Links

Manage NFS networking using the CLI

This page describes how to configure the NFS networking using the CLI.
Using the CLI, you can:

Configure the NFS cluster level

Set the NFS configuration filesystem

NFSv4 requires a persistent cluster-wide configuration filesystem for internal operations of the protocol.
Use the following command line to set the NFS configuration on the configuration filesystem:
weka nfs global-config set --config-fs <config-fs>
Parameters
Name
Value
config-fs*
The predefined filesystem name for maintaining the persisting cluster-wide protocol configurations. Ensure the filesystem is already created. If not, create a filesystem with 100 GB capacity.

Create interface groups

Command: weka nfs interface-group add
Use the following command line to add an interface group:
weka nfs interface-group add <name> <type> [--subnet subnet] [--gateway gateway] [--allow-manage-gids allow-manage-gids]
The parameter allow-manage-gids determines the type of NFS stack. The default value of this parameter is on, which sets the NFS-W stack.
Do not mount the same filesystem by containers residing in interface groups with different values of the allow-manage-gids.
Example
weka nfs interface-group add nfsw NFS --subnet 255.255.255.0 --gateway 10.0.1.254
Parameters
Name
Value
Default
name*
Unique interface group name. Supports a maximum of 11 characters.
type*
Group type. Can only be NFS.
subnet
The valid subnet mask in the 255.255.0.0 format.
255.255.255.255
gateway
Gateway valid IP.
255.255.255.255
allow-manage-gids
Allows the containers within this interface group to use manage-gids when set in exports.
With manage-gids, the list of group IDs received from the client is replaced by a list of group IDs determined by an appropriate lookup on the server. NFS-W: on
Legacy NFS: off
Each container can be set to be part of interface groups with the same value of allow-manage-gids.
on

Set interface group ports

Commands:
weka nfs interface-group port add
weka nfs interface-group port delete
Use the following command lines to add or delete an interface group port:
weka nfs interface-group port add <name> <container-id> <port>
weka nfs interface-group port delete <name> <container-id> <port>
Example
The following command line adds the interface enp2s0 on the Frontend container-id 3 to the interface group named nfsw.
weka nfs interface-group port add nfsw 3 enp2s0
Parameters
Name
Value
name*
Interface group name.
container-id*
Valid frontend container ID on which the port resides. You can obtain the container ID by running the weka cluster container command.
port*
Valid port's device. Example: eth1.

Set interface group IPs

Commands:
weka nfs interface-group ip-range add
weka nfs interface-group ip-range delete
Use the following command lines to add/delete an interface group IP:
weka nfs interface-group ip-range add <name> <ips>
weka nfs interface-group ip-range delete <name> <ips>
Example
The following command line adds IPs in the range 10.0.1.101 to 10.0.1.118 to the interface group named nfsw.
weka nfs interface-group ip-range add nfsw 10.0.1.101-118
Parameters
Name
Value
name*
Interface group name
ips*
Valid IP range
Cloud environments do not support interface group IPs.

Configure the service mountd port

The mountd service receives requests from clients to mount to the NFS server. In NFS-W, it is possible to set it explicitly rather than have it randomly selected on each server startup. This allows an easier setup of the firewalls to allow that port.
Use the following command lines to set and view the mountd configuration:
weka nfs global-config set --mountd-port <mountd-port>
weka nfs global-config show

Configure user groups resolution when using the legacy NFS

The legacy NFS protocol uses the AUTH_SYS protocol to authenticate clients and grant them access to network resources. This protocol is limited to 16 security groups. Therefore, it truncates the group list to 16 if a user is in more than 16 groups. This can cause an access failure for authorized users.
To ignore the groups passed by the NFS protocol and resolve the user's groups external to the protocol, configure the WEKA system as follows:
Procedure
  1. 1.
    Ensure the interface group supports the external group-IDs resolution. When creating interface groups, ensure that the allow-manage-gids option is set to on (default value).
  2. 2.
    Set the NFS client permissions for external group-IDs resolution by setting the manage-gids option to on.
  3. 3.
    Set up the relevant servers to retrieve the user's group-IDs information. See the following procedure. (This task does not involve the WEKA management.)
Set up the servers to retrieve user's group-IDs information
For the servers that are part of the interface group, set the servers to retrieve the user's group-IDs information in any method that is part of the environment.
You can also set the group resolution by joining the AD and Kerberos domains or using LDAP with a read-only user.
Configure the sssd on the server to serve as a group IDs provider. For example, you can configure the sssd directly using LDAP or as a proxy to a different nss group IDs provider.
Example: set sssd directly for nss services using LDAP with a read-only user
[sssd]
services = nss
config_file_version = 2
domains = LDAP
[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
# The DN used to search the ldap directory with.
ldap_default_bind_dn = cn=ro_admin,ou=groups,dc=example,dc=com
# The password of the bind DN.
ldap_default_authtok = password
If you use another method than the sssd but with a different provider, configure an sssd proxy on each relevant server. The proxy is used for the WEKA container to resolve the groups by any method defined on the server.
To configure sssd proxy on a server, use the following:
# install sssd
yum install sssd
# set up a proxy for WEKA in /etc/sssd/sssd.conf
[sssd]
services = nss
config_file_version = 2
domains = proxy_for_weka
[nss]
[domain/proxy_for_weka]
id_provider = proxy
auth_provider = none
# the name of the nss lib to be proxied, e.g., ldap, nis, winbind, vas4, etc.
proxy_lib_name = ldap
All users must be present and resolved in the method used in the sssd for the group's resolution. In the above example, using an LDAP-only provider, local users (such as a local root) absent in LDAP do not receive their groups resolved and are denied. For such users or applications, add the LDAP user.

