Manage NFS networking using the CLI
This page describes how to configure the NFS networking using the CLI.
Using the CLI, you can:
Configure the NFS global settings
NFSv4 and Kerberos require a persistent cluster-wide configuration filesystem for the protocol's internal operations.
Use the following command line to set the NFS configuration on the configuration filesystem:
weka nfs global-config set [--mountd-port mountd-port] [--config-fs config-fs] [--lockmgr-port lockmgr-port] [--statmon-port statmon-port] [--notify-port notify-port] [--acl acl] [--default-acl-type default-acl-type] [--default-supported-versions default-supported-versions]... [--enable-auth-types enable-auth-types]... [--no-restart]
To support NFS file-locking, ensure the system meets the prerequisites outlined in NFS file-locking support.
For the default published ports, see the Required ports.
Parameters
Name | Value | Default |
---|---|---|
| Set the alternate port if the existing mountd service is not operating on the default published port. 0 means use the default published port. |
|
| ||
| Set the alternate port for the NFS lock manager used in NFSv3. 0 means use the default published port. |
|
| Set the alternate port for the NFS status monitor used in NFSv3. 0 means use the default published port. |
|
| Set the alternate port for notification used in NFSv3. 0 means use the default published port. |
|
| Enables or disables NFSv4 ACL. Options are: |
|
| Specifies the default ACL type. Options are |
|
| Determines the default NFS version.
Possible values:
|
|
| A comma-separated list of authentication types that can be used when setting the NFS client permissions. Possible values: | Depends on Kerberos configuration:
|
| Prevents the restart of NFS-W containers when applying changes. | False |
Show NFS global configuration
Command: weka nfs global-config show
Example
The parameters Default Auth Types
and Supported Auth Types
are determined internally.
Configure the NFS cluster level
Create interface groups
Command: weka nfs interface-group add
Use the following command line to add an interface group:
weka nfs interface-group add <name> <type> [--subnet subnet] [--gateway gateway]
Example
weka nfs interface-group add nfsw NFS --subnet 255.255.255.0 --gateway 10.0.1.254
Parameters
Name | Value | Default |
---|---|---|
| Unique interface group name. | |
| Group type.
Can only be | |
| The valid subnet mask in the 255.255.0.0 format. |
|
| Gateway valid IP. |
|
Set interface group ports
Commands:
weka nfs interface-group port add
weka nfs interface-group port delete
Use the following command lines to add or delete an interface group port:
weka nfs interface-group port add <name> <container-id> <port>
weka nfs interface-group port delete <name> <container-id> <port>
Example
The following command line adds the interface enp2s0
on the Frontend container-id 3
to the interface group named nfsw
.
weka nfs interface-group port add nfsw 3 enp2s0
Parameters
Name | Value |
---|---|
| Interface group name. |
| Valid frontend container ID on which the port resides. You can obtain the container ID by running the |
| Valid port's device. Maximum 14 characters.
Example: |
Set interface group IPs
Commands:
weka nfs interface-group ip-range add
weka nfs interface-group ip-range delete
Use the following command lines to add/delete an interface group IP:
weka nfs interface-group ip-range add <name> <ips>
weka nfs interface-group ip-range delete <name> <ips>
Example
The following command line adds IPs in the range 10.0.1.101
to 10.0.1.118
to the interface group named nfsw
.
weka nfs interface-group ip-range add nfsw 10.0.1.101-118
Parameters
Name | Value |
---|---|
| Interface group name |
| Valid IP range |
Configure the service mountd port
The mountd service receives requests from clients to mount to the NFS server. It is possible to set it explicitly rather than have it randomly selected on each server startup. This allows an easier setup of the firewalls to allow that port.
Use the following command lines to set and view the mountd configuration:
weka nfs global-config set --mountd-port <mountd-port>
weka nfs global-config show
Configure user group resolution
NFS-W can authenticate more than 16 user groups, but it requires the external resolution of the user's groups, which means associating users with their respective group-IDs outside of the NFS protocol.
Procedure
Configure interface groups:
Configure NFS client permissions:
Set up servers for group-IDs retrieval:
Configure relevant servers to retrieve user group-IDs information. This task is specific to NFS-W and does not involve WEKA management. See the following procedure.
Integrate the NFS and Kerberos service
Integrating the NFS and Kerberos service is critical to setting up a secure network communication process. This procedure involves defining the Key Distribution Center (KDC) details, administrative credentials, and other parameters to ensure a robust and secure authentication process.
