Troubleshooting NFS Permission Denied Errors When Writing to Mount Point (RHEL7)



Here's the exact configuration I encountered between two RHEL7 nodes:

# On NFS Server (10.164.175.246)
$ cat /etc/exports
/var/www/html/ ip-10-184-161-46.ec2.internal(rw)

# On NFS Client (10.184.161.46)
$ mount ip-10-164-175-246.ec2.internal:/var/www/html/ /mnt/
$ touch /mnt/testfile
touch: cannot touch '/mnt/testfile': Permission denied

First, verify these critical points on the server:

# Check export permissions
$ exportfs -v
/var/www/html ip-10-184-161-46.ec2.internal(rw,wdelay,no_root_squash)

# Verify directory permissions
$ ls -ld /var/www/html
drwxr-xr-x. 2 root root 4096 Aug 15 10:00 /var/www/html

# Check NFS service status
$ systemctl status nfs-server

The issue typically stems from one of these common NFS gotchas:

1. Directory ownership mismatch (client UID/GID vs server)
2. Missing no_root_squash when testing as root (root_squash is the default and maps client root to an unprivileged anonymous user)
3. SELinux context issues
4. Firewall blocking NFS ports (2049, 111, etc.)

Here's the complete fix that worked in my environment:

# On the NFS server:
$ chmod 777 /var/www/html
$ chown nobody:nobody /var/www/html
$ setsebool -P nfs_export_all_rw 1
$ systemctl restart nfs-server

# Update /etc/exports with:
/var/www/html ip-10-184-161-46.ec2.internal(rw,sync,no_root_squash,no_subtree_check)

# On the client:
$ umount /mnt
$ mount -o rw,hard,intr,rsize=8192,wsize=8192 ip-10-164-175-246.ec2.internal:/var/www/html /mnt
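
The export line in the fix above trusts client root (no_root_squash), so it is worth knowing which entries in an exports file carry that kind of option. The script below is an added example, not part of the original post: it reads exports(5) text and reports no_root_squash, rw exports to wildcard clients, and the insecure option. The function names, the severity labels and every sample entry except the first are assumptions made for the example, and continuation lines ending in a backslash are not handled.

```shell
#!/bin/sh
# Constructed sample: the first entry is the export line from the fix above,
# the remaining entries are made up for comparison.
sample_exports() {
    cat <<'EOF'
/var/www/html ip-10-184-161-46.ec2.internal(rw,sync,no_root_squash,no_subtree_check)
/srv/share *(rw,sync)
/srv/ro 10.0.0.0/24(ro,sync)
/srv/legacy 10.0.0.5(rw,insecure)
EOF
}

# audit_exports: read exports(5) text on stdin and print one tab-separated
# line per finding: SEVERITY, path, client, reason.
audit_exports() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {                    # split "host(opt,opt)" into parts
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            if (client == "") client = "*"  # bare "(opts)" applies to any host
            rw = 0; nrs = 0; insec = 0
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "rw") rw = 1
                if (o[j] == "no_root_squash") nrs = 1
                if (o[j] == "insecure") insec = 1
            }
            if (nrs)
                report("HIGH", "no_root_squash: client root is root on the export")
            if (rw && client ~ /[*?]/)
                report("HIGH", "rw export to a wildcard client")
            if (insec)
                report("MEDIUM", "insecure: requests from unprivileged ports accepted")
        }
    }
    function report(sev, why) { printf "%s\t%s\t%s\t%s\n", sev, path, client, why }
    '
}

sample_exports | audit_exports
```

On a server, run it as audit_exports < /etc/exports; an entry that produces no output uses none of the three flagged options.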

For deeper diagnostics, use these commands:

# Check NFS shares from client perspective
$ showmount -e ip-10-164-175-246.ec2.internal

# Verify actual mounted options
$ mount | grep /mnt

# Check NFS version negotiation
$ nfsstat -m

# Test SELinux context
$ ls -Z /var/www/html

For production environments, add to /etc/fstab:

ip-10-164-175-246.ec2.internal:/var/www/html /mnt nfs rw,hard,intr,noatime,nolock 0 0

Remember to test with different users and files to ensure proper permission inheritance.


When dealing with NFS permission issues, we need to consider multiple layers of security:

# Check current NFS export permissions
showmount -e nfs-server-ip

The most common culprits for NFS write permission issues include:

  • SELinux contexts mismatch
  • Incorrect export options in /etc/exports
  • UID/GID mapping problems between client and server
  • Filesystem permissions on the exported directory

First, verify the export configuration on the server:

# On NFS server
cat /etc/exports
# Should include proper options like:
/var/www/html client-ip(rw,sync,no_root_squash,no_all_squash)

Even with correct NFS exports, local permissions matter:

# On NFS server
ls -ld /var/www/html
chmod -R 755 /var/www/html
chown -R apache:apache /var/www/html  # Or appropriate user/group

Ensure these parameters are set in /etc/exports:

/path/to/export client-ip(rw,sync,no_subtree_check,no_root_squash)

Mount with proper options for better compatibility:

mount -t nfs -o rw,hard,intr,noatime,vers=3 server:/path /mnt/point

For RHEL/CentOS systems:

# Check SELinux status
getenforce
# Temporary diagnostic only: puts SELinux in permissive mode system-wide (not recommended for production)
setenforce 0
# Better solution
setsebool -P nfs_export_all_rw 1

Ensure proper ports are open:

# For NFSv3
firewall-cmd --add-service={nfs,mountd,rpc-bind}
firewall-cmd --runtime-to-permanent

After making changes, test thoroughly:

# On client
umount /mnt
mount -a
touch /mnt/testfile
echo "test" > /mnt/testfile

Use these commands for deeper investigation:

# Check NFS server logs
journalctl -u nfs-server

# Check client-side NFS stats
nfsstat -m

# Check RPC services
rpcinfo -p server-ip

Here's a complete working configuration example:

# On server /etc/exports
/var/www/html 10.184.161.46(rw,sync,no_root_squash,no_subtree_check)

# On server after editing exports
exportfs -rav

# On client /etc/fstab
server-ip:/var/www/html /mnt nfs rw,hard,intr,noatime,vers=3 0 0