has anyone tried running an NFS network *solely* using NFSv4?

2011-03-12 Thread Robert P. J. Day
  i've tried this a couple times with centos 5.5 and ubuntu and, so
far, i haven't been able to make this work.  has anyone tried setting
up an NFS network so that both servers and clients use *only* nfsv4?

  that is, when you configure (or start) NFS, you can typically add
mount options like --no-nfs-version 2 or something like that.  but
i've tried to do that while explicitly specifying i don't want version
1, 2 *or* 3, and that's never worked yet -- apparently, NFS still
wants *some* earlier version than v4, no matter what it is.

  given that NFSv4 would seem to be adequately mature by now, is it
not possible to use it exclusively for your network?  has anyone else
tried this?  thanks.

rday

-- 


Robert P. J. Day   Waterloo, Ontario, CANADA
http://crashcourse.ca

Twitter:   http://twitter.com/rpjday
LinkedIn:   http://ca.linkedin.com/in/rpjday



Re: has anyone tried running an NFS network *solely* using NFSv4?

2011-03-12 Thread Alec T. Habig
I was poking at this yesterday myself with no success, so would love to
know what the answer is.

This is especially important since by default, iptables is installed and
active, and AFAIK the only way for nfs to coexist with iptables is use
nfs4.  So out of the box, nfs doesn't work unless one disables a
security tool, aside from the issue that nfs4 is designed to have a much
higher level of security than the older versions, such that we really
should all be using it exclusively anyway.

-- 
Alec Habig, University of Minnesota Duluth Physics Dept.
ha...@neutrino.d.umn.edu
   http://neutrino.d.umn.edu/~habig/


Re: has anyone tried running an NFS network *solely* using NFSv4?

2011-03-12 Thread Robert P. J. Day
On Sat, 12 Mar 2011, Alec T. Habig wrote:

> I was poking at this yesterday myself with no success, so would love
> to know what the answer is.
>
> This is especially important since by default, iptables is installed
> and active, and AFAIK the only way for nfs to coexist with iptables
> is use nfs4.  So out of the box, nfs doesn't work unless one
> disables a security tool, aside from the issue that nfs4 is designed
> to have a much higher level of security than the older versions,
> such that we really should all be using it exclusively anyway.

  from my own playing around, i'm fairly confident that you *can* run
solely NFSv4, you just can't *start* it and say you want to deactivate
all of v1, v2 and v3.  i suspect this is an historical holdover from
the old days of v3, where you (correctly) couldn't say that you wanted
to deactivate all three versions, and somewhere there's a startup
script that still contains that (now obsolete) check.

  AFAICT, it doesn't matter which earlier version you leave turned on,
you just have to leave one of them on and all works well.  but it
would be nice to not have to use that hack.

rday





Re: has anyone tried running an NFS network *solely* using NFSv4?

2011-03-12 Thread Robert P. J. Day
On Sat, 12 Mar 2011, Alec T. Habig wrote:

> I was poking at this yesterday myself with no success, so would love
> to know what the answer is.
>
> This is especially important since by default, iptables is installed
> and active, and AFAIK the only way for nfs to coexist with iptables
> is use nfs4.  So out of the box, nfs doesn't work unless one
> disables a security tool, aside from the issue that nfs4 is designed
> to have a much higher level of security than the older versions,
> such that we really should all be using it exclusively anyway.

  actually, i take it back, it's possible this is fixed.  i edited
/etc/sysconfig/nfs and uncommented all references to dropping support
for NFS v2 and v3, and NFS seems to start.  didn't used to, so maybe
this issue has been resolved.

  once NFS is running, is there a convenient command to *show* me what
versions of NFS are currently supported?

rday




Re: has anyone tried running an NFS network *solely* using NFSv4?

2011-03-12 Thread Ray Van Dolson
On Sat, Mar 12, 2011 at 11:51:11AM -0500, Robert P. J. Day wrote:
> On Sat, 12 Mar 2011, Alec T. Habig wrote:
>
> > I was poking at this yesterday myself with no success, so would love
> > to know what the answer is.
> >
> > This is especially important since by default, iptables is installed
> > and active, and AFAIK the only way for nfs to coexist with iptables
> > is use nfs4.  So out of the box, nfs doesn't work unless one
> > disables a security tool, aside from the issue that nfs4 is designed
> > to have a much higher level of security than the older versions,
> > such that we really should all be using it exclusively anyway.
>
>   actually, i take it back, it's possible this is fixed.  i edited
> /etc/sysconfig/nfs and uncommented all references to dropping support
> for NFS v2 and v3, and NFS seems to start.  didn't used to, so maybe
> this issue has been resolved.
>
>   once NFS is running, is there a convenient command to *show* me what
> versions of NFS are currently supported?
>
> rday

rpcinfo -p :)


Re: has anyone tried running an NFS network *solely* using NFSv4?

2011-03-12 Thread Robert P. J. Day
On Sat, 12 Mar 2011, Ray Van Dolson wrote:

> On Sat, Mar 12, 2011 at 11:51:11AM -0500, Robert P. J. Day wrote:
> > On Sat, 12 Mar 2011, Alec T. Habig wrote:
> >
> > > I was poking at this yesterday myself with no success, so would love
> > > to know what the answer is.
> > >
> > > This is especially important since by default, iptables is installed
> > > and active, and AFAIK the only way for nfs to coexist with iptables
> > > is use nfs4.  So out of the box, nfs doesn't work unless one
> > > disables a security tool, aside from the issue that nfs4 is designed
> > > to have a much higher level of security than the older versions,
> > > such that we really should all be using it exclusively anyway.
> >
> >   actually, i take it back, it's possible this is fixed.  i edited
> > /etc/sysconfig/nfs and uncommented all references to dropping support
> > for NFS v2 and v3, and NFS seems to start.  didn't used to, so maybe
> > this issue has been resolved.
> >
> >   once NFS is running, is there a convenient command to *show* me what
> > versions of NFS are currently supported?
> >
> > rday
>
> rpcinfo -p :)

  i tried that earlier but it still suggested i was supporting all of
versions 2, 3 and 4, but perhaps i'm misinterpreting how to do this.
more research would seem to be in order.  feel free to mess with the
contents of /etc/sysconfig/nfs and report back any interesting
observations.

rday




Re: has anyone tried running an NFS network *solely* using NFSv4?

2011-03-12 Thread Tom H
On Sat, Mar 12, 2011 at 11:31 AM, Alec T. Habig
ha...@neutrino.d.umn.edu wrote:

> I was poking at this yesterday myself with no success, so would love to
> know what the answer is.
>
> This is especially important since by default, iptables is installed and
> active, and AFAIK the only way for nfs to coexist with iptables is use
> nfs4.  So out of the box, nfs doesn't work unless one disables a
> security tool, aside from the issue that nfs4 is designed to have a much
> higher level of security than the older versions, such that we really
> should all be using it exclusively anyway.

You can firewall an nfsv3 box. You have to set static ports in
/etc/sysconfig/nfs and allow access to those ports in iptables.

You can use nfsv4 only (meaning set RPCNFSDARGS="-N 2 -N 3" and
MOUNTD_NFS_V1=no, MOUNTD_NFS_V2=no in /etc/sysconfig/nfs).

You have to keep MOUNTD_NFS_V3=no commented out though because nfsd
needs mountd locally.

You then only need to open ports 111 and 2049 in iptables and can
disallow access to the ports of the other nfs daemons.
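
Added example (not part of the original thread or of any poster's message): a small parser for `rpcinfo -p` output that separates the nfs program (100003) from mountd (100005), so that a mountd v3 registration is not mistaken for NFSv3 still being served, and lists the ports a v4-only firewall should not expose. The sample outputs are constructed, the function names are hypothetical, and port 892 is an assumed static mountd port.

```shell
#!/bin/sh
# Constructed `rpcinfo -p` samples (not captured from a real host).
# 100003 = nfs, 100005 = mountd; port 892 is an assumed static mountd port.
SAMPLE_MIXED='   program vers proto   port
    100000    2   tcp    111  portmapper
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    3   tcp    892  mountd'
SAMPLE_V4ONLY='   program vers proto   port
    100000    2   tcp    111  portmapper
    100003    4   tcp   2049  nfs
    100005    3   tcp    892  mountd'

# rpc_versions PROGNUM: read `rpcinfo -p` output on stdin and print the
# registered versions of that RPC program, ascending, space-separated.
rpc_versions() {
    awk -v prog="$1" '
        $1 == prog { seen[$2] = 1 }
        END {
            out = ""
            for (v = 1; v <= 9; v++)
                if (v in seen) out = out (out == "" ? "" : " ") v
            print out
        }'
}

# nfs_is_v4_only: succeed only if nfs (100003) is registered with version 4
# and nothing else. mountd versions are deliberately not considered here.
nfs_is_v4_only() {
    [ "$(rpc_versions 100003)" = "4" ]
}

# other_rpc_ports: list registered port/proto pairs other than 111 and 2049,
# i.e. the daemons the firewall should not expose in a v4-only setup.
other_rpc_ports() {
    awk '$1 ~ /^[0-9]+$/ && $4 != 111 && $4 != 2049 { print $4 "/" $3, $5 }' | sort -u
}

report() {  # $1 = label, $2 = rpcinfo text
    if printf '%s\n' "$2" | nfs_is_v4_only; then verdict='v4 only'
    else verdict='legacy versions registered'; fi
    echo "$1: nfs [$(printf '%s\n' "$2" | rpc_versions 100003)] -> $verdict"
}
report mixed "$SAMPLE_MIXED"
report v4only "$SAMPLE_V4ONLY"
```

On a live server the same functions take real output on stdin, for example `rpcinfo -p | rpc_versions 100003`.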


Re: has anyone tried running an NFS network *solely* using NFSv4?

2011-03-12 Thread carlopmart

On 03/12/2011 05:51 PM, Robert P. J. Day wrote:

> On Sat, 12 Mar 2011, Alec T. Habig wrote:
>
> > I was poking at this yesterday myself with no success, so would love
> > to know what the answer is.
> >
> > This is especially important since by default, iptables is installed
> > and active, and AFAIK the only way for nfs to coexist with iptables
> > is use nfs4.  So out of the box, nfs doesn't work unless one
> > disables a security tool, aside from the issue that nfs4 is designed
> > to have a much higher level of security than the older versions,
> > such that we really should all be using it exclusively anyway.
>
>   actually, i take it back, it's possible this is fixed.  i edited
> /etc/sysconfig/nfs and uncommented all references to dropping support
> for NFS v2 and v3, and NFS seems to start.  didn't used to, so maybe
> this issue has been resolved.
>
>   once NFS is running, is there a convenient command to *show* me what
> versions of NFS are currently supported?
>
> rday



One option will be to use the nfsstat command.

--
CL Martinez
carlopmart {at} gmail {d0t} com