Manage NFS networking using the CLI

This page describes how to configure the NFS networking using the CLI.

Using the CLI, you can:
Configure the NFS cluster level
​Set the global configuration filesystem​
​Create interface groups​
​Set interface group ports​
​Set interface group IPs​
​Configure the service mountd port​
​Configure user groups resolution when using the legacy NFS​
Configure the NFS export level (permissions)
​Define client access groups​
​Manage client access groups​
​Manage NFS client permissions​
Configure the NFS cluster level
Set the NFS configuration filesystem
NFSv4 requires a persistent cluster-wide configuration filesystem for internal operations of the protocol.
Use the following command line to set the NFS configuration on the configuration filesystem:
weka nfs global-config set --config-fs <config-fs> 
Parameters
Name
Value
config-fs*
The predefined filesystem name for maintaining the persisting cluster-wide protocol configurations.
Ensure the filesystem is already created. If not, create a filesystem with 100 GB capacity.
Create interface groups
Command: weka nfs interface-group add
Use the following command line to add an interface group:
weka nfs interface-group add <name> <type> [--subnet subnet] [--gateway gateway] [--allow-manage-gids allow-manage-gids]
The parameter allow-manage-gids determines the type of NFS stack. The default value of this parameter is on, which sets the NFS-W stack.
Do not mount the same filesystem by containers residing in interface groups with different values of the allow-manage-gids.
Example
weka nfs interface-group add nfsw NFS  --subnet 255.255.255.0 --gateway 10.0.1.254
Parameters
Name
Value
Default
name*
Unique interface group name.
Supports a maximum of 11 characters.
​
type*
Group type.
Can only be  NFS.
​
subnet
The valid subnet mask in the 255.255.0.0 format.
255.255.255.255
gateway
Gateway valid IP.
255.255.255.255
allow-manage-gids
Allows the containers within this interface group to use manage-gids when set in exports. 
With manage-gids, the list of group IDs received from the client is replaced by a list of group IDs determined by an appropriate lookup on the server.

NFS-W: on
Legacy NFS: off
​
Each container can be set to be part of interface groups with the same value of allow-manage-gids.
on
Set interface group ports
Commands:
weka nfs interface-group port add
weka nfs interface-group port delete
Use the following command lines to add or delete an interface group port:
weka nfs interface-group port add <name> <container-id> <port>
weka nfs interface-group port delete <name> <container-id> <port>
Example
The following command line adds the interface enp2s0 on the Frontend container-id 3 to the interface group named nfsw.
weka nfs interface-group port add nfsw 3 enp2s0
Parameters
Name
Value
name*
Interface group name.
container-id*
Valid frontend container ID on which the port resides. You can obtain the container ID by running the weka cluster container command.
port*
Valid port's device.
Example: eth1.
Set interface group IPs
Commands: 
weka nfs interface-group ip-range add
weka nfs interface-group ip-range delete
Use the following command lines to add/delete an interface group IP:
weka nfs interface-group ip-range add <name> <ips>
weka nfs interface-group ip-range delete <name> <ips>
Example
The following command line adds IPs in the range 10.0.1.101 to 10.0.1.118 to the interface group named nfsw.
weka nfs interface-group ip-range add nfsw 10.0.1.101-118
Parameters
Name
Value
name*
Interface group name
ips*
Valid IP range
Cloud environments do not support interface group IPs.
Configure the service mountd port
The mountd service receives requests from clients to mount to the NFS server. In NFS-W, it is possible to set it explicitly rather than have it randomly selected on each server startup. This allows an easier setup of the firewalls to allow that port.
Use the following command lines to set and view the mountd configuration:
weka nfs global-config set --mountd-port <mountd-port> 
weka nfs global-config show
Configure user groups resolution when using the legacy NFS
The legacy NFS protocol uses the AUTH_SYS protocol to authenticate clients and grant them access to network resources. This protocol is limited to 16 security groups. Therefore, it truncates the group list to 16 if a user is in more than 16 groups. This can cause an access failure for authorized users.
To ignore the groups passed by the NFS protocol and resolve the user's groups external to the protocol, configure the WEKA system as follows:
Procedure
1.Ensure the interface group supports the external group-IDs resolution. When creating interface groups, ensure that the allow-manage-gids option is set to on (default value). 
2.​Set the NFS client permissions for external group-IDs resolution by setting the manage-gids option to on.
3.Set up the relevant servers to retrieve the user's group-IDs information. See the following procedure. (This task does not involve the WEKA management.)
Set up the servers to retrieve user's group-IDs information
For the servers that are part of the interface group, set the servers to retrieve the user's group-IDs information in any method that is part of the environment.
You can also set the group resolution by joining the AD and Kerberos domains or using LDAP with a read-only user.
Configure the sssd on the server to serve as a group IDs provider. For example, you can configure the sssd directly using LDAP or as a proxy to a different nss group IDs provider.
Example: set sssd directly for nss services using LDAP with a read-only user
[sssd]
services = nss
config_file_version = 2
domains = LDAP
​
[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
​
# The DN used to search the ldap directory with. 
ldap_default_bind_dn = cn=ro_admin,ou=groups,dc=example,dc=com
​
# The password of the bind DN.
ldap_default_authtok = password
​
If you use another method than the sssd but with a different provider, configure an sssd proxy on each relevant server. The proxy is used for the WEKA container to resolve the groups by any method defined on the server.
To configure sssd proxy on a server, use the following:
# install sssd
yum install sssd
​
# set up a proxy for WEKA in /etc/sssd/sssd.conf
[sssd]
services = nss
config_file_version = 2
domains = proxy_for_weka
​
[nss]
[domain/proxy_for_weka]
id_provider = proxy
auth_provider = none
 
