Setting up a NetApp NFSv4 Share for Linux Guests

Trying to set up a NetApp Data ONTAP NFSv4 share.

Software

Software used in this article:

  1. NetApp Release 8.2.2P2 7-Mode
  2. CentOS 6.7

Disclaimer: NFSv3 with CentOS 6

When configuring sec=sys on a Linux client and sec=none on a NetApp filer, with NFSv3, the client makes an “AUTH_UNIX” call and the filer responds with “AUTH_NULL“.

However, this is not the response that the client would expect. Therefore the filer replies incorrectly with only 1 flavor (it should be replying with 2), because NetApp code does not allow for “AUTH_NULL“.

The ONTAP code does not support AUTH_NULL calls for anything except NULL calls. As for the response, where the filer responds with AUTH_NULL, this behavior is incorrect, as normally the filer should respond with two flavors of AUTH. However, even though the filer responds incorrectly, there is no immediate plan to resolve this across ONTAP and so the advice remains to use NFSv4 whenever AUTH_NULL is required.

We were advised that there are a number of internal cases open within NetApp, but there is no expected fix as NFSv4 will take care of the issues encountered with NFSv3.

So the advice from NetApp would be to use sec=sys on the client, sec=none on the filer, using NFSv4 from RHEL6 and upwards.

Configure NFS Permissions on the Filer

Connect to the filer and create a new volume called NFS_TEST.

Setup Permissions

Navigate to Filer > Storage > Exports.

Pick /vol/NFS_TEST for editing, and put the following permissions, where IP addresses are the ones used by our NFS clients (Linux guests):

Security Flavor: None
Client Permissions: 10.10.0.147 / Read Write / Allow
Client Permissions: 10.10.0.149 / Read Write / Allow

It is important to note that the security on the filer must be sec=none. We’ve spent hours with NetApp support engineers trying to figure out why it doesn’t squash regular users. The filer must have sec=none, and the NFS client must have sec=sys.

Allow root access for both clients.

This will allow r/w access for Linux guests.

Mount the NFS Share on the Linux Guest

We are using CentOS 6 in this example. The IP of the filer (NFS server) is 10.10.0.51.

# yum install nfs-utils nfs-utils-lib
# mkdir /mnt/netapp_nfs
# mount.nfs -o vers=4,sec=sys 10.10.0.51:/vol/NFS_TEST /mnt/netapp_nfs

Make sure the client uses sec=sys and not sec=none. This will squash all users and not just the root.

Also ensure the NFS version the client uses is NFSv4. NFSv3 is broken on ONTAP 8.x when used with RHEL 6 clients.

At this point the share will be mounted as NFSv4 and owned by root, but we won’t be able to change the ownership. The reason for this is because the NFSv4 client sends symbolic user/group names rather than numeric userid/groupid as it was in NFSv2 and NFSv3 and the filer needs some way to map this symbolic names to numeric IDs.

These are exports and security settings on the filer:

filer> rdfile /etc/exports
/vol/NFS_TEST  -sec=none,rw=10.10.0.149:10.10.0.147,root=10.10.0.149:10.10.0.147,nosuid
filer> exportfs -v
/vol/NFS_TEST  -sec=none,rw=10.10.0.149:10.10.0.147,root=10.10.0.149:10.10.0.147,nosuid
filer> fsecurity show /vol/NFS_TEST
[/vol/NFS_TEST - Directory (inum 64)]
  Security style: Unix
  Effective style: Unix

  DOS attributes: 0x0010 (----D---)

  Unix security:
    uid: 0 (root)
    gid: 0
    mode: 0755 (rwxr-xr-x)

  No security descriptor available.
filer> rdfile /etc/passwd
root:<removed>:0:1::/:
pcuser::65534:65534::/:
nobody::65535:65535::/:
ftp::65533:65533:FTP Anonymous:/home/ftp:
filer> rdfile /etc/group
daemon:*:1:
pcuser:*:65534:
nobody:*:65535:

The default NetApp NFSv4 iddomain is defaultv4iddomain.com. In Data ONTAP, the default NFS user for anonymous access is pcuser (UID 65534). Taking this into account, on the client, open the file /etc/idmapd.conf, and make sure the configuration is as follows:

[General]
Verbosity = 0
Domain = defaultv4iddomain.com

[Mapping]

#Nobody-User = nobody
#Nobody-Group = nobody
#Nobody-User = nfsnobody
#Nobody-Group = nfsnobody
Nobody-User = pcuser
Nobody-Group = pcuser

To be able to change the ownership, we need to create a matching NetApp user pcuser:

# groupadd -g 65535 pcuser
# useradd -M -s /sbin/nologin -u 65535 -g 65535 pcuser

Clear cache, restart services and remount the share:

# umount /mnt/netapp_nfs/
# /usr/sbin/nfsidmap -c
# /etc/init.d/rpcbind restart
# /etc/init.d/rpcgssd restart
# /etc/init.d/rpcidmapd restart
# mount.nfs -o vers=4,sec=sys 10.10.0.51:/vol/NFS_TEST /mnt/netapp_nfs

Now, the share will still be owned by root, but we can change the ownership thanks to the matching user pcuser (NFSv4 idmapd):

# chown pcuser:pcuser /mnt/netapp_nfs/

If the above does not work, change -sec=sys on the NetApp export.

Verify on the filer:

filer> fsecurity show /vol/NFS_TEST
[/vol/NFS_TEST - Directory (inum 64)]
Security style: Unix
Effective style: Unix

DOS attributes: 0x0010 (----D---)

Unix security:
uid: 65534 (pcuser)
gid: 65534 (pcuser)
mode: 0755 (rwxr-xr-x)

No security descriptor available.

Delete the user pcuser from the client machine as it’s no longer required (we have changed the ownership on the filer):

# userdel pcuser

Open /etc/idmapd.conf, remove the pcuser lines and put the following

Nobody-User = nfsnobody
Nobody-Group = nfsnobody

Clear cache, restart services and remount:

# umount /mnt/netapp_nfs/
# /usr/sbin/nfsidmap -c
# /etc/init.d/rpcbind restart
# /etc/init.d/rpcgssd restart
# /etc/init.d/rpcidmapd restart
# mount.nfs -o vers=4,sec=sys 10.10.0.51:/vol/NFS_TEST /mnt/netapp_nfs

Check the ownership:

# ls -ld /mnt/netapp_nfs/
drwxr-xr-x. 3 nfsnobody nfsnobody 4096 Jun 4 19:32 /mnt/netapp_nfs/

At this point all users should get squashed.

Leave a Reply

Your email address will not be published. Required fields are marked *