Bug 1245103 - nfs-ganesha: Configure ports used by MOUNT, NLM, RQUOTA services and provide firewalld service to open them
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: nfs-ganesha
Version: rhgs-3.1
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: RHGS 3.1.3
Assignee: Soumya Koduri
QA Contact: Shashank Raj
URL:
Whiteboard:
Depends On:
Blocks: 1299184 1300175 1329637
Reported: 2015-07-21 08:32 UTC by Saurabh
Modified: 2016-11-08 03:52 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, nfs-ganesha randomly chose the ports to be used while bringing up the mountd, rquota and nlm services. These ports would change with each restart of nfs-ganesha, and it was difficult to configure them to be opened by firewalld or iptables. With this fix, these ports can be configured in the '/etc/ganesha/ganesha.conf' file. Now the mountd, nlm, and rquota services will come up with the ports listed in '/etc/ganesha/ganesha.conf' so you can configure them to be opened via firewalld or iptables.
Clone Of:
Environment:
Last Closed: 2016-06-23 05:32:38 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:1247 0 normal SHIPPED_LIVE nfs-ganesha update for Red Hat Gluster Storage 3.1 update 3 2016-06-23 09:12:43 UTC

Description Saurabh 2015-07-21 08:32:51 UTC
Description of problem:
We need to document that the RQUOTA port number that we are using is already hard-coded and is not the same as the one used with other NFS servers.

This is the update in the ganesha.conf
 Rquota_Port = 4501;

Version-Release number of selected component (if applicable):
nfs-ganesha-2.2.0-5.el7rhgs.x86_64
glusterfs-3.7.1-10.el7rhgs.x86_64

How reproducible:
always

Comment 4 Soumya Koduri 2016-03-11 07:53:08 UTC
As per the latest discussion we had, we shall configure the ports to be used for the mountd, nlm and rquota services in the nfs-ganesha.conf file and also provide a firewalld service (nfs-ganesha) to open up these ports.

The only remaining port, the statd-port used by the rpc.statd service, has to be manually configured by the admin in the '/etc/sysconfig/nfs' file and opened up by adding a firewalld/iptables rule.

Comment 5 Soumya Koduri 2016-03-11 09:29:12 UTC
Upstream discussion regarding registering ports for these services can be found at - http://thread.gmane.org/gmane.linux.nfs/73398/focus=73416

For now, we shall configure these ports only for downstream nfs-ganesha.

Comment 6 Soumya Koduri 2016-04-06 07:53:57 UTC
The fix we are going to provide for this BZ is that we will package ganesha.conf with the below default ports configured for all these services and then provide ganesha.xml to be used by firewalld to open those ports.

        MNT_Port = 20048;
        NLM_Port = 32803;
        Rquota_Port = 875;

Note: these port numbers are chosen based on the values mentioned in '/etc/sysconfig/nfs'.

However, for the STATD service, the admin still has to edit the below lines in the '/etc/sysconfig/nfs' file and restart the statd service after adding a firewall rule to open it.

# Port rpc.statd should listen on.
#STATD_PORT=662
# Outgoing port statd should used. The default is port
# is random
#STATD_OUTGOING_PORT=2020

Comment 7 Soumya Koduri 2016-04-11 06:57:28 UTC
The fix is under review.

Comment 8 Kaleb KEITHLEY 2016-04-13 14:26:37 UTC
fixed in nfs-ganesha-2.3.1-3.el7rhgs and nfs-ganesha-2.3.1-3.el6rhs

Comment 9 Shashank Raj 2016-04-14 09:08:44 UTC
ON RHEL 7:

While verifying this bug, I have an observation: after installing the nfs-ganesha-2.3.1-3 RPMs on the cluster, the ganesha.conf file gets updated with the ports mentioned in the bug, as below:

NFS_Core_Param {
        #Use supplied name other tha IP In NSM operations
        NSM_Use_Caller_Name = true;
        #Copy lock states into "/var/lib/nfs/ganesha" dir
        Clustered = false;
        #By default port number '2049' is used for NFS service.
        #Configure ports for MNT, NLM, RQuota services.
        #The ports chosen here are from '/etc/sysconfig/nfs'
        MNT_Port = 20048;
        NLM_Port = 32803;
        Rquota_Port = 875;
}

However, these ports don't get added in firewalld, and even restarting the firewalld service doesn't help.

[root@dhcp37-180 ganesha]# firewall-cmd --list-ports
[root@dhcp37-180 ganesha]#

Also, there is confusion as to which .xml file should be responsible for adding these ports:

1) Should it be ganesha.xml (which Soumya mentioned in comment 6), which is missing from /usr/lib/firewalld/services/,
2) or should it be nlm.xml and rquota.xml, which are part of /usr/lib/firewalld/services?

[root@dhcp37-180 ~]# ls /usr/lib/firewalld/services/ | grep nlm
nlm.xml
[root@dhcp37-180 ~]# ls /usr/lib/firewalld/services/ | grep rquota
rquota.xml
[root@dhcp37-180 ~]# ls /usr/lib/firewalld/services/ | grep ganesha
[root@dhcp37-180 ~]# 

Please clarify, so that I can move the bug accordingly.


On RHEL 6:

Because of the bug (https://bugzilla.redhat.com/show_bug.cgi?id=1327074), I could not proceed with the verification on RHEL 6.

Once we get a new build with a working fix, I will verify this on RHEL 6 as well.

Comment 11 Shashank Raj 2016-04-25 11:47:47 UTC
Verified this bug with the latest ganesha-2.3.1-4 build; on both RHEL 6 and RHEL 7, the ganesha.conf file gets updated with ports as below:


NFS_Core_Param {
        #Use supplied name other tha IP In NSM operations
        NSM_Use_Caller_Name = true;
        #Copy lock states into "/var/lib/nfs/ganesha" dir
        Clustered = false;
        #By default port number '2049' is used for NFS service.
        #Configure ports for MNT, NLM, RQuota services.
        #The ports chosen here are from '/etc/sysconfig/nfs'
        MNT_Port = 20048;
        NLM_Port = 32803;
        Rquota_Port = 875;
}


ON RHEL 7:

We need to add the following services to firewalld:

[root@dhcp37-180 yum.repos.d]# firewall-cmd --zone=public  --add-service=nlm  --add-service=nfs  --add-service=rpc-bind  --add-service=high-availability --add-service=mountd --add-service=rquota
success

and under /etc/sysconfig/nfs

vi /etc/sysconfig/nfs

uncomment  #STATD_PORT=662, #STATD_OUTGOING_PORT=2020

and add these ports to firewalld

 firewall-cmd --add-port=662/tcp --add-port=662/udp --add-port=2020/tcp --add-port=2020/udp

For statd port 662 to take effect, we need to kill the earlier running process and restart the nfs-ganesha-lock service.

after these settings rpcinfo output is as below:

[root@dhcp37-180 ~]# rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   udp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    1   udp  20048  mountd
    100005    1   tcp  20048  mountd
    100005    3   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100021    4   udp  32803  nlockmgr
    100021    4   tcp  32803  nlockmgr
    100011    1   udp    875  rquotad
    100011    1   tcp    875  rquotad
    100011    2   udp    875  rquotad
    100011    2   tcp    875  rquotad
    100024    1   udp    662  status
    100024    1   tcp    662  status

ON RHEL 6:

we need to edit /etc/sysconfig/nfs file

vi /etc/sysconfig/nfs

uncomment  #STATD_PORT=662, #STATD_OUTGOING_PORT=2020

and do rpc.statd -p 662 

rpcinfo output after the settings is as below:

[root@dhcp43-59 ~]# rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   udp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    1   udp  20048  mountd
    100005    1   tcp  20048  mountd
    100005    3   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100021    4   udp  32803  nlockmgr
    100021    4   tcp  32803  nlockmgr
    100011    1   udp    875  rquotad
    100011    1   tcp    875  rquotad
    100011    2   udp    875  rquotad
    100011    2   tcp    875  rquotad
    100024    1   udp    662  status
    100024    1   tcp    662  status


Based on the above observation, marking this bug as Verified.
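
Added example, not part of the bug report or the nfs-ganesha package: a POSIX shell check that compares the ports pinned in configuration against what `rpcinfo -p` advertises, flagging any service whose port is unpinned or has drifted from the firewall-facing value. The sample inputs are constructed, the function names `pinned_ports` and `audit_ports` are hypothetical, and the RPC program numbers are the ones shown in the rpcinfo output above.

```shell
#!/bin/sh
# Added example (not from the bug report): check that each NFS side-band RPC
# service is registered on the port pinned in configuration, so a static
# firewalld/iptables rule set still matches after a restart.

# Constructed sample inputs; on a real host read /etc/ganesha/ganesha.conf,
# /etc/sysconfig/nfs and the output of `rpcinfo -p` instead.
SAMPLE_CONF='NFS_Core_Param {
        MNT_Port = 20048;
        NLM_Port = 32803;
        Rquota_Port = 875;
}
#STATD_PORT=662'
SAMPLE_RPCINFO='   program vers proto   port  service
    100005    3   tcp  20048  mountd
    100021    4   tcp  32803  nlockmgr
    100011    2   tcp    875  rquotad
    100024    1   tcp  45871  status'

# pinned_ports: stdin = config text, stdout = "<rpc program> <port>" per pinned service.
pinned_ports() {
    awk 'BEGIN { prog["MNT_Port"] = 100005; prog["NLM_Port"] = 100021
                 prog["Rquota_Port"] = 100011; prog["STATD_PORT"] = 100024 }
         /^[ \t]*#/ { next }                      # commented out means not pinned
         { gsub(/[ \t;]/, ""); n = split($0, kv, "=") }
         n == 2 && (kv[1] in prog) { print prog[kv[1]], kv[2] }'
}

# audit_ports PINNED RPCINFO: prints "<service> <status> <live port>", sorted.
audit_ports() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        BEGIN { name[100005] = "mountd"; name[100021] = "nlockmgr"
                name[100011] = "rquotad"; name[100024] = "status" }
        $0 == "---" { live = 1; next }
        !live       { if (NF == 2) pin[$1] = $2; next }
        ($1 in name) { port[$1] = $4
                       if (($1 in pin) && $4 != pin[$1]) drift[$1] = 1 }
        END { for (p in name) {
                  if (!(p in port))     s = "NOT_REGISTERED"
                  else if (!(p in pin)) s = "UNPINNED"   # random port each restart
                  else if (p in drift)  s = "DRIFT"      # firewall rule no longer matches
                  else                  s = "OK"
                  print name[p], s, port[p] } }' | sort
}

audit_ports "$(printf '%s\n' "$SAMPLE_CONF" | pinned_ports)" "$SAMPLE_RPCINFO"
```

With the constructed input, `status` is reported as UNPINNED because `STATD_PORT` is still commented out, which is the manual step the comments above leave to the admin.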

Comment 12 Divya 2016-06-10 07:17:16 UTC
Soumya, 

Please review and sign-off the edited doc text.

Comment 13 Soumya Koduri 2016-06-10 07:18:55 UTC
Doc text looks good to me.

Comment 15 errata-xmlrpc 2016-06-23 05:32:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2016:1247