Before you begin
Ensure a configuration filesystem is set. See Configure the NFS global settings.
Ensure the NFS cluster is configured and running. see Configure the NFS cluster level.
For Active Directory (AD) integration, obtain the required information from the AD administrator. (WEKA handles the generation of the keytab file.)
For MIT integration, ensure the following:
Obtain the required information from the MIT Key Distribution Center (KDC) and OpenLDAP administrators.
A pre-generated keytab file in format stored in an accessible location is required.
In all KDC and LDAP parameters, use the FQDN format. The hostname part of the FQDN is restricted to a maximum of 20 characters.
Set the Kerberos service
Command: weka nfs kerberos service setup
Use the following command to set up NFS Kerberos Service information:
weka nfs kerberos service setup <kdc-realm-name> <kdc-primary-server> <kdc-admin-server> [--kdc-secondary-server kdc-secondary-server][--force] [--restart]
Example
Parameters
Name | Value | Default |
---|---|---|
| Specifies the realm (domain) used by Kerberos. | |
| Identifies the server hosting the primary Key Distribution Center service. | |
| Identifies the server hosting the administrative Key Distribution Center service. | |
| Identifies the server hosting the secondary Key Distribution Center service. | |
| When used, it forces the action to proceed without further confirmation. Typically used when the service is configured or registered. | Not used |
| When used, the command restarts the NFS-W containers after the changes are applied. | Not used |
Show NFS Kerberos service setup information
Command: weka nfs kerberos service show
Example
Integrate Kerberos with AD
Integrating Kerberos with AD involves the following:
Register Kerberos with AD
Command: weka nfs kerberos registration setup-ad
Use the following command to register the Kerberos with Microsoft Active Directory:
weka nfs kerberos registration setup-ad <nfs-service-name> <realm-admin-name> [realm-admin-passwd] [--force] [--restart]
Example
Parameters
Name | Value | Default |
---|---|---|
| This refers to the complete domain name for a specific NFS server. | |
| The username of an administrator who has access to the LDAP directory. This user manages the KDC within a realm. | |
| This parameter is for the password of the administrative user who manages the KDC within a realm. It’s not stored in the configuration for security reasons. If it’s not provided during setup, the system asks for it. The entered password isn’t shown on the screen to protect privacy and security. | |
| When used, it forces the action to proceed without further confirmation. Typically used when the service is configured or registered. | Not used |
| When used, the command restarts the NFS-W containers after the changes are applied. | Not used |
Set up Kerberos to use AD LDAP
Command: weka nfs ldap setup-ad
Use the following command to set up NFS configuration to use AD LDAP:
weka nfs ldap setup-ad [--force] [--no-restart]
Example
Parameters
Name | Value | Default |
---|---|---|
| When used, it forces the action to proceed without further confirmation. Typically used when the service is configured or registered. | Not used |
| When used, it prevents NFS-W containers from restarting to apply changes. | Not used |
In a successful operation, the system automatically restarts the NFS containers, leading to a temporary disruption in the IO service for connected NFS clients. However, if you want to avoid restarting the NFS-W containers, add the --no-restart
option to the command line.
Integrate Kerberos with MIT
Integrating Kerberos with MIT involves the following:
Register Kerberos with MIT
Command: weka nfs kerberos registration setup-mit
Use the following command to register the Kerberos with MIT KDC:
weka nfs kerberos registration setup-mit <nfs-service-name> <keytab-file> [--force] [--restart]
To register the Kerberos service with MIT, a pre-generated , stored in an accessible location, is required.
