NFS v4 finally sorted

I’m new to this forum. Please forgive me for not having searched all the
posts before posting myself but I’ve got to get this off my chest. For
the last week I’ve searched high and low for a concise and usable description
of NFS v4. The system manual just didn’t do it right. Finally I think I’ve
got it figured out but correct info has been pieced together from various
sources. There is much confusion regarding NFS v4 on the Internet so I
hope my findings may help a little along the way.

My setup:
Server: OpenSuse 11.1 kernel 2.6.27.56-0.1-pae 32 bit
Client: OpenSuse 11.4 kernel 2.6.37.1-1.2-desktop 64 bit

It has taken me a week to get a working configuration. There have been errors
in the manuals and important things have not been mentioned…

The short story:
1 All the empty directories in the pseudo file system must be exported in
/etc/exports i.e. it’s not the info you want to share that’s directly exported.
The actual share is mounted via bind on a sub dir in the pseudo file system.
2 Either the option crossmnt has to be set for the pseudo root or the option nohide
must be set for exported sub dirs in the pseudo file system. Otherwise the real
share only shows up on the server but not on the client who then only sees the
empty dir structure of the pseudo file system.
3 The port used by mountd has to be locked by setting MOUNTD_PORT="20048"
in /etc/sysconfig/nfs. Otherwise mountd will use different ports from time to
time and connection attempts will be blocked by the firewall and eventually
time out if not by chance the picked port happens to be 20048.

The long story:
Assume the following pseudo filesystem

/nfs4exports
/nfs4exports/dir1
/nfs4exports/dir2

and the following shares

/path-to-shared-dir1
/path-to-shared-dir2

Allow everybody everything in the pseudo file system (for most things below you need to be root):

chmod --recursive 777 /nfs4exports

Access control is done by uid/gid for the real shares through nfs, cf. NFS-HOWTO at LDP.

Edit /etc/exports like so:

/nfs4exports *(fsid=0,rw,root_squash,sync,no_subtree_check)
/nfs4exports/dir1 *(rw,nohide,root_squash,sync,no_subtree_check,bind=/path-to-shared-dir1)
/nfs4exports/dir2 *(rw,nohide,root_squash,sync,no_subtree_check,bind=/path-to-shared-dir2)

The option fsid=0 marks the pseudo root. The option bind=/… causes the shared directory
to be mounted on the corresponding dir in the pseudo file system. This is evident by doing:

cat /etc/mtab

on the server machine once the nfsserver is up and running.

As mentioned above crossmnt may be set for the pseudo root instead of setting nohide
for the sub dirs. If crossmnt/nohide is omitted the shared directories get mounted on
the pseudo file system and show up there on the server but the client only sees the empty
pseudo file system.

The wild card “*” may be replaced by hostname, IP or IP/NETMASK to restrict access.
If hostnames are used a working DNS is required.

Finally don’t forget to set MOUNTD_PORT="20048" in /etc/sysconfig/nfs if you plan on using a firewall on your server. The actual port number is not important as long as it’s not used by
any other process. 20048 is dedicated to the NFS mountd and is the one opened in the
firewall, cf. http://www.iana.org/assignments/port-numbers.

Don’t trust the manuals if you’re running OpenSuse 11.x unless x=4. The reference manuals
of 11.1-11.3 do not mention crossmnt/nohide nor do they say anything about the mountd
port number. Moreover 11.1 will have you export the shared directory and set
bind=/pseudo-root/subdir whereas 11.2 and 11.3 are unclear on the subject, maybe on
purpose or maybe I don’t understand the german.

Be warned that if you do follow the 11.1 manual then the empty sub dir of the
pseudo file system gets mounted on top of your shared directory thus hiding its content.
As I’m running 11.1 on my server maybe you can imagine the horror I felt when my shared
data suddenly vanished. At that point I had no clue so naturally I feared the worst had
happened. As for 11.4 it looks like the reference manual is correct and maybe Yast also
locks the mountd port for you. I haven’t tried it though.

It’s also worth mentioning a few points on the client side. Here it looks like the manuals
do it right and you simply mount the nfs share by doing:

mount server:/ /path-to-mountpoint/

which is much simpler than for NFS v3 or older where you have to do:

mount server:/path-to-share /path-to-mountpoint/

for every shared directory instead of only once. Of course you can also do:

mount -t nfs4 ....

but it’s not necessary as the mount process will assume nfs due to the form of the
command. There is also a host of other options described in the man pages that you
may use to tweak the connection not to mention automating via /etc/fstab or automount.

Why NFS v4? On the server it takes about the same amount of work to set it up as earlier
versions but you do control the pseudo file system and all the shared info will be at
one point on the client. The downside is that so far complete reference info is hard
to come by in one place only. An obvious advantage is that the client
only needs to know the name of the server.

Many references out there make a point of the files /etc/hosts.deny and /etc/hosts.allow.
OpenSuse 11.x and onwards by default controls access by running an iptables firewall.
The hosts.deny and hosts.allow files have nothing to do with the firewall and you don’t
have to worry about them unless you plan on skipping the firewall and activating control
by xinetd (TCP wrappers). By default this is not activated. (Maybe Suse inactivated
xinetd prior to OpenSuse 11.x but my acquaintance started with 11.0.)

Happy NFS-ing!
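An added check, not part of gostal’s post: a small sh/awk linter that applies the three points of the short story above to an /etc/exports text. It looks for exactly one fsid=0 pseudo root, for sub dirs that will show up empty on the client (no nohide while the root has no crossmnt), for the 11.1-manual mistake of exporting the real share with bind= pointing into the pseudo root, and for two things a practitioner would also want flagged: a "*" client spec and no_root_squash. The sample exports, share paths and client range below are constructed for this example and are not taken from the poster’s system.

```sh
#!/bin/sh
# Constructed /etc/exports sample in the layout described in the post
# (fsid=0 pseudo root, sub dirs bound to the real shares).  Paths, hosts
# and the deliberate mistakes are assumptions made for this example.
SAMPLE_EXPORTS='# pseudo root, no crossmnt
/nfs4exports *(fsid=0,rw,root_squash,sync,no_subtree_check)
/nfs4exports/dir1 *(rw,nohide,root_squash,sync,no_subtree_check,bind=/srv/share1)
/nfs4exports/dir2 192.168.1.0/24(rw,root_squash,sync,no_subtree_check,bind=/srv/share2)
/nfs4exports/dir3 *(rw,nohide,no_root_squash,sync,bind=/srv/share3)
# the 11.1-manual mistake: real share exported, bind target inside the pseudo root
/srv/share4 *(rw,bind=/nfs4exports/dir4)
'

# A layout that passes every check: one pseudo root with crossmnt, a
# restricted client range, root_squash kept everywhere.
CLEAN_EXPORTS='/nfs4exports 192.168.1.0/24(fsid=0,ro,root_squash,sync,no_subtree_check,crossmnt)
/nfs4exports/dir1 192.168.1.0/24(rw,root_squash,sync,no_subtree_check,bind=/srv/share1)
'

# lint_exports EXPORTS_TEXT: prints one finding per line.
#   NO_FSID0 / MULTI_FSID0   not exactly one fsid=0 pseudo root
#   HIDDEN_SUBDIR <path>     sub dir of the pseudo root without nohide while the
#                            root has no crossmnt (client sees an empty dir)
#   INVERTED_BIND <path>     real share exported with bind= pointing into the
#                            pseudo root (the empty dir is mounted over the share)
#   WILDCARD_HOST <path>     client spec is "*"
#   NO_ROOT_SQUASH <path>    remote root keeps uid 0 on this export
lint_exports() {
    printf '%s\n' "$1" | awk '
    /^[ \t]*#/ || NF == 0 { next }
    { n++; path[n] = $1; nspec[n] = NF - 1
      for (j = 2; j <= NF; j++) spec[n, j - 1] = $j }
    END {
        # pass 1: find pseudo roots and whether they carry crossmnt
        for (i = 1; i <= n; i++)
            for (k = 1; k <= nspec[i]; k++) {
                o = "," optsof(spec[i, k]) ","
                if (o ~ /,fsid=0,/) { roots++; root[path[i]] = 1
                    if (o ~ /,crossmnt,/) crossmnt[path[i]] = 1 }
            }
        if (roots == 0) print "NO_FSID0"
        if (roots > 1) print "MULTI_FSID0"
        # pass 2: per-export checks
        for (i = 1; i <= n; i++)
            for (k = 1; k <= nspec[i]; k++) {
                h = spec[i, k]; sub(/\(.*/, "", h)
                o = "," optsof(spec[i, k]) ","
                if (h == "*") print "WILDCARD_HOST " path[i]
                if (o ~ /,no_root_squash,/) print "NO_ROOT_SQUASH " path[i]
                if (!(path[i] in root))
                    for (r in root) {
                        if (o !~ /,nohide,/ && !(r in crossmnt) && index(path[i], r "/") == 1)
                            print "HIDDEN_SUBDIR " path[i]
                        if (match(o, /,bind=[^,]*,/) && index(substr(o, RSTART + 6, RLENGTH - 7), r "/") == 1)
                            print "INVERTED_BIND " path[i]
                    }
            }
    }
    # optsof("host(a,b,c)") -> "a,b,c"
    function optsof(s) { sub(/^[^(]*\(/, "", s); sub(/\)$/, "", s); return s }
    '
}

# count_findings EXPORTS_TEXT: number of findings, 0 means the layout is sane
count_findings() { lint_exports "$1" | wc -l | tr -d ' '; }

lint_exports "$SAMPLE_EXPORTS"
echo "findings: $(count_findings "$SAMPLE_EXPORTS") (sample), $(count_findings "$CLEAN_EXPORTS") (clean)"
```

Run it against a copy of your own file with `lint_exports "$(cat /etc/exports)"` before restarting the nfsserver; an INVERTED_BIND line is exactly the situation described in the long story, where the empty pseudo dir gets mounted on top of the shared data.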

gostal wrote:
> I’m new to this forum. Please forgive me for not having searched all the
> posts before posting myself but I’ve got to get this off my chest. For
> the last week I’ve searched high and low for a concise and usable description
> of NFS v4. The system manual just didn’t do it right. Finally I think I’ve
> got it figured out but correct info has been pieced together from various
> sources. There is much confusion regarding NFS v4 on the Internet so I
> hope my findings may help a little along the way.

[snip] - of a very useful posting. Thanks :) I’ve bookmarked it.

One small point:

> cat /etc/mtab

I think the current fashion is:

cat /proc/mounts

mtab can get out of date / confused in some circumstances, I believe.

Cheers, Dave

Glad somebody liked it! :)

According to your suggestion I ran

cat /proc/mounts

and it turns out the output is somewhat different compared to that of

cat /etc/mtab

/proc/mounts does not give the mounted directory only the device. It does
give the mountpoints, though. So even though this command gives the most
current info it is not as easy to interpret as mtab.

Current setup:
Server OpenSuse 12.2 kernel 3.4.63-2.44-desktop 64 bit

Since version 11.1 there has been a change in the
mount command so that it is no longer possible to
just do:

mount server:/ /path-to-mountpoint

Rather one has to specify the exported pseudo-root
(the one marked with fsid=0 in /etc/exports) i.e.

mount server:/path-to-pseudo-root /path-to-mountpoint

The possible choices can be found, though, by doing

showmount -e server

on the command line of the client IF THE SERVER IS ALSO
RUNNING NFS VERSION 3.
So to make things easy for the
client this option should be set in /etc/sysconfig/nfs.

Permissions are mapped/determined by the daemon idmapd
which has to run on both server and client. In fact this is
the only thing running on the client. The behavior is controlled
by the file /etc/idmapd.conf which by default
looks like this:


[General]

Verbosity=0
Pipefs-Directory=/var/lib/nfs/rpc_pipefs
Domain=localdomain

[Mapping]

Nobody-User=nobody
Nobody-Group=nobody

To get things to work two things are necessary:

1 user, uid, group and gid of user on the client has to be
known on the server and it is important that these things
map between client and server.

2 Domain must be set to the actual fully qualified
domain name in /etc/idmapd.conf on server and client.
This is the string returned by

hostname -f

but without the hostname and the following period.

Leaving /etc/idmapd.conf as it is causes everything to
be mapped to Nobody which means read but not write at
best. The reason for this is that only the username
is transferred during the client-call and
server-response in nfs4. Some sources on the Internet
claim that also the following lines should be added
to /etc/idmapd.conf:

[Translation]

Method=nsswitch

but I have not found it to be necessary.

Security and authentication can also be handled by using
the security watch dog Kerberos and this is enabled by
setting NFS_SECURITY_GSS="yes" in /etc/sysconfig/nfs.
The *nix user.group.world permission system, however, suffices
for me and I have not bothered with Kerberos. Interested
readers can find a guide in

http://snia.org/sites/default/files/Migrating_NFSv3_to_NFSv4-Final.pdf

The system manuals have improved since my previous postings but
as pointed out above using only server:/ in the mount command
doesn’t work, at least not for me.

Happy NFS-ing!
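An added pre-flight check, not part of gostal’s post, for the two idmapd requirements listed above: that every client user exists on the server with the same uid and gid, and that Domain= in /etc/idmapd.conf equals the output of `hostname -f` with the hostname and its period stripped. The passwd excerpts, the FQDN server.example.com and the idmapd.conf texts are constructed for this example and are not from the poster’s machines; on a real pair of hosts you would feed it the two /etc/passwd files (or `getent passwd` output) and the conf file.

```sh
#!/bin/sh
# Constructed passwd excerpts for server and client (assumptions for this
# example).  bob has different uids on the two hosts, dave exists only on
# the client.
SERVER_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:100:Alice:/home/alice:/bin/bash
bob:x:1001:100:Bob:/home/bob:/bin/bash
carol:x:1002:100:Carol:/home/carol:/bin/bash
'
CLIENT_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:100:Alice:/home/alice:/bin/bash
bob:x:1003:100:Bob:/home/bob:/bin/bash
dave:x:1004:100:Dave:/home/dave:/bin/bash
'

# compare_ids SERVER_PASSWD CLIENT_PASSWD: one line per client user that is
# unknown on the server (MISSING) or whose uid/gid differs (UID_MISMATCH,
# GID_MISMATCH).  Per the post, such users get mapped to the Nobody-User.
compare_ids() {
    printf '%s\n==CLIENT==\n%s\n' "$1" "$2" | awk -F: '
    $0 == "==CLIENT==" { client = 1; next }
    NF < 4 { next }                       # blank or malformed line
    !client { suid[$1] = $3; sgid[$1] = $4; next }
    !($1 in suid) { print "MISSING " $1; next }
    suid[$1] != $3 { print "UID_MISMATCH " $1 " client=" $3 " server=" suid[$1] }
    sgid[$1] != $4 { print "GID_MISMATCH " $1 " client=" $4 " server=" sgid[$1] }
    '
}

# The default idmapd.conf quoted in the post, and a copy with Domain= set
# to the example domain.
DEFAULT_IDMAPD_CONF='[General]
Verbosity=0
Pipefs-Directory=/var/lib/nfs/rpc_pipefs
Domain=localdomain

[Mapping]
Nobody-User=nobody
Nobody-Group=nobody
'
FIXED_IDMAPD_CONF=$(printf '%s' "$DEFAULT_IDMAPD_CONF" | sed 's/^Domain=.*/Domain=example.com/')

# expected_idmap_domain FQDN: the FQDN minus its first label and period,
# i.e. what the post says Domain= must equal; empty if FQDN has no dot.
expected_idmap_domain() {
    case "$1" in
        *.*) printf '%s\n' "${1#*.}" ;;
        *)   printf '\n' ;;
    esac
}

# configured_idmap_domain CONF_TEXT: the Domain= value from idmapd.conf
configured_idmap_domain() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Domain[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# check_idmap_domain CONF_TEXT FQDN: succeeds only if Domain= matches
check_idmap_domain() {
    [ -n "$(expected_idmap_domain "$2")" ] &&
    [ "$(configured_idmap_domain "$1")" = "$(expected_idmap_domain "$2")" ]
}

compare_ids "$SERVER_PASSWD" "$CLIENT_PASSWD"
for conf in "$DEFAULT_IDMAPD_CONF" "$FIXED_IDMAPD_CONF"; do
    if check_idmap_domain "$conf" server.example.com; then
        echo "Domain=$(configured_idmap_domain "$conf") matches server.example.com"
    else
        echo "Domain=$(configured_idmap_domain "$conf") does not match server.example.com"
    fi
done
```

The uid comparison is the part worth running on every client you add: a user whose name matches but whose uid differs is the case that quietly turns into Nobody with read-only access, exactly the symptom described above.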