4.2

Manage NFS networking using the CLI

This page describes how to configure the NFS networking using the CLI.

Using the CLI, you can:

Configure the NFS cluster level

Set the NFS configuration filesystem

NFSv4 requires a persistent cluster-wide configuration filesystem for the protocol's internal operations.

Use the following command line to set the NFS configuration on the configuration filesystem:

weka nfs global-config set --config-fs <config-fs>

Parameters

Create interface groups

Command: weka nfs interface-group add

Use the following command line to add an interface group:

weka nfs interface-group add <name> <type> [--subnet subnet] [--gateway gateway] [--allow-manage-gids allow-manage-gids]

The parameter allow-manage-gids determines the type of NFS stack. The default value of this parameter is on, which sets the NFS-W stack.

Do not mount the same filesystem by containers residing in interface groups with different values of the allow-manage-gids.

Example

weka nfs interface-group add nfsw NFS --subnet 255.255.255.0 --gateway 10.0.1.254

Parameters

Set interface group ports

Commands:

weka nfs interface-group port add

weka nfs interface-group port delete

Use the following command lines to add or delete an interface group port:

weka nfs interface-group port add <name> <container-id> <port>

weka nfs interface-group port delete <name> <container-id> <port>

Example

The following command line adds the interface enp2s0 on the Frontend container-id 3 to the interface group named nfsw.

weka nfs interface-group port add nfsw 3 enp2s0

Parameters

Set interface group IPs

Commands:

weka nfs interface-group ip-range add

weka nfs interface-group ip-range delete

Use the following command lines to add/delete an interface group IP:

weka nfs interface-group ip-range add <name> <ips>

weka nfs interface-group ip-range delete <name> <ips>

Example

The following command line adds IPs in the range 10.0.1.101 to 10.0.1.118 to the interface group named nfsw.

weka nfs interface-group ip-range add nfsw 10.0.1.101-118

Parameters

Configure the service mountd port

The mountd service receives requests from clients to mount to the NFS server. In NFS-W, it is possible to set it explicitly rather than have it randomly selected on each server startup. This allows an easier setup of the firewalls to allow that port.

Use the following command lines to set and view the mountd configuration:

weka nfs global-config set --mountd-port <mountd-port>

weka nfs global-config show

Configure user groups resolution

NFS-W can authenticate more than 16 user groups, but it requires the external resolution of the user's groups, which means associating users with their respective group-IDs outside of the NFS protocol.

Configuring more than 16 user groups is not supported with the legacy NFS.

Procedure

  1. Configure interface groups:

  2. Configure NFS client permissions:

  3. Set up servers for group-IDs retrieval:

    • Configure relevant servers to retrieve user group-IDs information. This task is specific to NFS-W and does not involve WEKA management. See the following procedure.

Set up the servers to retrieve user's group-IDs information

For the servers that are part of the interface group, set the servers to retrieve the user's group-IDs information in any method that is part of the environment.

You can also set the group resolution by joining the AD and Kerberos domains or using LDAP with a read-only user.

Configure the sssd on the server to serve as a group IDs provider. For example, you can configure the sssd directly using LDAP or as a proxy to a different nss group IDs provider.

Example: set sssd directly for nss services using LDAP with a read-only user

[sssd]
services = nss
config_file_version = 2
domains = LDAP

[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com

# The DN used to search the ldap directory with. 
ldap_default_bind_dn = cn=ro_admin,ou=groups,dc=example,dc=com

# The password of the bind DN.
ldap_default_authtok = password

If you use another method than the sssd but with a different provider, configure an sssd proxy on each relevant server. The proxy is used for the WEKA container to resolve the groups by any method defined on the server.

To configure sssd proxy on a server, use the following:

# install sssd
yum install sssd

# set up a proxy for WEKA in /etc/sssd/sssd.conf
[sssd]
services = nss
config_file_version = 2
domains = proxy_for_weka

[nss]
[domain/proxy_for_weka]
id_provider = proxy
auth_provider = none
 
# the name of the nss lib to be proxied, e.g., ldap, nis, winbind, vas4, etc.
proxy_lib_name = ldap

All users must be present and resolved in the method used in the sssd for the group's resolution. In the above example, using an LDAP-only provider, local users (such as a local root) absent in LDAP do not receive their groups resolved and are denied. For such users or applications, add the LDAP user.

Configure the NFS export level (permissions)

Define client access groups

Command: weka nfs client-group

Use the following command lines to add/delete a client access group:

weka nfs client-group add <name>

weka nfs client-group delete <name>

Parameters

Manage client access groups' rules

Clients are part of groups when their IP address or DNS hostname match the rules of that group. Similar to IP routing rules, clients are matched to client groups according to the most specific matching rule.

Command: weka nfs rules

Add DNS-based client group rules

Use the following command lines to add a rule that causes a client to be part of a client group based on its DNS hostname:

weka nfs rules add dns <name> <dns>

Example

weka nfs rules add dns client-group1 hostname.example.com

Delete DNS-based client group rules

Use the following command lines to delete a rule that causes a client to be part of a client group based on its DNS hostname:

weka nfs rules delete dns <name> <dns>

Example

weka nfs rules delete dns client-group1 hostname.example.com

Parameters

Add IP-based client group rules

Command: weka nfs rules

Use the following command lines to add or delete a rule which causes a client to be part of a client group based on its IP and subnet mask (both CIDR and standard subnet mask formats are supported for enhanced flexibility):

weka nfs rules add ip <name> <ip>

Examples

weka nfs rules add ip client-group1 192.168.114.0/8 weka nfs rules add ip client-group2 172.16.0.0/255.255.0.0

Delete IP-based client group rules

weka nfs rules delete ip <name> <ip>

Examples

weka nfs rules delete ip client-group1 192.168.114.0/255.255.255.0 weka nfs rules delete ip client-group2 172.16.0.0/16

Parameters

Manage NFS client permissions

Command: weka nfs permission

Use the following command lines to add NFS permissions:

weka nfs permission add <filesystem> <group> [--path path] [--permission-type permission-type] [--squash squash] [--anon-uid anon-uid] [--anon-gid anon-gid] [--obs-direct obs-direct] [--manage-gids manage-gids] [--privileged-port privileged-port] [--supported-versions supported-versions]

Use the following command lines to update NFS permissions:

weka nfs permission update <filesystem> <group> [--path path] [--permission-type permission-type] [--squash squash] [--anon-uid anon-uid] [--anon-gid anon-gid] [--obs-direct obs-direct] [--manage-gids manage-gids] [--privileged-port privileged-port] [--supported-versions supported-versions]

Use the following command lines to delete NFS permissions:

weka nfs permission delete <filesystem> <group> [--path path]

Parameters

PreviousManage NFS networking using the GUINextManage the S3 protocol

Last updated