Network File Systems

When Sun Microsystems designed NFS in the early 1980s, they made a radical choice: the server would maintain no state about client activities. Every request would be self-contained, carrying all information needed for processing. The server would have no memory of previous interactions.

This decision—seemingly simple yet profoundly consequential—shaped everything about NFS: its remarkable resilience to failures, its performance characteristics, its consistency semantics, and even its limitations. Understanding stateless design is essential for anyone working with NFS, because virtually every NFS behavior can be traced back to this foundational choice.

In this page, we'll explore why statelessness was chosen, how it enables NFS's legendary crash recovery, the engineering challenges it creates, and how NFS accommodates operations that inherently require state.

To appreciate why NFS chose statelessness, we must understand the alternative—and its problems.

The Stateful Approach

A stateful file server maintains information about each client's session:

Client Session State (stateful server would track):
- Which files this client has open
- Current file positions (offsets)
- Lock ownership
- Pending operations
- Authentication session

This seems natural—after all, local file systems track open files. But in a distributed system, maintaining state creates severe complications:

The Stateless Solution

NFS sidesteps these problems elegantly: the server simply doesn't maintain per-client state.

• No session tracking — Clients don't 'log in' or establish connections
• No open file counts — The server doesn't know which files are 'open'
• No file positions — Each read/write includes the offset explicitly
• No cleanup required — Nothing to clean up when clients disappear

The server treats each request as independent. It looks up the file (via file handle), performs the operation, and forgets about the interaction immediately.

The stateless design works because NFS operations are designed to be idempotent: executing the same operation multiple times produces the same result as executing it once.

Formal Definition:

An operation f is idempotent if: f(f(x)) = f(x)

In NFS terms: sending the same request twice (due to a retry after timeout) should not corrupt the file system or produce errors.

Why Idempotency Matters

Consider what happens with a lost network packet:

1. Client sends READ request
2. Server receives request, sends response
3. Response is lost in the network
4. Client times out, doesn't know if request succeeded
5. Client retries by sending the same request
6. Server processes it again (doesn't know it's a retry)
7. Client receives response

With an idempotent READ, this is completely safe—reading the same data twice is harmless. But what about operations that might not be naturally idempotent?

Handling Non-Idempotent Operations

Some operations cannot be made naturally idempotent. NFS uses several strategies:

1. Exclusive Creation Verifier (NFSv3)

For CREATE with exclusive mode, the client sends a 64-bit verifier:

CREATE3args {
    diropargs3  where;      /* Directory + filename */
    createhow3  how;        /* UNCHECKED | GUARDED | EXCLUSIVE */
    createverf3 verf;       /* 64-bit verifier for EXCLUSIVE */
};

• First request: server creates file, stores verifier in file's metadata (mtime/atime)
• Duplicate request: server checks verifier matches, returns success (no error)

2. Server Reply Cache

Servers may maintain a cache of recent replies. If a duplicate request arrives:

• The server recognizes the XID (transaction ID) and client
• Returns the cached reply without re-executing the operation

Duplicate Request Detection:

Request arrives with XID=12345 from client 10.0.0.1
  ↓
Check reply cache: (client=10.0.0.1, xid=12345)
  ↓
Cache hit? → Return cached reply
Cache miss? → Process request, cache reply

The most celebrated benefit of NFS's stateless design is its exceptional crash recovery. Let's trace through exactly how different failure scenarios are handled.

Scenario 1: Server Crashes and Reboots

Consider an application reading a large file when the server suddenly reboots:

Timeline:

  Client                        Server
    |                             |  
    |--- READ(fh, off=0, 8K) --->|  Server receives, processing
    |<-- [data bytes 0-8K] ------|  Response sent
    |                             |  
    |--- READ(fh, off=8K, 8K) -->|  Request in flight
    |                             X  SERVER CRASHES
    |      [timeout...]           |  
    |                             |  (Server rebooting...)
    |--- READ(fh, off=8K, 8K) -->|  Client retries
    |                             |  SERVER BACK UP
    |                             |  
    |                             |  Server receives retry
    |                             |  Validates file handle
    |                             |  Reads from disk
    |<-- [data bytes 8K-16K] ----|  Response sent
    |                             |
    |  (Application continues    |
    |   reading, unaware of      |
    |   server crash!)           |

