Thread: NFS v4 finally sorted

  1. #1
    Join Date
    Apr 2011
    Location
    Stockholm
    Posts
    84

    Default NFS v4 finally sorted

    I'm new to this forum. Please forgive me for not having searched all the
    posts before posting myself but I've got to get this off my chest. For
    the last week I've searched high and low for a concise and usable description
    of NFS v4. The system manual just didn't do it right. Finally I think I've
    got it figured out but correct info has been pieced together from various
    sources. There is much confusion regarding NFS v4 on the Internet so I
    hope my findings may help a little along the way.

    My setup:
    Server: OpenSuse 11.1 kernel 2.6.27.56-0.1-pae 32 bit
    Client: OpenSuse 11.4 kernel 2.6.37.1-1.2-desktop 64 bit

    It has taken me a week to get a working configuration. There have been errors
    in the manuals and important things have not been mentioned...

    The short story:
    1. All the empty directories in the pseudo file system must be exported in
    /etc/exports i.e. it's not the info you want to share that's directly exported.
    The actual share is mounted via bind on a sub dir in the pseudo file system.
    2. Either the option crossmnt has to be set for the pseudo root or the option nohide
    must be set for exported sub dirs in the pseudo file system. Otherwise the real
    share only shows up on the server but not on the client, which then only sees the
    empty dir structure of the pseudo file system.
    3. The port used by mountd has to be locked by setting MOUNTD_PORT="20048"
    in /etc/sysconfig/nfs. Otherwise mountd will use different ports from time to
    time and connection attempts will be blocked by the firewall and eventually
    time out if not by chance the picked port happens to be 20048.

    The long story:
    Assume the following pseudo filesystem

    /nfs4exports
    /nfs4exports/dir1
    /nfs4exports/dir2

    and the following shares

    /path-to-shared-dir1
    /path-to-shared-dir2

    Allow everybody everything in the pseudo file system (for most things below you need to be root):
    Code:
    chmod --recursive 777 /nfs4exports
    Access control is done by uid/gid for the real shares through nfs, cf. NFS-HOWTO at LDP.

    Edit /etc/exports like so:

    /nfs4exports *(fsid=0,rw,root_squash,sync,no_subtree_check)
    /nfs4exports/dir1 *(rw,nohide,root_squash,sync,no_subtree_check,bind=/path-to-shared-dir1)
    /nfs4exports/dir2 *(rw,nohide,root_squash,sync,no_subtree_check,bind=/path-to-shared-dir2)

    The option fsid=0 marks the pseudo root. The option bind=/... causes the shared directory
    to be mounted on the corresponding dir in the pseudo file system. This is evident by doing:

    Code:
    cat /etc/mtab
    on the server machine once the nfsserver is up and running.

    As mentioned above crossmnt may be set for the pseudo root instead of setting nohide
    for the sub dirs. If crossmnt/nohide is omitted the shared directories get mounted on
    the pseudo file system and show up there on the server but the client only sees the empty
    pseudo file system.

    The wild card "*" may be replaced by hostname, IP or IP/NETMASK to restrict access.
    If hostnames are used a working DNS is required.

    Finally don't forget to set MOUNTD_PORT="20048" in /etc/sysconfig/nfs if you plan on
    using a firewall on your server. The actual port number is not important as long as
    it's not used by any other process. 20048 is dedicated to the NFS mountd and is the
    one opened in the firewall, cf. http://www.iana.org/assignments/port-numbers.

    Don't trust the manuals if you're running OpenSuse 11.x unless x=4. The reference manuals
    of 11.1-11.3 do not mention crossmnt/nohide nor do they say anything about the mountd
    port number. Moreover 11.1 will have you export the shared directory and set
    bind=/pseudo-root/subdir whereas 11.2 and 11.3 are unclear on the subject, maybe on
    purpose or maybe I don't understand the German.

    Be warned that if you do follow the 11.1 manual then the empty sub dir of the
    pseudo file system gets mounted on top of your shared directory thus hiding its content.
    As I'm running 11.1 on my server maybe you can imagine the horror I felt when my shared
    data suddenly vanished. At that point I had no clue so naturally I feared the worst had
    happened. As for 11.4 it looks like the reference manual is correct and maybe Yast also
    locks the mountd port for you. I haven't tried it though.

    It's also worth mentioning a few points on the client side. Here it looks like the manuals
    do it right and you simply mount the nfs share by doing:

    Code:
    mount server:/ /path-to-mountpoint/
    which is much simpler than for NFS v3 or older where you have to do:

    Code:
    mount server:/path-to-share  /path-to-mountpoint/
    for every shared directory instead of only once. Of course you can also do:

    Code:
    mount -t nfs4 ....
    but it's not necessary as the mount process will assume nfs due to the form of the
    command. There is also a host of other options described in the man pages that you
    may use to tweak the connection not to mention automating via /etc/fstab or automount.

    Why NFS v4? On the server it takes about the same amount of work to set it up as earlier
    versions but you do control the pseudo file system and all the shared info will be at
    one point on the client. The downside is that so far complete reference info is hard
    to come by in one place only. An obvious advantage is that the client
    only needs to know the name of the server.

    Many references out there make a point of the files /etc/hosts.deny and /etc/hosts.allow.
    OpenSuse 11.x and onwards by default controls access by running an iptables firewall.
    The hosts.deny and hosts.allow files have nothing to do with the firewall and you don't
    have to worry about them unless you plan on skipping the firewall and activate control
    by xinetd (TCP wrappers). By default this is not activated. (Maybe Suse inactivated
    xinetd prior to OpenSuse 11.x but my acquaintance started with 11.0.)

    Happy NFS-ing!
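
The three /etc/exports pitfalls from the post above (wildcard clients, sub dirs without nohide/crossmnt, and a bind= that points into the pseudo root) expressed as a check. This is an added example, not part of the original post; the sample file and the finding codes are constructed, and `bind=` is handled the way the post's OpenSuse exports use it.

```python
import re

# Constructed sample: the thread's layout with nohide dropped from dir2, plus an
# entry in the style the post warns about (share exported, bind= into the pseudo root).
SAMPLE_EXPORTS = """\
/nfs4exports *(fsid=0,rw,root_squash,sync,no_subtree_check)
/nfs4exports/dir1 192.168.1.0/24(rw,nohide,root_squash,sync,no_subtree_check,bind=/path-to-shared-dir1)
/nfs4exports/dir2 *(rw,root_squash,sync,no_subtree_check,bind=/path-to-shared-dir2)
/path-to-shared-dir3 *(rw,root_squash,sync,no_subtree_check,bind=/nfs4exports/dir3)
"""

# One client spec: "host(opt,opt=val)", "(opts)" for any host, or a bare host.
CLIENT_RE = re.compile(r"([^\s()]*)\(([^)]*)\)|(\S+)")

def parse_exports(text):
    """Yield (path, client, options) for every client spec in an exports file."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        path = parts[0].rstrip("/") or "/"
        for m in CLIENT_RE.finditer(parts[1] if len(parts) > 1 else ""):
            client = (m.group(3) or m.group(1)) or "*"
            opts = {}
            for item in filter(None, (m.group(2) or "").split(",")):
                key, _, val = item.strip().partition("=")
                opts[key] = val or True
            yield path, client, opts

def lint_exports(text):
    """Return (path, code) findings for the pitfalls described in the post."""
    entries = list(parse_exports(text))
    roots = {p for p, _, o in entries if o.get("fsid") in ("0", "root")}
    crossmnt = {p for p, _, o in entries if p in roots and "crossmnt" in o}
    findings = [] if roots else [("-", "no-pseudo-root")]
    for path, client, opts in entries:
        if client == "*":                       # any host may mount this export
            findings.append((path, "wildcard-client"))
        root = next((r for r in roots if path.startswith(r + "/")), None)
        if root and root not in crossmnt and "nohide" not in opts:
            findings.append((path, "hidden-subdir"))   # client sees an empty dir
        bind = str(opts.get("bind", ""))
        if any(bind == r or bind.startswith(r + "/") for r in roots):
            findings.append((path, "bind-into-root"))  # empty dir covers the share
    return findings

if __name__ == "__main__":
    for path, code in lint_exports(SAMPLE_EXPORTS):
        print(f"{path}: {code}")
```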

  2. #2

    Default Re: NFS v4 finally sorted

    gostal wrote:
    > I'm new to this forum. Please forgive me for not having searched all the
    > posts before posting myself but I've got to get this off my chest. For
    > the last week I've searched high and low for a concise and usable
    > description of NFS v4. The system manual just didn't do it right. Finally
    > I think I've got it figured out but correct info has been pieced together
    > from various sources. There is much confusion regarding NFS v4 on the
    > Internet so I hope my findings may help a little along the way.


    [snip] - of a very useful posting. Thanks I've bookmarked it.

    One small point:

    > cat /etc/mtab


    I think the current fashion is:

    cat /proc/mounts

    mtab can get out of date / confused in some circumstances, I believe.

    Cheers, Dave

  3. #3

    Default Re: NFS v4 finally sorted

    Glad somebody liked it!

    According to your suggestion I ran

    cat /proc/mounts

    and it turns out the output is somewhat different compared to that of

    cat /etc/mtab.

    /proc/mounts does not give the mounted directory only the device. It does
    give the mountpoints, though. So even though this command gives the most
    current info it is not as easy to interpret as mtab.

  4. #4

    Default Re: NFS v4 finally sorted

    Current setup:
    Server OpenSuse 12.2 kernel 3.4.63-2.44-desktop 64 bit

    Since version 11.1 there has been a change in the
    mount command so that it is no longer possible to
    just do:

    Code:
    mount server:/ /path-to-mountpoint
    Rather one has to specify the exported pseudo-root
    (the one marked with fsid=0 in /etc/exports) i.e.

    Code:
    mount server:/path-to-pseudo-root /path-to-mountpoint
    The possible choices can be found, though, by doing

    Code:
    showmount -e server
    on the command line of the client IF THE SERVER IS ALSO
    RUNNING NFS VERSION 3. So to make things easy for the
    client this option should be set in /etc/sysconfig/nfs.

    Permissions are mapped/determined by the daemon idmapd
    which has to run on both server and client. In fact this is
    the only thing running on the client. The behavior is controlled
    by the file /etc/idmapd.conf which by default
    looks like this:

    ---
    [General]

    Verbosity=0
    Pipefs-Directory=/var/lib/nfs/rpc_pipefs
    Domain=localdomain

    [Mapping]

    Nobody-User=nobody
    Nobody-Group=nobody
    ---

    To get things to work two things are necessary:

    1. The user, uid, group and gid of the user on the client have to be
    known on the server and it is important that these things
    map between client and server.

    2. Domain must be set to the actual fully qualified
    domain name in /etc/idmapd.conf on server and client.
    This is the string returned by
    Code:
    hostname -f
    but without the hostname and the following period.

    Leaving /etc/idmapd.conf as it is causes everything to
    be mapped to Nobody which means read but not write at
    best. The reason for this is that only the username
    is transferred during the client-call and
    server-response in nfs4. Some sources on the Internet
    claim that also the following lines should be added
    to /etc/idmapd.conf:

    [Translation]

    Method=nsswitch

    but I have not found it to be necessary.

    Security and authentication can also be handled by using
    the security watch dog Kerberos and this is enabled by
    setting NFS_SECURITY_GSS="yes" in /etc/sysconfig/nfs.
    The *nix user.group.world permission system, however, suffices
    for me and I have not bothered with Kerberos. Interested
    readers can find a guide in

    http://snia.org/sites/default/files/Migrating_NFSv3_to_NFSv4-Final.pdf

    The system manuals have improved since my previous postings but
    as pointed out above using only server:/ in the mount command
    doesn't work, at least not for me.

    Happy NFS-ing!
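
The Domain rule from the post above (the `hostname -f` output without the hostname and the following period, identical on server and client) as a check over two idmapd.conf files. This is an added example, not part of the original post; the host names, the domain `home.example` and the finding codes are constructed.

```python
import configparser

# Stock file as quoted in the post; FIXED_CONF and the FQDNs used with it are
# constructed sample values.
STOCK_CONF = """\
[General]
Verbosity=0
Pipefs-Directory=/var/lib/nfs/rpc_pipefs
Domain=localdomain

[Mapping]
Nobody-User=nobody
Nobody-Group=nobody
"""
FIXED_CONF = STOCK_CONF.replace("Domain=localdomain", "Domain=home.example")

def idmap_domain(conf_text):
    """Return the lower-cased Domain from idmapd.conf text, or None if unset."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    for section in cp.sections():
        if section.lower() == "general":
            return cp[section].get("domain", "").strip().lower() or None
    return None

def expected_domain(fqdn):
    """`hostname -f` output minus the hostname and the following period."""
    _host, dot, domain = fqdn.strip().partition(".")
    return domain.lower() if dot and domain else None

def check_idmap(server_conf, server_fqdn, client_conf, client_fqdn):
    """Return (role, code) findings; an empty list means both sides agree."""
    findings, seen = [], {}
    for role, conf, fqdn in (("server", server_conf, server_fqdn),
                             ("client", client_conf, client_fqdn)):
        have, want = idmap_domain(conf), expected_domain(fqdn)
        seen[role] = have
        if have is None:
            findings.append((role, "domain-unset"))
        elif want is None:                 # hostname -f returned a bare host name
            findings.append((role, "fqdn-has-no-domain"))
        elif have != want:
            findings.append((role, "domain-mismatch"))
    if None not in seen.values() and seen["server"] != seen["client"]:
        findings.append(("both", "server-client-differ"))
    return findings

if __name__ == "__main__":
    print(check_idmap(FIXED_CONF, "nfsserver.home.example",
                      STOCK_CONF, "desk1.home.example"))
```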
