
Thread: Problems with nfs server after upgrade to Leap 15.0

  1. #21
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    20,267
    Blog Entries
    1

    Default Re: Problems with nfs server after upgrade to Leap 15.0

    Quote Originally Posted by gostal View Post
    I know and according to man firewall-cmd the option --permanent sets, gets etc. what should happen when firewalld is started/restarted i.e. it should conform to the run-time situation after start/restart before any run-time changes have been made. This does not happen and there is something fishy going on or I still haven't got it!!
    Yes, there's a few moving parts to consider. From 'man firewalld.zones'...
    How to set or change a zone for a connection?

    The zone is stored into the ifcfg of the connection with ZONE= option. If the option is missing or empty, the default zone set in firewalld is used.

    If the connection is controlled by NetworkManager, you can also use nm-connection-editor to change the zone.

    For the addition or change of interfaces that are not under control of NetworkManager: firewalld tries to change the ZONE setting in the ifcfg file, if an ifcfg file exists that is using the interface.

    Only for the removal of interfaces that are not under control of NetworkManager: firewalld is not trying to change the ZONE setting in the ifcfg file. This is needed to make sure that an ifdown of the interface will not result in a reset of the zone setting to the default zone.

    Only the zone binding is then removed in firewalld then.
    So, this could be impacting on the behaviour you're expecting perhaps.
    Last edited by deano_ferrari; 14-Aug-2019 at 03:29.
    openSUSE Leap 15.0; KDE Plasma 5

  2. #22
    Join Date
    Apr 2011
    Location
    Stockholm
    Posts
    81

    Default Re: Problems with nfs server after upgrade to Leap 15.0

    Quote Originally Posted by deano_ferrari View Post
    Yes, there's a few moving parts to consider. From 'man firewalld.zones'...
    "Reply with quote" doesn't quote your quotation of man firewalld.zones but here it is:

    How to set or change a zone for a connection?

    The zone is stored into the ifcfg of the connection with ZONE= option. If the option is missing or empty, the default zone set in firewalld is used.

    If the connection is controlled by NetworkManager, you can also use nm-connection-editor to change the zone.

    For the addition or change of interfaces that are not under control of NetworkManager: firewalld tries to change the ZONE setting in the ifcfg file, if an ifcfg file exists that is using the interface.

    Only for the removal of interfaces that are not under control of NetworkManager: firewalld is not trying to change the ZONE setting in the ifcfg file. This is needed to make sure that an ifdown of the interface will not result in a reset of the zone setting to the default zone.

    Only the zone binding is then removed in firewalld then.
    Now,

    • It is already established that the only interface I have, eth0, is controlled by NetworkManager so only the first two sentences (below the heading) of your quotation apply.
    • It is already established that ifcfg-eth0 says that ZONE=work
    • The 2nd sentence says that zone can be changed by using n.b. also nm-connection-editor. The implied other methods are mentioned in the section "How to configure or add zones?", immediately above your quotation, and are firewall-config (graphical) and firewall-cmd (CLI).

    So according to man-page I can use either method to change the zone of an interface. Not so! I ran nm-connection-editor and picked Wired connection 1 in the GUI that came up and lo and behold the firewall zone in the first tab was Default and apparently NetworkManager has consistently acted on this information. So now my findings make sense and mean that the link between firewall-cmd and nm-connection-editor (NetworkManager) is broken and settings done by firewall-cmd are not picked up during boot. Question is why and what to do about it. Ideas anyone?

    So using the nm-connection-editor GUI I changed the zone to work and rebooted and now I get:
    Code:
    sudo firewall-cmd --get-active-zones
    work
      interfaces: eth0
    as expected.

    So one by one these configuration tools seem to work regarding the zone setting but they don't talk to each other.

    But there's more:
    Although nfs is enabled in the active zone:
    Code:
    sudo firewall-cmd --zone=work --list-services
    ssh dhcpv6-client nfs
    my exports:
    Code:
    showmount -e
    Export list for k2003734.win.foi.se:
    /usr/local   ki003685.win.foi.se
    /disk2       ki003685.win.foi.se
    /opt         ki003685.win.foi.se
    /home/gostal ki003685.win.foi.se
    don't show on the other machine. It is as if NetworkManager fails also to pick up this information. What do I do about that? The only thing that seems to work so far is to turn the firewall off so it would indicate that allowing nfs in the active zone has no effect.

    Cheers,
    gostal

  3. #23
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    20,267
    Blog Entries
    1

    Default Re: Problems with nfs server after upgrade to Leap 15.0

    Quote Originally Posted by gostal View Post
    So now my findings make sense and mean that the link between firewall-cmd and nm-connection-editor (NetworkManager) is broken and settings done by firewall-cmd are not picked up during boot. Question is why and what to do about it. Ideas anyone?
    Bug report perhaps?

    So using the nm-connection-editor GUI I changed the zone to work and rebooted and now I get:
    Code:
    sudo firewall-cmd --get-active-zones
    work
      interfaces: eth0
    as expected.

    So one by one these configuration tools seem to work regarding the zone setting but they don't talk to each other.

    But there's more:
    Although nfs is enabled in the active zone:
    Code:
    sudo firewall-cmd --zone=work --list-services
    ssh dhcpv6-client nfs
    my exports:
    Code:
    showmount -e
    Export list for k2003734.win.foi.se:
    /usr/local   ki003685.win.foi.se
    /disk2       ki003685.win.foi.se
    /opt         ki003685.win.foi.se
    /home/gostal ki003685.win.foi.se
    don't show on the other machine. It is as if NetworkManager fails also to pick up this information. What do I do about that? The only thing that seems to work so far is to turn the firewall off so it would indicate that allowing nfs in the active zone has no effect.

    Cheers,
    gostal
    The iptables rules (eg output from 'iptables -S') should reflect these runtime changes dynamically, but perhaps nfs-server needs to be restarted at this point.
    openSUSE Leap 15.0; KDE Plasma 5

  4. #24
    Join Date
    Apr 2011
    Location
    Stockholm
    Posts
    81

    Default Re: Problems with nfs server after upgrade to Leap 15.0

    Quote Originally Posted by deano_ferrari View Post
    Bug report perhaps?


    The iptables rules (eg output from 'iptables -S') should reflect these runtime changes dynamically, but perhaps nfs-server needs to be restarted at this point.
    I will make a bug report on the broken link between firewall-cmd and NetworkManager. This may also be connected to the fact that YaST NFS Server module says that nfs-kernel-server is not available and that the firewall cannot be configured.

    Iptables rules do reflect runtime changes and this is working. It turns out that more services than nfs need to be enabled in the active zone namely mountd and rpc-bind, see in this thread:

    https://forums.opensuse.org/showthread.php/531849-nfs-kernel-service-error-in-exporting-NFS-directory


    the first post by mchnz where I can add that the services nfs, mountd and rpc-bind are strictly required. That was all done automatically by YaST NFS Server module last time I did it so I had forgotten about it. All done now and nfs-server.service does not need to be restarted after runtime changes in the firewall.

    Thanks for helping me to sort these things out.

    Cheers,
    gostal
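
Added example, not part of any post in this thread: a shell check for the two problems worked out above, namely which zone NetworkManager actually puts the interface in (an empty connection zone means the firewalld default zone) and whether that zone allows all three services the thread found necessary (nfs, mountd, rpc-bind). The function names `missing_services` and `effective_zone` are hypothetical; `eth0` and `Wired connection 1` are the names used in the thread.

```shell
#!/bin/sh
# Added example: audit the firewalld zone an NFS server's interface lands in.
# Services the thread found strictly required for the exports to be visible.
REQUIRED_SERVICES="nfs mountd rpc-bind"

# missing_services "<output of firewall-cmd --zone=Z --list-services>"
# Prints the required services that are absent, space-separated.
missing_services() (
    # Normalise whitespace and pad with spaces so whole words can be matched.
    enabled=" $(printf '%s' "$1" | tr -s '[:space:]' ' ') "
    missing=""
    for svc in $REQUIRED_SERVICES; do
        case "$enabled" in
            *" $svc "*) ;;                              # already allowed
            *) missing="${missing:+$missing }$svc" ;;   # not in the zone
        esac
    done
    printf '%s' "$missing"
)

# effective_zone "<NetworkManager connection.zone>" "<firewalld default zone>"
# An empty connection.zone ("Default" in nm-connection-editor) falls back to
# the firewalld default zone, whatever ZONE= says in the ifcfg file.
effective_zone() (
    printf '%s' "${1:-$2}"
)

# Live audit: sh nfs-zone-audit.sh --live [interface] [connection name]
if [ "${1:-}" = "--live" ]; then
    iface=${2:-eth0}
    conn=${3:-Wired connection 1}
    nm_zone=$(nmcli -g connection.zone connection show "$conn")
    zone=$(effective_zone "$nm_zone" "$(firewall-cmd --get-default-zone)")
    echo "NetworkManager zone for '$conn': ${nm_zone:-<empty, uses default>}"
    echo "Expected zone for $iface: $zone"
    echo "firewalld reports:    $(firewall-cmd --get-zone-of-interface="$iface")"
    miss=$(missing_services "$(firewall-cmd --zone="$zone" --list-services)")
    if [ -z "$miss" ]; then
        echo "Zone $zone allows: $REQUIRED_SERVICES"
    else
        # Print the fix rather than applying it, so the change is reviewed first.
        for svc in $miss; do
            echo "fix: firewall-cmd --permanent --zone=$zone --add-service=$svc"
        done
        echo "then: firewall-cmd --reload"
    fi
fi
```

Without `--live` the script only defines the two functions, so they can be sourced and fed saved command output from another machine.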

  5. #25
    Join Date
    Apr 2011
    Location
    Stockholm
    Posts
    81

    Default Re: Problems with nfs server after upgrade to Leap 15.0

    Just did the bug-report regarding NetworkManager and firewall-cmd.

    Cheers,
    gostal