# the name of the nss lib to be proxied, e.g., ldap, nis, winbind, vas4, etc.
proxy_lib_name = ldap
All users must be present and resolved in the method used in the sssd for the group's resolution. In the above example, using an LDAP-only provider, local users (such as a local root) absent in LDAP do not receive their groups resolved and are denied. For such users or applications, add the LDAP user.
Configure the NFS export level (permissions)
Define client access groups
Command: weka nfs client-group
Use the following command lines to add/delete a client access group:
weka nfs client-group add <name>
weka nfs client-group delete <name>
Parameters
Name
Value
name*
Valid group name.
Manage client access groups' rules
Clients are part of groups when their IP address or DNS hostname match the rules of that group. Similar to IP routing rules, clients are matched to client groups according to the most specific matching rule.
Command: weka nfs rules
Add DNS-based client group rules
Use the following command lines to add a rule that causes a client to be part of a client group based on its DNS hostname:
weka nfs rules add dns <name> <dns>
Example
 weka nfs rules add dns client-group1 hostname.example.com
Delete DNS-based client group rules
Use the following command lines to delete a rule that causes a client to be part of a client group based on its DNS hostname:
weka nfs rules delete dns <name> <dns>
Example
weka nfs rules delete dns client-group1 hostname.example.com
Parameters
Name
Value
name*
Valid client group name.
dns*
DNS rule with *?[] wildcard rules.
Add IP-based client group rules
Command: weka nfs rules
Use the following command lines to add or delete a rule which causes a client to be part of a client group based on its IP and subnet mask:
weka nfs rules add ip <name> <ip/subnet mask>
Examples
 weka nfs rules add ip client-group1 192.168.114.0/8
 weka nfs rules add ip client-group2 172.16.0.0/16
Delete IP-based client group rules
weka nfs rules delete ip <name> <ip/subnet mask>
Examples
 weka nfs rules delete ip client-group1 192.168.114.0/8
 weka nfs rules delete ip client-group2 172.16.0.0/16
Parameters
Name
Value
name*
Valid client group name.
ip*
Valid IP address with a subnet mask.
The subnet mask is represented in CIDR (Classless Inter-Domain Routing) format.
Examples of subnet masks in CIDR format:
A value of 16 corresponds to a subnet mask of 255.255.0.0.
A value of 8 corresponds to a subnet mask of 255.255.255.0.
Format: 1.1.1.1/16
Manage NFS client permissions
Command: weka nfs permission
Use the following command lines to add NFS permissions:
weka nfs permission add <filesystem> <group> [--path path] [--permission-type permission-type] [--squash squash] [--anon-uid anon-uid] [--anon-gid anon-gid] [--obs-direct obs-direct] [--manage-gids manage-gids] [--privileged-port privileged-port] [--supported-versions supported-versions]
Use the following command lines to update NFS permissions:
weka nfs permission update <filesystem> <group> [--path path] [--permission-type permission-type] [--squash squash] [--anon-uid anon-uid] [--anon-gid anon-gid] [--obs-direct obs-direct] [--manage-gids manage-gids] [--privileged-port privileged-port] [--supported-versions supported-versions]
Use the following command lines to delete NFS permissions:
weka nfs permission delete <filesystem> <group> [--path path]
Parameters
Name
Value
Default
filesystem*
Existing filesystem name.
A filesystem with Required Authentication set to ON cannot be used for NFS client permissions.
​
 group*
Existing client group name.
​
 path
The root of the valid share path.
/
permission-type
Permission type.
Possible values: ro (read-only), rw (read-write)
rw
squash
Squashing type.
Possible values: none , root, all 

