Re: has anyone tried running an NFS network *solely* using NFSv4?
On 03/12/2011 05:51 PM, Robert P. J. Day wrote:
> On Sat, 12 Mar 2011, Alec T. Habig wrote:
>
> > I was poking at this yesterday myself with no success, so would love
> > to know what the answer is.
> >
> > This is especially important since by default, iptables is installed
> > and active, and AFAIK the only way for nfs to coexist with iptables
> > is use nfs4. So out of the box, nfs doesn't work unless one
> > disables a security tool, aside from the issue that nfs4 is designed
> > to have a much higher level of security than the older versions,
> > such that we really should all be using it exclusively anyway.
>
> actually, i take it back, it's possible this is fixed. i edited
> /etc/sysconfig/nfs and uncommented all references to dropping support
> for NFS v2 and v3, and NFS seems to start. didn't used to, so maybe
> this issue has been resolved.
>
> once NFS is running, is there a convenient command to *show* me what
> versions of NFS are currently supported?
>
> rday

One option will be to use the nfsstat command.

--
CL Martinez
carlopmart {at} gmail {d0t} com
Re: has anyone tried running an NFS network *solely* using NFSv4?
On Sat, Mar 12, 2011 at 11:31 AM, Alec T. Habig wrote:
>
> I was poking at this yesterday myself with no success, so would love to
> know what the answer is.
>
> This is especially important since by default, iptables is installed and
> active, and AFAIK the only way for nfs to coexist with iptables is use
> nfs4. So out of the box, nfs doesn't work unless one disables a
> security tool, aside from the issue that nfs4 is designed to have a much
> higher level of security than the older versions, such that we really
> should all be using it exclusively anyway.

You can firewall an nfsv3 box. You have to set static ports in
"/etc/sysconfig/nfs" and allow access to those ports in iptables.

You can use nfsv4 only (meaning set RPCNFSDARGS="-N 2 -N 3" and
MOUNTD_NFS_V1="no", MOUNTD_NFS_V2="no", in "/etc/sysconfig/nfs").
You have to keep MOUNTD_NFS_V3="no" commented out though because nfsd
needs mountd locally. You then only need to open ports 111 and 2049 in
iptables and can disallow access to the ports of the other "nfs daemons".
Re: has anyone tried running an NFS network *solely* using NFSv4?
On Sat, 12 Mar 2011, Ray Van Dolson wrote:

> On Sat, Mar 12, 2011 at 11:51:11AM -0500, Robert P. J. Day wrote:
> > On Sat, 12 Mar 2011, Alec T. Habig wrote:
> >
> > > I was poking at this yesterday myself with no success, so would love
> > > to know what the answer is.
> > >
> > > This is especially important since by default, iptables is installed
> > > and active, and AFAIK the only way for nfs to coexist with iptables
> > > is use nfs4. So out of the box, nfs doesn't work unless one
> > > disables a security tool, aside from the issue that nfs4 is designed
> > > to have a much higher level of security than the older versions,
> > > such that we really should all be using it exclusively anyway.
> >
> > actually, i take it back, it's possible this is fixed. i edited
> > /etc/sysconfig/nfs and uncommented all references to dropping support
> > for NFS v2 and v3, and NFS seems to start. didn't used to, so maybe
> > this issue has been resolved.
> >
> > once NFS is running, is there a convenient command to *show* me what
> > versions of NFS are currently supported?
> >
> > rday
>
> rpcinfo -p :)

i tried that earlier but it still suggested i was supporting all of
versions 2, 3 and 4, but perhaps i'm misinterpreting how to do this.
more research would seem to be in order. feel free to mess with the
contents of /etc/sysconfig/nfs and report back any interesting
observations.

rday

--
Robert P. J. Day
Waterloo, Ontario, CANADA
http://crashcourse.ca
Twitter: http://twitter.com/rpjday
LinkedIn: http://ca.linkedin.com/in/rpjday
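
An added example, not part of the original thread: `rpcinfo -p` lists every registered RPC program, so its `vers` column has to be read per program number (100003 is nfs, 100005 is mountd, 100000 is the portmapper). The sample output below is constructed to match the NFSv4-only settings given earlier in the thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p` output (not captured from a real host),
# shaped like a server with RPCNFSDARGS="-N 2 -N 3", MOUNTD_NFS_V1="no" and
# MOUNTD_NFS_V2="no" set in /etc/sysconfig/nfs.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100005    3   udp    892  mountd
    100005    3   tcp    892  mountd
    100003    4   tcp   2049  nfs
    100003    4   udp   2049  nfs'

# rpc_versions PROGNUM
# Reads `rpcinfo -p` text on stdin and prints the sorted, de-duplicated,
# space-separated versions registered for that RPC program number.
rpc_versions() {
    awk -v prog="$1" '$1 == prog { print $2 }' | sort -nu | paste -s -d ' ' -
}

# nfs_v4_only
# Reads `rpcinfo -p` text on stdin; succeeds only if program 100003 (nfs)
# registers version 4 and nothing else. Versions listed for the portmapper
# or mountd do not count as NFS protocol versions.
nfs_v4_only() {
    [ "$(rpc_versions 100003)" = "4" ]
}

# Report on the constructed sample. On a live server, replace the printf
# with `rpcinfo -p` to check the running configuration.
for prog in 100000 100005 100003; do
    printf 'program %s registers versions: %s\n' "$prog" \
        "$(printf '%s\n' "$SAMPLE_RPCINFO" | rpc_versions "$prog")"
done

if printf '%s\n' "$SAMPLE_RPCINFO" | nfs_v4_only; then
    echo "nfs (100003): v4 only"
else
    echo "nfs (100003): older versions still registered"
fi
```
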
Re: has anyone tried running an NFS network *solely* using NFSv4?
On Sat, Mar 12, 2011 at 11:51:11AM -0500, Robert P. J. Day wrote:
> On Sat, 12 Mar 2011, Alec T. Habig wrote:
>
> > I was poking at this yesterday myself with no success, so would love
> > to know what the answer is.
> >
> > This is especially important since by default, iptables is installed
> > and active, and AFAIK the only way for nfs to coexist with iptables
> > is use nfs4. So out of the box, nfs doesn't work unless one
> > disables a security tool, aside from the issue that nfs4 is designed
> > to have a much higher level of security than the older versions,
> > such that we really should all be using it exclusively anyway.
>
> actually, i take it back, it's possible this is fixed. i edited
> /etc/sysconfig/nfs and uncommented all references to dropping support
> for NFS v2 and v3, and NFS seems to start. didn't used to, so maybe
> this issue has been resolved.
>
> once NFS is running, is there a convenient command to *show* me what
> versions of NFS are currently supported?
>
> rday

rpcinfo -p :)
Re: has anyone tried running an NFS network *solely* using NFSv4?
On Sat, 12 Mar 2011, Alec T. Habig wrote:

> I was poking at this yesterday myself with no success, so would love
> to know what the answer is.
>
> This is especially important since by default, iptables is installed
> and active, and AFAIK the only way for nfs to coexist with iptables
> is use nfs4. So out of the box, nfs doesn't work unless one
> disables a security tool, aside from the issue that nfs4 is designed
> to have a much higher level of security than the older versions,
> such that we really should all be using it exclusively anyway.

actually, i take it back, it's possible this is fixed. i edited
/etc/sysconfig/nfs and uncommented all references to dropping support
for NFS v2 and v3, and NFS seems to start. didn't used to, so maybe
this issue has been resolved.

once NFS is running, is there a convenient command to *show* me what
versions of NFS are currently supported?

rday

--
Robert P. J. Day
Waterloo, Ontario, CANADA
http://crashcourse.ca
Twitter: http://twitter.com/rpjday
LinkedIn: http://ca.linkedin.com/in/rpjday
Re: has anyone tried running an NFS network *solely* using NFSv4?
On Sat, 12 Mar 2011, Alec T. Habig wrote:

> I was poking at this yesterday myself with no success, so would love
> to know what the answer is.
>
> This is especially important since by default, iptables is installed
> and active, and AFAIK the only way for nfs to coexist with iptables
> is use nfs4. So out of the box, nfs doesn't work unless one
> disables a security tool, aside from the issue that nfs4 is designed
> to have a much higher level of security than the older versions,
> such that we really should all be using it exclusively anyway.

from my own playing around, i'm fairly confident that you *can* run
solely NFSv4, you just can't *start* it and say you want to deactivate
all of v1, v2 and v3. i suspect this is an historical holdover from
the old days of v3, where you (correctly) couldn't say that you wanted
to deactivate all three versions, and somewhere there's a startup
script that still contains that (now obsolete) check.

AFAICT, it doesn't matter which earlier version you leave turned on,
you just have to leave one of them on and all works well. but it
would be nice to not have to use that hack.

rday

--
Robert P. J. Day
Waterloo, Ontario, CANADA
http://crashcourse.ca
Twitter: http://twitter.com/rpjday
LinkedIn: http://ca.linkedin.com/in/rpjday
Re: has anyone tried running an NFS network *solely* using NFSv4?
I was poking at this yesterday myself with no success, so would love to
know what the answer is.

This is especially important since by default, iptables is installed and
active, and AFAIK the only way for nfs to coexist with iptables is use
nfs4. So out of the box, nfs doesn't work unless one disables a
security tool, aside from the issue that nfs4 is designed to have a much
higher level of security than the older versions, such that we really
should all be using it exclusively anyway.

--
Alec Habig, University of Minnesota Duluth Physics Dept.
ha...@neutrino.d.umn.edu
http://neutrino.d.umn.edu/~habig/