NAS Mounting NFS V4 with ACL Security Notes
MDC Configuration
For ACLs to work over NFS you need to configure the StorNext file system Security Model on the MDC:
· If you are bound to Apple Open Directory, set the StorNext File System Security Model to ACL with algorithmic ID mapping.
o The correct domain SID must be placed in the MDC's /usr/cvfs/config directory, by populating the /usr/cvfs/config/domainsid file with the domain SID.
o The SID can be obtained from the OD server; use the domain SID only, excluding the user RID.
· If you are bound to Active Directory, set the StorNext File System Security Model to ACL with winbind ID mapping.
NAS Configuration:
By default the Quantum NAS cluster only accepts NFS V2 and V3 connections. To enable NFSv4 as well (V2, V3 and V4), run ‘system set nfsv4 yes’ in the NAS shell. Note that this must be done on every node of a NAS cluster individually:
M660:cx-node2> system set nfsv4 yes
NFSv4 successfully enabled only on this node.
Other nodes are unaffected.
With Quantum Xcellis systems you can use ‘nascluster set nfs-ha yes’ for NFS HA environments. This option disables the lower protocol versions (V2 and V3); clients that cannot connect as V4 will be denied access. The command only needs to be run from the NAS cluster master node, and it overrides the ‘system set nfsv4’ setting regardless of whether that is set to ‘yes’ or ‘no’.
BHM:sps-xcellis2> nascluster set nfs-ha yes
To enable NFS-HA, you must unmount all NFS clients from all cluster nodes. Those clients must re-mount via the VIP.
Are you sure you want to enable NFS-HA? (yes/No)? y
A ‘nascluster show’ will confirm if NFS-HA is enabled or disabled.
BHM:sps-xcellis2> nascluster show
NAS Cluster IP: 10.20.232.6/em2, Master: Yes, SNFS Root: /stornext/collintest, Joined: Yes
Load balancing: Disabled
NFS-HA: Enabled
Master IP: 10.20.232.6
Nodes: 2
1: 10.20.232.6 (Joined) (MDC-No load balancing)
2: 10.20.232.5 (Joined) (MDC-No load balancing)
If this command is issued on a system that doesn’t support NFS-HA you get this error:
M660:cx-node1> nascluster set nfs-ha yes
NFS-HA is not supported on this version of the operating system.
When Mac NFS clients mount through Finder, the share must be changed to ‘insecure’ on the NAS. Finder mounts run as the logged-in (non-root) user, who cannot bind the privileged source ports below 1024 that a ‘secure’ export requires. Be aware of what this trades away: ‘insecure’ removes the reserved-port check, so the server accepts NFS requests from any process on a permitted client host, not only root-owned ones, and with sec=sys (see the negotiated mount parameters later on this page) the uid and gid in each request are asserted by the client. Export restrictions by client address and the ID mapping on the MDC are then what actually protect the data. A command-line mount run with sudo and the ‘resvport’ option (shown below) uses a reserved port and does not need the share to be ‘insecure’.
M660:cx-node2> share change nfs cx-nfs insecure
Waiting for nascluster_share_config_sync to complete on node 10.20.232.41
[10.20.232.41]:
Share cx-nfs successfully changed
This command can only be issued from the NAS master node, even when NFS-HA is not in use; on any other node it is rejected:
M660:cx-node1> share change nfs cx-nfs insecure
Request allowed only from NAS cluster master (E-5063)
Mac NFSv4 Clients:
Mac clients will honor ACLs even if they aren’t displayed. By default macOS NFS mounts use the noacl option (see the mount_nfs man page), so ACLs are not shown in Finder or by ‘ls -le’, but the server still enforces them. To view ACLs you need to mount with the ‘acl’ option:
spsmac:~ spssupport$ sudo mount -o vers=4,acl 10.20.232.41:/stornext/cx-node/cx-nfs /mnt/nfsmnt/
Password:
spsmac:~ spssupport$ mount | grep -i nfs
10.20.232.41:/stornext/cx-node/cx-nfs on /mnt/nfsmnt (nfs)
spsmac:~ spssupport$ ls -led
drwxr-xr-x+ 24 spssupport staff 816 Jul 21 09:31 .
0: group:everyone deny delete
macOS clients can also force the protocol version and other mount defaults globally in /etc/nfs.conf (the nfs.client.mount.options key; see nfs.conf(5)) rather than on each mount.
Mounting from the command line (Mac):
spsmac:~ spssupport$ sudo mount -o vers=4,resvport,acl 10.20.232.55:/stornext/collintest/nfs_mount /mnt/nfsmnt/
Checking the mount version. Note that the negotiated parameters end in sec=sys: this is AUTH_SYS, where the client asserts the uid/gid and the server trusts it, so the ACLs are only as trustworthy as the client host and the ID mapping configured on the MDC:
spsmac:~ spssupport$ nfsstat -m
/mnt/nfsmnt from 10.20.232.55:/stornext/collintest/nfs_mount
-- Original mount options:
General mount flags: 0x0
NFS parameters: vers=4,resvport,acl
File system locations:
/stornext/collintest/nfs_mount @ 10.20.232.55 (10.20.232.55)
-- Current mount parameters:
General mount flags: 0x4000000 multilabel
NFS parameters: vers=4.0,tcp,port=2049,hard,nointr,resvport,callback,negnamecache,namedattr,acl,noaclonly,locks,noquota,rsize=32768,wsize=32768,readahead=16,dsize=32768,nordirplus,nodumbtimr,timeo=10,maxgroups=16,acregmin=5,acregmax=60,acdirmin=5,acdirmax=60,nomutejukebox,noephemeral,nonfc,sec=sys
File system locations:
/stornext/collintest/nfs_mount @ 10.20.232.55 (10.20.232.55)
Status flags: 0x0
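The ‘Current mount parameters’ line above is the only place the client tells you what it actually negotiated, as opposed to what it was asked for. The following POSIX shell script is an added example (not from this page or from Quantum’s tooling): it parses that section of ‘nfsstat -m’ and checks it against a small policy, requiring NFSv4 and a visible ACL and warning when no reserved port or only sec=sys was negotiated. The first sample is the nfsstat output reproduced from this page; the second is a constructed v3/noacl sample, not real output from this cluster.

```shell
#!/bin/sh
# Added example (not from the original page or from Quantum's tooling):
# check the parameters a macOS client actually negotiated, as reported in the
# "Current mount parameters" section of `nfsstat -m`, against a small policy:
# NFSv4 and a visible ACL are required; no reserved port and AUTH_SYS (sec=sys)
# are warned about. On a live client use:  check_mount "$(nfsstat -m)"
# (only the first mount in the output is examined).

# Sample 1: the nfsstat -m output shown on this page.
SAMPLE_NFSSTAT='/mnt/nfsmnt from 10.20.232.55:/stornext/collintest/nfs_mount
-- Original mount options:
General mount flags: 0x0
NFS parameters: vers=4,resvport,acl
-- Current mount parameters:
General mount flags: 0x4000000 multilabel
NFS parameters: vers=4.0,tcp,port=2049,hard,nointr,resvport,callback,negnamecache,namedattr,acl,noaclonly,locks,noquota,rsize=32768,wsize=32768,readahead=16,dsize=32768,nordirplus,nodumbtimr,timeo=10,maxgroups=16,acregmin=5,acregmax=60,acdirmin=5,acdirmax=60,nomutejukebox,noephemeral,nonfc,sec=sys'

# Sample 2: constructed (not real output) client that fell back to v3 with the
# default noacl and an unprivileged source port.
SAMPLE_V3_NOACL='/mnt/old from 10.20.232.55:/stornext/collintest/nfs_mount
-- Original mount options:
General mount flags: 0x0
NFS parameters:
-- Current mount parameters:
General mount flags: 0x0
NFS parameters: vers=3,tcp,port=2049,hard,nointr,noresvport,noacl,locks,sec=sys'

# current_params TEXT -> the comma-separated list from the first
# "Current mount parameters" block (negotiated values, not what was requested)
current_params() {
    printf '%s\n' "$1" | awk '
        /^-- Current mount parameters:/ { cur = 1; next }
        cur && /^NFS parameters:/ { sub(/^NFS parameters: */, ""); print; exit }'
}

# has_param LIST NAME -> true if NAME is present as a whole option
# ("acl" must not match "noacl" or "noaclonly")
has_param() {
    printf ',%s,' "$1" | grep -qF -- ",$2,"
}

# param_value LIST NAME -> the value of NAME=value, or empty if absent
param_value() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -F= -v k="$2" '$1 == k { print $2; exit }'
}

# check_mount TEXT -> one line per check; the return value is the number of FAILs
check_mount() {
    params=$(current_params "$1")
    fails=0
    vers=$(param_value "$params" vers)
    case $vers in
        4|4.*) echo "ok   vers=$vers" ;;
        *)     echo "FAIL vers=${vers:-unknown} (NFSv4 required)"; fails=$((fails + 1)) ;;
    esac
    if has_param "$params" acl; then
        echo "ok   acl: ACLs visible on the client"
    else
        echo "FAIL noacl: ACLs are enforced by the server but hidden from ls -le and Finder"
        fails=$((fails + 1))
    fi
    if has_param "$params" resvport; then
        echo "ok   resvport: reserved source port, the share can stay 'secure'"
    else
        echo "WARN noresvport: only works against an 'insecure' share"
    fi
    sec=$(param_value "$params" sec)
    case $sec in
        krb5*) echo "ok   sec=$sec" ;;
        *)     echo "WARN sec=${sec:-unknown}: AUTH_SYS, uid/gid are asserted by the client" ;;
    esac
    return "$fails"
}

check_mount "$SAMPLE_NFSSTAT" || true
```

The checks look at whole option tokens, so ‘acl’ is not confused with ‘noacl’ or the ‘noaclonly’ token that appears in the real output; ‘vers’ is matched as 4 or 4.x because the client reports the negotiated minor version (vers=4.0) even when the mount asked for plain vers=4.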
Setting up NFS automount on Mac to the Volumes directory:
#client configuration
iMac03:bfrsan2 quantumsandbox$ cat /etc/fstab
xcellis-nas:/stornext/bfrsan2/ /../Volumes/bfrsan2 nfs rw,acl,vers=4 0 0
iMac03:bfrsan2 quantumsandbox$ cat /etc/auto_master
#
# Automounter master map
#
+auto_master # Use directory service
/net -hosts -nobrowse,hidefromfinder,nosuid
/home auto_home -nobrowse,hidefromfinder
/- -static
/../Volumes/bfrsan2 -fstab
If you go to Finder > Go > Go to Folder and enter the /Volumes path, the drive will map.
Then you can drag it over to the Favorites section in the Finder sidebar.
I rebooted and the mounts survived.
Managing ACLs:
The snacl command is used to manage NFS ACLs from the MDC. On Linux NFS clients you can install the nfs4-acl-tools package and use nfs4_getfacl to view ACLs. The output is a bit cryptic; the nfs4_acl(5) man page explains the ACE syntax.
nfs4_setacl isn’t currently supported. ACLs should be set only from the MDC.
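Because ACLs are set only from the MDC and the client view is read-only, reading nfs4_getfacl output correctly matters. The script below is an added example (not from this page or from nfs4-acl-tools): it decodes the compact type:flags:principal:permissions ACE syntax documented in nfs4_acl(5) into words, and flags any allow ACE that grants write-ACL (C) or write-owner (o) to EVERYONE@, since such an entry lets anyone who can reach the export rewrite the ACL or take ownership. The ACL it runs on is constructed sample input, including the principal staff@example.com; run it against a real export with ‘nfs4_getfacl /path’.

```shell
#!/bin/sh
# Added example (not from the original page or from nfs4-acl-tools): decode
# the ACE syntax printed by nfs4_getfacl, type:flags:principal:perms as in
# nfs4_acl(5), and flag ACEs that give ACL or ownership control to EVERYONE@.
# Live use:  nfs4_getfacl /path | { audit_acl "$(cat)"; }

# Constructed sample ACL (not taken from a real export).
SAMPLE_ACL='A::OWNER@:rwaDxtTnNcCy
A:g:staff@example.com:rxtncy
A::EVERYONE@:rxtncy
A:fdi:EVERYONE@:rwaDxtTnNcCoy
D::EVERYONE@:d'

# perm_names LETTERS -> comma-separated names (file meaning/directory meaning)
perm_names() {
    p=$1; out=''
    while [ -n "$p" ]; do
        c=${p%"${p#?}"}; p=${p#?}          # c = first char, p = rest
        case $c in
            r) n='read-data/list-directory' ;;
            w) n='write-data/create-file' ;;
            a) n='append-data/create-subdirectory' ;;
            x) n='execute' ;;
            d) n='delete' ;;
            D) n='delete-child' ;;
            t) n='read-attributes' ;;
            T) n='write-attributes' ;;
            n) n='read-named-attributes' ;;
            N) n='write-named-attributes' ;;
            c) n='read-ACL' ;;
            C) n='write-ACL' ;;
            o) n='write-owner' ;;
            y) n='synchronize' ;;
            *) n="unknown($c)" ;;
        esac
        out=${out:+$out,}$n
    done
    printf '%s\n' "$out"
}

# flag_names LETTERS -> comma-separated inheritance/audit flag names
flag_names() {
    p=$1; out=''
    while [ -n "$p" ]; do
        c=${p%"${p#?}"}; p=${p#?}
        case $c in
            f) n='file-inherit' ;;
            d) n='directory-inherit' ;;
            n) n='no-propagate-inherit' ;;
            i) n='inherit-only' ;;
            S) n='successful-access' ;;
            F) n='failed-access' ;;
            g) n='group' ;;
            *) n="unknown($c)" ;;
        esac
        out=${out:+$out,}$n
    done
    printf '%s\n' "$out"
}

ace_type() {
    case $1 in A) echo ALLOW ;; D) echo DENY ;; U) echo AUDIT ;; L) echo ALARM ;; *) echo "UNKNOWN($1)" ;; esac
}

# decode_ace ACE -> "TYPE principal [flags] perm,perm,..."
decode_ace() {
    ace=$1
    t=${ace%%:*}; r=${ace#*:}
    f=${r%%:*};   r=${r#*:}
    who=${r%%:*}; perms=${r#*:}
    printf '%s %s [%s] %s\n' "$(ace_type "$t")" "$who" "$(flag_names "$f")" "$(perm_names "$perms")"
}

# risky_ace ACE -> true when an ALLOW ACE grants write-ACL (C) or write-owner (o)
# to EVERYONE@ (deny entries and the lowercase read-ACL 'c' do not count)
risky_ace() {
    ace=$1
    t=${ace%%:*}; r=${ace#*:}; r=${r#*:}
    who=${r%%:*}; perms=${r#*:}
    [ "$t" = A ] || return 1
    [ "$who" = 'EVERYONE@' ] || return 1
    case $perms in *C*|*o*) return 0 ;; esac
    return 1
}

# audit_acl TEXT -> prints each decoded ACE, risky ones marked "!!";
# the return value is the number of risky ACEs
audit_acl() {
    n=0
    while IFS= read -r ace; do
        [ -n "$ace" ] || continue
        if risky_ace "$ace"; then mark='!! '; n=$((n + 1)); else mark='   '; fi
        printf '%s%s\n' "$mark" "$(decode_ace "$ace")"
    done <<EOF
$1
EOF
    return "$n"
}

audit_acl "$SAMPLE_ACL" || true
```

The letter meanings are the ones listed in nfs4_acl(5); a letter the script does not know is printed as unknown(x) rather than silently dropped, so an unexpected permission is never hidden from the reader.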
Mandatory NFSv4 ports:
NFSv4 itself needs only TCP 2049. The portmapper (111) and the V3 side services registered with it are needed only by V2/V3 clients, so a cluster running NFS-HA (V4 only) can be firewalled down to 2049/tcp.
[root@sps-xcellis2 ~]# cat /proc/filesystems | grep nfs
nodev nfsd
nodev nfs
nodev nfs4
[root@sps-xcellis2 ~]# rpcinfo -p | egrep "nfs|portmapper|rquotad|lockd|statd"
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100003 4 tcp 2049 nfs
100003 4 udp 2049 nfs
100003 3 tcp 2049 nfs
100227 3 tcp 2049 nfs_acl
100003 3 udp 2049 nfs
100227 3 udp 2049 nfs_acl
This page was generated by the BrainKeeper Enterprise Wiki, © 2018