Bug 1199450

Summary: yast2-nfs-client: NFSv4 server and directory scanning doesn't work (firewall?)
Product: [openSUSE] openSUSE Distribution Reporter: Saigi Laszlo <laca3400>
Component: NetworkAssignee: YaST Team <yast-internal>
Status: CONFIRMED --- QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: mvidner
Version: Leap 15.3   
Target Milestone: ---   
Hardware: 64bit   
OS: openSUSE Leap 15.3   
URL: https://trello.com/c/3fwSd7oS
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: server firewall on
nfs server firewall off
nfs server discovery fail
nfs server setting yast
nfs client setting yast
nfs modified config
exposed directory structure servre side
exposed directory structure on client sidde

Description Saigi Laszlo 2022-05-11 16:55:16 UTC
Hi
  Could you help me out  with the nfs setup please. Following issue found, using opensuse 15.3 both NFS server and NFS client. The client can`t search and  find &   mount the nfs shares. If firewall is disabled (server and client too),NFS is working  without any issues. Currently using NFSv4, in firewall  ports 111,2049 opened (TCP and UDP)on server and client in this case  the nfs client can`t search network , sees no nfs server . 
  Tried to follow  opensuse reference , where  in chapter  22.1 says  if firewalld is running check section 25.4 , unfortunately section 25.4 is FTP authentication .
    Yast complaining about missing services  nfs-kernel-server  / nfs server i see that is already a ticket opened. 
Could you tell me please which ports to be opened , for nfs to work, firewall being imperative ( at this moment  using firewall public, opening port manually )

Thank you, best regards, Laszlo
Comment 1 Matthias Gerstner 2022-05-12 07:50:00 UTC
This is not for security. Maybe the maintainer of nfs-client can help out or
point into the right direction.
Comment 2 Neil Brown 2022-05-12 22:05:22 UTC
NFSv4.1 and later only require port 2049 to be open.

What exactly do you mean by "The client can't search" ??

How do you try to mount the NFS filesystem?  /etc/fstab, "mount" command, autofs ???
Comment 3 Saigi Laszlo 2022-05-16 18:03:54 UTC
hi  
I`ve made screenshot, about how nfs behaves with firewall on and  off. I`m working entirely from Yast2. With firewall on (server), aftre nfs server is discovered and selected going to the remote directory hitting select and empty list is presented (nfs1 attachment ). After disabling  the firewall and following the same procedure the exported directory list is populated , can select expoted directory , then follow from yast the mount protocol, going to mount point(local)selecting local folder and finalizing the process.
Tomorrow will try to recreat the issue on the client, when firewall is on also there, and when  the discovery of nfs servers fail. Hop this helps , thanks,Laszlo
Comment 4 Saigi Laszlo 2022-05-16 18:04:53 UTC
Created attachment 858949 [details]
server firewall on
Comment 5 Saigi Laszlo 2022-05-16 18:06:32 UTC
Created attachment 858950 [details]
nfs server firewall off
Comment 6 Neil Brown 2022-05-16 23:54:23 UTC
Thanks for the extra detail.

As you haven't explicitly requested "Force NFSv4" for the "NFS Version", yast is used "showmount -e" to get a list of exports.  This doesn't work through the firewall that you have created.

I think this is incorrect behaviour for yast2-nfs-client, so I'm adding Martin Vidner who should know who might be able to fix it.

When no explicit NFS version is requested, it is (now) safest to assume NFSv4.  I think yast should only use the "showmount" approach if v3 is explicitly requested, or if the nfs4 mount doesn't work.

For now you can work around this problem by selecting "Force NFSv4" rather than "Any (Highest Available)" as the NFS Version before attempting to select a Remote Directory.
Comment 7 Saigi Laszlo 2022-05-19 17:15:18 UTC
Hi Neil 
   I`ve made  2 vm`s, bot opensuse  one being nfs server, the other  nfs client ,  if  you want  we can have a shared session and we can do whatever we want, those machines not being in active use. 
   Meanwhile i`ve attach, as promised, the screenshot (nfs3) about failing nfs server discovery process when client firewall is  on ( port 2049 being opened )
   If you consider  having a shared session to check  the issues  i provided, just let me know 
   Thank you, best regards, Laszlo
Comment 8 Saigi Laszlo 2022-05-19 17:16:13 UTC
Created attachment 859081 [details]
nfs server discovery fail
Comment 9 Neil Brown 2022-05-20 00:10:24 UTC
Hi Saigi,
 did you see comment #6 where I explained the problem at told you how to work around it?

