Closed: kohlerdominik closed this issue 6 years ago
Thanks for your question, and I'm glad to hear you're making good use of the image!
For NFSv4, the only port that needs to be exposed is TCP 2049; the other ports you listed need to be exposed for NFSv3. Whether you use bridge or host networking shouldn't matter. Here's a working `docker-compose.yml` for an NFSv4 service that I use daily:
```yaml
version: "3"
services:
  nfs-server:
    image: erichough/nfs-server
    container_name: nfs-server
    hostname: nas
    environment:
      NFS_PORT: 2049
      NFS_VERSION: 4.2
      NFS_DISABLE_VERSION_3: 1
      NFS_SERVER_THREAD_COUNT: 8
      NFS_EXPORT_0: ... *(ro,no_subtree_check,insecure,fsid=1)
      NFS_EXPORT_1: ... *(rw,no_subtree_check,insecure,fsid=2,sec=krb5p)
      NFS_ENABLE_KERBEROS: 1
    restart: always
    volumes:
      - ...
      - /media/nas/apps/nfs/krb5.keytab:/etc/krb5.keytab:ro
      - /media/nas/apps/kerberos/krb5.conf:/etc/krb5.conf:ro
      - /media/nas/apps/nfs/idmapd.conf:/etc/idmapd.conf:ro
      - /etc/passwd:/etc/passwd:ro
    cap_add:
      - SYS_ADMIN
    ports:
      - 2049:2049
```
If you have to open all the ports that you described, it sounds to me like your clients are performing NFSv3 mounts. If you share the server container's log (`docker logs ...`) and/or your client logs (`mount -v -o nfsvers=4 <container-IP>:/some/export /some/local/path`) we could probably figure out what's happening.
Another idea would be to use `tcpdump` or similar to examine the network traffic. I'd be curious to see if the clients are attempting v4 before falling back to v3.
One more thing in case you're not already aware of it; NFSv4 has a notion of pseudo-filesystems that can make mounting from a client a little unusual. It has generated a lot of confusion and frustration, but the punchline is that you'll need to add the option `fsid=0` to at least one of your exports.
If you can post a copy of your `/etc/exports`, I'd be glad to take a look.
I added a section to the README regarding necessary ports.
Were you able to get mounts working with only port 2049 exposed?
Closing this issue for now but please feel free to continue the discussion, comment, criticize, opine, etc.
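To make the `fsid=0` point above concrete, here is an added example (not code from the erichough/nfs-server project or from anyone in this thread) that parses export definitions in `/etc/exports` syntax, which is also the format of the image's `NFS_EXPORT_<n>` environment variables, and reports the conditions that typically break an NFSv4 mount of `server:/` or widen exposure more than intended. The export paths in the sample inputs are constructed for this example, since the thread elides the real ones; the `NFS_EXPORT_<n>` numbering convention is taken from the compose file in this thread.

```python
"""Lint NFSv4 export definitions before deploying them (added example)."""
import re
from dataclasses import dataclass, field


@dataclass
class Export:
    path: str
    clients: dict = field(default_factory=dict)  # client spec -> list of options


def parse_export_line(line):
    """Parse one /etc/exports-style line; returns None for blank or comment lines.

    Syntax handled: '<path> <client>(<opt>,<opt>,...) [<client>(...)] ...'.
    A client token without parentheses gets an empty option list.
    """
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    path, _, rest = line.partition(" ")
    export = Export(path=path)
    for token in rest.split():
        client, _, opts = token.partition("(")
        export.clients[client] = [o for o in opts.rstrip(")").split(",") if o]
    return export


def exports_from_env(env):
    """Collect NFS_EXPORT_0, NFS_EXPORT_1, ... from an environment dict in numeric order."""
    keyed = []
    for key, value in env.items():
        m = re.fullmatch(r"NFS_EXPORT_(\d+)", key)
        if m:
            keyed.append((int(m.group(1)), value))
    return [value for _, value in sorted(keyed)]


def check_exports(lines):
    """Return a list of (severity, path, message) findings for the given export lines."""
    findings = []
    exports = [e for e in map(parse_export_line, lines) if e]
    fsids = {}  # fsid value -> paths that use it
    for e in exports:
        for client, opts in e.clients.items():
            optset = set(opts)
            for o in opts:
                if o.startswith("fsid="):
                    value = o[len("fsid="):]
                    # 'fsid=root' is the documented alias for the NFSv4 pseudo-root, fsid=0
                    fsids.setdefault("0" if value == "root" else value, []).append(e.path)
            if "insecure" in optset:
                findings.append(("warn", e.path,
                                 f"{client}: 'insecure' accepts requests from non-privileged source ports"))
            if "no_root_squash" in optset:
                findings.append(("warn", e.path,
                                 f"{client}: 'no_root_squash' lets a remote root act as local root"))
            sec = next((o for o in opts if o.startswith("sec=")), "sec=sys")  # sec=sys is the default
            if "rw" in optset and client == "*" and sec == "sec=sys":
                findings.append(("warn", e.path,
                                 "read-write to every client with only AUTH_SYS (uid-based) security"))
    if "0" not in fsids:
        findings.append(("error", "-",
                         "no export has fsid=0; NFSv4 clients mounting <server>:/ will fail"))
    for fsid, paths in fsids.items():
        if len(paths) > 1:
            findings.append(("error", ",".join(paths), f"fsid={fsid} is used by more than one export"))
    return findings


# Constructed samples: the shape of the two configurations discussed in this thread,
# with hypothetical paths standing in for the elided ones.
COMPOSE_STYLE_ENV = {
    "NFS_EXPORT_0": "/srv/ro *(ro,no_subtree_check,insecure,fsid=1)",
    "NFS_EXPORT_1": "/srv/rw *(rw,no_subtree_check,insecure,fsid=2,sec=krb5p)",
}
K8S_STYLE_ENV = {
    "NFS_EXPORT_0": "/export *(rw,no_subtree_check,insecure,fsid=0)",
}


def has_errors(findings):
    """True if any finding is a hard error (the mount will not work as an NFSv4 root)."""
    return any(severity == "error" for severity, _, _ in findings)


if __name__ == "__main__":
    for label, env in (("compose-style", COMPOSE_STYLE_ENV), ("k8s-style", K8S_STYLE_ENV)):
        print(f"== {label}")
        for severity, path, message in check_exports(exports_from_env(env)):
            print(f"{severity:5} {path:20} {message}")
```

Run it as a script to see both reports: the first sample lacks `fsid=0` and is flagged as an error, while the second mounts fine as `server:/` but gets a warning because it is world-writable under plain AUTH_SYS. Feeding it the output of `cat /etc/exports` (one line per list element) works the same way.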
I'm sorry for my delayed answer, had to do some other stuff.
> One more thing in case you're not already aware of it; NFSv4 has a notion of pseudo-filesystems that can make mounting from a client a little unusual. It has generated a lot of confusion and frustration, but the punchline is that you'll need to add the option `fsid=0` to at least one of your exports.

This was the real issue, and I solved it, somehow, by accidentally fixing it and moving to v3 at the same time. Maybe you can point that out more clearly in the README? Can example 2 (environment variables) even work?

My config:
```yaml
containers:
  - env:
      - name: NFS_DISABLE_VERSION_3
        value: "true"
      - name: NFS_EXPORT_0
        value: /export *(rw,no_subtree_check,insecure,fsid=0)
      - name: NFS_PORT
        value: "2049"
      - name: NFS_VERSION
        value: "4.2"
    image: erichough/nfs-server
    imagePullPolicy: Always
    name: nfsserv
    ports:
      - containerPort: 2049
        name: 2049tcp20492
        protocol: TCP
      - containerPort: 2049
        name: 2049udp20492
        protocol: UDP
    resources: {}
    securityContext:
      allowPrivilegeEscalation: true
      capabilities: {}
      privileged: true
      readOnlyRootFilesystem: false
      runAsNonRoot: false
    stdin: true
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    tty: true
    volumeMounts:
      - mountPath: /export
        name: export
dnsPolicy: ClusterFirst
nodeName: nli1
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
volumes:
  - hostPath:
      path: /root/export
      type: ""
    name: export
```
Mounted on the client with:

```sh
mount -t nfs4 <server-ip>:/ /mount/path/client
```
Hi, I'd like to open a discussion about the ports necessary for the application to work. I used your package in a Kubernetes cluster to share data from one node (physical host) to multiple workloads across several nodes. For this, I registered a service, so the container is accessible via DNS. Then I needed to define which ports to forward. I tried several variants, but I ended up with these ports (NFSv4) to get it working:

- TCP: 111, 2049, 32765, 32767
- UDP: 111, 632, 646, 2049, 32765, 32767

You only forwarded 2049 to the bridged network. So, I'm curious: any ideas why this behavior happened? Maybe, if it's normal behavior, it should be added to the README, as it costs some time to find that out.