NFSv4 on Debian
NFSv4 client and server configuration (without Kerberos)
See
Protocol
See:
| Milestone | Date | Ref |
| Creation | 1984 | |
| NFSv2 | 1989 | RFC 1094 |
| NFSv3 | 1995 | RFC 1813 |
| NFSv4 | 2003 | RFC 3530 |
| NFSv4.1 | 2010 | RFC 5661 |
| NFSv4.2 | 2016 | RFC 7862 |
Unlike earlier versions, NFSv4 needs only TCP port 2049.
On the server
cat /proc/fs/nfsd/versions
+2 +3 +4 +4.1 -4.2
apt-get install nfs-kernel-server
lsmod | grep nfs
nfsv4 410783 1
dns_resolver 12641 1 nfsv4
nfsd 263032 13
auth_rpcgss 51211 2 nfsd,rpcsec_gss_krb5
nfs_acl 12511 1 nfsd
nfs 188136 2 nfsv4
lockd 83389 2 nfs,nfsd
fscache 45542 2 nfs,nfsv4
sunrpc 237402 33 nfs,nfsd,rpcsec_gss_krb5,auth_rpcgss,lockd,nfsv4,nfs_acl
/etc/default/nfs-common
NEED_STATD=no
STATDOPTS=
NEED_GSSD=no
# Only needed for user mapping in NFSv4
NEED_IDMAPD=no
/etc/default/nfs-kernel-server
# /usr/sbin/rpc.mountd --manage-gids -N 2 -N 3 -V 4 -V 4.1
# man rpc.mountd
#RPCMOUNTDOPTS="--manage-gids"
RPCMOUNTDOPTS="--manage-gids -N 2 -N 3 -V 4 -V 4.1"
/etc/exports
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
/export 192.168.1.0/24(rw,sync,fsid=0,crossmnt,no_subtree_check) 127.0.0.1(rw,sync,fsid=0,crossmnt,no_subtree_check)
/export/partage 192.168.1.0/24(rw,sync,nohide,insecure,no_subtree_check) 127.0.0.1(rw,sync,nohide,insecure,no_subtree_check)
chown jean: /export/partage/
After modifying the /etc/exports file:
exportfs -ra
killall rpc.statd
service nfs-common restart
service nfs-kernel-server restart
Note: for a Postgres database on the server, the hard option is mandatory, and sync is recommended on the server side.
The only firm requirement for using NFS with PostgreSQL is that the file system is mounted using the hard option. With the hard option, processes can “hang” indefinitely if there are network problems, so this configuration will require a careful monitoring setup. The soft option will interrupt system calls in case of network problems, but PostgreSQL will not repeat system calls interrupted in this way, so any such interruption will result in an I/O error being reported.
It is not necessary to use the sync mount option. The behavior of the async option is sufficient, since PostgreSQL issues fsync calls at appropriate times to flush the write caches. (This is analogous to how it works on a local file system.) However, it is strongly recommended to use the sync export option on the NFS server on systems where it exists (mainly Linux). Otherwise, an fsync or equivalent on the NFS client is not actually guaranteed to reach permanent storage on the server, which could cause corruption similar to running with the parameter fsync off. The defaults of these mount and export options differ between vendors and versions, so it is recommended to check and perhaps specify them explicitly in any case to avoid any ambiguity.
Source: https://www.postgresql.org/docs/current/creating-cluster.html
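The export options above, checked mechanically: this is an added example, not part of the original page, that reads exports(5)-style text and reports `insecure` (requests accepted from unprivileged source ports), `async` or a missing explicit `sync`, `no_root_squash`, and exports open to any host. The function names and the `/export/tmp` sample line are constructed for illustration.

```shell
# Added example: audit exports(5)-style text read from stdin.
# Usage: audit_exports < /etc/exports
# Prints one "path client finding" line per issue, nothing if clean.
audit_exports() {
    awk '
    $1 ~ /^#/ || NF == 0 { next }            # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^#/) break             # trailing comment on the line
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {                     # split "client(opt,opt,...)"
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            shown = (client == "") ? "(any)" : client
            if (client == "" || client == "*")
                print path, shown, "export open to every host"
            mode = ""
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "sync" || o[j] == "async") mode = o[j]
                if (o[j] == "insecure")
                    print path, shown, "insecure: source ports >= 1024 accepted"
                if (o[j] == "no_root_squash")
                    print path, shown, "no_root_squash: client root keeps uid 0"
            }
            if (mode == "async")
                print path, shown, "async: writes acknowledged before reaching disk"
            else if (mode == "")
                print path, shown, "sync not stated explicitly"
        }
    }'
}

# Sample input: the two export lines from this page plus one constructed
# line (/export/tmp) that trips the remaining checks.
sample_exports() {
    cat <<'EOF'
/export 192.168.1.0/24(rw,sync,fsid=0,crossmnt,no_subtree_check) 127.0.0.1(rw,sync,fsid=0,crossmnt,no_subtree_check)
/export/partage 192.168.1.0/24(rw,sync,nohide,insecure,no_subtree_check) 127.0.0.1(rw,sync,nohide,insecure,no_subtree_check)
/export/tmp *(rw,async,no_root_squash)
EOF
}

sample_exports | audit_exports
```

A host separated from its option list by a space, as in `/srv host (rw)`, is parsed as two clients, and the second is reported as open to every host.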
On the client
See: https://learn.microsoft.com/fr-fr/azure/azure-netapp-files/performance-linux-mount-options
apt-get install nfs-common
lsmod | grep nfs
nfsv4 410783 1
dns_resolver 12641 1 nfsv4
nfsd 263032 2
auth_rpcgss 51211 2 nfsd,rpcsec_gss_krb5
nfs_acl 12511 1 nfsd
nfs 188136 2 nfsv4
lockd 83389 2 nfs,nfsd
sunrpc 237402 14 nfs,nfsd,rpcsec_gss_krb5,auth_rpcgss,lockd,nfsv4,nfs_acl
fscache 45542 2 nfs,nfsv4
/etc/default/nfs-common
NEED_STATD=no
STATDOPTS=
NEED_GSSD=no
# Only needed for user mapping in NFSv4
NEED_IDMAPD=no
/etc/fstab
192.168.1.10:/partage /mnt/nfs nfs4 _netdev,noatime,bg,soft,rw,nodev,nosuid,noexec,noauto,proto=tcp,port=2049,vers=4.1,timeo=5,retrans=5,actimeo=10,retry=5 0 0
killall rpc.statd
systemctl disable rpcbind
service rpcbind stop
service nfs-common restart
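An added example, not part of the original page, that checks the client-side options of the /etc/fstab line above against the PostgreSQL requirement quoted earlier: it reads fstab-style text and reports `soft` mounts, missing `nosuid`/`nodev`, and NFS versions that are not pinned. The function names, the `/var/lib/postgresql` mount point and the second and third sample lines are constructed for illustration.

```shell
# Added example: audit NFS entries in fstab(5)-style text read from stdin.
# Usage: audit_nfs_fstab [DB_MOUNTPOINT] < /etc/fstab
# DB_MOUNTPOINT (optional, hypothetical) is a mount holding PostgreSQL data.
# Prints one "mountpoint finding" line per issue, nothing if clean.
audit_nfs_fstab() {
    awk -v db="${1:-}" '
    $1 ~ /^#/ || NF < 4 { next }             # comments and short lines
    $3 != "nfs" && $3 != "nfs4" { next }     # only NFS mounts
    {
        mnt = $2
        split("", has)                        # reset option set per entry
        n = split($4, o, ",")
        for (i = 1; i <= n; i++) {
            key = o[i]
            sub(/=.*/, "", key)               # "vers=4.1" -> "vers"
            has[key] = 1
        }
        if (!("nosuid" in has)) print mnt, "missing nosuid"
        if (!("nodev" in has))  print mnt, "missing nodev"
        if ("soft" in has) {
            if (mnt == db)
                print mnt, "soft on database mount: PostgreSQL requires hard"
            else
                print mnt, "soft: timeouts are returned as I/O errors"
        }
        if ($3 == "nfs" && !("vers" in has) && !("nfsvers" in has))
            print mnt, "NFS version not pinned"
    }'
}

# Sample input: the fstab line from this page, then two constructed lines
# (a soft database mount with no hardening options, and a local disk).
sample_fstab() {
    cat <<'EOF'
192.168.1.10:/partage /mnt/nfs nfs4 _netdev,noatime,bg,soft,rw,nodev,nosuid,noexec,noauto,proto=tcp,port=2049,vers=4.1,timeo=5,retrans=5,actimeo=10,retry=5 0 0
192.168.1.10:/pgdata /var/lib/postgresql nfs rw,soft 0 0
/dev/sda1 / ext4 errors=remount-ro 0 1
EOF
}

sample_fstab | audit_nfs_fstab /var/lib/postgresql
```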
Notes
User UIDs must match (otherwise users can be mapped by name, but in that case Kerberos must be enabled). See “you need to use Kerberos for the mapping to have any effect”: https://help.ubuntu.com/community/NFSv4Howto
See:
- /etc/idmapd.conf
- rpc.mountd --manage-gids (RPCMOUNTDOPTS)
- apt-get install nscd
After modifying /etc/idmapd.conf, run:
nfsidmap -c
With the current configuration, root cannot write to the NFS partition.
The rpcbind service seems to be needed only once, when nfs-kernel-server starts; otherwise nothing listens on TCP port 2049. Disabling it seems possible on RedHat: How can I disable rpcbind on NFSv4-only servers
See /var/lib/nfs/
Disable rpcbind on NFS server (RedHat)
Source: https://www.spinics.net/linux/fedora/fedora-users/msg513100.html
systemctl mask --now rpc-statd.service rpcbind.service rpcbind.socket
systemctl restart nfs-server
Get information about the mount / which NFS version is in use
nfsstat -m
Autofs client
/etc/auto.master
/mnt/nfs /etc/auto.nfs --ghost,--timeout=60
/etc/auto.nfs
partage -fstype=nfs4,noatime,bg,soft,rw,nodev,nosuid,noexec,proto=tcp,port=2049,vers=4.1,timeo=5,retrans=5,actimeo=10,retry=5 192.168.1.10:/partage
Unmount an NFS partition in an error state
umount -lf /mnt/nfs
Listing shares
Mount the / directory and look at its contents.
# mount myserver:/ /mnt/
# cd /mnt/
exports
# ls exports
foo bar
showmount -e 127.0.0.1
The showmount command only displays NFS version 2 and 3 exports.
However, if the server handles both NFSv4 and NFSv3 at the same time, this method will still work.
Other
Which port the server listens on
# rpcinfo -p | grep nfs
rsize=8192,wsize=8192
Rationale: This issue is a bug on the NFS server that involves handling of delegations. NOTE: Disabling delegations may impact performance and depends on your workload. For more information, see What is the performance impact of disabling or enabling NFS4 delegations?. Disable delegations on the NFS server with the following commands:
echo 0 > /proc/sys/fs/leases-enable
sysctl -w fs.leases-enable=0
Diag
Source https://access.redhat.com/solutions/3915571
tshark -Y 'tcp.port == 2049' -r tcpdump.pcap > tcpdump.txt
tshark -Y 'frame.number == 961595' -V -r tcpdump.pcap > tcpdump-frame-961595.txt
grep -A 30 SEQUENCE tcpdump-frame-961595.txt
tshark -r tcpdump.pcap -Y 'rpc.msgtyp == 1 && nfs' | wc -l
tshark -r tcpdump.pcap -Y 'rpc.msgtyp == 1 && nfs.sequence.flags.recallable_state_revoked == 1' | wc -l
Err nfs-server.service is masked (RedHat)
# systemctl enable --now nfs-server.service
Failed to enable unit: Unit file /etc/systemd/system/nfs-server.service is masked.
# ls -l /etc/systemd/system/nfs-server.service
lrwxrwxrwx. 1 root root 9 Apr 24 2024 /etc/systemd/system/nfs-server.service -> /dev/null
# rm /etc/systemd/system/nfs-server.service
rm: remove symbolic link '/etc/systemd/system/nfs-server.service'? y
# systemctl enable --now nfs-server.service
Created symlink /etc/systemd/system/multi-user.target.wants/nfs-server.service → /usr/lib/systemd/system/nfs-server.service.
Job for nfs-server.service canceled.
