W E K A
4.1
4.1
  • WEKA v4.1 documentation
  • WEKA System Overview
    • About the WEKA system
    • SSD capacity management
    • Filesystems, object stores, and filesystem groups
    • WEKA networking
    • Data lifecycle management
    • WEKA client and mount modes
    • WEKA containers architecture overview
    • Glossary
  • Getting Started with WEKA
    • Quick installation guide
    • Manage the system using the WEKA CLI
    • Manage the system using the WEKA GUI
    • Run first IOs with WEKA filesystem
    • Getting started with WEKA REST API
  • Planning and Installation
    • Prerequisites for installation
    • WEKA installation on bare metal
      • Plan the WEKA system Installation
      • Prepare the system for WEKA software installation
        • Enable the SR-IOV
      • Obtain the WEKA software installation package
      • WEKA cluster installation
        • WEKA legacy system installation process
      • Add clients
    • WEKA installation on AWS
      • Self-service portal
      • CloudFormation template generator
      • Deployment types
      • AWS outposts deployment
      • Supported EC2 instance types
      • Add clients
      • Auto scaling group
      • Troubleshooting
    • WEKA installation on Azure
    • WEKA installation on GCP
      • WEKA project description
      • Deployment on GCP using Terraform
      • GCP Terraform package description
      • Required services and supported regions
      • Supported machine types and storage
      • Auto-scale instances in GCP
      • Add clients
      • Troubleshooting
  • Performance
    • WEKA performance tests
      • Test environment details
  • WEKA Filesystems & Object Stores
    • Manage object stores
      • Manage object stores using the GUI
      • Manage object stores using the CLI
    • Manage filesystem groups
      • Manage filesystem groups using the GUI
      • Manage filesystem groups using the CLI
    • Manage filesystems
      • Manage filesystems using the GUI
      • Manage filesystems using the CLI
    • Attach or detach object store buckets
      • Attach or detach object store bucket using the GUI
      • Attach or detach object store buckets using the CLI
    • Advanced data lifecycle management
      • Advanced time-based policies for data storage location
      • Data management in tiered filesystems
      • Transition between tiered and SSD-only filesystems
      • Manual fetch and release of data
    • Mount filesystems
    • Snapshots
      • Manage snapshots using the GUI
      • Manage snapshots using the CLI
    • Snap-To-Object
      • Manage Snap-To-Object using the GUI
      • Manage Snap-To-Object using the CLI
    • Quota management
      • Manage quotas using the GUI
      • Manage quotas using the CLI
  • Additional Protocols
    • Manage the NFS protocol
      • Supported NFS client mount options
      • Manage NFS networking using the GUI
      • Manage NFS networking using the CLI
    • Manage the SMB protocol
      • Manage SMB using the GUI
      • Manage SMB using the CLI
    • Manage the S3 protocol
      • S3 cluster management
        • Manage the S3 service using the GUI
        • Manage the S3 service using the CLI
      • S3 buckets management
        • Manage S3 buckets using the GUI
        • Manage S3 buckets using the CLI
      • S3 users and authentication
        • Manage S3 users and authentication using the CLI
        • Manage S3 service accounts using the CLI
      • S3 rules information lifecycle management (ILM)
        • Manage S3 lifecycle rules using the GUI
        • Manage S3 lifecycle rules using the CLI
      • Audit S3 APIs
        • Configure audit webhook using the GUI
        • Configure audit webhook using the CLI
        • Example: How to use Splunk to audit S3
      • S3 supported APIs and limitations
      • S3 examples using boto3
  • Operation Guide
    • Alerts
      • Manage alerts using the GUI
      • Manage alerts using the CLI
      • List of alerts and corrective actions
    • Events
      • Manage events using the GUI
      • Manage events using the CLI
      • List of events
    • Statistics
      • Manage statistics using the GUI
      • Manage statistics using the CLI
      • List of statistics
    • System congestion
    • Security management
      • Obtain authentication tokens
      • KMS management
        • Manage KMS using the GUI
        • Manage KMS using the CLI
      • TLS certificate management
        • Manage the TLS certificate using the GUI
        • Manage the TLS certificate using the CLI
      • CA certificate management
        • Manage the CA certificate using the GUI
        • Manage the CA certificate using the CLI
      • Account lockout threshold policy management
        • Manage the account lockout threshold policy using GUI
        • Manage the account lockout threshold policy using CLI
      • Manage the login banner
        • Manage the login banner using the GUI
        • Manage the login banner using the CLI
    • User management
      • Manage users using the GUI
      • Manage users using the CLI
    • Organizations management
      • Manage organizations using the GUI
      • Manage organizations using the CLI
      • Mount authentication for organization filesystems
    • Expand and shrink cluster resources
      • Add a backend server in a multiple containers architecture
      • Add a backend server in a legacy architecture
      • Expand specific resources of a container
      • Shrink a cluster
    • Background tasks
    • Upgrade WEKA versions
  • Billing & Licensing
    • License overview
    • Classic license
    • Pay-As-You-Go license
  • Support
    • Prerequisites and compatibility
    • Get support for your WEKA system
    • Diagnostics management
      • Traces management
        • Manage traces using the GUI
        • Manage traces using the CLI
      • Protocols debug level management
        • Manage protocols debug level using the GUI
        • Manage protocols debug level using the CLI
      • Diagnostics data management
    • Weka Home - The WEKA support cloud
      • Local Weka Home overview
      • Local Weka Home deployment
      • Set the Local Weka Home to send alerts or events
      • Download the Usage Report or Analytics
  • Appendix
    • WEKA CSI Plugin
    • Set up the WEKAmon external monitoring
    • Set up the SnapTool external snapshots manager
  • REST API Reference Guide
Powered by GitBook
On this page
  • Configure the NFS cluster level
  • Set the global configuration filesystem
  • Create interface groups
  • Set interface group ports
  • Set interface group IPs
  • Configure the service mountd port
  • Configure user groups resolution when using the legacy NFS
  • Configure the NFS export level (permissions)
  • Define client access groups
  • Manage client access groups
  • Manage NFS client permissions
  1. Additional Protocols
  2. Manage the NFS protocol

