TrueNAS SCALETrueNAS SCALE Nightly Development Documentation
This content follows experimental early release software. Use the Product and Version selectors above to view content specific to a stable software release.

Adding NFS Shares

About UNIX (NFS) Shares

Creating a Network File System (NFS) share on TrueNAS makes a lot of data available for anyone with share access. Depending on the share configuration, it can restrict users to read or write privileges.

NFS treats each dataset as its own file system. When creating the NFS share on the server, the specified dataset is the location that client accesses. If you choose a parent dataset as the NFS file share location, the client cannot access any nested or child datasets beneath the parent.

If you need to create shares that include child datasets, SMB sharing is an option. Note that Windows NFS Client versions currently support only NFSv2 and NFSv3.

The UDP protocol is deprecated and not supported with NFS. It is disabled by default in the Linux kernel. Using UDP over NFS on modern networks (1Gb+) can lead to data corruption caused by fragmentation during high loads.

Sharing Administrator Access

SCALE has implemented administrator roles to further comply with FIPS security hardening standards. The Sharing Admin role allows the user to create new shares and datasets, modify the dataset ACL permissions, and to start/restart the sharing service, but does not permit the user to modify users to grant the sharing administrator role to new or existing users.

Full Admin users retain full access control over shares and creating/modifying user accounts.

Creating an NFS Share and Dataset

It is best practice to use a dataset instead of a full pool for SMB and/or NFS shares. Sharing an entire pool makes it more difficult to later restrict access if needed.
You have the option to create the share and dataset at the same time from either the Add Dataset or Add NFS screens.

If creating a dataset and share from the Add Dataset screen, we recommend creating a new dataset with the Dataset Preset set to Generic for the new NFS share. Or you can set it to Multiprotocol and select only the NFS share type.

Creating a Dataset Using Add Dataset

To create a basic dataset, go to Datasets. Default settings include those inherited from the parent dataset.

Select a dataset (root, parent, or child), then click Add Dataset.

Enter a value in Name.

Select the Dataset Preset option you want to use. Options are:

  • Generic for non-SMB share datasets such as iSCSI and NFS share datasets or datasets not associated with application storage.
  • Multiprotocol for datasets optimized for SMB and NFS multi-mode shares or to create a dataset for NFS shares.
  • SMB for datasets optimized for SMB shares.
  • Apps for datasets optimized for application storage.

Generic sets ACL permissions equivalent to Unix permissions 755, granting the owner full control and the group and other users read and execute privileges.

SMB, Apps, and Multiprotocol inherit ACL permissions based on the parent dataset. If there is no ACL to inherit, one is calculated granting full control to the owner@, group@, members of the builtin_administrators group, and domain administrators. Modify control is granted to other members of the builtin_users group and directory services domain users.

Apps includes an additional entry granting modify control to group 568 (Apps).

ACL Settings for Dataset Presets
ACL TypeACL ModeCase SensitivityEnable atime

If creating an SMB or multi-protocol (SMB and NFS) share the dataset name value auto-populates the share name field with the dataset name.

If you plan to deploy container applications, the system automatically creates the ix-applications dataset, but this dataset is not used for application data storage. If you want to store data by application, create the dataset(s) first, then deploy your application. When creating a dataset for an application, select Apps as the Dataset Preset. This optimizes the dataset for use by an application.

If you want to configure advanced setting options, click Advanced Options. For the Sync option, we recommend production systems with critical data use the default Standard choice or increase to Always. Choosing Disabled is only suitable in situations where data loss from system crashes or power loss is acceptable.

Select either Sensitive or Insensitive from the Case Sensitivity dropdown. The Case Sensitivity setting is found under Advanced Options and is not editable after saving the dataset.

Click Save.

Review the Dataset Preset and Case Sensitivity under Advanced Options on the Add Dataset screen before clicking Save. You cannot change these or the Name setting after clicking Save.

To create the share and dataset from the Add NFS Share screen:

Go to Shares > Unix (NFS) Shares and click Add to open the Add NFS Share configuration screen.

Add NFS Basic Options
Figure 2: Add NFS Basic Options

Enter the path or use the arrow_right icon to the left of folder/mnt to locate the dataset and populate the path.

Browsing to select a path

Click the arrow to the left of the folder icon to expand that folder and show any child datasets and directories. A solid folder icon shows for datasets and an outlined folder for directories. A selected dataset or directory folder and name shows in blue.

Click Create Dataset, enter a name for the dataset and click Create. The system creates the dataset optimized for an NFS share, and populates the share Name and updates the Path with the dataset name. The dataset name is the share name.

Enter text to help identify the share in Description.

If needed, enter allowed networks and hosts.

