{{tag>Brouillon Réseau FS Debian}}
= NFSv4 on Debian
NFSv4 client and server configuration (without Kerberos)
See
* http://www.cyberciti.biz/faq/nfs4-server-debian-ubuntu-linux/
* https://help.ubuntu.com/community/NFSv4Howto
* http://nfsv4.bullopensource.org/doc/admin_tools/latex_doc/administrationNFSv4.pdf
* https://wiki.archlinux.org/index.php/NFSv4
* http://anf2014.mathrice.fr/mercredi/nfs4_serveur.html
* https://wiki.auf.org/wikiteki/NFS/NFSv4
* http://wiki.linux-nfs.org/wiki/index.php/Nfsv4_configuration
* https://www.suse.com/communities/blog/configuring-nfsv4-server-and-client-suse-linux-enterprise-server-10/
* https://blog.stephane-robert.info/docs/services/stockage/nfs/
* https://inetdoc.net/pdf/sysadm-net.nfs.pdf
== Protocol
See:
* https://www.bortzmeyer.org/7530.pdf
| Milestone | Date | Ref |
| Creation | 1984 | |
| NFSv2 | 1989 | RFC 1094 |
| NFSv3 | 1995 | RFC 1813 |
| NFSv4 | 2003 | RFC 3530 |
| NFSv4.1 | 2010 | RFC 5661 |
| NFSv4.2 | 2016 | RFC 7862 |
Unlike earlier versions, NFSv4 needs only TCP port 2049.
== On the server
cat /proc/fs/nfsd/versions
+2 +3 +4 +4.1 -4.2
apt-get install nfs-kernel-server
lsmod | grep nfs
nfsv4 410783 1
dns_resolver 12641 1 nfsv4
nfsd 263032 13
auth_rpcgss 51211 2 nfsd,rpcsec_gss_krb5
nfs_acl 12511 1 nfsd
nfs 188136 2 nfsv4
lockd 83389 2 nfs,nfsd
fscache 45542 2 nfs,nfsv4
sunrpc 237402 33 nfs,nfsd,rpcsec_gss_krb5,auth_rpcgss,lockd,nfsv4,nfs_acl
''/etc/default/nfs-common''
NEED_STATD=no
STATDOPTS=
NEED_GSSD=no
# Only needed for user mapping in NFSv4
NEED_IDMAPD=no
''/etc/default/nfs-kernel-server''
# /usr/sbin/rpc.mountd --manage-gids -N 2 -N 3 -V 4 -V 4.1
# man rpc.mountd
#RPCMOUNTDOPTS="--manage-gids"
RPCMOUNTDOPTS="--manage-gids -N 2 -N 3 -V 4 -V 4.1"
''/etc/exports''
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
/export 192.168.1.0/24(rw,sync,fsid=0,crossmnt,no_subtree_check) 127.0.0.1(rw,sync,fsid=0,crossmnt,no_subtree_check)
/export/partage 192.168.1.0/24(rw,sync,nohide,insecure,no_subtree_check) 127.0.0.1(rw,sync,nohide,insecure,no_subtree_check)
chown jean: /export/partage/
After modifying the /etc/exports file:
exportfs -ra
killall rpc.statd
service nfs-common restart
service nfs-kernel-server restart
Note: for a Postgres database on the server, the ''hard'' option is mandatory, and setting ''sync'' on the server side is recommended.
The only firm requirement for using NFS with PostgreSQL is that the file system is mounted using the hard option. With the hard option, processes can “hang” indefinitely if there are network problems, so this configuration will require a careful monitoring setup. The soft option will interrupt system calls in case of network problems, but PostgreSQL will not repeat system calls interrupted in this way, so any such interruption will result in an I/O error being reported.
It is not necessary to use the sync mount option. The behavior of the async option is sufficient, since PostgreSQL issues fsync calls at appropriate times to flush the write caches. (This is analogous to how it works on a local file system.) However, it is strongly recommended to use the sync export option on the NFS server on systems where it exists (mainly Linux). Otherwise, an fsync or equivalent on the NFS client is not actually guaranteed to reach permanent storage on the server, which could cause corruption similar to running with the parameter fsync off. The defaults of these mount and export options differ between vendors and versions, so it is recommended to check and perhaps specify them explicitly in any case to avoid any ambiguity.
Source: https://www.postgresql.org/docs/current/creating-cluster.html
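An audit of the ''/etc/exports'' entries shown above, as an added example that is not part of the original page. It flags the options that matter for this Kerberos-less setup (AUTH_SYS trust, ''insecure'', ''no_root_squash'', ''async''); the function names and finding keys are assumptions made for this sketch.

```python
import re

# Constructed sample: the page's /etc/exports (one commented example line kept).
SAMPLE_EXPORTS = """\
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
/export 192.168.1.0/24(rw,sync,fsid=0,crossmnt,no_subtree_check) 127.0.0.1(rw,sync,fsid=0,crossmnt,no_subtree_check)
/export/partage 192.168.1.0/24(rw,sync,nohide,insecure,no_subtree_check) 127.0.0.1(rw,sync,nohide,insecure,no_subtree_check)
"""

CLIENT_RE = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")   # client(opt,opt)
WHY = {
    "auth_sys": "no Kerberos flavor: the server trusts the UID/GID sent by the client",
    "insecure": "requests from unprivileged source ports (>= 1024) are accepted",
    "no_root_squash": "client root keeps uid 0 on the export",
    "async": "writes may be acknowledged before reaching stable storage",
    "any_host": "export is not restricted to a host or network",
}

def parse_exports(text):
    """Yield (path, client, options); '-opt' defaults are merged as a plain union (simplified)."""
    for raw in text.replace("\\\n", " ").splitlines():
        path, *specs = raw.split("#", 1)[0].split() or [None]
        defaults = set()
        for spec in specs:
            if spec.startswith("-"):
                defaults = set(spec[1:].split(","))
                continue
            m = CLIENT_RE.match(spec)
            if m:
                own = set(filter(None, (m.group(2) or "").split(",")))
                yield path, m.group(1) or "*", defaults | own

def audit(text):
    """Return a list of (path, client, finding) tuples; findings are keys of WHY."""
    out = []
    for path, client, opts in parse_exports(text):
        sec = next((o[4:] for o in opts if o.startswith("sec=")), "sys")
        flavors = [client[4:]] if client.startswith("gss/") else sec.split(":")
        if any(not f.startswith("krb5") for f in flavors):
            out.append((path, client, "auth_sys"))
        out += [(path, client, k) for k in ("insecure", "no_root_squash", "async") if k in opts]
        if client == "*":
            out.append((path, client, "any_host"))
    return out

if __name__ == "__main__":
    for path, client, key in audit(SAMPLE_EXPORTS):
        print(f"{path:16} {client:15} {key}: {WHY[key]}")
```

Run against the real file with `audit(open("/etc/exports").read())`; quoted paths containing spaces are not handled.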
== On the client
See: https://learn.microsoft.com/fr-fr/azure/azure-netapp-files/performance-linux-mount-options
apt-get install nfs-common
lsmod |grep nfs
nfsv4 410783 1
dns_resolver 12641 1 nfsv4
nfsd 263032 2
auth_rpcgss 51211 2 nfsd,rpcsec_gss_krb5
nfs_acl 12511 1 nfsd
nfs 188136 2 nfsv4
lockd 83389 2 nfs,nfsd
sunrpc 237402 14 nfs,nfsd,rpcsec_gss_krb5,auth_rpcgss,lockd,nfsv4,nfs_acl
fscache 45542 2 nfs,nfsv4
''/etc/default/nfs-common''
NEED_STATD=no
STATDOPTS=
NEED_GSSD=no
# Only needed for user mapping in NFSv4
NEED_IDMAPD=no
''/etc/fstab''
192.168.1.10:/partage /mnt/nfs nfs4 _netdev,noatime,bg,soft,rw,nodev,nosuid,noexec,noauto,proto=tcp,port=2049,vers=4.1,timeo=5,retrans=5,actimeo=10,retry=5 0 0
killall rpc.statd
systemctl disable rpcbind
service rpcbind stop
service nfs-common restart
== Notes
User UIDs must match (otherwise users can be mapped by name, but in that case Kerberos must be enabled). See "you need to use Kerberos for the mapping to have any effect": https://help.ubuntu.com/community/NFSv4Howto
See
* /etc/idmapd.conf
* rpc.mountd --manage-gids (RPCMOUNTDOPTS)
* apt-get install nscd
After modifying /etc/idmapd.conf, run
nfsidmap -c
With the current configuration, root cannot write to the NFS partition.
The **rpcbind** service seems to be needed only once, when **nfs-kernel-server** starts.
Otherwise nothing listens on TCP port 2049.
Seems possible on RedHat [[https://access.redhat.com/solutions/902013|How can I disable rpcbind on NFSv4-only servers]]
See /var/lib/nfs/
=== Disable rpcbind on NFS server (RedHat)
Source : https://www.spinics.net/linux/fedora/fedora-users/msg513100.html
systemctl mask --now rpc-statd.service rpcbind.service rpcbind.socket
systemctl restart nfs-server
=== Get information about the mount / which NFS version
nfsstat -m
=== Autofs client
''/etc/auto.master''
/mnt/nfs /etc/auto.nfs --ghost,--timeout=60
''/etc/auto.nfs''
partage -fstype=nfs4,noatime,bg,soft,rw,nodev,nosuid,noexec,proto=tcp,port=2049,vers=4.1,timeo=5,retrans=5,actimeo=10,retry=5 192.168.1.10:/partage
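A check of the client mount options used in the ''/etc/fstab'' entry and in the ''/etc/auto.nfs'' map above, as an added example that is not part of the original page. It reports missing ''nosuid''/''nodev''/''noexec'', the ''soft'' behaviour described in the PostgreSQL note, and pre-v4 versions; the function names and the ''/mnt/legacy'' entry are invented for the illustration.

```python
HARDENING = ("nosuid", "nodev", "noexec")

# Constructed samples: the page's fstab entry and autofs map line, plus one
# invented NFSv3 entry (/mnt/legacy) to show what gets flagged.
FSTAB = """\
192.168.1.10:/partage /mnt/nfs nfs4 _netdev,noatime,bg,soft,rw,nodev,nosuid,noexec,noauto,proto=tcp,port=2049,vers=4.1,timeo=5,retrans=5,actimeo=10,retry=5 0 0
192.168.1.10:/partage /mnt/legacy nfs rw,hard,vers=3 0 0
"""
AUTO_NFS = "partage -fstype=nfs4,noatime,bg,soft,rw,nodev,nosuid,noexec,proto=tcp,port=2049,vers=4.1,timeo=5,retrans=5,actimeo=10,retry=5 192.168.1.10:/partage\n"

def parse_opts(optstr):
    """'-a,b=1' -> {'a': '', 'b': '1'}"""
    return dict(o.partition("=")[::2] for o in optstr.lstrip("-").split(",") if o)

def fstab_nfs(text):
    """Yield (mountpoint, source, opts) for the nfs/nfs4 lines of an fstab."""
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) >= 4 and f[2] in ("nfs", "nfs4"):
            yield f[1], f[0], parse_opts(f[3])

def autofs_nfs(text, base):
    """Yield the same tuples for 'key -options location' lines of an autofs map."""
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) == 3 and parse_opts(f[1]).get("fstype") in ("nfs", "nfs4"):
            yield f"{base}/{f[0]}", f[2], parse_opts(f[1])

def review(opts):
    """Return notes on the hardening and failure behaviour of one mount."""
    notes = [f"missing {o}" for o in HARDENING if o not in opts]
    if "soft" in opts:
        secs = int(opts.get("timeo", "600")) / 10      # timeo: tenths of a second
        notes.append(f"soft: I/O errors after timeouts (timeo={secs:g}s)")
    if (opts.get("vers") or opts.get("nfsvers") or "")[:1] in ("2", "3"):
        notes.append("NFSv2/3: needs rpcbind and more than TCP 2049")
    return notes

def report():
    """Review every NFS mount found in the two constructed samples."""
    mounts = list(fstab_nfs(FSTAB)) + list(autofs_nfs(AUTO_NFS, "/mnt/nfs"))
    return {mnt: review(opts) for mnt, _, opts in mounts}

if __name__ == "__main__":
    for mnt, notes in report().items():
        print(mnt, "->", notes or "ok")
```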
=== Unmount an NFS partition in an error state
umount -lf /mnt/nfs
=== List of shares
Mount the / directory and look at its contents.
# mount myserver:/ /mnt/
#cd /mnt/
exports
# ls exports
foo
bar
showmount -e 127.0.0.1
**The showmount command only displays NFS version 2 and 3 exports.** \\
However, if the server handles NFSv4 and NFSv3 simultaneously, this method will still work.
=== Other
Which port the server listens on
# rpcinfo -p | grep nfs
rsize=8192,wsize=8192
Rationale: This issue is a bug on the NFS server that involves handling of delegations. NOTE: Disabling delegations may impact performance and depends on your workload. For more information, see What is the performance impact of disabling or enabling NFS4 delegations?. Disable delegations on the NFS server with the following commands:
echo 0 > /proc/sys/fs/leases-enable
sysctl -w fs.leases-enable=0
== Diag
Source https://access.redhat.com/solutions/3915571
tshark -Y 'tcp.port == 2049' -r tcpdump.pcap > tcpdump.txt
tshark -Y 'frame.number == 961595' -V -r tcpdump.pcap > tcpdump-frame-961595.txt
grep -A 30 SEQUENCE tcpdump-frame-961595.txt
tshark -r tcpdump.pcap -Y 'rpc.msgtyp == 1 && nfs' | wc -l
tshark -r tcpdump.pcap -Y 'rpc.msgtyp == 1 && nfs.sequence.flags.recallable_state_revoked == 1' | wc -l
== Err nfs-server.service is masked (RedHat)
# systemctl enable --now nfs-server.service
Failed to enable unit: Unit file /etc/systemd/system/nfs-server.service is masked.
# ls -l /etc/systemd/system/nfs-server.service
lrwxrwxrwx. 1 root root 9 Apr 24 2024 /etc/systemd/system/nfs-server.service -> /dev/null
# rm /etc/systemd/system/nfs-server.service
rm: remove symbolic link '/etc/systemd/system/nfs-server.service'? y
# systemctl enable --now nfs-server.service
Created symlink /etc/systemd/system/multi-user.target.wants/nfs-server.service → /usr/lib/systemd/system/nfs-server.service.
Job for nfs-server.service canceled.