Manage NFS networking using the CLI

This page describes how to configure the NFS networking using the CLI.

PreviousManage NFS networking using the GUINextManage the SMB protocol

Last updated 1 year ago

Using the CLI, you can:

  • Configure the NFS cluster level

  • Configure the NFS export level (permissions)

Configure the NFS cluster level

Set the global configuration filesystem

The global configuration filesystem is a shared location for persistent cluster-wide NFSv4, S3, and SMB-W protocol configurations. It is recommended to allocate 100 GB to support future system expansions.

Use the following command line to set the configuration filesystem:

weka nfs global-config set --config-fs <config-fs>

Create interface groups

Command: weka nfs interface-group add

Use the following command line to add an interface group:

weka nfs interface-group add <name> <type> [--subnet subnet] [--gateway gateway] [--allow-manage-gids allow-manage-gids]

The parameter allow-manage-gids determines the type of NFS stack. The default value of this parameter is on, which sets the NFS-W stack.

Example

weka nfs interface-group add nfsw NFS --subnet 255.255.255.0 --gateway 10.0.1.254

Notes:

  • Do not mount the same filesystem by containers residing in interface groups with different values of the allow-manage-gids.

  • As a best practice, it is recommended to have only one of the following protocol containers, NFS, SMB, or S3, installed on the same server. Starting from version 4.2, setting more than one additional protocol to the existing POSIX is not allowed.

Parameters

Name

Type

Value

Limitations

Mandatory

Default

name

String

Unique interface group name

Up to 11 characters in length

Yes

type

String

Group type

Can only be NFS

Yes

subnet

String

The subnet mask in the 255.255.0.0 format

Valid netmask

No

255.255.255.255

gateway

String

Gateway IP

Valid IP

No

255.255.255.255

allow-manage-gids

String

Allows the containers within this interface group to use manage-gids when set in exports.