If needed, adjust access permissions.

Click Save to create the share.

After adding the first NFS share, the system opens an enable service dialog.

Enable Service Dialog
Figure 4: Enable Service Dialog

Enable Service turns the NFS service on and changes the toolbar status to Running. If you wish to create the share without immediately enabling it, select Cancel.

Adding NFS Share Networks and Hosts

If you want to enter allowed networks, click Add to the right of Networks. Enter an IP address in Network and select the mask CIDR notation. Click Add for each network address and CIDR you want to define as an authorized network. Defining an authorized network restricts access to all other networks. Leave empty to allow all networks.

If you want to enter allowed systems, click Add to the right of Hosts. Enter a host name or IP address to allow that system access to the NFS share. Click Add for each allowed system you want to define. Defining authorized systems restricts access to all other systems. Press the X to delete the field and allow all systems access to the share.

Adjusting Access Permissions

If you want to tune the NFS share access permissions or define authorized networks, click Advanced Options.

Advanced Options Access Settings
Figure 5: Advanced Options Access Settings

Select Read-Only to prohibit writing to the share.

To map user permissions to the root user, enter a string or select the user from the Maproot User dropdown list. To map the user permissions to all clients, enter a string or select the user from the Mapall User dropdown list.

To map group permissions to the root user, enter a string or select the group from the Maproot Group dropdown list. To map the group permissions to all clients, enter a string or select the group from the Mapall Group dropdown list.

Select an option from the Security dropdown. If you select KRB5 security, you can use a Kerberos ticket. Otherwise, everything is based on IDs.

Security Types
SYSUses locally acquired UIDs and GIDs. No cryptographic security.
KRB5Uses Kerberos for authentication.
KRB5IUses Kerberos for authentication and includes a hash with each transaction to ensure integrity.
KRB5PUses Kerberos for authentication and encrypts all traffic between the client and server. KRB5P is the most secure but also incurs the most load.

Editing an NFS Share

To edit an existing NFS share, go to Shares > Unix Shares (NFS) and click the share you want to edit. The Edit NFS screen settings are identical to the share creation options, but you cannot create a new dataset.

Starting the NFS Service

To begin sharing, click the more_vert on the toolbar and select Turn On Service. Turn Off Service displays if NFS is on. Turn On Service displays if NFS is off.

Unix (NFS) Shares Widget Options
Figure 6: Unix (NFS) Shares Widget Options

Or you can go to System Settings > Services, locate NFS, and click the toggle to running. Select Start Automatically if you want NFS to activate when TrueNAS boots.

The NFS service does not automatically start on boot if all NFS shares are encrypted and locked.

Configuring NFS Service

You can configure the NFS service from either the System Settings > Services or the Shares > Unix Shares (NFS) widget.

To configure NFS service settings from the Services screen, click on the System Settings > Services screen to open the NFS service screen.

To configure NFS service settings from the Shares > Unix Shares (NFS) widget, click the Config Service from the more_vert dropdown menu on the widget header to open the NFS service screen. Unless you need specific settings, we recommend using the default NFS settings.

When TrueNAS is already connected to Active Directory, setting NFSv4 and Require Kerberos for NFSv4 also requires a Kerberos Keytab.

Connecting to the NFS Share

Although you can connect to an NFS share with various operating systems, we recommend using a Linux/Unix OS.

First, download the nfs-common kernel module. You can do this using the installed distribution package manager. For example, on Ubuntu/Debian, enter command sudo apt-get install nfs-common in the terminal.

After installing the module, connect to an NFS share by entering sudo mount -t nfs {IPaddressOfTrueNASsystem}:{path/to/nfsShare} {localMountPoint}. Where {IPaddressOfTrueNASsystem} is the remote TrueNAS system IP address that contains the NFS share, {path/to/nfsShare} is the path to the NFS share on the TrueNAS system, and {localMountPoint} is a local directory on the host system configured for the mounted NFS share. For example, sudo mount -t nfs /mnt mounts the NFS share NFS_Share to the local directory /mnt.

You can also use the Linux nconnect function to let your NFS mount support multiple TCP connections. To enable nconnect, enter sudo mount -t nfs -o rw,nconnect=16 {IPaddressOfTrueNASsystem}:{path/to/nfsShare} {localMountPoint}. Where {IPaddressOfTrueNASsystem}, {path/to/nfsShare}, and {localMountPoint} are the same ones you used when connecting to the share. For example, sudo mount -t nfs -o rw,nconnect=16 /mnt.

By default, anyone that connects to the NFS share only has read permission. To change the default permissions, edit the share, open the Advanced Options, and change the Access settings.

You must have ESXI 6.7 or later for read/write functionality with NFSv4 shares.