Manage NFS networking using the CLI

This page describes how to configure the NFS networking using the CLI.

Using the CLI, you can:

Configure the NFS cluster level
Configure the NFS export level (permissions)

Configure the NFS cluster level

Set the global configuration filesystem

The global configuration filesystem is a shared location for persistent cluster-wide NFSv4, S3, and SMB-W protocol configurations. It is recommended to allocate 100 GB to support future system expansions.

Use the following command line to set the configuration filesystem:

weka nfs global-config set --config-fs <config-fs>

Create interface groups

Command: weka nfs interface-group add

Use the following command line to add an interface group:

weka nfs interface-group add <name> <type> [--subnet subnet] [--gateway gateway] [--allow-manage-gids allow-manage-gids]

The parameter allow-manage-gids determines the type of NFS stack. The default value of this parameter is on, which sets the NFS-W stack.

Example

weka nfs interface-group add nfsw NFS --subnet 255.255.255.0 --gateway 10.0.1.254

Notes:

Do not mount the same filesystem by containers residing in interface groups with different values of the allow-manage-gids.
As a best practice, it is recommended to have only one of the following protocol containers, NFS, SMB, or S3, installed on the same server. Starting from version 4.2, setting more than one additional protocol to the existing POSIX is not allowed.

Parameters

Name

Type

Value

Limitations

Mandatory

Default

name

String

Unique interface group name

Up to 11 characters in length

Yes

type

String

Group type

Can only be NFS

Yes

subnet

String

The subnet mask in the 255.255.0.0 format

Valid netmask

255.255.255.255

gateway

String

Gateway IP

Valid IP

255.255.255.255

allow-manage-gids

String

Allows the containers within this interface group to use manage-gids when set in exports.

With manage-gids, the list of group IDs received from the client is replaced by a list of group IDs determined by an appropriate lookup on the server.

NFS-W: on

Legacy NFS: off

Each container can be set to be part of interface groups with the same value of allow-manage-gids.

on

Set interface group ports

Commands:

weka nfs interface-group port add

weka nfs interface-group port delete

Use the following command lines to add or delete an interface group port:

weka nfs interface-group port add <name> <container-id> <port>

weka nfs interface-group port delete <name> <container-id> <port>

Example

The following command line adds the interface enp2s0 on the Frontend container-id 3 to the interface group named nfsw.

weka nfs interface-group port add nfsw 3 enp2s0

Parameters

Name

Type

Value

Limitations

Mandatory

Default

name

String

Interface group name

None

Yes

container-id

String

Container ID on which the port resides (can be obtained by running the weka cluster container command)

Valid container ID

Yes

port

String

Port's device, e.g., eth1

Valid device

Yes

Set interface group IPs

Commands:

weka nfs interface-group ip-range add

weka nfs interface-group ip-range delete

Use the following command lines to add/delete an interface group IP:

weka nfs interface-group ip-range add <name> <ips>

weka nfs interface-group ip-range delete <name> <ips>

Example

The following command line adds IPs in the range 10.0.1.101 to 10.0.1.118 to the interface group named nfsw.

weka nfs interface-group ip-range add nfsw 10.0.1.101-118

Parameters

Name

Type

Value

Limitations

Mandatory

Default

name

String

Interface group name

None

Yes

ips

String

IP range

Valid IP range

Yes

Note: Cloud environments do not support interface group IPs.

Configure the service mountd port

The mountd service receives requests from clients to mount to the NFS server. In NFS-W, it is possible to set it explicitly rather than have it randomly selected on each server startup. This allows an easier setup of the firewalls to allow that port.

Use the following command lines to set and view the mountd configuration:

weka nfs global-config set --mountd-port <mountd-port>

weka nfs global-config show

Configure user groups resolution when using the legacy NFS

The legacy NFS protocol uses the AUTH_SYS protocol to authenticate clients and grant them access to network resources. This protocol is limited to 16 security groups. Therefore, it truncates the group list to 16 if a user is in more than 16 groups. This can cause an access failure for authorized users.

To ignore the groups passed by the NFS protocol and resolve the user's groups external to the protocol, configure the WEKA system as follows:

Procedure

Ensure the interface group supports the external group-IDs resolution. When creating interface groups, ensure that the allow-manage-gids option is set to on (default value).
Set the NFS client permissions for external group-IDs resolution by setting the manage-gids option to on.
Set up the relevant servers to retrieve the user's group-IDs information. See the following procedure. (This task does not involve the WEKA management.)

Set up the servers to retrieve user's group-IDs information

For the servers that are part of the interface group, set the servers to retrieve the user's group-IDs information in any method that is part of the environment.

You can also set the group resolution by joining the AD and Kerberos domains or using LDAP with a read-only user.