Example
Parameters
Name | Value | Default |
---|---|---|
| Fully Qualified Domain Name (FQDN) for the NFS Service. This refers to the complete domain name for a specific NFS server. The hostname part of the FQDN is restricted to a maximum of 20 characters. | |
| The path to the pre-generated keytab file containing the keys for the NFS service’s unique identity in format. | |
| When used, it forces the action to proceed without further confirmation. Typically used when the service is configured. | Not used |
| When used, the command restarts the NFS-W containers after the changes are applied. | Not used |
Set up Kerberos to use OpenLDAP
Command: weka nfs ldap setup-openldap
Use the following command to set up Kerberos to use OpenLDAP:
weka nfs ldap setup-openldap <server-name> <ldap-domain> <reader-user-name>[reader-user-password] [--base-dn base-dn] [--ldap-port-number ldap-port-number][--force] [--no-restart]
Example
Parameters
Name | Value | Default |
---|---|---|
| Specifies the server hosting the Lightweight Directory Access Protocol service. | |
| Defines the domain the Lightweight Directory Access Protocol service will access. | |
| The username of an administrative user used to generate the keytab file. | |
| The administrative user's password. (It is maintained in a configuration file.) | |
| The base Distinguished Name (DN) for the Lightweight Directory Access Protocol directory tree. | |
| The port number on which the Lightweight Directory Access Protocol server listens. | 389 |
| When used, it forces the action to proceed without further confirmation. Typically used when the service is configured or registered. | Not used |
| When used, it prevents NFS-W containers from restarting to apply changes. | Not used |
In a successful operation, the system automatically restarts the NFS containers, leading to a temporary disruption in the IO service for connected NFS clients. However, if you want to avoid restarting the NFS-W containers, add the --no-restart
option to the command line.
Show Kerberos LDAP setup information
Command: weka nfs ldap show
Example
Clear the Kerberos LDAP configuration
Command: weka nfs ldap reset
Use the following command to clear the NFS LDAP configuration:
weka nfs ldap reset [--force] [--no-restart]
Parameters
Name | Value | Default |
---|---|---|
| When used, it forces the action to proceed without further confirmation. Typically used when the service is configured. | Not used |
| When used, it prevents NFS-W containers from restarting to apply changes. | Not used |
Show Kerberos registration information
Command: weka nfs kerberos registration show
Example
Clear Kerberos configuration
Command: weka nfs kerberos reset
Use the following command to clear the NFS Kerberos service configuration:
weka nfs kerberos reset [--force] [--no-restart]
Parameters
Name | Value | Default |
---|---|---|
| When used, it forces the action to proceed without further confirmation. Typically used when the service is configured or registered.
Use this flag only to clear the configuration created by a previous call to | False |
| Prevents NFS-W containers from restarting when applying changes. | False |
In a successful operation, the system automatically restarts the NFS containers, leading to a temporary disruption in the IO service for connected NFS clients. However, if you want to avoid restarting the NFS-W containers, add the --no-restart
option to the command line.
Update Kerberos configuration during maintenance mode
Once the Kerberos integration with NFS is configured, there might be instances where the Kerberos setup is modified.
Changes to the Kerberos configuration in a production environment are rare. We recommend making any necessary updates during periods of low load from NFS clients, such as when the system are in maintenance mode. This approach helps to minimize potential disruptions to your operations.
Select the relevant tab to learn what to do for each scenario:
Use this procedure if you want to add or remove a secondary KDC server:
Procedure
Run the command:
weka nfs kerberos reset --no-restart --force
Run the command:
weka nfs kerberos service setup <options>
Run one of the following commands:
For AD implementation:
weka nfs kerberos registration setup-ad <options> --restart
For MIT implementation:
weka nfs kerberos registration setup-mit <options> --restart
Configure NFS for LDAP with ACLs (without Kerberos)
Command: weka nfs ldap setup-ad-nokrb
Use the following command to configure NFS to use LDAP for ACLs only when Kerberos is not in use:
weka nfs ldap setup-ad-nokrb <server-name> <ldap-domain> <nfs-service-name> <admin-user-name> [admin-user-password] [--force] [--no-restart]
Parameters
Parameter | Description | Default |
---|---|---|
| AD server name. | |
| AD domain. | |
| NFS FQDN service name. Maximum 20 characters for hostname in FQDN. | |
| AD Admin Name | |
| AD Admin password | |
| Force this action when Active Directory LDAP client is already setup. | False |
| Don't restart the NFS-W containers to apply changes. | False |
Manage the NFS export level (permissions)
Define client access groups
Command: weka nfs client-group
Use the following command lines to add/delete a client access group:
weka nfs client-group add <name>
weka nfs client-group delete <name>
Parameters
Name | Value |
---|---|
| Valid group name. |
Manage client access groups' rules
Clients are part of groups when their IP address or DNS hostname match the rules of that group. Similar to IP routing rules, clients are matched to client groups according to the most specific matching rule.
