How to set up NFSv4 Server through YaST2

I recently tried to set up a NFS share using YaST and experienced some rather frustrating difficulties.

The most significant one was the YaST2 NFS Server module telling me that the firewall was not configurable.

Firewall not configurable
Some firewalld services are not available:
-nfs-kernel-server (Not available)

(I tried pasting a screenshot using https://susepaste.org, but after clicking Create I get: 404 Page Not Found
I also tried Insert Image from a URL. It doesn’t show up.)
Here’s the screenshot: Pasteboard - Uploaded Image

I went ahead with the configuration and manually added the ‘nfs’ service to the appropriate zone in the Firewall module. That didn’t work. No exported mounts were visible from the client machine. I knew it was a firewall issue because stopping it on the server machine allowed the mounts to be found by the client machine.

After quite a bit of time researching, I learned from this StackExchange answer that ‘rpc-bind’ and ‘mountd’ services are also required for NFSv4. So, I added those services to the zone in Firewall.

And, yes, that worked.

This, then, begs the question: why is there no ‘nfs-kernel-server’ service available to firewalld? There is no nfs-kernel-server.xml file anywhere on the system. [Ref. Documentation - HowTo - Add a Service | firewalld] (There are, though, still remnants of SuSEfirewall2.)

Knowing what does work, I then created a nfs-kernel-server.xml file from content in nfs.xml, rpc-bind.xml, and mountd.xml. I copied it to /etc/firewalld/services and reloaded the firewall. Back in the Firewall module of YaST2, I added the now-available service ‘nfs-kernel-server’ and removed ‘nfs’, ‘rpc-bind’, and ‘mountd’.

That works too.

Here’s the content of nfs-kernel-server.xml:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>nfs-kernel-server</short>
  <description>Service ports required for NFS Kernel Server</description>
  <!-- NFS -->
  <port protocol="tcp" port="2049"/>
  <!-- RPC Bind -->
  <port protocol="tcp" port="111"/>
  <port protocol="udp" port="111"/>
  <!-- mountd -->
  <port protocol="tcp" port="20048"/>
  <port protocol="udp" port="20048"/>
</service>

I thought about posting this in the “How To/FAQ Forums”, but hopefully this will be a temporary issue.

I have been adding “nfs”, “nfs3”, “mountd” and “rpc-bind” to the firewall allowed services.

Yes, back when we were using the old firewall, Yast did that automatically on setting up NFS.

I am not running 15.3, thus this is a bit of a guess.

Did you check if the YaST firewall module is installed?

I ask, because in another thread they found that 15.3 did not by default install some YaST modules.

I had no need to check (unless I’ve misunderstood your question). The YaST Firewall module was what I was using to manage the firewall:

I … manually added the ‘nfs’ service to the appropriate zone in the Firewall module.

I think the issue is that the nfs-kernel-server package does not include the nfs-kernel-server.xml firewalld service definition file. rpm -ql nfs-kernel-server does not list any XML file.

I was not sure about what you used. AFAIK firewalld brings its own GUI and CLI configuration tools.

That’s interesting. I was aware that firewalld has CLI config tools, but I did not know it also provided a GUI config tool. (It’s in the ‘firewall-config’ package.)

I apologize for not being clear on that.

This reads like you’re actually using NFSv3. NFSv4 requires one single port only (TCP port 2049).

https://sniansfblog.org/the-advantages-of-nfsv4-1/
Hosting NFSv4 behind a firewall - Learning RHEL Networking [Book]

Granted, that StackExchange answer is from 2015.

I had enabled NFSv4 in the YaST2 NFS Server Configuration dialog, and the client was set to “Any (Highest Available)”.

As a test, I removed the ‘nfs-kernel-service’ service and added back in ‘nfs’ to the Firewall configuration on the server, and forced the client to NFSv4.

Showmount doesn’t like it:

linux-desktop:/ # showmount -e 192.168.0.100
clnt_create: RPC: Unable to receive
linux-desktop:/ # 


I don’t know why that is. But, I do know that with rpc-bind and mountd services allowed in the firewall, it works; without, it does not (operator error?).

Hmmm…NFSv4 doesn’t use mountd as it has pseudo file system that does the job of determining mount-points, and the server and client interact via a single TCP port. What does the /etc/sysconfig/nfs server config look like?

grep -v "^#" /etc/sysconfig/nfs

On the client…

grep vers /etc/nfs.conf

Showmount doesn’t like it:

linux-desktop:/ # showmount -e 192.168.0.100
clnt_create: RPC: Unable to receive
linux-desktop:/ # 

I don’t know why that is. But, I do know that with rpc-bind and mountd services allowed in the firewall, it works; without, it does not (operator error?).

This is appearing like NFSv3 behaviour.

Check

nfsstat -m

This may be useful…

showmount will not work with pure NFSv4 at all. It queries mountd which is not used by NFSv4. If your server exports the same directories via both NFSv3 and NFSv4 then showmount will query NFSv3 exports and may look like it works, but it gives you the answer to a different question.

Just in case it makes a difference, the following outputs are with rpc-bind and mountd services allowed in the firewall. Should I redo the nfsstat queries with those services disallowed?

/etc/sysconfig/nfs server config:

home-server:/ # grep -v "^#" /etc/sysconfig/nfs
USE_KERNEL_NFSD_NUMBER="4"

MOUNTD_PORT=""

NFS3_SERVER_SUPPORT="yes"

NFS4_SUPPORT="yes"

SM_NOTIFY_OPTIONS=""

STATD_PORT=""

STATD_HOSTNAME=""

LOCKD_TCPPORT=""

LOCKD_UDPPORT=""

STATD_OPTIONS=""

NFSV4LEASETIME=""

RPC_PIPEFS_DIR=""

SVCGSSD_OPTIONS=""

NFSD_OPTIONS=""

GSSD_OPTIONS=""

MOUNTD_OPTIONS=""

NFS_GSSD_AVOID_DNS="no"
NFS_SECURITY_GSS="no"
home-server:/ #

On the client:

linux-desktop:/ # grep vers /etc/nfs.conf
# reverse-lookup=n
# vers2=n
 vers3=$NFS3_SERVER_SUPPORT
 vers4=$NFS4_SUPPORT
# vers4.0=y
# vers4.1=y
# vers4.2=y
linux-desktop:/ # 

I don’t see where the NFS* variables are defined in the config file. So, for completeness even though it may be a different environment:

linux-desktop:/ # echo $NFS3_SERVER_SUPPORT

linux-desktop:/ # echo $NFS4_SUPPORT

linux-desktop:/ # 

linux-desktop:/ # nfsstat -m
/mnt/home-server from 192.168.0.100:/mnt/public
 Flags: rw,relatime,vers=4.2,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.0.102,local_lock=none,addr=192.168.0.100

linux-desktop:/ # 

Further Info:
On the server:

home-server:/ # rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  42725  status
    100024    1   tcp  34205  status
    100005    1   udp  20048  mountd
    100005    1   tcp  20048  mountd
    100005    2   udp  20048  mountd
    100005    2   tcp  20048  mountd
    100005    3   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049  nfs_acl
    100003    3   udp   2049  nfs
    100227    3   udp   2049  nfs_acl
    100021    1   udp  58870  nlockmgr
    100021    3   udp  58870  nlockmgr
    100021    4   udp  58870  nlockmgr
    100021    1   tcp  41229  nlockmgr
    100021    3   tcp  41229  nlockmgr
    100021    4   tcp  41229  nlockmgr
home-server:/ # 

home-server:/ # nfsstat -s
Server rpc stats:
calls      badcalls   badfmt     badauth    badclnt
103        0          0          0          0       

Server nfs v4:
null             compound         
1         0%     102      99%     

Server nfs v4 operations:
op0-unused       op1-unused       op2-future       access           close            
0         0%     0         0%     0         0%     9         2%     3         0%     
commit           create           delegpurge       delegreturn      getattr          
0         0%     0         0%     0         0%     3         0%     79       24%     
getfh            link             lock             lockt            locku            
4         1%     0         0%     0         0%     0         0%     0         0%     
lookup           lookup_root      nverify          open             openattr         
12        3%     0         0%     0         0%     5         1%     0         0%     
open_conf        open_dgrd        putfh            putpubfh         putrootfh        
0         0%     0         0%     96       29%     0         0%     2         0%     
read             readdir          readlink         remove           rename           
3         0%     1         0%     0         0%     0         0%     0         0%     
renew            restorefh        savefh           secinfo          setattr          
0         0%     0         0%     0         0%     0         0%     0         0%     
setcltid         setcltidconf     verify           write            rellockowner     
0         0%     0         0%     0         0%     0         0%     0         0%     
bc_ctl           bind_conn        exchange_id      create_ses       destroy_ses      
0         0%     0         0%     2         0%     1         0%     0         0%     
free_stateid     getdirdeleg      getdevinfo       getdevlist       layoutcommit     
0         0%     0         0%     0         0%     0         0%     0         0%     
layoutget        layoutreturn     secinfononam     sequence         set_ssv          
0         0%     0         0%     1         0%     99       30%     0         0%     
test_stateid     want_deleg       destroy_clid     reclaim_comp     allocate         
0         0%     0         0%     0         0%     1         0%     0         0%     
copy             copy_notify      deallocate       ioadvise         layouterror      
0         0%     0         0%     0         0%     0         0%     0         0%     
layoutstats      offloadcancel    offloadstatus    readplus         seek             
0         0%     0         0%     0         0%     0         0%     0         0%     
write_same       
0         0%     

home-server:/ #

On the client:

linux-desktop:/ # nfsstat -c
Client rpc stats:
calls      retrans    authrefrsh
154        0          154     

Client nfs v4:
null             read             write            commit           open             
10        6%     4         2%     0         0%     0         0%     4         2%     
open_conf        open_noat        open_dgrd        close            setattr          
0         0%     4         2%     0         0%     4         2%     0         0%     
fsinfo           renew            setclntid        confirm          lock             
3         1%     0         0%     0         0%     0         0%     0         0%     
lockt            locku            access           getattr          lookup           
0         0%     0         0%     17       11%     45       29%     20       12%     
lookup_root      remove           rename           link             symlink          
1         0%     0         0%     0         0%     0         0%     0         0%     
create           pathconf         statfs           readlink         readdir          
0         0%     2         1%     25       16%     0         0%     1         0%     
server_caps      delegreturn      getacl           setacl           fs_locations     
5         3%     4         2%     0         0%     0         0%     0         0%     
rel_lkowner      secinfo          fsid_present     exchange_id      create_session   
0         0%     0         0%     0         0%     2         1%     1         0%     
destroy_session  sequence         get_lease_time   reclaim_comp     layoutget        
0         0%     0         0%     0         0%     1         0%     0         0%     
getdevinfo       layoutcommit     layoutreturn     secinfo_no       test_stateid     
0         0%     0         0%     0         0%     1         0%     0         0%     
free_stateid     getdevicelist    bind_conn_to_ses destroy_clientid seek             
0         0%     0         0%     0         0%     0         0%     0         0%     
allocate         deallocate       layoutstats      clone            
0         0%     0         0%     0         0%     0         0%     

linux-desktop:/ # 

Understood.

When I was configuring the client with the YaST2 NFS Client module, clicking the “Choose” button initiated a scan for NFS shares. I found none. And, IIRC, manually entering the server IP address did not work either. I will test that again with pure NFSv4 when I have a bit more time as, at the moment, I’m running late.

Okay, got a bit of time.

With the server offline, I launched YaST2 NFS Client configuration and deleted the existing share (confirming that the entry was indeed removed from /etc/fstab). Then fired up the server and disallowed the rpc-bind and mountd services so it would be forced to serve pure NFSv4.

Back on the client, went in to NFS Client configuration again and with the NFS Version set to “Any (Highest Available)”, clicked to Add a share. Clicking the Choose button in the presented dialog box resulted in a message box saying, “Scanning for hosts on this LAN…”. After a few moments, an Error message appeared saying, “No NFS server has been found on your network. blah blah blah”

I then manually entered the IP address of the server and clicked Select. The list of Exported Directories that popped up was empty.

Then after setting the NFS Version to “Force NFSv4”, clicking Select yielded two exported directories:
/
/mnt

I have not exported either of those two directories. But to play along, I selected the root directory in the list (clicked OK), then clicked OK to add that share. The result:
“The path entered is invalid. It must be shorter than 70 characters and it must begin with a slash (/).”

Hmm, okay, it satisfies both of those conditions. Anyway, I went back in to Select and chose /mnt … same error message.

On the server:

home-server:/ # cat /etc/exports
/mnt/public     192.168.0.0/24(rw,root_squash,sync,no_subtree_check)
home-server:/ #

Well…

Since I did not have a configured client due to the above stated problems with the YaST2 NFS Client configuration module, on a whim I decided to try manually mounting the exported share from the client.

It worked. So, NFSv4 does indeed work using only port 2049.

What does not work is trying to use the YaST2 NFS Server and Client configuration modules to set it up without additional knowledge the average user may not have.

The Server Configuration module thinks that a ‘nfs-kernel-server’ service is required to configure the firewall; leading to a failed configuration unless the user knows to simply add the ‘nfs’ service in the firewall.

https://ibb.co/c2qd2s9

The Client Configuration module reports that the ‘nfs’ service is not available to configure the firewall – when it is available. And, to work with pure NFSv4, the module needs to be spoon-fed the specifics. Again, without this additional user knowledge, this would likely lead to a failed configuration on the client side as well.

https://ibb.co/mCmNHRH

It is now working for me, and I’ve learned a few things. Thank you everyone for your guidance.
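
The following Python sketch is an added example, not code from any poster in this thread: it compares the ports opened by the thread's nfs-kernel-server.xml with the listeners in the rpcinfo -p output posted earlier, to show which openings a pure NFSv4 server does not need and which registered RPC listeners the service would leave closed for NFSv3 clients. The function names are hypothetical, and both inputs are abridged copies of what was posted above.

```python
import xml.etree.ElementTree as ET

# Port list of the thread's nfs-kernel-server.xml (description omitted).
SERVICE_XML = """<service>
  <short>nfs-kernel-server</short>
  <port protocol="tcp" port="2049"/>
  <port protocol="tcp" port="111"/>
  <port protocol="udp" port="111"/>
  <port protocol="tcp" port="20048"/>
  <port protocol="udp" port="20048"/>
</service>"""

# Abridged from the `rpcinfo -p` output posted in the thread.
RPCINFO = """   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100024    1   udp  42725  status
    100024    1   tcp  34205  status
    100005    3   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100021    4   udp  58870  nlockmgr
    100021    4   tcp  41229  nlockmgr"""

def service_ports(service_xml):
    """Return the (protocol, port) pairs a firewalld service definition opens."""
    root = ET.fromstring(service_xml)
    return {(p.get("protocol"), int(p.get("port"))) for p in root.findall("port")}

def rpc_listeners(rpcinfo_text):
    """Parse `rpcinfo -p` rows into (service, version, protocol, port) tuples."""
    rows = []
    for line in rpcinfo_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0].isdigit():  # skips the header row
            rows.append((f[4], int(f[1]), f[2], int(f[3])))
    return rows

def audit(service_xml, rpcinfo_text, nfsv4_only):
    """Return (opened but not needed, registered but not opened)."""
    opened = service_ports(service_xml)
    rows = rpc_listeners(rpcinfo_text)
    if nfsv4_only:  # pure NFSv4: only the version 4 nfs listener is used
        needed = {(pr, po) for svc, v, pr, po in rows if svc == "nfs" and v == 4}
    else:           # NFSv3 clients also talk to the other registered RPC services
        needed = {(pr, po) for _, _, pr, po in rows}
    return sorted(opened - needed), sorted(needed - opened)

if __name__ == "__main__":
    print("NFSv4 only:", audit(SERVICE_XML, RPCINFO, True))
    print("NFSv3 too: ", audit(SERVICE_XML, RPCINFO, False))
```

For a pure NFSv4 export the first list names the rpc-bind and mountd openings that can be dropped; with NFSv3 in use the second list shows the status and nlockmgr listeners sitting on dynamic ports, which matches the empty STATD_PORT and LOCKD_* settings in the posted /etc/sysconfig/nfs.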

Did you open a bug report? What is the bug number?

No, I did not open a bug report. If it is indeed a confirmed bug, where would I do that?

Found it. And, since it was asked if I opened a bug report, I’m assuming it’s confirmed.

https://bugzilla.opensuse.org/show_bug.cgi?id=1187722

Thanks for reporting the bug, and for giving us the link.

The Firewall definition XML file is provided by the “firewalld” package –


 > rpm --query --whatprovides /usr/lib/firewalld/services/nfs.xml
firewalld-0.9.3-1.1.noarch
 > 
 > cat /usr/lib/firewalld/services/nfs.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>NFS4</short>
  <description>The NFS4 protocol is used to share files via TCP networking. You will need to have the NFS tools installed and properly configure your NFS server for this option to be useful.</description>
  <port protocol="tcp" port="2049"/>
</service>
 > 

The XML file ‘/usr/lib/firewalld/services/nfs3.xml’ provides the NFS3 Firewall definition …

You’re trying to export via NFS a directory which is mounted via NFS?

  • The directory ‘/mnt’ is where a Linux Kernel prefers to place the mount points of clients accessing remote servers – <The Linux Documentation Project; …