nfs on 17.04


nfs on 17.04

R Kimber-3
I'd be grateful if someone could confirm that nfs works on their 17.04
machine.

I've spent 2 days trying to get my raspberry pi to access files on my 17.04
PC, and I need to know that someone else has it working before spending more
time on it. The Pi side of things seems to be OK since it will access files
on a networked NAS drive which is mounted by nfs.

The main online guides (which I've followed) seem to be:
https://help.ubuntu.com/community/SettingUpNFSHowTo
https://help.ubuntu.com/lts/serverguide/network-file-system.html
A lot of the online documentation is out of date (e.g. it refers to portmap)
and is thus somewhat confusing. If anyone knows any documentation that
works on 17.04, I'd be glad to know about it.

It all worked fine on 16.04  :-(

--
Richard Kimber


--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

Re: nfs on 17.04

Tom H-4
On Tue, Jun 27, 2017 at 5:02 PM, R Kimber
<[hidden email]> wrote:

>
> I'd be grateful if someone could confirm that nfs works on their 17.04
> machine.
>
> I've spent 2 days trying to get my raspberry pi to access files on my 17.04
> PC, and I need to know that someone else has it working before spending more
> time on it. The Pi side of things seems to be OK since it will access files
> on a networked NAS drive which is mounted by nfs.
>
> The main online guides (which I've followed) seem to be:
> https://help.ubuntu.com/community/SettingUpNFSHowTo
> https://help.ubuntu.com/lts/serverguide/network-file-system.html
> A lot of the online documentation is out of date (e.g. it refers to portmap)
> and is thus somewhat confusing. If anyone knows any documentation that
> works on 17.04, I'd be glad to know about it.
>
> It all worked fine on 16.04  :-(

It's working for me, on amd64. The way to set up nfs hasn't changed in
a LONG time, modulo rpcbind/portmap.

What's the output on the server of
exportfs -v
rpcinfo -p


Re: nfs on 17.04

R Kimber-3
On Wed, 28 Jun 2017 03:11:19 -0400
Tom H wrote:

> It's working for me, on amd64. The way to set up nfs hasn't changed in
> a LONG time, modulo rpcbind/portmap.

That's encouraging, thanks.

> What's the output on the server of
> exportfs -v

/media/audio
192.168.1.78(ro,async,wdelay,nohide,insecure,root_squash,
no_subtree_check,sec=sys,ro,root_squash,no_all_squash)

/mnt/record
192.168.1.78(ro,async,wdelay,nohide,insecure,root_squash,
no_subtree_check,sec=sys,ro,root_squash,no_all_squash)

These are all one line in each case

> rpcinfo -p
 program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp  35717  mountd
    100005    1   tcp  44669  mountd
    100005    2   udp  43736  mountd
    100005    2   tcp  44603  mountd
    100005    3   udp  58317  mountd
    100005    3   tcp  53855  mountd
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    2   tcp   2049
    100227    3   tcp   2049
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100227    2   udp   2049
    100227    3   udp   2049
    100021    1   udp  39762  nlockmgr
    100021    3   udp  39762  nlockmgr
    100021    4   udp  39762  nlockmgr
    100021    1   tcp  46353  nlockmgr
    100021    3   tcp  46353  nlockmgr
    100021    4   tcp  46353  nlockmgr

--
Richard Kimber



Re: nfs on 17.04

Tom H-4
On Wed, Jun 28, 2017 at 9:38 AM, R Kimber
<[hidden email]> wrote:
> On Wed, 28 Jun 2017 03:11:19 -0400 Tom H wrote:


>> It's working for me, on amd64. The way to set up nfs hasn't changed in
>> a LONG time, modulo rpcbind/portmap.
>
> That's encouraging, thanks.

You're welcome.


>> What's the output on the server of
>> exportfs -v
>
> /media/audio
> 192.168.1.78(ro,async,wdelay,nohide,insecure,root_squash,
> no_subtree_check,sec=sys,ro,root_squash,no_all_squash)
>
> /mnt/record
> 192.168.1.78(ro,async,wdelay,nohide,insecure,root_squash,
> no_subtree_check,sec=sys,ro,root_squash,no_all_squash)

Is "192.168.1.78" the address of the client? If it isn't, this is your problem.

[FYI: I use the mask in "/etc/exports" even if I'm only allowing one
address, "192.168.1.78/24(...)" that way I don't forget to use it when
I'm allowing a network, "192.168.1.0/24(...)".]


>> rpcinfo -p
>  program vers proto   port  service
> ...

Given the exportfs and rpcinfo, your nfs server seems to be up and running.

I forgot to ask whether rpc.idmapd was running and whether you can
mount an export on the server.


Re: nfs on 17.04

R Kimber-3
On Wed, 28 Jun 2017 12:37:32 -0400
Tom H wrote:

> > /media/audio
> > 192.168.1.78(ro,async,wdelay,nohide,insecure,root_squash,
> > no_subtree_check,sec=sys,ro,root_squash,no_all_squash)
> >
> > /mnt/record
> > 192.168.1.78(ro,async,wdelay,nohide,insecure,root_squash,
> > no_subtree_check,sec=sys,ro,root_squash,no_all_squash)  
>
> Is "192.168.1.78" the address of the client? if it isn't, this is your
> problem.

Yes, it's the client.

> [FYI: I use the mask in "/etc/exports" even if I'm only allowing one
> address, "192.168.1.78/24(...)" that way I don't forget to use it when
> I'm allowing a network, "192.168.1.0/24(...)".

I originally put "192.168.1.0/24" and when I couldn't get it to work I
replaced it with the specific IP.

> I forgot to ask whether rpc.idmapd was running

Yes, rpc.idmapd is running.

> and whether you can
> mount an export on the server.

I'm not quite sure what you're asking here. The two exported folders are
mounted on the PC via normal fstab entries. I can see their contents in the
normal way.

BTW: in case it's relevant my firewall has:
ACCEPT     tcp  --  192.168.1.78         192.168.1.64         tcp spt:2049 dpt:2049
ACCEPT     udp  --  192.168.1.78         192.168.1.64         udp spt:2049 dpt:2049

--
Richard Kimber



Re: nfs on 17.04

Tom H-4
On Wed, Jun 28, 2017 at 1:10 PM, R Kimber
<[hidden email]> wrote:
> On Wed, 28 Jun 2017 12:37:32 -0400 Tom H wrote:
>>
>> and whether you can mount an export on the server.
>
> I'm not quite sure what you're asking here. The two exported folders
> are mounted on the PC via normal fstab entries. I can see their
> contents in the normal way.

What do you mean by "on the PC"? That you have another computer that's
accessing these shares? How can it do so if you only have one ip
address authorized in "/etc/exports"?

What I meant was "can you run 'mount -t server:/nfs/export/path
/local/directory/path'?"


> BTW: in case it's relevant my firewall has:
> ACCEPT  tcp  --  192.168.1.78  192.168.1.64  tcp  spt:2049  dpt:2049
> ACCEPT  udp  --  192.168.1.78  192.168.1.64  udp  spt:2049  dpt:2049

That's OK if you're using nfsv4 (which is the default).


Re: nfs on 17.04

R Kimber-3
On Wed, 28 Jun 2017 13:54:29 -0400
Tom H wrote:

> What do you mean by "on the PC"? That you have another computer that's
> accessing these shares? How can it do so if you only have one ip
> address authorized in "/etc/exports"?

By the PC I meant the server

> What I meant was "can you run 'mount -t server:/nfs/export/path
> /local/directory/path'?"

yes, I can do
mount -t <server>:/nfs/media/audio /export/audio

and see the files in /export/audio

--
Richard Kimber



Re: nfs on 17.04

Tom H-4
On Wed, Jun 28, 2017 at 4:22 PM, R Kimber
<[hidden email]> wrote:

> On Wed, 28 Jun 2017 13:54:29 -0400 Tom H wrote:
>>
>> What do you mean by "on the PC"? That you have another computer that's
>> accessing these shares? How can it do so if you only have one ip
>> address authorized in "/etc/exports"?
>
> By the PC I meant the server
>
>> What I meant was "can you run 'mount -t server:/nfs/export/path
>> /local/directory/path'?"
>
> yes, I can do
> mount -t <server>:/nfs/media/audio /export/audio
>
> and see the files in /export/audio

OK. Thanks.

So the server's working.

So something's not right at the client end...

Is "nfs-common" installed on the RPi?

Can you mount the nfs share on the RPi if you disable the firewall on
the server?

What's the output on the RPi of

rpcinfo -p ip_address_of_server
(you'll only get OK output with a disabled firewall or after allowing port 111)

showmount -e ip_address_of_server
(you'll only get OK output with a disabled firewall or after setting
static ports and allowing port 111)


Re: nfs on 17.04

R Kimber-3
On Thu, 29 Jun 2017 04:31:49 -0400
Tom H wrote:

> Can you mount the nfs share on the RPi if you disable the firewall on
> the server?

Aaarrgh! It's the firewall. But the explanation is beyond me.

I disabled the server firewall and the client mounted the drives correctly.
I re-enabled the firewall (without making any changes to it) and the client
continued to re-mount the drives correctly.

So the problem has been solved for the time being without my understanding
the solution, which is not the most satisfactory outcome.

I'd like to thank you very much for your help and patience, without which I
might have given up!

--
Richard Kimber



Re: nfs on 17.04

R Kimber-3
On Thu, 29 Jun 2017 12:20:45 +0100
R Kimber wrote:

> So the problem has been solved for the time being without my understanding
> the solution, which is not the most satisfactory outcome.

OK. It seems it's a bit more complicated. If I reboot the client, the drives
will not mount until I disable the firewall. If I re-enable it they
continue to re-mount OK.

Ideally, I need a solution that survives a reboot.

--
Richard Kimber



Re: nfs on 17.04

Xen
R Kimber wrote on 29-06-2017 13:34:

> On Thu, 29 Jun 2017 12:20:45 +0100
> R Kimber wrote:
>
>> So the problem has been solved for the time being without my
>> understanding
>> the solution, which is not the most satisfactory outcome.
>
> OK. It seems it's a bit more complicated. If I reboot the client, the
> drives
> will not mount until I disable the firewall. If I re-enable it they
> continue to re-mount OK.

It may have to do with the client remembering the server's address.

Are you sure it's not about the portmapper?

I mean you need access to that little RPC daemon that will tell you what
port to use.


Re: nfs on 17.04

R Kimber-3
In reply to this post by Tom H-4
On Thu, 29 Jun 2017 04:31:49 -0400
Tom H wrote:

> What's the output on the RPi of
>
> rpcinfo -p ip_address_of_server
> (you'll only get OK output with a disabled firewall or after allowing
> port 111)

With the nfs drives correctly mounted and the firewall enabled I get:

rpcinfo: can't contact portmapper: RPC: Remote system error - Connection
timed out

> showmount -e ip_address_of_server

gives:

clnt_create: RPC: Port mapper failure - Timed out

Port 111 is not enabled.  Is that the problem? Should I enable it? A bit of
Googling implies that it's a security risk.

--
Richard Kimber



Re: nfs on 17.04

Tom H-4
In reply to this post by R Kimber-3
On Thu, Jun 29, 2017 at 7:20 AM, R Kimber
<[hidden email]> wrote:

> On Thu, 29 Jun 2017 04:31:49 -0400 Tom H wrote:
>>
>> Can you mount the nfs share on the RPi if you disable the firewall on
>> the server?
>
> Aaarrgh! It's the firewall. But the explanation is beyond me.
>
> I disabled the server firewall and the client mounted the drives correctly.
> I re-enabled the firewall (without making any changes to it) and the client
> continued to re-mount the drives correctly.
>
> So the problem has been solved for the time being without my understanding
> the solution, which is not the most satisfactory outcome.
>
> I'd like to thank you very much for your help and patience, without which I
> might have given up!

You're welcome. But I doubt that you're at the end of your troubles
because if it works after re-enabling the firewall, it must be because
there's some caching going on somewhere.

What happens after you reboot the RPi?

If it fails, ...

If it fails, does it work with "mount -t nfs -o nfsvers=4 ..."? It
should work because nfsv4 doesn't need the other ports but it'd be
surprising because the RPi should be defaulting to nfsv4.


Re: nfs on 17.04

Xen
In reply to this post by R Kimber-3
R Kimber wrote on 29-06-2017 13:45:

> gives:
>
> clnt_create: RPC: Port mapper failure - Timed out
>
> Port 111 is not enabled.  Is that the problem? Should I enable it? A
> bit of Googling implies that it's a security risk.

The portmapper has been used to amplify "damage" to other hosts by using
the portmapper daemon as a responder to fake packets directed at a
target host.

In other words your own system is not at risk, but what has happened is
that systems have been used to amplify botnet damage to other systems
(not yours).

You can easily use /etc/hosts.deny to deny traffic to this portmapper to
anything other than your own networks or hosts.

On a Debian 8 system this looks like this:

# cat /etc/hosts.allow
ALL EXCEPT nfsd, rpcbind @<ip address>: ALL

# cat /etc/hosts.deny
ALL: ALL EXCEPT 127. [::1]/128 10. 192.168.

What you see here is that I denied access to everything except local
networks.
Then I allowed access to everything (on this IP) except nfsd and
rpcbind.

So in this example all external hosts have access to everything on this
primary IP except for nfsd and rpcbind, that have been denied by the
hosts.deny file, except for local networks.

An alternative is this:

# hosts.deny:

nfsd, rpcbind: ALL EXCEPT 127. [::1]/128 10. 192.168.

and no hosts.allow.

The nfsd and rpcbind are the names of the required daemons, as you can
see.

My VPS host ran a portscan on me and determined it to be safe.

Regards.


Re: nfs on 17.04

R Kimber-3
In reply to this post by Xen
On Thu, 29 Jun 2017 13:42:14 +0200
Xen wrote:

> It may have to do with the client remembering the server's address.
>
> Are you sure it's not about the portmapper?
>
> I mean you need access to that little RPC daemon that will tell you what
> port to use.

Yes, it may well be to do with this
--
Richard Kimber



Re: nfs on 17.04

Tom H-4
In reply to this post by R Kimber-3
On Thu, Jun 29, 2017 at 7:34 AM, R Kimber
<[hidden email]> wrote:

> On Thu, 29 Jun 2017 12:20:45 +0100 R Kimber wrote:
>
>> So the problem has been solved for the time being without my
>> understanding the solution, which is not the most satisfactory
>> outcome.
>
> OK. It seems it's a bit more complicated. If I reboot the client, the
> drives will not mount until I disable the firewall. If I re-enable it
> they continue to re-mount OK.
>
> Ideally, I need a solution that survives a reboot.

I more or less expected this :(

I don't understand why your RPi isn't defaulting to nfsv4 and
succeeding. Please add "-v" to your mount command and paste the output
here.

Port-wise, if you're using nfsv3, you need to set up static ports if
you're going to use a firewall on an nfs server in order to allow its
ports to be network-accessible.

Add "--port 32765 --outgoing-port 32766" to "STATDOPTS" in
"/etc/default/nfs-common".

Add "--port 32767" to "RPCMOUNTDOPTS" in "/etc/default/nfs-kernel-server"

Create "/etc/modprobe.d/nfs-nlm-cb.conf" with these two lines:
options lockd nlm_udpport=32768 nlm_tcpport=32768
options nfs callback_tcpport=32764

(If you compile your own kernel and you compile in nlm, you have to
use "/etc/sysctl.d/")

If you then poke holes for these ports in your firewall, nfsv3 will work.

You can use other port numbers but these have somehow become
"standard". I've been using them for years. AFAIK, they were first
used in some Slackware documentation and others have simply followed
suit.
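
Added example, not part of Tom H's post: a shell check that reads `rpcinfo -p` output from the server, lists the RPC services still registered on ports outside the static set named above, and prints per-port iptables ACCEPT rules for one client. The function names, the INPUT chain and the rule layout are assumptions; the sample input is abridged from the output posted earlier in this thread.

```shell
#!/bin/sh
# Added example: audit rpcinfo -p output against the static NFSv3 port plan.

# Ports pinned in the message above (statd 32765/32766, mountd 32767,
# lockd 32768) plus rpcbind 111 and nfs 2049.
STATIC_PORTS="111 2049 32765 32766 32767 32768"

# Sample input, abridged from the server's rpcinfo -p output posted
# earlier in this thread (mountd and nlockmgr sit on dynamic ports).
sample_rpcinfo() {
    cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100005    3   udp  58317  mountd
    100005    3   tcp  53855  mountd
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049
    100021    4   udp  39762  nlockmgr
    100021    4   tcp  46353  nlockmgr
EOF
}

# dynamic_services: read rpcinfo -p output on stdin and print
# "service proto port" for each registration outside STATIC_PORTS.
# A fixed firewall rule set cannot follow these across a restart.
dynamic_services() {
    awk -v static="$STATIC_PORTS" '
        BEGIN { n = split(static, s, " "); for (i = 1; i <= n; i++) ok[s[i]] = 1 }
        $1 ~ /^[0-9]+$/ && !($4 in ok) {
            name = ($5 == "" ? "prog-" $1 : $5)   # unnamed programs keep their number
            key = name " " $3 " " $4
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# fw_rules CLIENT SERVER: read rpcinfo -p output on stdin and print one
# iptables rule per unique proto/port, limited to a single client address.
# The rules are only printed, never applied.
fw_rules() {
    awk -v c="$1" -v s="$2" '
        $1 ~ /^[0-9]+$/ {
            key = $3 "/" $4
            if (!(key in seen)) {
                seen[key] = 1
                printf "iptables -A INPUT -p %s -s %s -d %s --dport %s -j ACCEPT\n", $3, c, s, $4
            }
        }'
}

# Demo run on the embedded sample.
echo "Services on ports that may change at the next restart:"
sample_rpcinfo | dynamic_services
echo "Rules matching the registrations as they stand now:"
sample_rpcinfo | fw_rules 192.168.1.78 192.168.1.64
```

On the server, feed it live data with `rpcinfo -p | dynamic_services`; empty output means every registered service sits on a pinned port and the printed rules will still match after a reboot.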


Re: nfs on 17.04

Tom H-4
In reply to this post by R Kimber-3
On Thu, Jun 29, 2017 at 7:45 AM, R Kimber
<[hidden email]> wrote:
> On Thu, 29 Jun 2017 04:31:49 -0400 Tom H wrote:


>> What's the output on the RPi of
>>
>> rpcinfo -p ip_address_of_server
>> (you'll only get OK output with a disabled firewall or after allowing
>> port 111)
>
> With the nfs drives correctly mounted and the firewall enabled I get:
>
> rpcinfo: can't contact portmapper: RPC: Remote system error - Connection
> timed out

It needs access to 111 so this won't work if the firewall doesn't
allow it, whether you have a share mounted or not.


>> showmount -e ip_address_of_server
>
> gives:
>
> clnt_create: RPC: Port mapper failure - Timed out
>
> Port 111 is not enabled. Is that the problem? Should I enable it? A bit of
> Googling implies that it's a security risk.

In this case you need access to the port on which mountd is running, not 111.


If this is on a lan, it's not insecure - especially if you're limiting
access to one ip address as you seem to be.


Re: nfs on 17.04

R Kimber-3
On Thu, 29 Jun 2017 08:15:06 -0400
Tom H wrote:


> In this case you need access to the port on which mountd is running, not
> 111.
>
>
> If this is on a lan, it's not insecure - especially if you're limiting
> access to one ip address as you seem to be.

OK. It's all working now, and I understand the problem much better. Many
thanks
--
Richard Kimber



Re: nfs on 17.04

R Kimber-3
In reply to this post by Xen
On Thu, 29 Jun 2017 13:56:44 +0200
Xen wrote:

Thanks very much for your full explanation. I've changed hosts.allow and
hosts.deny and the firewall, and it's all working fine now.

I appreciate your help
--
Richard Kimber



Re: nfs on 17.04

Tom H-4
In reply to this post by Xen
On Thu, Jun 29, 2017 at 7:56 AM, Xen <[hidden email]> wrote:

>
> You can easily use /etc/hosts.deny to deny traffic to this portmapper to
> anything other than your own networks or hosts.
>
> On a Debian 8 system this looks like this:
>
> # cat /etc/hosts.allow
> ALL EXCEPT nfsd, rpcbind @<ip address>: ALL
>
> # cat /etc/hosts.deny
> ALL: ALL EXCEPT 127. [::1]/128 10. 192.168.
>
> What you see here is that I denied access to everything except local
> networks.
> Then I allowed access to everything (on this IP) except nfsd and rpcbind.

I wouldn't waste time on tcpwrappers; iptables is more than
enough and tcpwrappers won't prevent iptables from blocking nfs
requests.