With manage-gids, the list of group IDs received from the client is replaced by a list of group IDs determined by an appropriate lookup on the server.

NFS-W: on

Legacy NFS: off

Each container can be set to be part of interface groups with the same value of allow-manage-gids.

No

on

Set interface group ports

Commands:

weka nfs interface-group port add

weka nfs interface-group port delete

Use the following command lines to add or delete an interface group port:

weka nfs interface-group port add <name> <container-id> <port>

weka nfs interface-group port delete <name> <container-id> <port>

Example

The following command line adds the interface enp2s0 on the Frontend container-id 3 to the interface group named nfsw.

weka nfs interface-group port add nfsw 3 enp2s0

Parameters

Name

Type

Value

Limitations

Mandatory

Default

name

String

Interface group name

None

Yes

container-id

String

Container ID on which the port resides (can be obtained by running the weka cluster container command)

Valid container ID

Yes

port

String

Port's device, e.g., eth1

Valid device

Yes

Set interface group IPs

Commands:

weka nfs interface-group ip-range add

weka nfs interface-group ip-range delete

Use the following command lines to add/delete an interface group IP:

weka nfs interface-group ip-range add <name> <ips>

weka nfs interface-group ip-range delete <name> <ips>

Example

The following command line adds IPs in the range 10.0.1.101 to 10.0.1.118 to the interface group named nfsw.

weka nfs interface-group ip-range add nfsw 10.0.1.101-118

Parameters

Name

Type

Value

Limitations

Mandatory

Default

name

String

Interface group name

None

Yes

ips

String

IP range

Valid IP range

Yes

Note: Cloud environments do not support interface group IPs.

Configure the service mountd port

The mountd service receives requests from clients to mount to the NFS server. In NFS-W, it is possible to set it explicitly rather than have it randomly selected on each server startup. This allows an easier setup of the firewalls to allow that port.

Use the following command lines to set and view the mountd configuration:

weka nfs global-config set --mountd-port <mountd-port>

weka nfs global-config show

Configure user groups resolution when using the legacy NFS

The legacy NFS protocol uses the AUTH_SYS protocol to authenticate clients and grant them access to network resources. This protocol is limited to 16 security groups. Therefore, it truncates the group list to 16 if a user is in more than 16 groups. This can cause an access failure for authorized users.

To ignore the groups passed by the NFS protocol and resolve the user's groups external to the protocol, configure the WEKA system as follows:

Procedure

  3. Set up the relevant servers to retrieve the user's group-IDs information. See the following procedure. (This task does not involve the WEKA management.)

Set up the servers to retrieve user's group-IDs information

For the servers that are part of the interface group, set the servers to retrieve the user's group-IDs information in any method that is part of the environment.

You can also set the group resolution by joining the AD and Kerberos domains or using LDAP with a read-only user.

Configure the sssd on the server to serve as a group IDs provider. For example, you can configure the sssd directly using LDAP or as a proxy to a different nss group IDs provider.

Example: set sssd directly for nss services using LDAP with a read-only user

[sssd]
services = nss
config_file_version = 2
domains = LDAP

[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com

# The DN used to search the ldap directory with. 
ldap_default_bind_dn = cn=ro_admin,ou=groups,dc=example,dc=com

# The password of the bind DN.
ldap_default_authtok = password

If you use another method than the sssd but with a different provider, configure an sssd proxy on each relevant server. The proxy is used for the WEKA container to resolve the groups by any method defined on the server.

To configure sssd proxy on a server, use the following:

# install sssd
yum install sssd

# set up a proxy for WEKA in /etc/sssd/sssd.conf
[sssd]
services = nss
config_file_version = 2
domains = proxy_for_weka

[nss]
[domain/proxy_for_weka]
id_provider = proxy
auth_provider = none
 
# the name of the nss lib to be proxied, e.g., ldap, nis, winbind, vas4, etc.
proxy_lib_name = ldap

All users must be present and resolved in the method used in the sssd for the group's resolution. In the above example, using an LDAP-only provider, local users (such as a local root) absent in LDAP do not receive their groups resolved and are denied. For such users or applications, add the LDAP user.

