Koozali.org: home of the SME Server
Obsolete Releases => SME 9.x Contribs => Topic started by: stephdl on December 08, 2014, 12:37:44 AM
-
Hi All
A new toy to test : http://mirror.de-labrusse.fr/Sme-Server/smeserver-nfs/
wget http://mirror.de-labrusse.fr/Sme-Server/smeserver-nfs/smeserver-nfs-1.2.0-5.el6.sme.noarch.rpm
yum install smeserver-nfs-1.2.0-5.el6.sme.noarch.rpm
chkconfig nfs on
signal-event nfs-update
config set UnsavedChanges no
You now have a panel, with /etc/exports templated...
Options are really secured, I hope so; if not, shout. I tried to follow the advice given by gordon http://lists.contribs.org/pipermail/devinfo/2014-November/012671.html
if you need to debug http://wiki.contribs.org/NFS#for_sme9
show your export
showmount -e
and
cat /etc/exports
What you have to know about the security options:
If you choose to share an ibay to all your local network, the options are automatically: root_squash, read-only, secure (port under 1024); other options can be set.
If you need other options, you have to specify each IP of your local network (it is mandatory).
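The rule described in the post above (network-wide exports keep root_squash, read-only and secure; other options need per-IP entries) can be checked against an exports file. This is an added example, not part of the original post or of smeserver-nfs; the function name audit_exports, the WARN/FAIL levels and the demo1/demo2 i-bay names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an exports file against the rule in the post above.
# audit_exports FILE prints one "LEVEL path client option" line per finding.
#   FAIL = rw / no_root_squash / insecure on a client that is not a single IPv4
#   WARN = no_root_squash / insecure on a single-IP client (allowed, but review)
audit_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {                      # split "client(opt,opt,...)"
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            if (client == "") client = "*"    # "(opts)" alone means any host
            # Assumption: only a literal IPv4 address counts as a per-IP entry.
            single = (client ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
            lvl = single ? "WARN" : "FAIL"
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "no_root_squash" || o[j] == "insecure")
                    print lvl, path, client, o[j]
                else if (o[j] == "rw" && !single)
                    print "FAIL", path, client, o[j]
            }
        }
    }' "$1"
}

# Constructed sample: the first line is the export quoted later in this thread,
# the demo1/demo2 lines are made up for the demonstration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/home/e-smith/files/ibays/nfstest3/files 192.168.99.65(hide,sync,wdelay,rw,no_root_squash,secure)
/home/e-smith/files/ibays/demo1/files 192.168.99.0/24(ro,root_squash,secure)
/home/e-smith/files/ibays/demo2/files 192.168.99.0/24(rw,insecure) 192.168.99.70(rw)
EOF
audit_exports "$sample"
rm -f "$sample"
```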
-
Hi Steph,
I started testing messing around with the panel and nfs. No real testing yet suitable for the bugtracker, but anyway here are some quick findings :
- read-only access works ok, but I did not manage to set up a read-writable nfs share through the server-manager panel (although the panel suggests something like group-based write access, this again seems to interfere with ext4 not providing nfs style acl rules for client access). This may be just me, and/or time of day, though.
- more seriously, there's something amiss with the LDAP side of things:
* create a test i-bay "nfstest"
* export this i-bay through the new nfsshare panel
* deactivate the nfs share
* delete the i-bay -> Message: "ERROR deleting this i-bay", but i-bay disappears anyway
* /var/log/messages at this point:
Dec 9 01:39:53 smeserver esmith::event[20849]: Processing event: ibay-delete nfstest2
Dec 9 01:39:53 smeserver esmith::event[20849]: Running event handler: /etc/e-smith/events/actions/generic_template_expand
Dec 9 01:39:53 smeserver esmith::event[20849]: expanding /etc/shells
Dec 9 01:39:53 smeserver esmith::event[20849]: expanding /etc/hosts.allow
Dec 9 01:39:53 smeserver esmith::event[20849]: expanding /etc/services
Dec 9 01:39:53 smeserver esmith::event[20849]: expanding /etc/proftpd.conf
Dec 9 01:39:53 smeserver esmith::event[20849]: expanding /etc/hosts.deny
Dec 9 01:39:53 smeserver esmith::event[20849]: expanding /etc/securetty
Dec 9 01:39:53 smeserver esmith::event[20849]: expanding /etc/samba/smbusers
Dec 9 01:39:53 smeserver esmith::event[20849]: expanding /etc/samba/smb.conf
Dec 9 01:39:53 smeserver esmith::event[20849]: expanding /etc/httpd/conf/httpd.conf
Dec 9 01:39:54 smeserver esmith::event[20849]: expanding /etc/e-smith/pam/users.allow
Dec 9 01:39:54 smeserver esmith::event[20849]: expanding /etc/e-smith/pam/accounts.deny
Dec 9 01:39:54 smeserver esmith::event[20849]: expanding /etc/e-smith/pam/accounts.allow
Dec 9 01:39:54 smeserver esmith::event[20849]: generic_template_expand=action|Event|ibay-delete|Action|generic_template_expand|Start|1418085593 561125|End|1418085594 315450|Elapsed|0.754325
Dec 9 01:39:54 smeserver esmith::event[20849]: Running event handler: /etc/e-smith/events/ibay-delete/S15ibay-delete
Dec 9 01:39:54 smeserver esmith::event[20849]: CPU: ldapOperation: ldap_bind_s: Can't contact LDAP server
Dec 9 01:39:54 smeserver esmith::event[20849]: The LDAP server specified at localhost could not be contacted.
Dec 9 01:39:54 smeserver esmith::event[20849]: Your LDAP server may be down or incorrectly specified.
Dec 9 01:39:54 smeserver esmith::event[20849]: CPU: ldapOperation: ldap_bind_s: Can't contact LDAP server
Dec 9 01:39:54 smeserver esmith::event[20849]: The LDAP server specified at localhost could not be contacted.
Dec 9 01:39:54 smeserver esmith::event[20849]: Your LDAP server may be down or incorrectly specified.
Dec 9 01:39:54 smeserver esmith::event[20849]: S15ibay-delete=action|Event|ibay-delete|Action|S15ibay-delete|Start|1418085594 315737|End|1418085594 627833|Elapsed|0.312096
Dec 9 01:39:54 smeserver esmith::event[20849]: Running event handler: /etc/e-smith/events/ibay-delete/S55ldap-delete
Dec 9 01:39:54 smeserver esmith::event[20849]: IO::Socket::INET: connect: Connection refused at /etc/e-smith/events/ibay-delete/S55ldap-delete line 54.
Dec 9 01:39:54 smeserver esmith::event[20849]: S55ldap-delete=action|Event|ibay-delete|Action|S55ldap-delete|Start|1418085594 628121|End|1418085594 755800|Elapsed|0.127679|Status|28416
Dec 9 01:39:54 smeserver esmith::event[20849]: Running event handler: /etc/e-smith/events/actions/adjust-services
Dec 9 01:39:54 smeserver esmith::event[20849]: adjusting supervised httpd-e-smith (sigusr1)
Dec 9 01:39:54 smeserver esmith::event[20849]: adjusting supervised httpd-e-smith (up)
Dec 9 01:39:54 smeserver esmith::event[20849]: adjusting supervised smbd (sighup)
Dec 9 01:39:54 smeserver esmith::event[20849]: adjusting supervised smbd (up)
Dec 9 01:39:54 smeserver esmith::event[20849]: adjust-services=action|Event|ibay-delete|Action|adjust-services|Start|1418085594 756003|End|1418085594 867899|Elapsed|0.111896
The strange thing is that when I try to create a new i-bay with the same name as the original "nfstest2" afterwards, I receive an ERROR: The account "nfstest" already exists. There is nothing logged in /var/log/messages at this point, but I see a possibility that this relates to the previous error.
Oha. Just noticed that I do receive similar ldap related log errors now (ie. after installing the new smeserver-nfs.rpm) when trying to create a completely new i-bay, which fails in server-manager (error creating i-bay).
Will check more methodically tomorrow.
Cheers, mats
-
Hi mats
Check the ldap ownership of its database /var/lib/ldap
-
EDIT: I found the same problem on another virtual SME test server without smeserver-nfs installed, so probably unrelated to NFS.
Hm, ok.
I have:
[root@smeserver ldap]# ls -l /var/lib/ldap
insgesamt 1068
-rw-r--r-- 1 ldap ldap 2048 9. Dez 12:25 alock
dr-xr-xr-x 2 ldap ldap 4096 9. Dez 00:02 backup.1418079752
-rw------- 1 ldap ldap 16384 9. Dez 00:02 cn.bdb
-rw------- 1 root root 24576 9. Dez 12:25 __db.001
-rw------- 1 root root 245760 9. Dez 12:25 __db.002
-rw------- 1 root root 2629632 9. Dez 12:25 __db.003
-rw------- 1 root root 3145728 9. Dez 12:25 __db.004
-rw------- 1 root root 753664 9. Dez 12:25 __db.005
-rw------- 1 root root 32768 9. Dez 12:25 __db.006
-rw-r--r-- 1 root root 623 26. Nov 16:36 DB_CONFIG
-rw------- 1 ldap ldap 8192 9. Dez 00:02 dn2id.bdb
-rw------- 1 ldap ldap 8192 9. Dez 00:02 gidNumber.bdb
-rw------- 1 ldap ldap 8192 9. Dez 00:02 givenName.bdb
-rw------- 1 ldap ldap 65536 9. Dez 00:02 id2entry.bdb
-rw------- 1 ldap ldap 8192 9. Dez 00:02 mail.bdb
-rw------- 1 ldap ldap 8192 9. Dez 00:02 memberUid.bdb
-rw------- 1 ldap ldap 8192 9. Dez 00:02 objectClass.bdb
-rw------- 1 ldap ldap 8192 9. Dez 00:02 sambaPrimaryGroupSID.bdb
-rw------- 1 ldap ldap 8192 9. Dez 00:02 sambaSID.bdb
-rw------- 1 ldap ldap 8192 9. Dez 00:02 sn.bdb
-rw------- 1 ldap ldap 8192 9. Dez 00:02 uid.bdb
-rw------- 1 ldap ldap 8192 9. Dez 00:02 uidNumber.bdb
and in a backup folder that according to its mdate got created during a system update prior to installing the new smeserver-nfs contrib:
[root@smeserver ldap]# ls -l /var/lib/ldap/backup.1418079752/
insgesamt 1080
-r--r--r-- 1 ldap ldap 4096 9. Dez 00:02 alock
-r-------- 1 ldap ldap 14867 9. Dez 00:02 backup.ldif
-r-------- 1 ldap ldap 16384 9. Dez 00:02 cn.bdb
-r-------- 1 ldap ldap 24576 9. Dez 00:02 __db.001
-r-------- 1 ldap ldap 245760 9. Dez 00:02 __db.002
-r-------- 1 ldap ldap 2629632 9. Dez 00:02 __db.003
-r-------- 1 ldap ldap 3145728 9. Dez 00:02 __db.004
-r-------- 1 ldap ldap 753664 9. Dez 00:02 __db.005
-r-------- 1 ldap ldap 32768 9. Dez 00:02 __db.006
-r--r--r-- 1 ldap ldap 623 26. Nov 16:36 DB_CONFIG
-r-------- 1 ldap ldap 8192 9. Dez 00:02 dn2id.bdb
-r-------- 1 ldap ldap 8192 9. Dez 00:02 gidNumber.bdb
-r-------- 1 ldap ldap 8192 2. Dez 02:39 givenName.bdb
-r-------- 1 ldap ldap 65536 9. Dez 00:02 id2entry.bdb
-r-------- 1 ldap ldap 8192 9. Dez 00:02 mail.bdb
-r-------- 1 ldap ldap 8192 9. Dez 00:02 memberUid.bdb
-r-------- 1 ldap ldap 8192 9. Dez 00:02 objectClass.bdb
-r-------- 1 ldap ldap 8192 2. Dez 02:39 sambaPrimaryGroupSID.bdb
-r-------- 1 ldap ldap 8192 9. Dez 00:02 sambaSID.bdb
-r-------- 1 ldap ldap 8192 2. Dez 02:39 sn.bdb
-r-------- 1 ldap ldap 8192 9. Dez 00:02 uid.bdb
-r-------- 1 ldap ldap 8192 9. Dez 00:02 uidNumber.bdb
So the __db.00* files are now owned by root. I changed ownership of these files back to ldap:ldap and can create new shares and delete them again if I use a previously unused name for the i-bay. If I use "nfstest" as in my last post, I still get the error message (Status: The account "nfstest" is an existing account; in German: "Statusbericht: Das Konto "nfstest" ist ein existierendes Konto").
-
Mats,
your findings seem like a good catch. Could you log it in bugzilla please?
Thanks,
guest
-
HF,
will do (after some more investigation in order to be able to properly describe the steps leading up to this problem). Right now it looks like slapd is not started on boot on the two SME servers in question. EDIT: which is because /var/lib/ldap dir itself had no write permission for ldap user set on these machines; I don't know yet what may have caused this, but fixing the permission eliminates the erroneous behaviour described above.
-
it seems related to:
http://bugs.contribs.org/show_bug.cgi?id=8635
-
Normally, once the server is fully updated, the ownership for the ldap server should return to normal. In fact not all servers have this issue, but all cases come from an update of the ldap rpm.
-
Stefano, I think my ldap woes were indeed related to the bug you mentioned. Sorted it out by deleting the offending "nfstest" manually in both ldap and db accounts after installing the latest updates to the test machine.
Anyway, back to OP, some observations:
- after creating or modifying an nfs share, there is a somewhat significant delay (> 20 sec.) both on mounting the nfs share on a client and on issuing the first commands on a client (eg. cd'ing into the directory where the share is mounted). Probably due to nfsd and rpcbind being restarted on every change - is this really necessary or would an "exportfs -ra" be sufficient?
- read-write access still is a mixed bag in terms of user experience; the 'no_root_squash' option at least allows remote root on the client to create subdirs in the mount directory which ordinary client users can access, though.
on server:
[root@smeserver ~]# showmount -e
Export list for smeserver:
/home/e-smith/files/ibays/nfstest3/files 192.168.99.65
[root@smeserver ~]# tail -1 /etc/exports
/home/e-smith/files/ibays/nfstest3/files 192.168.99.65(hide,sync,wdelay,rw,no_root_squash,secure)
on client:
test@smeclient ~ $ time sudo mount -t nfs 192.168.99.1:/home/e-smith/files/ibays/nfstest3/files tmp
real 0m16.048s
user 0m0.004s
sys 0m0.008s
test@smeclient ~ $ mount |tail -1
192.168.99.1:/home/e-smith/files/ibays/nfstest3/files on /home/test/tmp type nfs (rw,vers=4,addr=192.168.99.1,clientaddr=192.168.99.65)
Transcript of testing read-write access on client, note ownership and permissions on mountpoint and its subdirs (test:test is a user with sudo privilege on the smeclient VM):
test@smeclient ~/tmp $ mkdir testdir
mkdir: cannot create directory 'testdir': Permission denied
test@smeclient ~/tmp $ sudo mkdir testdir
test@smeclient ~/tmp $ ls -l
drwxr-sr-x 2 nobody 4294967294 4096 Dec 9 20:49 testdir
test@smeclient ~/tmp $ ls -la
drwxrwsr-x 3 nobody 4294967294 4096 Dec 9 20:49 .
drwxr-xr-x 25 test test 4096 Dec 9 20:06 ..
drwxr-sr-x 2 nobody 4294967294 4096 Dec 9 20:49 testdir
test@smeclient ~/tmp $ sudo chown test:test testdir
test@smeclient ~/tmp $ ls -la
drwxrwsr-x 3 nobody 4294967294 4096 Dec 9 20:49 .
drwxr-xr-x 25 test test 4096 Dec 9 20:06 ..
drwxr-sr-x 2 nobody test 4096 Dec 9 20:49 testdir
test@smeclient ~/tmp $ sudo chmod -R g+w testdir
test@smeclient ~/tmp $ ls -la
drwxrwsr-x 3 nobody 4294967294 4096 Dec 9 20:49 .
drwxr-xr-x 25 test test 4096 Dec 9 20:06 ..
drwxrwsr-x 2 nobody test 4096 Dec 9 20:49 testdir
test@smeclient ~/tmp $ cd testdir/
test@smeclient ~/tmp/testdir $ ls -la
drwxrwsr-x 2 nobody test 4096 Dec 9 20:49 .
drwxrwsr-x 3 nobody 4294967294 4096 Dec 9 20:49 ..
test@smeclient ~/tmp/testdir $ touch testfile.txt
test@smeclient ~/tmp/testdir $ ls -l
-rw-r--r-- 1 nobody 4294967294 4 Dec 9 21:11 testfile.txt
-
- after creating or modifying an nfs share, there is a somewhat significant delay (> 20 sec.) both on mounting the nfs share on a client and on issuing the first commands on a client (eg. cd'ing into the directory where the share is mounted). Probably due to nfsd and rpcbind being restarted on every change - is this really necessary or would an "exportfs -ra" be sufficient?
You are right. I made an event called 'nfs-update' whose purpose is to avoid rebooting the server after the installation of the contrib, so we could also imagine an event 'nfs-conf' with fewer services to restart, but this will require us to remember that there are two events: one for after the installation, another for common usage or for the event called by the panel.
That could be tested
- read-write access still is a mixed bag in terms of user experience; the 'no_root_squash' option at least allows remote root on the client to create subdirs in the mount directory which ordinary client users can access, though.
I don't want the sysadmin to be able to change the group ownership and user permissions of an I-bay in this panel; you should do it in the ibay panel. However, you can see them in the nfs panel as a reminder of the group owner and file permissions. Of course I'm open to suggestions to enhance it, but I would prefer to stay as close as possible to the sme sharing way, or we should take another direction and separate nfs folders and ibays.
-
new version of smeserver-nfs
-possible custom shares by db command
-an event faster 'signal-event nfs-conf'
http://mirror.de-labrusse.fr/Sme-Server/smeserver-nfs/
wget http://mirror.de-labrusse.fr/Sme-Server/smeserver-nfs/smeserver-nfs-1.2.0-6.el6.sme.noarch.rpm
yum install smeserver-nfs-1.2.0-6.el6.sme.noarch.rpm
chkconfig nfs on
signal-event nfs-update
config set UnsavedChanges no
Here is the changelog:
* Mon Dec 15 2014 stephane de Labrusse <stephdl@de-labrusse.fr> 1.2.0-6.sme
- Added an event nfs-conf shorter for the server-manager
- Added a template /etc/exports/20CustomRules for manual settings
And I have updated the documentation http://wiki.contribs.org/NFS#for_sme9
-
Near to be released, be there or be square
http://mirror.de-labrusse.fr/Sme-Server/smeserver-nfs/
wget http://mirror.de-labrusse.fr/Sme-Server/smeserver-nfs/smeserver-nfs-1.2.0-8.el6.sme.noarch.rpm
yum install smeserver-nfs-1.2.0-8.el6.sme.noarch.rpm
chkconfig nfs on
signal-event nfs-update
config set UnsavedChanges no
http://wiki.contribs.org/NFS#for_sme9
-
stephdl, just reading now
chkconfig nfs on
we don't use chkconfig usually..
can you clarify it? thank you
-
The nfs service (which comes from nfs-utils) is not enabled after the installation; nfs is disabled for all run levels, mainly because nfs-utils is a bundle which provides the nfs file server and mount.nfs/mount.nfs4, which are needed if you want to be an nfs client.
To be clear, nfs-utils provides
->mount.nfs if you want to mount a remote nfs share
->nfs service not enabled by default
You can use either one, or both together, but the service has to be enabled first.
try
# chkconfig nfs --list
nfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off
-
well..
on a SME9:
[root@server ~]# chkconfig --list smb
smb 0:off 1:off 2:off 3:off 4:off 5:off 6:off
so I can't see the point..
IMHO nfs should be treated in the same way of samba.. then
config set nfs service status disabled
and
ln -s /etc/rc.d/init.d/e-smith-service /etc/rc7.d/SXXnfs
and so on..
am I missing something? I mean, apart of debating it on bugzilla? :-)
TIA
-
no debating in bugzilla, please test smeserver-nfs without allowing the nfs service and report back for other issues or thoughts.
-
unfortunately I have no nfs target to use, sorry
regarding my thoughts, you already have them :-)
-
Smeserver-nfs is there for that....use an ibay as an nfs target
-
ok.. will try to create a test environment in the next days
-
stephdl, just reading now
chkconfig nfs on
we don't use chkconfig usually..
can you clarify it? thank you
You are right, indeed we don't need it, the link I provide to rc7.d is sufficient. Thanks for this feedback
-
released