Why this works:

1. The READ request contains all necessary information (file handle, offset, count)
2. The server needs no memory of previous reads
3. The file handle remains valid across reboot (encoded in file metadata)
4. The client simply retries until success
5. The application never sees an error

Scenario 2: Client Crashes and Reboots

Timeline:

  Client                         Server
    |                              |
    |--- WRITE(fh, off=0, data)->  |  Server writes to cache
    |<-- OK ---------------------- |  Write acknowledged
    X  CLIENT CRASHES              |
                                   |  (Server doesn't notice)
    |  (Client rebooting...)       |
    |                              |
    |  (Application restarts,      |
    |   reopens file)              |
    |--- LOOKUP(dir_fh, "file") ->|  Normal operation
    |<-- file_fh + attrs --------- |  
    |                              |

Why this works:

1. The server has no per-client state to clean up
2. The written data is safely on the server
3. When the client restarts, it simply performs normal operations
4. No recovery protocol is needed

While statelessness works brilliantly for file I/O, it creates a fundamental problem for file locking. Locks are inherently stateful—they represent an ongoing relationship between a client and a file.

Why Locks Need State

Consider what a lock represents:

Client A: "I own the exclusive lock on file X"
           ↓
         This is STATE - the server must remember it
         to deny locks to Client B
           ↓
Client B: "Can I lock file X?"  
           ↓
         Server must consult state to answer

The Dilemma:

• Without server-maintained state, Client B has no way to know Client A holds the lock
• But maintaining state reintroduces all the crash recovery problems we avoided
• UNIX applications expect flock() and fcntl() locking to work

The Solution: Auxiliary Stateful Protocols

NFS solved this by separating concerns:

1. Core NFS Protocol — Remains stateless (file I/O, metadata)
2. Network Lock Manager (NLM) — Separate stateful protocol for locking
3. Network Status Monitor (NSM) — Monitors machine health for lock recovery

This separation means that a crash affects only the locking subsystem, not basic file operations.

The Network Lock Manager (NLM) Protocol

NLM is a separate RPC service (program 100021) that handles lock operations:

• NLM_LOCK — Request a lock (blocking or non-blocking)
• NLM_UNLOCK — Release a lock
• NLM_TEST — Test if a lock would succeed
• NLM_CANCEL — Cancel a pending lock request
• NLM_GRANTED — Callback: previously blocked lock now available

Locking Sequence:

  Client A                Lock Manager              Client B
     |                         |                       |
     |--- NLM_LOCK(file) ----->|                       |
     |<-- NLM_LOCK_RES(ok) ----|  [A owns lock]        |
     |                         |                       |
     |                         |<--- NLM_LOCK(file) ---|
     |                         |  [blocked - A has it] |
     |                         |                       |
     |--- NLM_UNLOCK(file) --->|                       |
     |<-- NLM_UNLOCK_RES(ok) --|                       |
     |                         |                       |
     |                         |--- NLM_GRANTED ------>|
     |                         |<-- NLM_GRANTED_RES ---|  
     |                         |  [B now owns lock]    |

Locks create a new crash recovery problem: what happens to locks when machines fail? This is where the Network Status Monitor (NSM) protocol comes in.

The Lock Recovery Problem

Scenario: Server Crashes While Holding Lock State

1. Client A holds lock on file X
2. Client B is blocked waiting for the lock
3. Server crashes, losing all lock state
4. Server reboots
5. ??? What happens to the locks?

Without a recovery mechanism:

• Client A thinks it still holds the lock
• Client B's blocked request was lost
• New lock requests might conflict with Client A's 'ghost' lock
• Or the server might grant locks that conflict with Client A's assumption

NSM Protocol Operation

NSM (program 100024) tracks the health of networked machines and provides crash notifications:

On Startup (SM_NOTIFY): When a machine boots, its statd daemon notifies all previously-registered peers:

"I'm machine X. My state counter is now 5."

State counter increments on each reboot, so peers know this is a fresh boot.

