# Manage NFS networking using the CLI Using the CLI, you can: * **Configure the NFS cluster level** * [Set the global configuration filesystem](#configure-the-nfs-configuration-filesystem) * [Create interface groups](#create-interface-groups) * [Set interface group ports](#set-interface-group-ports) * [Set interface group IPs](#set-interface-group-ips) * [Configure the service mountd port](#configure-the-service-mountd-port) * [Configure user groups resolution when using the legacy NFS](#configure-user-groups-resolution-when-using-the-legacy-nfs) * **Configure the NFS export level (permissions)** * [Define client access groups](#uploading-a-snapshot-using-the-ui) * [Manage client access groups](#manage-client-access-groups) * [Manage NFS client permissions](#manage-nfs-client-permissions) ## **Configure the NFS cluster level** ### Set the NFS configuration filesystem NFSv4 requires a persistent cluster-wide configuration filesystem for the protocol's internal operations. Use the following command line to set the NFS configuration on the configuration filesystem: `weka nfs global-config set --config-fs ` **Parameters**

Name	Value
`config-fs`*	The predefined filesystem name for maintaining the persisting cluster-wide protocols' configurations. Verify that the filesystem is already created. If not, create it. For details, see #dedicated-filesystem-requirement-for-persistent-protocol-configurations

### Create interface groups **Command:** `weka nfs interface-group add` Use the following command line to add an interface group: `weka nfs interface-group add [--subnet subnet] [--gateway gateway] [--allow-manage-gids allow-manage-gids]` The parameter `allow-manage-gids` determines the type of NFS stack. The default value of this parameter is `on`, which sets the NFS-W stack. {% hint style="warning" %} Do not mount the same filesystem by containers residing in interface groups with different values of the `allow-manage-gids.` {% endhint %} **Example** `weka nfs interface-group add nfsw NFS --subnet 255.255.255.0 --gateway 10.0.1.254` **Parameters**

Name	Value	Default
`name`*	Unique interface group name.
`type`*	Group type. Can only be `NFS`.
`subnet`	The valid subnet mask in the 255.255.0.0 format.	`255.255.255.255`
`gateway`	Gateway valid IP.	`255.255.255.255`
`allow-manage-gids`	Allows the containers within this interface group to use `manage-gids` when set in exports. With `manage-gids`, the list of group IDs received from the client is replaced by a list of group IDs determined by an appropriate lookup on the server. NFS-W: `on` Legacy NFS: `off` Each container can be set to be part of interface groups with the same value of `allow-manage-gids`.	`on`

### Set interface group ports **Commands:** `weka nfs interface-group port add` `weka nfs interface-group port delete` Use the following command lines to add or delete an interface group port: `weka nfs interface-group port add

` `weka nfs interface-group port delete

` **Example** The following command line adds the interface `enp2s0` on the Frontend container-id `3` to the interface group named `nfsw`. `weka nfs interface-group port add nfsw 3 enp2s0` **Parameters**

Name	Value
`name`*	Interface group name.
`container-id`*	Valid frontend container ID on which the port resides. You can obtain the container ID by running the `weka cluster container` command.
`port`*	Valid port's device. Maximum 14 characters. Example: `eth1`.

### Set interface group IPs **Commands:** `weka nfs interface-group ip-range add` `weka nfs interface-group ip-range delete` Use the following command lines to add/delete an interface group IP: `weka nfs interface-group ip-range add ` `weka nfs interface-group ip-range delete ` **Example** The following command line adds IPs in the range `10.0.1.101` to `10.0.1.118` to the interface group named `nfsw`. `weka nfs interface-group ip-range add nfsw 10.0.1.101-118` **Parameters**

Name	Value
`name`*	Interface group name
`ips`*	Valid IP range

### Configure the service mountd port The mountd service receives requests from clients to mount to the NFS server. In NFS-W, it is possible to set it explicitly rather than have it randomly selected on each server startup. This allows an easier setup of the firewalls to allow that port. Use the following command lines to set and view the mountd configuration: `weka nfs global-config set --mountd-port ` `weka nfs global-config show` ### Configure user groups resolution NFS-W can authenticate more than 16 user groups, but it requires the external resolution of the user's groups, which means associating users with their respective group-IDs outside of the NFS protocol. {% hint style="info" %} Configuring more than 16 user groups is not supported with the legacy NFS. {% endhint %} **Procedure** 1. **Configure interface groups:** * Ensure that the `allow-manage-gids` option is set to `on` (default value). See [Create interface groups](#create-interface-groups). 2. **Configure NFS client permissions:** * Set the `manage-gids` option to `on` for the NFS client to enable external group-IDs resolution. See [Set the NFS client permissions](#manage-nfs-client-permissions). 3. **Set up servers for group-IDs retrieval:** * Configure relevant servers to retrieve user group-IDs information.\ This task is specific to NFS-W and does not involve WEKA management. See the following procedure.

