple clients. NFS provides a relatively standard and performant way to access remote systems over a network and works well in situations where the shared resources must be accessed regularly.

In this guide, we’ll go over how to install the software needed for NFS functionality on Ubuntu 20.04.

Prerequisites

  • Ubuntu 20.04 server with a non-root user and sudo privileges.
  • A firewall set up with UFW
  • Private networking, if it’s available to you.

Step 1: Downloading and Installing the NFS server

Install the nfs-kernel-server package, which will allow you to share your directories. Since this is the first operation that you’re performing with apt in this session, refresh your local package index before the installation:

$ sudo apt update
$ sudo apt install nfs-kernel-server

Step 2: Creating the Share Directories on the Host

First, make the share directory:

$ sudo mkdir /var/nfs/general -p

Since we’re creating it with sudo, the directory is owned by the host’s root user:

$ ls -la /var/nfs/general
drwxr-xr-x 2 root root 4096 May 14 18:36 .

NFS will translate any root operations on the client to the nobody:nogroup credentials as a security measure. Therefore, we need to change the directory ownership to match those credentials.

$ sudo chown nobody:nogroup /var/nfs/general

You’re now ready to export this directory.

Step 3: Configuring the NFS Exports

Next, we’ll dive into the NFS configuration file to set up the sharing of these resources.

Open the /etc/exports file in your text editor with root privileges:

$ sudo nano /etc/exports

The file has comments showing the general structure of each configuration line. The syntax is as follows:

directory_to_share    client(share_option1,...,share_optionN)

We’ll need to create a line for each of the directories that we plan to share. Be sure to change the client_ip placeholder shown here to the client's actual IP address:

/var/nfs/general    client_ip(rw,sync,no_subtree_check)

When you are finished making your changes, save and close the file. Then, to make the shares available to the clients that you configured, restart the NFS server with the following command:

$ sudo systemctl restart nfs-kernel-server
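A check worth running on the export lines from Step 3 before each restart, added here as an example and not part of the original guide: it flags a client_ip placeholder that was never replaced, exports that reach every host, and options that undo the nobody:nogroup mapping described in Step 2. The function names, the sample paths other than /var/nfs/general, and the 203.0.113.10 address are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint NFS export lines before restarting nfs-kernel-server.
# Reads the file named in $1, or stdin; prints one finding per problem and
# returns non-zero if anything was found.
audit_exports() {
    awk '
    function warn(dir, msg) { print dir ": " msg; n++ }
    { sub(/#.*/, "") }                      # strip comments
    NF == 0 { next }                        # skip blank lines
    NF == 1 { warn($1, "no client listed, exported to every host"); next }
    {
        for (i = 2; i <= NF; i++) {
            p = index($i, "(")
            host = p ? substr($i, 1, p - 1) : $i
            opts = p ? ("," substr($i, p + 1, length($i) - p - 1) ",") : ","
            if (host == "")
                warn($1, "options " $i " apply to every host (stray space before the parenthesis?)")
            else if (host ~ /[*?]/ || host == "0.0.0.0/0")
                warn($1, "wildcard client " host " is broader than a single address")
            else if (host == "client_ip")
                warn($1, "client_ip placeholder was not replaced")
            if (index(opts, ",no_root_squash,"))
                warn($1, "no_root_squash lets client root act as root instead of nobody:nogroup")
            if (index(opts, ",insecure,"))
                warn($1, "insecure accepts requests from unprivileged source ports")
        }
    }
    END { exit (n > 0) }
    ' "${1:--}"
}

# Constructed sample input; only the first line follows the guide as written.
sample_exports() {
    cat <<'EOF'
/var/nfs/general   203.0.113.10(rw,sync,no_subtree_check)
/srv/scratch       client_ip(rw,sync,no_subtree_check)
/srv/backup        *(rw,sync,no_root_squash)
/srv/media         203.0.113.10 (ro,sync)   # note the stray space
EOF
}

sample_exports | audit_exports || echo "fix the findings above before restarting"
```

On the host, run it as audit_exports /etc/exports; the non-zero return status makes it usable as a gate in a deployment script.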

Before you can actually use the new shares, however, you’ll need to be sure that traffic to the shares is permitted by firewall rules.

Step 4: Adjusting the Firewall

First, let’s check the firewall status to see if it’s enabled and, if so, to see what’s currently permitted:

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)

On our system, only SSH traffic is being allowed through, so we’ll need to add a rule for NFS traffic.

With many applications, you can use sudo ufw app list and enable them by name, but nfs is not one of those. However, because ufw also checks /etc/services for the port and protocol of a service, we can still add NFS by name. Best practice recommends that you enable the most restrictive rule that will still allow the traffic you want to permit, so rather than enabling traffic from just anywhere, we’ll be specific.

Use the following command to open port 2049 on the host, being sure to substitute your client IP address:

$ sudo ufw allow from client_ip to any port nfs

You can verify the change by typing:

$ sudo ufw status

You should see traffic allowed on port 2049 in the output:

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                 
2049                       ALLOW       client_ip        
OpenSSH (v6)               ALLOW       Anywhere (v6)

This confirms that UFW will only allow NFS traffic on port 2049 from our client machine.

Step 5: Mount the NFS volume on an NFS client (on K8s)

You can follow this tutorial to mount the exported directories as an NFS volume on K8s using the Container Storage Interface (CSI).

Conclusion

In this tutorial, we created an NFS host. If you’re looking to implement NFS in production, it’s important to note that the protocol itself is not encrypted. In cases where you’re sharing over a private network, this may not be a problem. In other cases, a VPN or some other type of encrypted tunnel will be necessary to protect your data.
