Manage NFS networking using the CLI
This page describes how to configure the NFS networking using the CLI.
Last updated
This page describes how to configure the NFS networking using the CLI.
Last updated
Using the CLI, you can:
NFSv4 and Kerberos require a persistent cluster-wide configuration filesystem for the protocol's internal operations.
Use the following command line to set the NFS configuration on the configuration filesystem:
weka nfs global-config set [--mountd-port mountd-port] [--config-fs config-fs] [--lockmgr-port lockmgr-port] [--statmon-port statmon-port] [--notify-port notify-port] [--acl acl] [--default-acl-type default-acl-type] [--default-supported-versions default-supported-versions]... [--enable-auth-types enable-auth-types]... [--no-restart]
To support NFS file-locking, ensure the system meets the prerequisites outlined in .
For the default published ports, see the .
Parameters
Name | Value | Default |
---|---|---|
Command: weka nfs global-config show
Example
The parameters Default Auth Types
and Supported Auth Types
are determined internally.
Command: weka nfs interface-group add
Use the following command line to add an interface group:
weka nfs interface-group add <name> <type> [--subnet subnet] [--gateway gateway]
Example
weka nfs interface-group add nfsw NFS --subnet 255.255.255.0 --gateway 10.0.1.254
Parameters
Commands:
weka nfs interface-group port add
weka nfs interface-group port delete
Use the following command lines to add or delete an interface group port:
weka nfs interface-group port add <name> <container-id> <port>
weka nfs interface-group port delete <name> <container-id> <port>
Example
The following command line adds the interface enp2s0
on the Frontend container-id 3
to the interface group named nfsw
.
weka nfs interface-group port add nfsw 3 enp2s0
Parameters
Commands:
weka nfs interface-group ip-range add
weka nfs interface-group ip-range delete
Use the following command lines to add/delete an interface group IP:
weka nfs interface-group ip-range add <name> <ips>
weka nfs interface-group ip-range delete <name> <ips>
Example
The following command line adds IPs in the range 10.0.1.101
to 10.0.1.118
to the interface group named nfsw
.
weka nfs interface-group ip-range add nfsw 10.0.1.101-118
Parameters
The mountd service receives requests from clients to mount to the NFS server. It is possible to set it explicitly rather than have it randomly selected on each server startup. This allows an easier setup of the firewalls to allow that port.
Use the following command lines to set and view the mountd configuration:
weka nfs global-config set --mountd-port <mountd-port>
weka nfs global-config show
NFS-W can authenticate more than 16 user groups, but it requires the external resolution of the user's groups, which means associating users with their respective group-IDs outside of the NFS protocol.
Procedure
Configure interface groups:
Configure NFS client permissions:
Set up servers for group-IDs retrieval:
Configure relevant servers to retrieve user group-IDs information. This task is specific to NFS-W and does not involve WEKA management. See the following procedure.
Integrating the NFS and Kerberos service is critical to setting up a secure network communication process. This procedure involves defining the Key Distribution Center (KDC) details, administrative credentials, and other parameters to ensure a robust and secure authentication process.
Before you begin
Ensure a configuration filesystem is set. See Configure the NFS global settings.
Ensure the NFS cluster is configured and running. see Configure the NFS cluster level.
For Active Directory (AD) integration, obtain the required information from the AD administrator. (WEKA handles the generation of the keytab file.)
For MIT integration, ensure the following:
Obtain the required information from the MIT Key Distribution Center (KDC) and OpenLDAP administrators.
A pre-generated keytab file in format stored in an accessible location is required.
In all KDC and LDAP parameters, use the FQDN format. The hostname part of the FQDN is restricted to a maximum of 20 characters.
Command: weka nfs kerberos service setup
Use the following command to set up NFS Kerberos Service information:
weka nfs kerberos service setup <kdc-realm-name> <kdc-primary-server> <kdc-admin-server> [--kdc-secondary-server kdc-secondary-server][--force] [--restart]
Example
Parameters
Command: weka nfs kerberos service show
Example
Integrating Kerberos with AD involves the following:
Command: weka nfs kerberos registration setup-ad
Use the following command to register the Kerberos with Microsoft Active Directory:
weka nfs kerberos registration setup-ad <nfs-service-name> <realm-admin-name> [realm-admin-passwd] [--force] [--restart]
Example
Parameters
Command: weka nfs ldap setup-ad
Use the following command to set up NFS configuration to use AD LDAP:
weka nfs ldap setup-ad [--force] [--no-restart]
Example
Parameters
In a successful operation, the system automatically restarts the NFS containers, leading to a temporary disruption in the IO service for connected NFS clients. However, if you want to avoid restarting the NFS-W containers, add the --no-restart
option to the command line.
Integrating Kerberos with MIT involves the following:
Command: weka nfs kerberos registration setup-mit
Use the following command to register the Kerberos with MIT KDC:
weka nfs kerberos registration setup-mit <nfs-service-name> <keytab-file> [--force] [--restart]
To register the Kerberos service with MIT, a pre-generated , stored in an accessible location, is required.
