NFS share
Overview
This guide explains how to expose directories via NFS.
Exposing application data as an NFS share makes it easier to copy large numbers of media files to or from Emby/Jellyfin, or to copy images into Surfer.
Insecure traffic
NFS traffic is unencrypted and can be tampered with. Only use NFS mounts on secure private networks.
Install NFS server
Run on the server:
sudo apt install nfs-kernel-server
Disable NFSv3
By default, the NFS server supports v3 and v4. NFSv3 has security implications and should be disabled.
- Edit /etc/nfs.conf (Ubuntu 22.04+) or /etc/default/nfs-kernel-server (older systems) and add:
RPCNFSDOPTS="-N 2 -N 3"
- Restart the server:
systemctl restart nfs-kernel-server
- Verify NFSv3 is disabled:
cat /proc/fs/nfsd/versions
Expected output:
-2 -3 +4 +4.1 +4.2
- Disable the rpcbind service (only required for NFSv3):
systemctl disable rpcbind.socket rpcbind.service
systemctl stop rpcbind.socket rpcbind.service
Exposing a directory
Edit /etc/exports and add a line:
# This exposes the data of the app with id app_id to the client IP address client_ip
/home/yellowtent/appsdata/app_id/data client_ip(rw,sync,no_subtree_check,no_root_squash)
Options:
- rw - Read and write access
- sync - Server replies after changes are committed to stable storage
- no_subtree_check - Skip checking if file access remains in the exported filesystem
- no_root_squash - Client root user maps to server root user
Export the directory
Export the configured NFS directory:
exportfs -a
systemctl restart nfs-kernel-server
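A read-only check of the two settings configured above, the enabled NFS versions and the per-client export options, is shown here as an added example; it is not part of the original guide or of Cloudron's tooling. The function names and the sample exports are constructed for illustration, and the 192.0.2.x addresses are documentation placeholders.

```shell
#!/bin/sh
# Added example: checks for the settings discussed in this guide.

# Succeeds only if a versions string (the format of /proc/fs/nfsd/versions)
# enables no NFS version below 4.
nfs_v4_only() {
    for _tok in $1; do
        case "$_tok" in
            +2|+3) return 1 ;;
        esac
    done
    return 0
}

# Reads exports(5) lines on stdin; prints one finding per client entry that
# is open to any host or that keeps client root as root (no_root_squash).
audit_exports() {
    set -f                                  # a bare '*' client must not glob
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line=${_line%%"#"*}                # drop comments
        set -- $_line                       # split on whitespace
        [ $# -ge 2 ] || continue            # need a path and a client entry
        _path=$1; shift
        for _entry in "$@"; do
            _client=${_entry%%"("*}         # text before the option list
            _opts=${_entry#"$_client"}
            _opts=${_opts#"("}; _opts=${_opts%")"}
            case "$_client" in
                ''|'*') echo "$_path: exported to any host" ;;
            esac
            case ",$_opts," in
                *,no_root_squash,*) echo "$_path: no_root_squash for ${_client:-any host}" ;;
            esac
        done
    done
    set +f
}

# Constructed sample input (not taken from a real server).
sample_exports() {
    cat <<'EOF'
# constructed sample in /etc/exports format
/home/yellowtent/appsdata/app_id/data 192.0.2.10(rw,sync,no_subtree_check,no_root_squash)
/srv/media 192.0.2.0/24(ro,sync,no_subtree_check)
/srv/pub *(ro,sync,no_subtree_check)
EOF
}

sample_exports | audit_exports
```

On the server itself, feed the real files instead of the sample: `audit_exports < /etc/exports` and `nfs_v4_only "$(cat /proc/fs/nfsd/versions)"`.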
Expose NFS port
NFS uses port 2049 (TCP/UDP). Add it to the firewall by editing /home/yellowtent/platformdata/firewall/ports.json:
{
"allowed_tcp_ports": [ 2049 ],
"allowed_udp_ports": [ 2049 ]
}
Restart the firewall:
systemctl restart cloudron-firewall
Mounting on client
Add the following entry to /etc/fstab on your laptop/PC:
cloudron_ip:/home/yellowtent/appsdata/app_id/data /mounts/app nfs auto,nofail,noatime,nolock,intr,tcp,actimeo=1800 0 0