Managing NFS
How to manage NFS networking configuration (interface groups) and access control (client access groups) using the CLI.
User groups resolution
The NFS protocol, when using AUTH_SYS authentication, is limited to 16 security groups per user. If a user is a member of more than 16 groups, the protocol truncates the group list to 16, so a permissions check can fail for an authorized user.
Because in many environments a user is a member of more than 16 security groups, you can configure the Weka system to ignore the groups passed by the NFS protocol and resolve the user's groups outside the protocol. To do so, take the following steps:
- Define an interface group that supports external group-IDs resolution (allow-manage-gids option).
- Define the NFS client permissions to use external group-IDs resolution (manage-gids option).
- Set up the relevant hosts to retrieve the user's group-IDs information.
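The following script, added here as an illustration and not taken from the Weka documentation, shows the mechanism the three steps above address: an AUTH_SYS credential carries at most 16 auxiliary group IDs, so a user whose access depends on a group beyond the 16th is denied, while a server that resolves membership itself from the uid (the manage-gids behaviour) sees the full list. The directory, the user "alice" (uid 1001) and the share are constructed sample data; the dictionary lookup stands in for whatever NSS source (sssd with LDAP, AD, a proxy) the host is configured with.

```python
"""Added example, not part of the Weka documentation: why AUTH_SYS group
truncation can deny an authorized user, and how resolving groups on the
server side (the manage-gids behaviour) avoids it.

The users, groups and share below are constructed sample data, and the
dictionary lookup stands in for whatever NSS source (sssd with LDAP, AD,
and so on) the host has been configured to use.
"""

# RFC 5531, AUTH_SYS: the credential carries the uid, the primary gid and
# at most 16 auxiliary gids. Anything beyond that is never sent on the wire.
AUTH_SYS_MAX_GIDS = 16

# Constructed directory, keyed by uid: (user name, primary gid, auxiliary gids).
# "alice" is a member of 20 auxiliary groups, 5001..5020.
DIRECTORY = {
    1001: ("alice", 1000, list(range(5001, 5021))),
}

# Constructed share: owned by root, group 5019 (alice's 19th auxiliary
# group), mode rwxrwx--- so access depends entirely on group membership.
SHARE = {"uid": 0, "gid": 5019, "mode": 0o770}


def auth_sys_credential(uid, directory=DIRECTORY):
    """Build the credential a client sends: the gid list is cut at 16 entries."""
    _name, primary, aux = directory[uid]
    return {"uid": uid, "gid": primary, "gids": aux[:AUTH_SYS_MAX_GIDS]}


def server_side_gids(cred, manage_gids, directory=DIRECTORY):
    """Return the gid set the server checks against.

    With manage_gids the server ignores the gids from the credential and
    resolves the full membership itself from the uid alone; without it,
    the (possibly truncated) wire list is trusted as-is.
    """
    if manage_gids:
        _name, primary, aux = directory[cred["uid"]]
        return {primary, *aux}
    return {cred["gid"], *cred["gids"]}


def posix_allows(uid, gids, obj, want):
    """Classic owner/group/other mode check; want is 'r' or 'w'."""
    if uid == obj["uid"]:
        bits = (obj["mode"] >> 6) & 0o7
    elif obj["gid"] in gids:
        bits = (obj["mode"] >> 3) & 0o7
    else:
        bits = obj["mode"] & 0o7
    return bool(bits & (0o4 if want == "r" else 0o2))


def can_read_share(uid, manage_gids):
    """Whether user `uid` can read SHARE, with or without server-side resolution."""
    cred = auth_sys_credential(uid)
    gids = server_side_gids(cred, manage_gids)
    return posix_allows(cred["uid"], gids, SHARE, "r")


if __name__ == "__main__":
    cred = auth_sys_credential(1001)
    print(f"gids on the wire: {len(cred['gids'])} of {len(DIRECTORY[1001][2])}")
    print("AUTH_SYS list only :", can_read_share(1001, manage_gids=False))  # False
    print("manage-gids lookup :", can_read_share(1001, manage_gids=True))   # True
```

The point to take from the run is that nothing on the client side is misconfigured: the client knows all 20 groups, but the credential format cannot carry them, so only a server-side lookup (the allow-manage-gids interface group plus manage-gids on the permission, backed by a working sssd on the host) restores correct access.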
Set up the hosts to retrieve user's group-IDs information
For hosts that are part of the interface group, you can set up the host to retrieve the user's group-IDs information by any method available in the environment.
You can also set up group resolution by joining the AD domain or the Kerberos domain, or by using LDAP with a read-only user.
Configure sssd on the host to serve as a group-IDs provider. For example, you can configure sssd directly using LDAP, or as a proxy to a different NSS group-IDs provider.
[sssd]
services = nss
config_file_version = 2
# sssd only reads ldap_* options inside a domain section; the domain name is arbitrary.
domains = ldap_for_weka

[nss]

[domain/ldap_for_weka]
id_provider = ldap
ldap_search_base = dc=example,dc=com
# The DN used to search the LDAP directory with.
ldap_default_bind_dn = cn=ro_admin,ou=groups,dc=example,dc=com
# The password of the bind DN.
ldap_default_authtok = password
If you use a method other than sssd with LDAP (that is, a different provider), configure an sssd proxy on each relevant host. The proxy lets the Content Software for File container resolve groups by whatever method is defined on the host.
To configure an sssd proxy on a host, use the following:
# install sssd
yum install sssd

# set up a proxy for weka in /etc/sssd/sssd.conf
[sssd]
services = nss
config_file_version = 2
domains = proxy_for_weka

[nss]

[domain/proxy_for_weka]
id_provider = proxy
auth_provider = none
# the name of the nss lib to be proxied, e.g. ldap, nis, winbind, vas4, etc.
proxy_lib_name = ldap
The Content Software for File container uses sssd for group resolution. In the above example, which uses an LDAP-only provider, local users (such as a local root) that are not present in LDAP do not get their groups resolved and are denied access. For such users or applications, add the user to LDAP.
Supported NFS client mount options
This section describes the supported mount options for NFS clients.
Non-coherent mount options
- ac
- async
- noatime
- lookupcache=all
Coherent mount options
- noac
- sync
- atime
- lookupcache=none
Common mount options
- rw
- hard
- rsize=524288
- wsize=524288
- namlen=255
- timeo=600
- retrans=2
Fixed mount options
- nolock
- sec=sys
- proto=tcp
- mountproto=tcp
Manage NFS networking using the CLI
Creating interface groups using the CLI
Use the following command line to add an interface group:
weka nfs interface-group add <name> <type> [--subnet subnet] [--gateway gateway] [--allow-manage-gids allow-manage-gids]
Name | Type | Value | Limitation | Mandatory | Default |
name | String | Unique interface group name | Up to 11 characters length | Yes | |
type | String | Group type | Can only be NFS | Yes | |
subnet | String | The subnet mask in the 255.255.0.0 format | Valid netmask | No | 255.255.255.255 |
gateway | String | Gateway IP | Valid IP | No | 255.255.255.255 |
allow-manage-gids | String | Allows the hosts within this interface group to use manage-gids when set in exports. | on or off. Cannot be set if one of the hosts belongs to an interface group that does not have allow-manage-gids. In addition, you must not mount the same filesystem from hosts residing in interface groups with different values of allow-manage-gids. | No | on |
- Do not mount the same filesystem from containers residing in interface groups with different values of allow-manage-gids.
- As a best practice, install only one of the protocol containers, NFS or SMB, on the same server.
Setting interface group ports using the CLI
Use the following command lines to add or delete an interface group port:
weka nfs interface-group port add <name> <host-id> <port>
weka nfs interface-group port delete <name> <host-id> <port>
Name | Type | Value | Limitations | Mandatory | Default |
name | String | Interface group name | None | Yes | |
host-id | String | Host ID on which the port resides (can be obtained by running the weka cluster host command) | Valid host ID | Yes | |
port | String | Port's network device, for example, eth1 | Valid device | Yes | |
Setting interface group IPs using the CLI
Use the following command lines to add or delete an interface group IP range:
weka nfs interface-group ip-range add <name> <ips>
weka nfs interface-group ip-range delete <name> <ips>
Name | Type | Value | Limitations | Mandatory | Default |
name | String | Interface group name | None | Yes | |
ips | String | IP range | Valid IP range | Yes | |
Configuring the service mountd port
The mountd service receives requests from clients to mount the NFS server's exports. When working with interface groups (with allow-manage-gids=on), you can set the mountd port explicitly rather than have it randomly selected at each server startup. A fixed port makes it easier to configure firewalls to allow it.
Use the following commands to set and view the mountd configuration:
weka nfs global-config set --mountd-port <mountd-port>
weka nfs global-config show
Manage NFS access (client access groups) using the CLI
Defining client access groups using the CLI
Use the following command lines to add or delete a client access group:
weka nfs client-group add <name>
weka nfs client-group delete <name>
Name | Type | Value | Limitations | Mandatory | Default |
name | String | Group name | Valid name | Yes | |
Managing client access groups using the CLI
Use the following command lines to add or delete a client group DNS rule:
weka nfs rules add dns <name> <dns>
weka nfs rules delete dns <name> <dns>
Name | Type | Value | Limitations | Mandatory | Default |
name | String | Group name | Valid name | Yes | |
dns | String | DNS rule with *?[] wildcard rules | | Yes | |
Adding or deleting an IP using the CLI
Use the following command lines to add or delete a client group IP:
weka nfs rules add ip <name> <ip>
weka nfs rules delete ip <name> <ip>
Name | Type | Value | Limitation | Mandatory | Default |
name | String | Group name | Valid name | Yes | |
ip | String | IP with netmask rule, in the 1.1.1.1/255.255.0.0 format | Valid IP | Yes | |
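To make the two rule kinds concrete, the following script, added here and not part of the Weka documentation, models a client access group with dns rules (matched with the *, ? and [] wildcards listed above) and ip rules in the address/netmask form shown in the table, and evaluates which groups a connecting client falls into. The ClientGroup class, the group names, the patterns and the client addresses are all constructed for this example.

```python
"""Added example, not part of the Weka documentation: how the two kinds of
client access group rule select a client. DNS rules are matched with the
*, ? and [] wildcards; IP rules use the address/netmask form
(1.1.1.1/255.255.0.0). Group names, patterns and client addresses below
are constructed sample data.
"""
import fnmatch
import ipaddress


class ClientGroup:
    """Mirror of a `weka nfs client-group` together with its dns and ip rules."""

    def __init__(self, name):
        self.name = name
        self.dns_rules = []  # wildcard patterns, as given to `weka nfs rules add dns`
        self.ip_rules = []   # IPv4 networks parsed from `weka nfs rules add ip` strings

    def add_dns(self, pattern):
        self.dns_rules.append(pattern.lower())

    def add_ip(self, rule):
        # "10.20.0.0/255.255.0.0": address plus dotted netmask. strict=False
        # accepts host bits in the address part, so "10.20.5.1/255.255.0.0"
        # also denotes the 10.20.0.0/16 network.
        self.ip_rules.append(ipaddress.IPv4Network(rule, strict=False))

    def matches(self, client_ip, client_hostname=None):
        """True if the client's address, or its resolved hostname, hits a rule."""
        addr = ipaddress.IPv4Address(client_ip)
        if any(addr in net for net in self.ip_rules):
            return True
        if client_hostname is None:
            return False
        host = client_hostname.lower().rstrip(".")
        # fnmatchcase: * also crosses dots, ? is exactly one character, [] is a class
        return any(fnmatch.fnmatchcase(host, p) for p in self.dns_rules)


def groups_for_client(groups, client_ip, client_hostname=None):
    """Names of all groups whose rules match the client, in definition order."""
    return [g.name for g in groups if g.matches(client_ip, client_hostname)]


def sample_groups():
    """Constructed groups standing in for a real cluster's configuration."""
    lab = ClientGroup("lab")
    lab.add_ip("10.20.5.1/255.255.0.0")          # the whole 10.20.0.0/16 network
    lab.add_dns("*.lab.example.com")
    lab.add_dns("node[0-9]?.example.com")        # node + one digit + one more character

    admins = ClientGroup("admins")
    admins.add_ip("192.0.2.10/255.255.255.255")  # a single host
    return [lab, admins]


if __name__ == "__main__":
    gs = sample_groups()
    print(groups_for_client(gs, "10.20.77.3"))                           # ['lab']
    print(groups_for_client(gs, "192.0.2.10", "build7.lab.example.com"))  # ['lab', 'admins']
    print(groups_for_client(gs, "198.51.100.4", "node4.example.com"))     # []
```

Two details are worth noticing when writing rules: `?` consumes exactly one character, so `node[0-9]?.example.com` matches `node42.example.com` but not `node4.example.com`, and a hostname rule can only be applied after the server has resolved the client's source address to a name, so an IP rule is the more predictable choice where reverse DNS is not under your control.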
Managing NFS client permissions using the CLI
Use the following command lines to add, update, or delete NFS permissions:
weka nfs permission add <filesystem> <group> [--path path] [--permission-type permission-type] [--root-squashing root-squashing] [--anon-uid anon-uid] [--anon-gid anon-gid] [--obs_direct]
weka nfs permission update <filesystem> <group> [--path path] [--permission-type permission-type] [--root-squashing root-squashing] [--anon-uid anon-uid] [--anon-gid anon-gid]
weka nfs permission delete <filesystem> <group> [--path path]
Name | Type | Value | Limitations | Mandatory | Default |
filesystem | String | Filesystem name | Existing filesystem. A filesystem set with required authentication cannot be used for NFS export. | Yes | |
group | String | Client group name | Existing client group | Yes | |
path | String | The root of the share | Valid path | No | / |
permission-type | String | Permission type | ro for read-only or rw for read-write | No | RW |
squash | String | Squashing type | none, root or all (all is supported only when working on hosts with interface groups set with allow-manage-gids; otherwise it is treated as root) | No | On |
anon-uid | Number | Anonymous user ID (relevant only for root squashing) | Valid UID (between 1 and 65535) | Yes (if root squashing is enabled) | 65534 |
anon-gid | Number | Anonymous user group ID (relevant only for root squashing) | Valid GID (between 1 and 65535) | Yes (if root squashing is enabled) | 65534 |
obs-direct | Boolean | See Object-store Direct Mount section | on or off | No | No |
manage-gids | String | Sets external group IDs resolution. The list of group IDs received from the client is replaced by a list of group IDs determined by an appropriate lookup on the server. | on or off. Relevant only when using allow-manage-gids interface groups. | No | Off |
privileged-port | String | Sets the share to only be mounted via privileged ports (1-1024), usually only allowed by the root user. | on or off. Relevant only when using allow-manage-gids interface groups. | No | off |
supported-versions | String | A comma-separated list of supported NFS versions. | v3, v4 | No | v3 |
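The following script, added here and not part of the Weka documentation, shows how the permission-type, squash, anon-uid/anon-gid and privileged-port settings from the table combine to decide a single request: the value limits are enforced as stated in the table, and squash=all is treated as root unless the client's interface group has allow-manage-gids. The Permission and Request types, their field names and the sample requests are constructed for this example and are not the product's own data model.

```python
"""Added example, not part of the Weka documentation: how one NFS
permission entry's settings (permission-type, squash, anon-uid/anon-gid,
privileged-port) decide a request. Types and sample values are constructed
for this example; the value limits mirror the table above.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    filesystem: str
    group: str
    path: str = "/"
    permission_type: str = "rw"      # ro or rw
    squash: str = "root"             # none, root or all
    anon_uid: int = 65534
    anon_gid: int = 65534
    privileged_port: bool = False
    allow_manage_gids: bool = False  # property of the client's interface group

    def __post_init__(self):
        # The same value limits the table states for each field.
        if self.permission_type not in ("ro", "rw"):
            raise ValueError("permission-type must be ro or rw")
        if self.squash not in ("none", "root", "all"):
            raise ValueError("squash must be none, root or all")
        for n in (self.anon_uid, self.anon_gid):
            if not 1 <= n <= 65535:
                raise ValueError("anon-uid/anon-gid must be between 1 and 65535")


@dataclass(frozen=True)
class Request:
    uid: int
    gid: int
    source_port: int
    wants_write: bool


def is_valid_permission(**kwargs):
    """True if the given settings pass the table's value limits."""
    try:
        Permission(**kwargs)
        return True
    except ValueError:
        return False


def effective_squash(perm):
    """'all' is only honoured with allow-manage-gids; otherwise it acts as 'root'."""
    if perm.squash == "all" and not perm.allow_manage_gids:
        return "root"
    return perm.squash


def squash_identity(perm, req):
    """Return the (uid, gid) the server acts as after squashing."""
    mode = effective_squash(perm)
    if mode == "all" or (mode == "root" and req.uid == 0):
        return perm.anon_uid, perm.anon_gid
    return req.uid, req.gid


def authorize(perm, req):
    """Return (allowed, reason, identity) for one request against one permission."""
    if perm.privileged_port and not 1 <= req.source_port <= 1024:
        return False, "client source port is not privileged", None
    if req.wants_write and perm.permission_type == "ro":
        return False, "export is read-only", None
    return True, "ok", squash_identity(perm, req)


if __name__ == "__main__":
    perm = Permission("fs1", "lab")                      # defaults: rw, root squash
    print(authorize(perm, Request(0, 0, 700, True)))     # root becomes 65534:65534
    print(authorize(perm, Request(1001, 1000, 40000, True)))  # ordinary user unchanged
    print(authorize(Permission("fs1", "lab", privileged_port=True),
                    Request(1001, 1000, 40000, False)))  # denied: unprivileged port
```

The privileged-port check runs before any identity mapping because it decides whether the request is considered at all; squashing only changes whom the server acts as, so an anonymous mapping never widens access beyond what anon-uid/anon-gid already hold on the filesystem.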