Bugzilla – Bug 1199450
yast2-nfs-client: NFSv4 server and directory scanning doesn't work (firewall?)
Last modified: 2022-08-02 15:14:07 UTC
Hi, could you help me out with the NFS setup please. The following issue was found using openSUSE 15.3 on both the NFS server and the NFS client. The client can't search for, find and mount the NFS shares. If the firewall is disabled (on server and client too), NFS works without any issues. Currently using NFSv4; in the firewall, ports 111 and 2049 are opened (TCP and UDP) on server and client. In this case the NFS client can't search the network and sees no NFS server. I tried to follow the openSUSE reference, where chapter 22.1 says that if firewalld is running, check section 25.4; unfortunately section 25.4 is FTP authentication. YaST is complaining about missing services nfs-kernel-server / nfs server; I see that there is already a ticket opened. Could you tell me please which ports have to be opened for NFS to work, the firewall being imperative (at this moment using the public firewall zone, opening ports manually). Thank you, best regards, Laszlo
This is not for security. Maybe the maintainer of nfs-client can help out or point into the right direction.
NFSv4.1 and later only require port 2049 to be open. What exactly do you mean by "The client can't search" ?? How do you try to mount the NFS filesystem? /etc/fstab, "mount" command, autofs ???
Hi, I've made a screenshot about how NFS behaves with the firewall on and off. I'm working entirely from Yast2. With the firewall on (server), after the NFS server is discovered and selected, going to the remote directory and hitting select, an empty list is presented (nfs1 attachment). After disabling the firewall and following the same procedure, the exported directory list is populated, and I can select the exported directory, then follow the mount procedure from YaST, going to mount point (local), selecting a local folder and finalizing the process. Tomorrow I will try to recreate the issue on the client, when the firewall is on there as well and the discovery of NFS servers fails. Hope this helps, thanks, Laszlo
Created attachment 858949: server firewall on
Created attachment 858950: nfs server firewall off
Thanks for the extra detail. As you haven't explicitly requested "Force NFSv4" for the "NFS Version", yast is using "showmount -e" to get a list of exports. This doesn't work through the firewall that you have created. I think this is incorrect behaviour for yast2-nfs-client, so I'm adding Martin Vidner who should know who might be able to fix it. When no explicit NFS version is requested, it is (now) safest to assume NFSv4. I think yast should only use the "showmount" approach if v3 is explicitly requested, or if the nfs4 mount doesn't work. For now you can work around this problem by selecting "Force NFSv4" rather than "Any (Highest Available)" as the NFS Version before attempting to select a Remote Directory.
Hi Neil, I've made 2 VMs, both openSUSE, one being the NFS server, the other the NFS client. If you want, we can have a shared session and we can do whatever we want, those machines not being in active use. Meanwhile I've attached, as promised, the screenshot (nfs3) about the failing NFS server discovery process when the client firewall is on (port 2049 being opened). If you consider having a shared session to check the issues I provided, just let me know. Thank you, best regards, Laszlo
Created attachment 859081: nfs server discovery fail
Hi Saigi, did you see comment #6 where I explained the problem and told you how to work around it? The screenshot in comment #8 seems to be a different problem. The first problem you described was not getting a list of filesystems. Now your problem seems to be not getting a list of servers. There is no reliable way to scan for NFSv4 servers. You need to explicitly name the server that you want to use. Possibly yast you disable that option when NFSv4 is selected.
Hi Neil, yes, I have seen your suggestion and I've checked both server and client settings (screenshots nfs4, 5). Furthermore I've changed the NFS config file, commenting out nfs3 (screenshot nfs6), and have the same results. If the firewall is on on the client, discovery fails; if the firewall is disabled on the NFS server, discovery and remote directory are working. Thanks, best regards, Laszlo
Created attachment 859121: nfs server setting yast
Created attachment 859122: nfs client setting yast
Created attachment 859123: nfs modified config
None of the settings you mentioned are the setting that I was referring to. The setting I was referring to is called "NFS Version", which none of those were. When you select "Network Services" and "NFS Client", then "Add", you get a dialog box. Fields include: NFS Server Hostname, Remote Directory, NFS Version, Mount Point (local), Options. The third one is "NFS Version". The default is "Any (Highest Available)". If you select this option there are a number of choices. You need to select "Force NFSv4". You need to choose an NFS Server Hostname too. Then you can go to the "Remote Directory" field and "Select", and you will get a list of mount points. By the way, the functionality for choosing from a list of NFS Service probably doesn't even work without a firewall, even with NFSv3 servers. It tries to use functionality that was disabled some years ago because it is insecure. We should probably get the option removed.
Hi Neil, the method suggested by you is working perfectly, but I discovered another issue using this method: if the NFS server's exposed folder has subfolders, those are not presented on the client when select directory is selected. Should I create a new ticket for it? If needed, I can make some screenshots. Thanks for your help and time, best regards, Laszlo
> if the nfs server exposed folder has subfolders, those are not presented on the client when select directory is selected.

The code to get a list of exported directories mounts the root directory from the server and just lists everything it finds in there. As you say, this may not match the set of filesystems which are exported. There is even a comment in the code wondering if it should use 'find -xdev' instead. What it actually needs to do is to run "find -xdev" twice. The output on the second run is the list of exported directories. I'm not in a position to fix any of this. We really need one of the yast developers to take over. So I'm assigning this to the yast team (I hope I have the correct email address).
Thanks, Neil. In case you wanna remember, yast2-maintainers@suse.de is the "incoming" address and yast-internal@suse.de is for our internal triage/scheduling.
Summarizing the report, there are problems with YaST scanning for servers AND directories, when the firewall is enabled.
1. Scanning for servers ("Choose" button): Neil says there is no reliable method for v4 servers.
2. Scanning for exported directories ("Select" button): YaST has 2 methods for this, mount-and-find for v4, and showexports for v3. We should fix the decision logic to use showexports only as the last resort.
3. Exported subdirectories of exported directories are not shown(?)
Moving into the team's board for planning.
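The decision logic from item 2 of the summary above, as an added example (not yast2-nfs-client code and not written by anyone in this thread). All names, the `ORDER` table and the port model are assumptions made for illustration; the sample firewall opens 111 and 2049 as in the original report, but not the port mountd listens on.

```ruby
# Added illustration, not YaST code. Every name here is hypothetical.
Listing = Struct.new(:via, :dirs)

# Probe order per "NFS Version" choice in the dialog.
# :current  = behaviour described in this report ("Any" goes straight to showmount)
# :proposed = assume NFSv4 first, keep showmount as the last resort
ORDER = {
  current:  { any: [:showmount], v4: [:mount_and_find], v3: [:showmount] },
  proposed: { any: [:mount_and_find, :showmount], v4: [:mount_and_find], v3: [:showmount] }
}.freeze

# probes: { name => callable returning an Array of paths, or nil on failure }
def list_exports(version, probes, policy: :proposed)
  ORDER.fetch(policy).fetch(version).each do |name|
    dirs = probes.fetch(name).call
    return Listing.new(name, dirs) if dirs
  end
  Listing.new(nil, [])
end

# Constructed firewall model (assumption): a probe succeeds only when every
# port it needs is open. NFSv4 mount-and-list needs 2049; "showmount -e"
# needs rpcbind (111) plus whatever port mountd listens on (:mountd).
NEEDS = { mount_and_find: [2049], showmount: [111, :mountd] }.freeze

def probes_for(open_ports, exports)
  NEEDS.transform_values do |ports|
    -> { (ports - open_ports).empty? ? exports : nil }
  end
end

if __FILE__ == $PROGRAM_NAME
  fw = probes_for([111, 2049], ["/srv/share"]) # constructed: the reporter's open ports
  %i[current proposed].each do |policy|
    r = list_exports(:any, fw, policy: policy)
    puts "#{policy}: via=#{r.via.inspect} dirs=#{r.dirs.inspect}"
  end
end
```

With "Any" selected, the current order returns an empty list behind this firewall, while the proposed order succeeds over 2049 alone and still falls back to showmount for a v3-only server.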
Hi Martin, I've added 2 screenshots, trying to help with the exposed directory structure not being complete, subdirectory not visible. Thanks, best regards, Laszlo
Created attachment 859440: exposed directory structure server side
Created attachment 859441: exposed directory structure on client side
Hi gents, any news about it? Will the bug be fixed anytime soon? Thanks, best regards, Laszlo