Monitor Registration (SM_MON): When a client locks a file, its lockd tells statd:

"Monitor server.example.com. If it reboots, tell me."

Crash Notification: When the server reboots and sends SM_NOTIFY:

• Client's statd receives notification
• Client's statd tells local lockd: "Server rebooted!"
• Client's lockd initiates lock recovery

The Grace Period

When the server's lock manager restarts, it enters a grace period (typically 90 seconds):

• During grace period:

  • Only lock reclaim requests accepted (clients recovering existing locks)
  • New lock requests rejected with 'denied_grace_period'
  • This ensures previous lock holders can re-establish their locks

• After grace period:

  • Normal lock operations resume
  • Any locks not reclaimed are considered abandoned

This mechanism prevents a race where new lock requests sneak in before legitimate owners can reclaim their locks.

Statelessness creates an interesting problem with file deletion. In UNIX, a deleted file remains accessible to processes that have it open—they hold references to the inode. But NFS has no concept of 'open files'.

The UNIX Deletion Model

Local File System:

1. Process A opens file X (gets file descriptor)
2. Process B deletes file X
3. File disappears from directory (unlinked)
4. Process A can still read/write via its file descriptor
5. When Process A closes, the inode is freed

This works because the kernel tracks open files and delays
actual deletion until the reference count reaches zero.

The NFS Problem

With NFS, the server doesn't know the client has the file 'open':

1. Client A opens file X (gets file handle)
2. Client B deletes file X (REMOVE RPC)
3. Server removes directory entry AND inode (no references known)
4. Client A tries to read via its file handle
5. Server: "File not found!" (NFS3ERR_STALE)
6. Application on Client A gets unexpected error

This violates UNIX semantics that applications depend on.

The 'Silly Rename' Solution

The NFS client implements a workaround called silly rename:

When a file is deleted but has open references on the client:

1. Client detects: "file is open locally"
2. Instead of REMOVE, client sends RENAME
3. File is renamed to .nfsXXXXXXXXXXXXXXXX (unique temporary name)
4. Client continues using file via existing handle
5. When all local references close, client sends REMOVE for the silly name

This preserves UNIX semantics while working within NFS's stateless model.

NFSv4, released in 2003, represents a significant evolution: it deliberately incorporates limited statefulness to address the most painful limitations of the stateless model while preserving its benefits.

Key NFSv4 Stateful Features:

Delegations: Caching with Confidence

A delegation is the server saying to a client: "I delegate control of this file to you. Until I recall the delegation, you can cache and modify without asking me."

Delegation Types:

- Read Delegation: "No one else will modify this file"
  → Client can cache reads without revalidating
  
- Write Delegation: "No one else will read or modify this file"
  → Client can cache writes locally without sending to server

The server tracks delegations. If another client wants access that conflicts with a delegation, the server issues a recall:

1. Client A has write delegation on file X
2. Client B tries to open file X
3. Server: "Wait, I need to recall A's delegation"
4. Server → Client A: CB_RECALL (give back your delegation)
5. Client A flushes cached writes, returns delegation
6. Server → Client B: "OK, proceed with open"

This requires the server to maintain state about delegations, but provides significant performance benefits.

Leases: State with Expiration

NFSv4 uses leases to bound the lifetime of state. Every piece of state (delegation, lock, open file) has a lease period:

• Default: 90 seconds
• Client must renew before expiration
• If lease expires, state is revoked

This solves the client-crash cleanup problem:

Client crash scenario:

1. Client holds lock on file (with 90-second lease)
2. Client crashes, stops sending renewals
3. 90 seconds elapse
4. Server: "Lease expired, revoking state"
5. State cleaned up automatically
6. Other clients can now acquire lock

Renewal is efficient—a single SEQUENCE or RENEW operation extends all of a client's leases.

The stateless protocol design is one of NFS's most important and influential architectural decisions. Let's consolidate what we've learned:

What's Next

With statelessness understood, we're ready to explore NFS Versions—the evolution from NFSv2 through NFSv4.2. We'll see how each version addressed limitations of its predecessors while maintaining compatibility, and understand the specific features and trade-offs of each version. This practical knowledge helps you choose the right NFS version for your deployment.