Configure the NFS export level (permissions)

Define client access groups

Command: weka nfs client-group

Use the following command lines to add/delete a client access group:

weka nfs client-group add <name>

weka nfs client-group delete <name>

Parameters

Name

Type

Value

Limitations

Mandatory

Default

name

String

Group name

Valid name

Yes

Manage client access groups

Add or delete DNS

Command: weka nfs rules

Use the following command lines to add/delete a client group DNS:

weka nfs rules add dns <name> <dns>

weka nfs rules delete dns <name> <dns>

Parameters

Name

Type

Value

Limitations

Mandatory

Default

name

String

Group name

Valid name

Yes

dns

String

DNS rule with *?[] wildcard rules

Yes

Add or delete an IP

Command: weka nfs rules

Use the following command lines to add/delete a client group IP:

weka nfs rules add ip <name> <ip>

weka nfs rules delete ip <name> <ip>

Parameters

Name

Type

Value

Limitations

Mandatory

Default

name

String

Group name

Valid name

Yes

ip

String

IP with netmask rule, in the 1.1.1.1/255.255.0.0 format

Valid IP

Yes

Manage NFS client permissions

Command: weka nfs permission

Use the following command lines to add/update/delete NFS permissions: weka nfs permission add <filesystem> <group> [--path path] [--permission-type permission-type] [--squash squash] [--anon-uid anon-uid] [--anon-gid anon-gid] [--obs-direct obs-direct] [--manage-gids manage-gids] [--privileged-port privileged-port]

weka nfs permission update <filesystem> <group> [--path path] [--permission-type permission-type] [--squash squash] [--anon-uid anon-uid] [--anon-gid anon-gid] [--obs-direct obs-direct] [--manage-gids manage-gids] [--privileged-port privileged-port] [--supported-versions supported-versions]

weka nfs permission delete <filesystem> <group> [--path path]

Parameters

Name

Type

Value

Limitations

Mandatory

Default

filesystem

String

Filesystem name

Existing filesystem. A filesystem set with required authentication cannot be used for NFS client permissions.

Yes

group

String

Client group name

Existing client group

Yes

path

String

The root of the share

Valid path

No

/

permission-type

String

Permission type

ro for read-only or

rw for read-write

No

rw

squash

String

Squashing type

none , root or all all is only applicable in NFS-W. Otherwise, it is treated as root.

No

on

anon-uid

Number

Anonymous user ID (relevant only for root squashing)

Valid UID (between 1 and 65535)

Yes (if root squashing is enabled)

65534

anon-gid

Number

Anonymous user group ID (relevant only for root squashing)

Valid GID (between 1 and 65535)

Yes (if root squashing is enabled)

65534

obs-direct

Boolean

on or off

No

No

manage-gids

String

Sets external group IDs resolution.

The list of group IDs received from the client is replaced by a list of group IDs determined by an appropriate lookup on the server.

on or off.

This option is only applicable in NFS-W.

No

off

privileged-port

String

Sets the share to only be mounted via privileged ports (1-1024), usually only allowed by the root user.

on or off.

This option is only applicable in NFS-W.

No

off

supported-versions

String

A comma-separated list of supported NFS versions.

v3,v4 v4 is only applicable in NFS-W.

No

v3

Ensure the interface group supports the external group-IDs resolution. When , ensure that the allow-manage-gids option is set to on (default value).

for external group-IDs resolution by setting the manage-gids option to on.

See section

Set the global configuration filesystem
Create interface groups
Set interface group ports
Set interface group IPs
Configure the service mountd port
Configure user groups resolution when using the legacy NFS
Define client access groups
Manage client access groups
Manage NFS client permissions
creating interface groups
Set the NFS client permissions
Object-store Direct Mount