Command: weka nfs rules
Add DNS-based client group rules
Use the following command lines to add a rule that causes a client to be part of a client group based on its DNS hostname:
weka nfs rules add dns <name> <dns>
Example
weka nfs rules add dns client-group1 hostname.example.com
Delete DNS-based client group rules
Use the following command lines to delete a rule that causes a client to be part of a client group based on its DNS hostname:
weka nfs rules delete dns <name> <dns>
Example
weka nfs rules delete dns client-group1 hostname.example.com
Parameters
Name | Value |
---|---|
| Valid client group name. |
| DNS rule with *?[] wildcard rules. |
Add IP-based client group rules
Command: weka nfs rules
Use the following command lines to add or delete a rule which causes a client to be part of a client group based on its IP and subnet mask (both CIDR and standard subnet mask formats are supported for enhanced flexibility):
weka nfs rules add ip <name> <ip>
Examples
weka nfs rules add ip client-group1 192.168.114.0/8
weka nfs rules add ip client-group2 172.16.0.0/255.255.0.0
Delete IP-based client group rules
weka nfs rules delete ip <name> <ip>
Examples
weka nfs rules delete ip client-group1 192.168.114.0/255.255.255.0
weka nfs rules delete ip client-group2 172.16.0.0/16
Parameters
Name | Value |
---|---|
| Valid client group name. |
| Valid IP address with subnet mask. Both CIDR and standard subnet mask formats are supported for enhanced flexibility. CIDR format: Standard format: |
Manage NFS client permissions
Command: weka nfs permission
Use the following command lines to add NFS permissions:
weka nfs permission add <filesystem> <group> [--path path] [--permission-type permission-type] [--root-squashing root-squashing] [--squash squash] [--anon-uid anon-uid] [--anon-gid anon-gid] [--obs-direct obs-direct] [--manage-gids manage-gids] [--privileged-port privileged-port] [--acl-type acl-type] [--force-acl-type force-acl-type] [--supported-versions supported-versions]... [--enable-auth-types enable-auth-types]... [--no-restart]
Use the following command lines to update NFS permissions:
weka nfs permission update <filesystem> <group> [--path path] [--permission-type permission-type] [--squash squash] [--anon-uid anon-uid] [--anon-gid anon-gid] [--obs-direct obs-direct] [--manage-gids manage-gids] [--privileged-port privileged-port] [--acl-type acl-type] [--force-acl-type force-acl-type] [--supported-versions supported-versions]... [--enable-auth-types enable-auth-types]... [--no-restart]
Use the following command lines to delete NFS permissions:
weka nfs permission delete <filesystem> <group> [--path path]
Parameters
Name | Value | Default |
---|---|---|
| Existing filesystem name. A filesystem with Required Authentication set to ON cannot be used for NFS client permissions. | |
| Existing client group name. | |
| The root of the valid share path. |
|
| Toot squashing is a security feature in NFS that prevents root users on client machines from having root privileges on the NFS server. When enabled, it typically maps the root user to an anonymous UID/GID.
Possible values: |
|
| Permission type.
Possible values: |
|
| Permission squashing.
Possible values: The option 'all' can be used only on interface groups with |
|
| Anonymous user ID.
Relevant only for root squashing.
Possible values: |
|
| Anonymous user group ID.
Relevant only for root squashing.
Possible values: |
|
| See Object-store Direct Mount.
Possible values: |
|
| Sets external group IDs resolution. The list of group IDs received from the client is replaced by a list determined by an appropriate lookup on the server.
Possible values: |
|
| Sets the share only to be mounted via privileged ports (1-1024), usually allowed by the root user.
Possible values: |
|
| Specifies the ACL type. Possible values: | Default is determined by the NFS global configuration. |
| Forces a change to the ACL type for existing permissions on the same filesystem. Possible values: |
|
| A comma-separated list of supported NFS versions.
Possible values: | The |
| A comma-separated list of NFS authentication types.
Possible values are determined by the | The |
| Prevents NFS-W containers from restarting when applying changes. | False |
View connected NFS clients
Command: weka nfs clients show
Use the following command line to view insights of NFS clients connected to the NFS-W cluster in JSON output format.
weka nfs clients show [--interface-group interface-group] [--container-id container-id] [--fip floating-ip]
Parameters
Name | Value | Default |
---|---|---|
| Interface group name. A filter to show only the clients connected to the containers in the specified group. | The output shows all clients connected to any container in the NFS-W cluster regardless of the assigned interface group. |
| NFS-W container ID. A filter to show only the clients connected to the specified container ID. | The output shows all clients connected to any container in the NFS-W cluster. |
| Destination floating IP address. | The output shows all clients connected to all floating IP addresses. |
Last updated