ehough / docker-nfs-server

A lightweight, robust, flexible, and containerized NFS server.
https://hub.docker.com/r/erichough/nfs-server/
GNU General Public License v3.0

Discussion: necessary ports #6

Closed kohlerdominik closed 6 years ago

kohlerdominik commented 6 years ago

Hi, I'd like to open a discussion about the ports necessary for the application to work. I used your package in a Kubernetes cluster to share data from one node (physical host) to multiple workloads across several nodes. For this, I registered a Service, so the container is accessible via DNS. Then I needed to define the necessary ports to forward. I tried several variants, but I ended up with these ports (NFSv4) to get it working:

TCP: 111, 2049, 32765, 32767
UDP: 111, 632, 646, 2049, 32765, 32767

You only forwarded 2049 to the bridged network. So, I'm curious: any ideas why this behavior happened? If it's normal behavior, maybe it should be added to the README, as it costs some time to find that out.

ehough commented 6 years ago

Thanks for your question, and I'm glad to hear you're making good use of the image!

For NFSv4, the only port that needs to be exposed is TCP 2049; the other ports you listed need to be exposed for NFSv3. Whether you use bridge or host networking shouldn't matter. Here's a working docker-compose.yml for an NFSv4 service that I use daily:

version: "3"
services:
  nfs-server:
    image: erichough/nfs-server
    container_name: nfs-server
    hostname: nas
    environment:
      NFS_PORT: 2049
      NFS_VERSION: 4.2
      NFS_DISABLE_VERSION_3: 1
      NFS_SERVER_THREAD_COUNT: 8
      # one export per NFS_EXPORT_n variable; the second one was mislabelled NFS_EXPORT_0 (duplicate key)
      NFS_EXPORT_0: ... *(ro,no_subtree_check,insecure,fsid=1)
      NFS_EXPORT_1: ... *(rw,no_subtree_check,insecure,fsid=2,sec=krb5p)
      NFS_ENABLE_KERBEROS: 1
    restart: always
    volumes:
      - ...
      - /media/nas/apps/nfs/krb5.keytab:/etc/krb5.keytab:ro
      - /media/nas/apps/kerberos/krb5.conf:/etc/krb5.conf:ro
      - /media/nas/apps/nfs/idmapd.conf:/etc/idmapd.conf:ro
      - /etc/passwd:/etc/passwd:ro
    cap_add:
      - SYS_ADMIN
    ports:
      - 2049:2049

If you have to open all the ports that you described, it sounds to me like your clients are performing NFSv3 mounts. If you share the server container's log (docker logs ...) and/or your client logs (mount -v -o nfsvers=4 <container-IP>:/some/export /some/local/path) we could probably figure out what's happening.

Another idea would be to use tcpdump or similar to examine the network traffic. I'd be curious to see if the clients are attempting v4 before falling back to v3.
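The port difference ehough describes can be derived mechanically from the server's RPC registrations. The following script is an added example (not part of the docker-nfs-server project) that parses `rpcinfo -p` output and returns the set of (protocol, port) pairs a client must reach for an NFSv3 versus an NFSv4 mount, plus a helper that lists forwarded ports an NFSv4-only service does not need. The `rpcinfo` text below is constructed; its port numbers are chosen to match the ones kohlerdominik listed, and the program numbers are the fixed ONC RPC assignments.

```python
"""Derive required NFS ports, per protocol version, from `rpcinfo -p` output.

Added example; not the project's own code. The sample registration table is
constructed for this illustration.
"""
from typing import Set, Tuple

# Fixed ONC RPC program numbers for the services involved in an NFS mount.
PROGRAMS = {
    100000: "portmapper",
    100003: "nfs",
    100005: "mountd",
    100021: "nlockmgr",
    100024: "status",
}

# Constructed `rpcinfo -p` output (mountd/lockd/statd pinned to fixed ports).
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100005    3   udp  32767  mountd
    100005    3   tcp  32767  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100021    4   udp  32765  nlockmgr
    100021    4   tcp  32765  nlockmgr
    100024    1   udp    632  status
    100024    1   tcp    646  status
"""

Port = Tuple[str, int]  # (proto, port)
Registration = Tuple[int, int, str, int]  # (program, version, proto, port)


def parse_rpcinfo(text: str) -> Set[Registration]:
    """Parse the columns of `rpcinfo -p`, skipping the header line."""
    rows: Set[Registration] = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue  # header or blank line
        rows.add((int(parts[0]), int(parts[1]), parts[2], int(parts[3])))
    return rows


def required_ports(text: str, nfs_version: int) -> Set[Port]:
    """Ports a client must reach for a mount with the given major NFS version."""
    rows = parse_rpcinfo(text)
    if nfs_version >= 4:
        # NFSv4 carries mount, locking and state over the nfs program itself,
        # so only the registered v4 nfs endpoint is needed and portmapper is not.
        return {(proto, port) for prog, vers, proto, port in rows
                if prog == 100003 and vers == 4}
    # NFSv3 needs portmapper to discover mountd, nlockmgr and status, each on
    # its own port, in addition to the nfs v3 endpoint.
    return {(proto, port) for prog, vers, proto, port in rows
            if prog in PROGRAMS and not (prog == 100003 and vers != 3)}


def surplus_ports(forwarded: Set[Port], text: str) -> Set[Port]:
    """Forwarded ports an NFSv4-only service does not need.

    Each one is extra exposed surface and usually a sign that clients are
    still negotiating v3 through the sidecar RPC services.
    """
    return forwarded - required_ports(text, 4)


if __name__ == "__main__":
    for version in (3, 4):
        ports = sorted(required_ports(SAMPLE_RPCINFO, version))
        print(f"NFSv{version}: {ports}")
    extra = surplus_ports({("tcp", 2049), ("tcp", 111), ("udp", 111)}, SAMPLE_RPCINFO)
    print("not needed for v4:", sorted(extra))
```

Run against a real server with `rpcinfo -p <server>` piped into `required_ports`; if the set for version 4 is the only thing your Kubernetes Service forwards and mounts still fail, the client is negotiating v3, which is exactly the case the log and `tcpdump` suggestions above would confirm.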

ehough commented 6 years ago

One more thing in case you're not already aware of it: NFSv4 has a notion of pseudo-filesystems that can make mounting from a client a little unusual. It has generated a lot of confusion and frustration, but the punchline is that you'll need to add the option fsid=0 to at least one of your exports.

If you can post a copy of your /etc/exports, I'd be glad to take a look.

ehough commented 6 years ago

I added a section to the README regarding necessary ports.

Were you able to get mounts working with only port 2049 exposed?

Closing this issue for now but please feel free to continue the discussion, comment, criticize, opine, etc.

kohlerdominik commented 6 years ago

I'm sorry for my delayed answer, had to do some other stuff.

> One more thing in case you're not already aware of it: NFSv4 has a notion of pseudo-filesystems that can make mounting from a client a little unusual. It has generated a lot of confusion and frustration, but the punchline is that you'll need to add the option fsid=0 to at least one of your exports.

This was the real issue, and I solved it, somehow, by accidentally fixing it and moving to v3 at the same time. Maybe you can point that out more clearly in the README? Can example 2 (environment variables) even work?

kohlerdominik commented 6 years ago

My config:

containers:
- env:
  - name: NFS_DISABLE_VERSION_3
    value: "true"
  - name: NFS_EXPORT_0
    value: /export *(rw,no_subtree_check,insecure,fsid=0)
  - name: NFS_PORT
    value: "2049"
  - name: NFS_VERSION
    value: "4.2"
  image: erichough/nfs-server
  imagePullPolicy: Always
  name: nfsserv
  ports:
  - containerPort: 2049
    name: 2049tcp20492
    protocol: TCP
  - containerPort: 2049
    name: 2049udp20492
    protocol: UDP
  resources: {}
  securityContext:
    allowPrivilegeEscalation: true
    capabilities: {}
    privileged: true
    readOnlyRootFilesystem: false
    runAsNonRoot: false
  stdin: true
  terminationMessagePath: /dev/termination-log
  terminationMessagePolicy: File
  tty: true
  volumeMounts:
  - mountPath: /export
    name: export
dnsPolicy: ClusterFirst
nodeName: nli1
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
volumes:
- hostPath:
    path: /root/export
    type: ""
  name: export   # must match the volumeMounts name above

Mounted on the client with:

mount -t nfs4 <server-ip>:/ /mount/path/client
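The fsid=0 requirement discussed above (and the export line in the config just posted) is easy to check before a pod ever starts. The script below is an added example, not code from the docker-nfs-server project: it parses export definitions in the `/etc/exports` syntax that the image's `NFS_EXPORT_n` variables use, confirms that an NFSv4 pseudo-root (`fsid=0`, or its alias `fsid=root`) is present, and reports the export options a reviewer would question, namely `rw` granted to every client (`*`), `no_root_squash`, `insecure`, and `rw` without a `sec=` setting (which means AUTH_SYS, where the server trusts the UID the client asserts). The sample export lines are constructed and loosely mirror the ones in this thread.

```python
"""Lint NFS export lines for the NFSv4 pseudo-root and for risky options.

Added example; not the project's own code. Sample lines are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed samples in /etc/exports syntax (the same syntax NFS_EXPORT_n uses).
SAMPLE_EXPORTS = [
    "/export *(rw,no_subtree_check,insecure,fsid=0)",
    "/media *(ro,no_subtree_check,insecure,fsid=1)",
    "/shared 10.0.0.0/24(rw,sync,no_subtree_check,no_root_squash)",
]

_CLIENT_SPEC = re.compile(r"([^(]+)(?:\((.*)\))?")


@dataclass
class Export:
    path: str
    client: str
    # option name -> value ("" for bare flags such as rw or insecure)
    options: Dict[str, str] = field(default_factory=dict)


def parse_export(line: str) -> List[Export]:
    """Split one exports line into (path, client, options) entries.

    A line may name several clients: "/p hostA(rw) hostB(ro)"; a client
    without parentheses gets the exports(5) defaults, so its option dict is empty.
    """
    path, _, rest = line.strip().partition(" ")
    result: List[Export] = []
    for token in rest.split():
        match = _CLIENT_SPEC.fullmatch(token)
        if not match:
            continue
        client, opts = match.group(1), match.group(2) or ""
        options: Dict[str, str] = {}
        for opt in filter(None, opts.split(",")):
            key, _, value = opt.partition("=")
            options[key] = value
        result.append(Export(path, client, options))
    return result


def lint(lines: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    exports = [e for line in lines for e in parse_export(line)]
    findings: List[str] = []
    if not any(e.options.get("fsid") in ("0", "root") for e in exports):
        findings.append("no export carries fsid=0: NFSv4 clients have no pseudo-root to mount")
    for e in exports:
        tag = f"{e.path} {e.client}"
        if e.client == "*" and "rw" in e.options:
            findings.append(f"{tag}: rw export to every client ('*'); restrict to hosts or a network")
        if "no_root_squash" in e.options:
            findings.append(f"{tag}: no_root_squash lets a remote root act as root on this export")
        if "insecure" in e.options:
            findings.append(f"{tag}: insecure accepts requests from client ports above 1023; "
                            "drop it unless your clients cannot use privileged source ports")
        if "rw" in e.options and "sec" not in e.options:
            findings.append(f"{tag}: rw with no sec= option means AUTH_SYS, trusting client-asserted UIDs")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_EXPORTS):
        print("-", finding)
```

To lint a running container's configuration, feed it the values of its `NFS_EXPORT_n` environment variables (for example from `docker inspect` or `kubectl get pod -o yaml`); the fsid finding is the one that reproduces the mount failure described earlier in this thread, and the remaining findings are the trade-offs the `*(rw,...,insecure)` pattern carries.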