Example
Parameters
Command: weka nfs ldap setup-openldap
Use the following command to set up Kerberos to use OpenLDAP:
weka nfs ldap setup-openldap <server-name> <ldap-domain> <reader-user-name>[reader-user-password] [--base-dn base-dn] [--ldap-port-number ldap-port-number][--force] [--no-restart]
Example
Parameters
In a successful operation, the system automatically restarts the NFS containers, leading to a temporary disruption in the IO service for connected NFS clients. However, if you want to avoid restarting the NFS-W containers, add the --no-restart
option to the command line.
Command: weka nfs ldap show
Example
Command: weka nfs ldap reset
Use the following command to clear the NFS LDAP configuration:
weka nfs ldap reset [--force] [--no-restart]
Parameters
Command: weka nfs kerberos registration show
Example
Command: weka nfs kerberos reset
Use the following command to clear the NFS Kerberos service configuration:
weka nfs kerberos reset [--force] [--no-restart]
Parameters
In a successful operation, the system automatically restarts the NFS containers, leading to a temporary disruption in the IO service for connected NFS clients. However, if you want to avoid restarting the NFS-W containers, add the --no-restart
option to the command line.
Once the Kerberos integration with NFS is configured, there might be instances where the Kerberos setup is modified.
Changes to the Kerberos configuration in a production environment are rare. We recommend making any necessary updates during periods of low load from NFS clients, such as when the system are in maintenance mode. This approach helps to minimize potential disruptions to your operations.
Select the relevant tab to learn what to do for each scenario:
Use this procedure if you want to add or remove a secondary KDC server:
Procedure
Run the command: weka nfs kerberos reset --no-restart --force
Run the command: weka nfs kerberos service setup <options>
Run one of the following commands:
For AD implementation: weka nfs kerberos registration setup-ad <options> --restart
For MIT implementation: weka nfs kerberos registration setup-mit <options> --restart
Command: weka nfs ldap setup-ad-nokrb
Use the following command to configure NFS to use LDAP for ACLs only when Kerberos is not in use:
weka nfs ldap setup-ad-nokrb <server-name> <ldap-domain> <nfs-service-name> <admin-user-name> [admin-user-password] [--force] [--no-restart]
Parameters
Command: weka nfs client-group
Use the following command lines to add/delete a client access group:
weka nfs client-group add <name>
weka nfs client-group delete <name>
Parameters
Clients are part of groups when their IP address or DNS hostname match the rules of that group. Similar to IP routing rules, clients are matched to client groups according to the most specific matching rule.
Command: weka nfs rules
Use the following command lines to add a rule that causes a client to be part of a client group based on its DNS hostname:
weka nfs rules add dns <name> <dns>
Example
weka nfs rules add dns client-group1 hostname.example.com
Use the following command lines to delete a rule that causes a client to be part of a client group based on its DNS hostname:
weka nfs rules delete dns <name> <dns>
Example
weka nfs rules delete dns client-group1 hostname.example.com
Parameters
Command: weka nfs rules
Use the following command lines to add or delete a rule which causes a client to be part of a client group based on its IP and subnet mask (both CIDR and standard subnet mask formats are supported for enhanced flexibility):
weka nfs rules add ip <name> <ip>
Examples
weka nfs rules add ip client-group1 192.168.114.0/8
weka nfs rules add ip client-group2 172.16.0.0/255.255.0.0
weka nfs rules delete ip <name> <ip>
Examples
weka nfs rules delete ip client-group1 192.168.114.0/255.255.255.0
weka nfs rules delete ip client-group2 172.16.0.0/16
Parameters
Command: weka nfs permission
Use the following command lines to add NFS permissions:
weka nfs permission add <filesystem> <group> [--path path] [--permission-type permission-type] [--root-squashing root-squashing] [--squash squash] [--anon-uid anon-uid] [--anon-gid anon-gid] [--obs-direct obs-direct] [--manage-gids manage-gids] [--privileged-port privileged-port] [--acl-type acl-type] [--force-acl-type force-acl-type] [--supported-versions supported-versions]... [--enable-auth-types enable-auth-types]... [--no-restart]
Use the following command lines to update NFS permissions:
weka nfs permission update <filesystem> <group> [--path path] [--permission-type permission-type] [--squash squash] [--anon-uid anon-uid] [--anon-gid anon-gid] [--obs-direct obs-direct] [--manage-gids manage-gids] [--privileged-port privileged-port] [--acl-type acl-type] [--force-acl-type force-acl-type] [--supported-versions supported-versions]... [--enable-auth-types enable-auth-types]... [--no-restart]
Use the following command lines to delete NFS permissions:
weka nfs permission delete <filesystem> <group> [--path path]
Parameters
Command: weka nfs clients show
Use the following command line to view insights of NFS clients connected to the NFS-W cluster in JSON output format.
weka nfs clients show [--interface-group interface-group] [--container-id container-id] [--fip floating-ip]
Parameters
Name | Value | Default |
---|---|---|
Name | Value |
---|---|
Name | Value |
---|---|
Name | Value | Default |
---|---|---|
Name | Value | Default |
---|---|---|
Name | Value | Default |
---|---|---|
Name | Value | Default |
---|---|---|
Name | Value | Default |
---|---|---|
Name | Value | Default |
---|---|---|
Name | Value | Default |
---|---|---|
Parameter | Description | Default |
---|---|---|
Name | Value |
---|---|
Name | Value |
---|---|
Name | Value |
---|---|
Name | Value | Default |
---|---|---|
Name | Value | Default |
---|---|---|