Configure the sssd on the server to serve as a group IDs provider. For example, you can configure the sssd directly using LDAP or as a proxy to a different nss group IDs provider.

Example: set sssd directly for nss services using LDAP with a read-only user

[sssd]
services = nss
config_file_version = 2
domains = LDAP

[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com

# The DN used to search the ldap directory with. 
ldap_default_bind_dn = cn=ro_admin,ou=groups,dc=example,dc=com

# The password of the bind DN.
ldap_default_authtok = password

If you use another method than the sssd but with a different provider, configure an sssd proxy on each relevant server. The proxy is used for the WEKA container to resolve the groups by any method defined on the server.

To configure sssd proxy on a server, use the following:

# install sssd
yum install sssd

# set up a proxy for WEKA in /etc/sssd/sssd.conf
[sssd]
services = nss
config_file_version = 2
domains = proxy_for_weka

[nss]
[domain/proxy_for_weka]
id_provider = proxy
auth_provider = none
 
# the name of the nss lib to be proxied, e.g., ldap, nis, winbind, vas4, etc.
proxy_lib_name = ldap

All users must be present and resolved in the method used in the sssd for the group's resolution. In the above example, using an LDAP-only provider, local users (such as a local root) absent in LDAP do not receive their groups resolved and are denied. For such users or applications, add the LDAP user.

Configure the NFS export level (permissions)

Define client access groups

Command: weka nfs client-group

Use the following command lines to add/delete a client access group:

weka nfs client-group add <name>

weka nfs client-group delete <name>

Parameters

Name

Type

Value

Limitations

Mandatory

Default

name

String

Group name

Valid name

Yes

Manage client access groups

Add or delete DNS

Command: weka nfs rules

Use the following command lines to add/delete a client group DNS:

weka nfs rules add dns <name> <dns>

weka nfs rules delete dns <name> <dns>

Parameters

Name

Type

Value

Limitations

Mandatory

Default

name

String

Group name

Valid name

Yes

dns

String

DNS rule with *?[] wildcard rules

Yes

Add or delete an IP

Command: weka nfs rules

Use the following command lines to add/delete a client group IP:

weka nfs rules add ip <name> <ip>

weka nfs rules delete ip <name> <ip>

Parameters

Name

Type

Value

Limitations

Mandatory

Default

name

String

Group name

Valid name

Yes

ip

String

IP with netmask rule, in the 1.1.1.1/255.255.0.0 format

Valid IP

Yes

Manage NFS client permissions

Command: weka nfs permission

Use the following command lines to add/update/delete NFS permissions: weka nfs permission add <filesystem> <group> [--path path] [--permission-type permission-type] [--squash squash] [--anon-uid anon-uid] [--anon-gid anon-gid] [--obs-direct obs-direct] [--manage-gids manage-gids] [--privileged-port privileged-port]

weka nfs permission update <filesystem> <group> [--path path] [--permission-type permission-type] [--squash squash] [--anon-uid anon-uid] [--anon-gid anon-gid] [--obs-direct obs-direct] [--manage-gids manage-gids] [--privileged-port privileged-port] [--supported-versions supported-versions]

weka nfs permission delete <filesystem> <group> [--path path]

Parameters

Name

Type

Value

Limitations

Mandatory

Default

filesystem

String

Filesystem name

Existing filesystem. A filesystem set with required authentication cannot be used for NFS client permissions.

Yes

group

String

Client group name

Existing client group

Yes

path

String

The root of the share

Valid path

permission-type

String

Permission type

ro for read-only or

rw for read-write

rw

squash

String

Squashing type

none , root or all all is only applicable in NFS-W. Otherwise, it is treated as root.

on

anon-uid

Number

Anonymous user ID (relevant only for root squashing)

Valid UID (between 1 and 65535)

Yes (if root squashing is enabled)

65534

anon-gid

Number

Anonymous user group ID (relevant only for root squashing)

Valid GID (between 1 and 65535)

Yes (if root squashing is enabled)

65534

obs-direct

Boolean

See Object-store Direct Mount section

on or off

manage-gids

String

Sets external group IDs resolution.

The list of group IDs received from the client is replaced by a list of group IDs determined by an appropriate lookup on the server.

on or off.

This option is only applicable in NFS-W.

off

privileged-port

String

Sets the share to only be mounted via privileged ports (1-1024), usually only allowed by the root user.

on or off.

This option is only applicable in NFS-W.

off

supported-versions

String

A comma-separated list of supported NFS versions.

v3,v4 v4 is only applicable in NFS-W.

v3

PreviousManage NFS networking using the GUI NextManage the SMB protocol

Last updated 1 year ago