Set up the servers to retrieve user's group-IDs information

For the servers that are part of the interface group, set the servers to retrieve the user's group-IDs information in any method that is part of the environment. You can also set the group resolution by joining the AD and Kerberos domains or using LDAP with a read-only user. Configure the `sssd` on the server to serve as a group IDs provider. For example, you can configure the `sssd` directly using LDAP or as a proxy to a different `nss` group IDs provider. **Example: set `sssd` directly for `nss` services using LDAP with a read-only user** ``` [sssd] services = nss config_file_version = 2 domains = LDAP [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap.example.com ldap_search_base = dc=example,dc=com # The DN used to search the ldap directory with. ldap_default_bind_dn = cn=ro_admin,ou=groups,dc=example,dc=com # The password of the bind DN. ldap_default_authtok = password ``` If you use another method than the `sssd` but with a different provider, configure an `sssd proxy` on each relevant server. The proxy is used for the WEKA container to resolve the groups by any method defined on the server. To configure `sssd proxy` on a server, use the following: ``` # install sssd yum install sssd # set up a proxy for WEKA in /etc/sssd/sssd.conf [sssd] services = nss config_file_version = 2 domains = proxy_for_weka [nss] [domain/proxy_for_weka] id_provider = proxy auth_provider = none # the name of the nss lib to be proxied, e.g., ldap, nis, winbind, vas4, etc. proxy_lib_name = ldap ``` All users must be present and resolved in the method used in the `sssd` for the group's resolution. In the above example, using an LDAP-only provider, local users (such as a local root) absent in LDAP do not receive their groups resolved and are denied. For such users or applications, add the LDAP user.

## **Configure the NFS export level (permissions)** ### Define client access groups **Command:** `weka nfs client-group` Use the following command lines to add/delete a client access group: `weka nfs client-group add ` `weka nfs client-group delete ` **Parameters**

Name	Value
`name`*	Valid group name.

### Manage client access groups' rules Clients are part of groups when their IP address or DNS hostname match the rules of that group. Similar to IP routing rules, clients are matched to client groups according to the most specific matching rule. **Command:** `weka nfs rules` #### **Add DNS-based client group rules** Use the following command lines to add a rule that causes a client to be part of a client group based on its DNS hostname: `weka nfs rules add dns ` **Example** `weka nfs rules add dns client-group1 hostname.example.com` #### **Delete DNS-based client group rules** Use the following command lines to delete a rule that causes a client to be part of a client group based on its DNS hostname: `weka nfs rules delete dns ` **Example** `weka nfs rules delete dns client-group1 hostname.example.com` **Parameters**

Name	Value
`name`*	Valid client group name.
`dns`*	DNS rule with *?[] wildcard rules.

#### **Add IP-based client group rules** **Command:** `weka nfs rules` Use the following command lines to add or delete a rule which causes a client to be part of a client group based on its IP and subnet mask (both CIDR and standard subnet mask formats are supported for enhanced flexibility): `weka nfs rules add ip ` **Examples** `weka nfs rules add ip client-group1 192.168.114.0/8`\ `weka nfs rules add ip client-group2 172.16.0.0/255.255.0.0` #### **Delete IP-based client group rules** `weka nfs rules delete ip ` **Examples** `weka nfs rules delete ip client-group1 192.168.114.0/255.255.255.0`\ `weka nfs rules delete ip client-group2 172.16.0.0/16` **Parameters**

Name Value

name* Valid client group name.

ip*

Valid IP address with subnet mask.

Both CIDR and standard subnet mask formats are supported for enhanced flexibility.

CIDR format: 1.1.1.1/16

Standard format: 1.1.1.1/255.255.0.0

### **Manage NFS client permissions** **Command:** `weka nfs permission` Use the following command lines to add NFS permissions: `weka nfs permission add [--path path] [--permission-type permission-type] [--squash squash] [--anon-uid anon-uid] [--anon-gid anon-gid] [--obs-direct obs-direct] [--manage-gids manage-gids] [--privileged-port privileged-port] [--supported-versions supported-versions]` Use the following command lines to update NFS permissions: `weka nfs permission update [--path path] [--permission-type permission-type] [--squash squash] [--anon-uid anon-uid] [--anon-gid anon-gid] [--obs-direct obs-direct] [--manage-gids manage-gids] [--privileged-port privileged-port] [--supported-versions supported-versions]` Use the following command lines to delete NFS permissions: `weka nfs permission delete [--path path]` **Parameters**

Name	Value	Default
`filesystem`*	Existing filesystem name. A filesystem with Required Authentication set to ON cannot be used for NFS client permissions.
`group`*	Existing client group name.
`path`	The root of the valid share path.	/
`permission-type`	Permission type. Possible values: `ro` (read-only), `rw` (read-write)	`rw`
`squash`	Squashing type. Possible values: `none` , `root`, `all` `all` is only applicable for NFS-W. Otherwise, it is treated as `root`.	`none`
`anon-uid`*	Anonymous user ID. Relevant only for root squashing. Possible values: `1` to `65535`.	`65534`
`anon-gid`*	Anonymous user group ID. Relevant only for root squashing. Possible values: `1` to `65535`.	`65534`
`obs-direct`	See Object-store Direct Mount. Possible values: `on`, `off`.	`on`
`manage-gids`	Sets external group IDs resolution. The list of group IDs received from the client is replaced by a list determined by an appropriate lookup on the server. This option is only applicable in NFS-W. Possible values: `on`, `off`.	`off`
`privileged-port`	Sets the share only to be mounted via privileged ports (1-1024), usually allowed by the root user. This option is only applicable in NFS-W. Possible values: `on`, `off`.	`off`
`supported-versions`	A comma-separated list of supported NFS versions. Possible values: `v3`, `v4`. `v4` is only applicable in NFS-W.	`v3`