Configure the NFS export level (permissions)

Define client access groups

Command: weka nfs client-group
Use the following command lines to add/delete a client access group:
weka nfs client-group add <name>
weka nfs client-group delete <name>
Parameters
Name
Value
name*
Valid group name.

Manage client access groups' rules

Clients are part of groups when their IP address or DNS hostname match the rules of that group. Similar to IP routing rules, clients are matched to client groups according to the most specific matching rule.
Command: weka nfs rules

Add DNS-based client group rules

Use the following command lines to add a rule that causes a client to be part of a client group based on its DNS hostname:
weka nfs rules add dns <name> <dns>
Example
weka nfs rules add dns client-group1 hostname.example.com

Delete DNS-based client group rules

Use the following command lines to delete a rule that causes a client to be part of a client group based on its DNS hostname:
weka nfs rules delete dns <name> <dns>
Example
weka nfs rules delete dns client-group1 hostname.example.com
Parameters
Name
Value
name*
Valid client group name.
dns*
DNS rule with *?[] wildcard rules.

Add IP-based client group rules

Command: weka nfs rules
Use the following command lines to add or delete a rule which causes a client to be part of a client group based on its IP and subnet mask:
weka nfs rules add ip <name> <ip/subnet mask>
Examples
weka nfs rules add ip client-group1 192.168.114.0/8 weka nfs rules add ip client-group2 172.16.0.0/16

Delete IP-based client group rules

weka nfs rules delete ip <name> <ip/subnet mask>
Examples
weka nfs rules delete ip client-group1 192.168.114.0/8 weka nfs rules delete ip client-group2 172.16.0.0/16
Parameters
Name
Value
name*
Valid client group name.
ip*
Valid IP address with a subnet mask.
The subnet mask is represented in CIDR (Classless Inter-Domain Routing) format.
Examples of subnet masks in CIDR format:
  • A value of 16 corresponds to a subnet mask of 255.255.0.0.
  • A value of 8 corresponds to a subnet mask of 255.255.255.0.
Format: 1.1.1.1/16

Manage NFS client permissions

Command: weka nfs permission
Use the following command lines to add NFS permissions:
weka nfs permission add <filesystem> <group> [--path path] [--permission-type permission-type] [--squash squash] [--anon-uid anon-uid] [--anon-gid anon-gid] [--obs-direct obs-direct] [--manage-gids manage-gids] [--privileged-port privileged-port] [--supported-versions supported-versions]
Use the following command lines to update NFS permissions:
weka nfs permission update <filesystem> <group> [--path path] [--permission-type permission-type] [--squash squash] [--anon-uid anon-uid] [--anon-gid anon-gid] [--obs-direct obs-direct] [--manage-gids manage-gids] [--privileged-port privileged-port] [--supported-versions supported-versions]
Use the following command lines to delete NFS permissions:
weka nfs permission delete <filesystem> <group> [--path path]
Parameters
Name
Value
Default
filesystem*
Existing filesystem name. A filesystem with Required Authentication set to ON cannot be used for NFS client permissions.
group*
Existing client group name.
path
The root of the valid share path.
/
permission-type
Permission type. Possible values: ro (read-only), rw (read-write)
rw
squash
Squashing type. Possible values: none , root, all all is only applicable for NFS-W. Otherwise, it is treated as root.
none
anon-uid*
Anonymous user ID. Relevant only for root squashing. Possible values: 1 to 65535.
65534
anon-gid*
Anonymous user group ID. Relevant only for root squashing. Possible values: 1 to 65535.
65534
obs-direct
See Object-store Direct Mount. Possible values: on, off.
on
manage-gids
Sets external group IDs resolution.
The list of group IDs received from the client is replaced by a list determined by an appropriate lookup on the server. This option is only applicable in NFS-W. Possible values: on, off.
off
privileged-port
Sets the share only to be mounted via privileged ports (1-1024), usually allowed by the root user. This option is only applicable in NFS-W. Possible values: on, off.
off
supported-versions
A comma-separated list of supported NFS versions. Possible values: v3, v4. v4 is only applicable in NFS-W.
v3