Network File System (NFS)
Distributed file system protocol. Mounts remote file systems over network. Standard for file sharing in UNIX/Linux environments.
Overview
Network File System (NFS) is a distributed file system protocol for sharing file systems over a network. Developed by Sun Microsystems (now Oracle), it has a long history as the standard file sharing solution in UNIX/Linux environments. It allows remote file systems to be mounted transparently, like local file systems, so that multiple clients can access the same file resources simultaneously. NFSv4 offers enhanced security, performance, and reliability, and is widely adopted in enterprise environments and cloud infrastructure.
Details
As of 2025, NFS continues to evolve as the foundational technology for distributed file systems in UNIX/Linux environments. With stability and maturity proven over a track record of more than 40 years, its scope has expanded from High Performance Computing (HPC) and cloud-native applications to volume sharing in container environments. NFSv4.2 introduces parallel NFS (pNFS), session management, and enhanced security features, significantly improving performance and scalability in large-scale distributed environments. It is also used for Persistent Volumes in Kubernetes environments, making it an important storage solution in modern container orchestration platforms.
Key Features
- Transparent File Access: Same operability as local file systems
- Protocol Maturity: High stability through over 40 years of track record
- Cross-Platform Support: Complete compatibility between UNIX/Linux systems
- Scalability: High performance in large-scale distributed environments
- Enhanced Security: Kerberos authentication and encrypted communication support
- pNFS Support: High throughput through parallel access
Pros and Cons
Pros
- Reliability and stability through long track record in UNIX/Linux environments
- Easy management through simple client-server architecture
- Standard support in many Linux distributions
- Rich implementation examples in container environments including Kubernetes
- High performance and low overhead
- Advanced file system features like file locking and access control
Cons
- Additional software required for Windows client usage
- Lower resilience to network failures compared to SMB/CIFS
- Complex security configuration requiring specialized knowledge
- Performance degradation possible when handling large files
- Bandwidth and latency constraints for WAN usage
- Complexity of cache management on client side
Code Examples
Installation and Basic Setup
# Installation on Ubuntu/Debian
sudo apt update
sudo apt install nfs-kernel-server nfs-common
# Installation on CentOS/RHEL/Fedora
sudo dnf install nfs-utils
# Check service status
sudo systemctl status nfs-server
sudo systemctl status rpcbind
# Enable and start services
sudo systemctl enable nfs-server rpcbind
sudo systemctl start nfs-server rpcbind
# Check NFS version
rpcinfo -p | grep nfs
# Check available NFS services
showmount -e localhost
Basic Export Configuration (/etc/exports)
# Create export configuration file
sudo tee /etc/exports << 'EOF'
# Basic read-write share
/srv/nfs/public *(rw,sync,no_subtree_check)
# Allow access only from specific network
/srv/nfs/private 192.168.1.0/24(rw,sync,no_subtree_check,no_root_squash)
# Read-only share
/srv/nfs/readonly *(ro,sync,no_subtree_check)
# Home directory share
/home *.example.com(rw,sync,no_subtree_check,root_squash)
# High performance configuration
/srv/nfs/fast 192.168.1.100(rw,async,no_subtree_check,no_root_squash,wdelay,nohide)
# Secure configuration (without Kerberos)
/srv/nfs/secure 192.168.1.0/24(rw,sync,no_subtree_check,secure,root_squash)
EOF
# Create shared directories
sudo mkdir -p /srv/nfs/{public,private,readonly,fast,secure}
# Set permissions
sudo chown -R nobody:nogroup /srv/nfs/
sudo chmod -R 755 /srv/nfs/
# Reload export configuration
sudo exportfs -ra
# Check export status
sudo exportfs -v
showmount -e
Client-side Mount Configuration
# Install NFS client packages
sudo apt install nfs-common # Ubuntu/Debian
sudo dnf install nfs-utils # CentOS/RHEL/Fedora
# Manual mount
sudo mkdir -p /mnt/nfs/{public,private}
# Basic mount
sudo mount -t nfs server.example.com:/srv/nfs/public /mnt/nfs/public
# High performance mount
sudo mount -t nfs -o vers=4.2,proto=tcp,rsize=32768,wsize=32768,timeo=14,intr \
server.example.com:/srv/nfs/fast /mnt/nfs/fast
# Persistent configuration in /etc/fstab
sudo tee -a /etc/fstab << 'EOF'
# NFS mount configuration
server.example.com:/srv/nfs/public /mnt/nfs/public nfs4 defaults,user,auto,noatime,intr 0 0
server.example.com:/srv/nfs/private /mnt/nfs/private nfs4 rw,hard,intr,rsize=8192,wsize=8192,timeo=14 0 0
EOF
# Test fstab configuration
sudo mount -a
# Check mount status
mount | grep nfs
df -h | grep nfs
Security Configuration and Kerberos Integration
# Install Kerberos related packages
sudo apt install krb5-user krb5-config # Ubuntu/Debian
sudo dnf install krb5-workstation # CentOS/RHEL/Fedora
# Kerberos configuration (/etc/krb5.conf)
sudo tee /etc/krb5.conf << 'EOF'
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
EXAMPLE.COM = {
kdc = kdc.example.com
admin_server = kdc.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
EOF
# NFS with Kerberos authentication configuration (/etc/exports)
sudo tee /etc/exports << 'EOF'
# Kerberos authentication required
/srv/nfs/krb5 *(rw,sync,sec=krb5,no_subtree_check)
# Kerberos encryption
/srv/nfs/krb5p *(rw,sync,sec=krb5p,no_subtree_check)
# Kerberos integrity check
/srv/nfs/krb5i *(rw,sync,sec=krb5i,no_subtree_check)
EOF
# NFS Kerberos configuration (/etc/default/nfs-kernel-server)
sudo tee -a /etc/default/nfs-kernel-server << 'EOF'
# Kerberos configuration
NEED_SVCGSSD="yes"
RPCGSSDOPTS="-vvv"
EOF
# Configure gssd daemon
sudo systemctl enable nfs-idmapd rpc-gssd
sudo systemctl start nfs-idmapd rpc-gssd
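# Create host principal (run on KDC)
# ktadd writes the key to the keytab on the machine where it runs; the nfs/ entry must then be transferred securely into /etc/krb5.keytab on the NFS server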
kadmin.local -q "addprinc -randkey nfs/nfsserver.example.com"
kadmin.local -q "ktadd -k /etc/krb5.keytab nfs/nfsserver.example.com"
# Set keytab file permissions
sudo chmod 600 /etc/krb5.keytab
sudo chown root:root /etc/krb5.keytab
Advanced Configuration and Performance Tuning
# High performance NFS configuration (/etc/default/nfs-kernel-server)
sudo tee /etc/default/nfs-kernel-server << 'EOF'
# Increase NFS thread count
RPCNFSDCOUNT=16
# Fix NFS ports (for firewall configuration); rpc.nfsd takes a single --port
RPCNFSDOPTS="--port 2049"
RPCMOUNTDOPTS="--port 20048"
RPCSTATDOPTS="--port 32765 --outgoing-port 32766"
# Enable debug logging (--debug takes no argument)
RPCNFSDOPTS="$RPCNFSDOPTS --debug"
EOF
# Kernel parameter tuning (/etc/sysctl.conf)
sudo tee -a /etc/sysctl.conf << 'EOF'
# NFS performance improvement
fs.nfs.nfs_congestion_kb = 164000
net.core.rmem_default = 262144
net.core.rmem_max = 16777216
net.core.wmem_default = 262144
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_rmem = 4096 65536 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
EOF
# Apply kernel parameters
sudo sysctl -p
# High-speed export configuration (/etc/exports)
sudo tee /etc/exports << 'EOF'
# High performance configuration (any host, client root not squashed, unprivileged source ports accepted)
/srv/nfs/hpc *(rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure)
# pNFS support configuration
/srv/nfs/pnfs *(rw,sync,pnfs,no_subtree_check)
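# Cache optimization (FS-Cache is enabled per client with the "fsc" mount option, not in /etc/exports)
/srv/nfs/cache *(rw,sync,no_subtree_check,no_acl)
EOF
# NFSv4.2 only configuration ([nfsd] section of /etc/nfs.conf, applied when nfs-server restarts)
# If the file already has an [nfsd] section, merge these keys into it instead of appending
sudo tee -a /etc/nfs.conf << 'EOF'
[nfsd]
vers3=n
vers4.0=n
vers4.1=n
vers4.2=y
EOF
sudo systemctl restart nfs-server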
# Reload exports
sudo exportfs -ra
Monitoring and Troubleshooting
# Display NFS statistics
nfsstat -s # Server statistics
nfsstat -c # Client statistics
nfsstat -m # Mount statistics
# RPC statistics
rpcinfo -p
rpcinfo -t localhost nfs
# Check active connections
sudo netstat -an | grep :2049
sudo ss -tuln | grep :2049
# Check NFS file handles
sudo cat /proc/net/rpc/nfsd.fh/content
# Client connection status
sudo showmount -a
# Log monitoring
sudo journalctl -u nfs-server -f
sudo tail -f /var/log/messages | grep nfs
# Enable debug mode
echo 'module nfs +p' | sudo tee /sys/kernel/debug/dynamic_debug/control
echo 'module nfsd +p' | sudo tee /sys/kernel/debug/dynamic_debug/control
# Performance measurement (the target must be on an NFS mount, here /mnt/nfs/public from the client setup)
# Write performance test
time dd if=/dev/zero of=/mnt/nfs/public/test bs=1M count=1000
# Read performance test
echo 3 | sudo tee /proc/sys/vm/drop_caches
time dd if=/mnt/nfs/public/test of=/dev/null bs=1M
# Parallel access test
for i in {1..4}; do
  (dd if=/dev/zero of=/mnt/nfs/public/test$i bs=1M count=250) &
done
wait
Security Hardening and Best Practices
# Firewall configuration (UFW)
sudo ufw allow from 192.168.1.0/24 to any port 2049
sudo ufw allow from 192.168.1.0/24 to any port 111
sudo ufw allow from 192.168.1.0/24 to any port 20048
# Firewall configuration (firewalld)
sudo firewall-cmd --permanent --add-service=nfs
sudo firewall-cmd --permanent --add-service=rpc-bind
sudo firewall-cmd --permanent --add-service=mountd
sudo firewall-cmd --reload
# Secure export configuration example
sudo tee /etc/exports << 'EOF'
# Principle of least privilege
/srv/nfs/data 192.168.1.0/24(rw,sync,no_subtree_check,root_squash,all_squash,anonuid=65534,anongid=65534)
# Share safely as read-only
/srv/nfs/shared *(ro,sync,no_subtree_check,root_squash)
# Administrator access only
/srv/nfs/admin 192.168.1.10(rw,sync,no_subtree_check,no_root_squash) 192.168.1.11(ro,sync,no_subtree_check,root_squash)
EOF
# Log audit configuration
sudo tee -a /etc/rsyslog.conf << 'EOF'
# NFS log separation
daemon.info /var/log/nfs.log
kern.info /var/log/nfs-kernel.log
EOF
sudo systemctl restart rsyslog
# Regular backup script
sudo tee /etc/cron.daily/nfs-backup > /dev/null << 'EOF'
#!/bin/bash
# NFS configuration backup
BACKUP_DIR="/backup/nfs/$(date +%Y%m%d)"
mkdir -p "$BACKUP_DIR"
# Backup configuration files
cp /etc/exports "$BACKUP_DIR/"
cp /etc/default/nfs-kernel-server "$BACKUP_DIR/"
cp /etc/krb5.conf "$BACKUP_DIR/"
cp /etc/fstab "$BACKUP_DIR/"
# Save current export status
exportfs -v > "$BACKUP_DIR/current-exports.txt"
showmount -a > "$BACKUP_DIR/current-mounts.txt"
# Remove old backups (30 days retention); only the dated subdirectories, never /backup/nfs itself
find /backup/nfs/ -mindepth 1 -maxdepth 1 -type d -mtime +30 -exec rm -rf {} +
EOF
sudo chmod +x /etc/cron.daily/nfs-backup
# NFS statistics monitoring script
sudo tee /usr/local/bin/nfs-monitor > /dev/null << 'EOF'
#!/bin/bash
# NFS monitoring script
echo "=== NFS Server Status $(date) ==="
systemctl is-active nfs-server
echo
echo "=== Current Exports ==="
exportfs -v
echo
echo "=== Active Connections ==="
showmount -a
echo
echo "=== Performance Statistics ==="
nfsstat -s | head -20
echo
echo "=== Disk Usage ==="
df -h | grep "/srv/nfs"
EOF
sudo chmod +x /usr/local/bin/nfs-monitor
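The export examples on this page mix hardened entries with permissive ones (`no_root_squash`, `insecure`, read-write access for `*`). The following audit function is an added example, not part of the original page; the function names, finding labels and the sample file (export lines copied from this page) are assumptions made for illustration.

```bash
#!/bin/sh
# Audit an exports(5) file for three risky option combinations.
# Output: one line per finding, "<path> <client> <FINDING>".
audit_exports() {
  awk '
    /^[ \t]*(#|$)/ { next }                    # skip comments and blank lines
    {
      path = $1
      for (i = 2; i <= NF; i++) {
        client = $i; opts = ""
        if (match($i, /\(.*\)$/)) {            # split "client(opt,opt,...)"
          client = substr($i, 1, RSTART - 1)
          opts   = substr($i, RSTART + 1, RLENGTH - 2)
        }
        if (client == "") client = "*"         # bare "(opts)" applies to every host
        split("", has)                         # portable way to clear the array
        n = split(opts, o, ",")
        for (j = 1; j <= n; j++) has[o[j]] = 1
        # Client root keeps uid 0 on the exported file system.
        if ("no_root_squash" in has) print path, client, "NO_ROOT_SQUASH"
        # Requests from unprivileged (>1023) source ports are accepted.
        if ("insecure" in has) print path, client, "UNPRIVILEGED_PORTS"
        # Any host that can reach the server may mount read-write.
        if (client == "*" && ("rw" in has)) print path, client, "WORLD_RW"
      }
    }' "${1:--}"
}

# Constructed sample: export lines copied from the examples on this page.
sample_exports() {
  cat << 'EOF'
# comment lines are ignored
/srv/nfs/public *(rw,sync,no_subtree_check)
/srv/nfs/hpc *(rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure)
/srv/nfs/data 192.168.1.0/24(rw,sync,no_subtree_check,root_squash,all_squash,anonuid=65534,anongid=65534)
/srv/nfs/admin 192.168.1.10(rw,sync,no_subtree_check,no_root_squash) 192.168.1.11(ro,sync,no_subtree_check,root_squash)
EOF
}

sample_exports | audit_exports
```

On a server, run it as `audit_exports /etc/exports`; continuation lines and default-option (`-opts`) entries are not handled.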