[OmniOS-discuss] [zfs] Heads up: Redhat/CentOS NFSv3 clients file locking failures

Stefan Skoglund stefan.skoglund at agj.net
Thu Jan 30 15:08:10 UTC 2014


On Wed 2014-01-22 at 14:47 -0600, Schweiss, Chip wrote:
> A recent change in the NLM for NFSv3 has exposed a problem with the
> firewall on Redhat/CentOS.   
> 
> Connections back to the client are blocked by the firewall because the
> connection tracking module is not catching connections as part of the
> open NFS connections to the server.
> 

This is (I think) callback related.

The portmapper works such that its users (for example the client-side
NFS kernel modules) bind to a TCP port and then register the port's
number with the portmapper.

Which means that the user's port number gets randomized, EXCEPT this:
---
[sudo root at compaq: /home/stefan]# lsmod |grep nfs
nfsd                  173890  2 
nfs                   265921  2 
nfs_acl                12463  2 nfs,nfsd
auth_rpcgss            32143  5 nfs,nfsd,rpcsec_gss_krb5
fscache                31978  1 nfs
lockd                  57277  2 nfs,nfsd
sunrpc                143904  16 lockd,auth_rpcgss,nfs_acl,nfs,nfsd,rpcsec_gss_krb5
[sudo root at compaq: /home/stefan]# modinfo nfsd
filename:       /lib/modules/3.2.0-4-686-pae/kernel/fs/nfsd/nfsd.ko
license:        GPL
author:         Olaf Kirch <okir at monad.swb.de>
depends:        auth_rpcgss,sunrpc,lockd,nfs_acl
intree:         Y
vermagic:       3.2.0-4-686-pae SMP mod_unload modversions 686 
[sudo root at compaq: /home/stefan]# modinfo nfs
filename:       /lib/modules/3.2.0-4-686-pae/kernel/fs/nfs/nfs.ko
license:        GPL
author:         Olaf Kirch <okir at monad.swb.de>
alias:          nfs4
depends:        fscache,sunrpc,lockd,auth_rpcgss,nfs_acl
intree:         Y
vermagic:       3.2.0-4-686-pae SMP mod_unload modversions 686 
parm:           callback_tcpport:portnr
parm:           cache_getent:Path to the client cache upcall program (string)
parm:           cache_getent_timeout:Timeout (in seconds) after which the cache upcall is assumed to have failed (ulong)
parm:           enable_ino64:bool
parm:           nfs4_disable_idmapping:Turn off NFSv4 idmapping when using 'sec=sys' (bool)
[sudo root at compaq: /home/stefan]#
[sudo root at compaq: /home/stefan]# cat /etc/modprobe.d/local-conf-nfs-fixed-ports.conf
options nfs callback_tcpport=2050
options lockd nlm_tcpport=2051 nlm_udpport=2051
[sudo root at compaq: /home/stefan]# 
----

The NFS-related modules have parameters for using locally defined
well-known port numbers, which the firewall can be configured to
recognize.
 
I do use NFS4.
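
As an added illustration (not part of the original message), the script below reads a modprobe.d options file like the one shown above and prints iptables rules that admit the NFS server's connections to the pinned ports. The function names and the server address 192.0.2.10 are assumptions made for this example; the rules are only printed, never applied.

```shell
#!/bin/sh
# Added example: derive firewall rules from pinned NFS client ports.

# Constructed sample input, same options as the modprobe.d file above.
sample_conf() {
    cat <<'EOF'
options nfs callback_tcpport=2050
options lockd nlm_tcpport=2051 nlm_udpport=2051
EOF
}

# pinned_ports FILE   ("-" reads stdin)
# Prints one line per pinned port: "proto module param port".
pinned_ports() {
    awk '
        $1 == "options" {
            for (i = 3; i <= NF; i++) {
                split($i, kv, "=")
                if ($2 == "nfs"   && kv[1] == "callback_tcpport") print "tcp", $2, kv[1], kv[2]
                if ($2 == "lockd" && kv[1] == "nlm_tcpport")      print "tcp", $2, kv[1], kv[2]
                if ($2 == "lockd" && kv[1] == "nlm_udpport")      print "udp", $2, kv[1], kv[2]
            }
        }' "$1"
}

# firewall_rules FILE SERVER_IP
# Prints iptables commands that accept new inbound traffic from the NFS
# server only, on the pinned ports only. Values that are not a usable
# port number (empty, non-numeric, 0, > 65535) are skipped with a warning,
# because a fixed firewall rule cannot match them.
firewall_rules() {
    pinned_ports "$1" | while read -r proto module param port; do
        case "$port" in
            ''|*[!0-9]*)
                echo "skip: $module $param is not numeric" >&2
                continue ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "skip: $module $param=$port is not a fixed port" >&2
            continue
        fi
        echo "iptables -A INPUT -s $2 -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Demo run on the constructed sample; 192.0.2.10 is a placeholder server address.
sample_conf | firewall_rules - 192.0.2.10
```

The module options only take effect when the modules are loaded, so the ports should be confirmed on the running client before relying on the rules.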