all is only applicable for NFS-W. Otherwise, it is treated as root.
none
anon-uid*
Anonymous user ID.
Relevant only for root squashing.
Possible values: 1 to 65535.
65534
anon-gid*
Anonymous user group ID.
Relevant only for root squashing.
Possible values: 1 to 65535.
65534
obs-direct
See Object-store Direct Mount.
Possible values: on, off.
on
manage-gids
Sets external group IDs resolution.
The list of group IDs received from the client is replaced by a list determined by an appropriate lookup on the server.
This option is only applicable in NFS-W.
Possible values: on, off.
off
privileged-port
Sets the share only to be mounted via privileged ports (1-1024), usually allowed by the root user.
This option is only applicable in NFS-W.
Possible values: on, off.
off
supported-versions
A comma-separated list of supported NFS versions.
Possible values: v3, v4.
v4 is only applicable in NFS-W.
v3

Name	Value
`config-fs`*	The predefined filesystem name for maintaining the persisting cluster-wide protocol configurations. Ensure the filesystem is already created. If not, create a filesystem with 100 GB capacity.

Name	Value	Default
`name`*	Unique interface group name. Supports a maximum of 11 characters.
`type`*	Group type. Can only be `NFS`.
`subnet`	The valid subnet mask in the 255.255.0.0 format.	`255.255.255.255`
`gateway`	Gateway valid IP.	`255.255.255.255`
`allow-manage-gids`	Allows the containers within this interface group to use `manage-gids` when set in exports. With `manage-gids`, the list of group IDs received from the client is replaced by a list of group IDs determined by an appropriate lookup on the server. NFS-W: `on` Legacy NFS: `off` Each container can be set to be part of interface groups with the same value of `allow-manage-gids`.	`on`

Name	Value
`name`*	Interface group name.
`container-id`*	Valid frontend container ID on which the port resides. You can obtain the container ID by running the `weka cluster container` command.
`port`*	Valid port's device. Example: `eth1`.

Name	Value
`name`*	Interface group name
`ips`*	Valid IP range

Name	Value
`name`*	Valid group name.

Name	Value
`name`*	Valid client group name.
`dns`*	DNS rule with *?[] wildcard rules.

Name	Value
`name`*	Valid client group name.
`ip`*	Valid IP address with a subnet mask. The subnet mask is represented in CIDR (Classless Inter-Domain Routing) format. Examples of subnet masks in CIDR format: A value of `16` corresponds to a subnet mask of `255.255.0.0`. A value of `8` corresponds to a subnet mask of `255.255.255.0`. Format: `1.1.1.1/16`

Name	Value	Default
`filesystem`*	Existing filesystem name. A filesystem with Required Authentication set to ON cannot be used for NFS client permissions.
`group`*	Existing client group name.
`path`	The root of the valid share path.	/
`permission-type`	Permission type. Possible values: `ro` (read-only), `rw` (read-write)	`rw`
`squash`	Squashing type. Possible values: `none` , `root`, `all` `all` is only applicable for NFS-W. Otherwise, it is treated as `root`.	`none`
`anon-uid`*	Anonymous user ID. Relevant only for root squashing. Possible values: `1` to `65535`.	`65534`
`anon-gid`*	Anonymous user group ID. Relevant only for root squashing. Possible values: `1` to `65535`.	`65534`
`obs-direct`	See Object-store Direct Mount. Possible values: `on`, `off`.	`on`
`manage-gids`	Sets external group IDs resolution. The list of group IDs received from the client is replaced by a list determined by an appropriate lookup on the server. This option is only applicable in NFS-W. Possible values: `on`, `off`.	`off`
`privileged-port`	Sets the share only to be mounted via privileged ports (1-1024), usually allowed by the root user. This option is only applicable in NFS-W. Possible values: `on`, `off`.	`off`
`supported-versions`	A comma-separated list of supported NFS versions. Possible values: `v3`, `v4`. `v4` is only applicable in NFS-W.	`v3`

Manage NFS networking using the GUI

Next - Additional Protocols

Manage the S3 protocol

Last modified 6d ago