 The screen shot in comment #8 seems to be a different problem.
 The first problem you described was not getting a list of filesystems.
 Now your problem seems to be not getting a list of servers.

 There is no reliable way to scan for NFSv4 servers.  You need to explicitly request name the server that you want to use. 
 Possibly yast you disable that option when NFSv4 is selected.
Comment 10 Saigi Laszlo 2022-05-21 15:31:07 UTC
Hi Neil
Yes i have seen you`re suggest and  i`ve checked both server and client settings (screnshot nfs4,5 ) Futhermore i`ve changed the nfs config file , commenting out nfs3 (screenshot nfs6 , and  hev the same results . If firewall is on on client , discovery fails , if firewall is disbaled on the nfs server dicovery and  remote directory is working . 

Thanks, best regards, Laszlo
Comment 11 Saigi Laszlo 2022-05-21 15:32:32 UTC
Created attachment 859121 [details]
nfs server setting yast
Comment 12 Saigi Laszlo 2022-05-21 15:33:16 UTC
Created attachment 859122 [details]
nfs client setting yast
Comment 13 Saigi Laszlo 2022-05-21 15:34:16 UTC
Created attachment 859123 [details]
nfs modified config
Comment 14 Neil Brown 2022-05-23 03:22:44 UTC
None of the setting you mentioned are the setting that I was referring to.
The setting I was referring to is calls "NFS Version", which none of those were.

When you sellect "Network Services" and "NFS Client"
Then "Add"
You get a dialog box.  Fields include
  NFS Server Hostname
  Remote Directory
  NFS Version
  Mount Point (local)
  Options

The third one as "NFS Version".   The default is "Any (Highest Available)".
If you select this option there are a number of choices.
You need to select "Force NFSv4".
You need to choose an NFS Server Hostname too.

Then you can go to the "Remote Directory" field and "Select", and you will get a list of mount points.

By the way, the functionality for choosing from a list of NFS Service probably doesn't even work without a firewall, even with NFSv3 servers.  It tries to use functionality that was disabled some years ago because it is insecure.  We should probably get the option removed.
Comment 15 Saigi Laszlo 2022-05-28 18:17:08 UTC
Hi Neil 
The method suggested by you is working prefectly, but  i discovered another issue using this method, if  the nfs server exposed folder  has subfolders , those are not presented  on the client when select directory is selected . Should create new ticket for it  ? 
If needed, can make some screenshots 
Thanks for your help, time, best regards, Laszlo
Comment 16 Neil Brown 2022-05-30 00:15:38 UTC
> if  the nfs server exposed folder  has subfolders , those are not presented  on the client when select directory is selected . 

The code to get a list of exported directories mounts the root directory from the server and just lists everything it finds in there.  As you say, this may not match the set of filesystems which are exported.

There is even a comment in the code wondering if it should use 'find -xdev' instead.
What is actually needs to do is to run "find -xdev" twice.  The output on the second run is the list of exported directories.

I'm not in a position to fix any of this. We really need one of the yast developers to take over.  So I"m assigning this to the yast team (I hope I have the correct email address).
Comment 17 Martin Vidner 2022-05-30 08:23:30 UTC
Thanks, Neil.
In case you wanna remember, yast2-maintainers@suse.de is the "incoming" address and yast-internal@suse.de is for our internal triage/scheduling.
Comment 18 Martin Vidner 2022-06-06 12:05:33 UTC
Summarizing the report, there are problems with YaST scanning for servers AND directories, when the firewall is enabled.

1. Scanning for servers ("Choose" button)

Neil says there is no reliable method for v4 servers.

2. Scanning for exported directories ("Select" button)

YaST has 2 methods for this, mount-and-find for v4, and showexports for v3. We should fix the decision logic to use showexports only as the last resort.

3. Exported subdirectories of exported directories are not shown(?)
Comment 19 Martin Vidner 2022-06-06 13:45:53 UTC
Moving into the team's board for planning.
Comment 20 Saigi Laszlo 2022-06-06 15:23:14 UTC
Hi Martin  
I`ve added 2 screenshots , trying to help with the  exposed directory structure  not complete , subdirectory not visible 
Thank, best regards, Laszlo
Comment 21 Saigi Laszlo 2022-06-06 15:23:59 UTC
Created attachment 859440 [details]
exposed directory structure  servre side
Comment 22 Saigi Laszlo 2022-06-06 15:24:46 UTC
Created attachment 859441 [details]
exposed  directory structure  on client sidde
Comment 23 Saigi Laszlo 2022-08-02 15:14:07 UTC
hi gents 
Any news about it? The bug will be fixed anytime soon?
Thanks, best regards, laszlo