Koozali.org: home of the SME Server

Smeserver-nfs : need test

Offline stephdl

« on: December 08, 2014, 12:37:44 AM »
Hi All

A new toy to test : http://mirror.de-labrusse.fr/Sme-Server/smeserver-nfs/

Code:
wget http://mirror.de-labrusse.fr/Sme-Server/smeserver-nfs/smeserver-nfs-1.2.0-5.el6.sme.noarch.rpm
yum install smeserver-nfs-1.2.0-5.el6.sme.noarch.rpm
chkconfig nfs on
signal-event nfs-update
config set UnsavedChanges no

You now have a panel, with /etc/exports templated...

Options are really secured, I hope so; if not, shout. I tried to follow the advice given by Gordon: http://lists.contribs.org/pipermail/devinfo/2014-November/012671.html

If you need to debug: http://wiki.contribs.org/NFS#for_sme9

Show your export:

Code:
showmount -e

and

Code:
cat /etc/exports

What you have to know about the security options:

If you choose to share an ibay with all of your local network, the options are automatically: root_squash, read-only, secure (port under 1024); other options can be set.

If you need other options, you have to specify each IP of your local network (this is mandatory).
« Last Edit: December 08, 2014, 12:45:32 AM by stephdl »
See http://wiki.contribs.org/Koozali_Foundation
irc : Freenode #sme_server #sme-fr

!!! Please write your knowledge to the Wiki !!!

Offline mats

« Reply #1 on: December 09, 2014, 01:54:32 AM »
Hi Steph,

I started testing, messing around with the panel and nfs. No real testing yet suitable for the bugtracker, but anyway here are some quick findings:

- read-only access works ok, but I did not manage to set up a read-writable nfs share through the server-manager panel (although the panel suggests something like group-based write access, this again seems to interfere with ext4 not providing nfs style acl rules for client access). This may be just me, and/or time of day, though.

- more seriously, there's something amiss with the LDAP side of things:
  * create a test i-bay "nfstest"
  * export this i-bay through the new nfsshare panel
  * deactivate the nfs share
  * delete the i-bay -> Message: "ERROR deleting this i-bay", but i-bay disappears anyway
  * /var/log/messages at this point:
Code:
Dec  9 01:39:53 smeserver esmith::event[20849]: Processing event: ibay-delete nfstest2
Dec  9 01:39:53 smeserver esmith::event[20849]: Running event handler: /etc/e-smith/events/actions/generic_template_expand
Dec  9 01:39:53 smeserver esmith::event[20849]: expanding /etc/shells
Dec  9 01:39:53 smeserver esmith::event[20849]: expanding /etc/hosts.allow
Dec  9 01:39:53 smeserver esmith::event[20849]: expanding /etc/services
Dec  9 01:39:53 smeserver esmith::event[20849]: expanding /etc/proftpd.conf
Dec  9 01:39:53 smeserver esmith::event[20849]: expanding /etc/hosts.deny
Dec  9 01:39:53 smeserver esmith::event[20849]: expanding /etc/securetty
Dec  9 01:39:53 smeserver esmith::event[20849]: expanding /etc/samba/smbusers
Dec  9 01:39:53 smeserver esmith::event[20849]: expanding /etc/samba/smb.conf
Dec  9 01:39:53 smeserver esmith::event[20849]: expanding /etc/httpd/conf/httpd.conf
Dec  9 01:39:54 smeserver esmith::event[20849]: expanding /etc/e-smith/pam/users.allow
Dec  9 01:39:54 smeserver esmith::event[20849]: expanding /etc/e-smith/pam/accounts.deny
Dec  9 01:39:54 smeserver esmith::event[20849]: expanding /etc/e-smith/pam/accounts.allow
Dec  9 01:39:54 smeserver esmith::event[20849]: generic_template_expand=action|Event|ibay-delete|Action|generic_template_expand|Start|1418085593 561125|End|1418085594 315450|Elapsed|0.754325
Dec  9 01:39:54 smeserver esmith::event[20849]: Running event handler: /etc/e-smith/events/ibay-delete/S15ibay-delete
Dec  9 01:39:54 smeserver esmith::event[20849]: CPU: ldapOperation: ldap_bind_s: Can't contact LDAP server
Dec  9 01:39:54 smeserver esmith::event[20849]:      The LDAP server specified at localhost could not be contacted.
Dec  9 01:39:54 smeserver esmith::event[20849]:      Your LDAP server may be down or incorrectly specified.
Dec  9 01:39:54 smeserver esmith::event[20849]: CPU: ldapOperation: ldap_bind_s: Can't contact LDAP server
Dec  9 01:39:54 smeserver esmith::event[20849]:      The LDAP server specified at localhost could not be contacted.
Dec  9 01:39:54 smeserver esmith::event[20849]:      Your LDAP server may be down or incorrectly specified.
Dec  9 01:39:54 smeserver esmith::event[20849]: S15ibay-delete=action|Event|ibay-delete|Action|S15ibay-delete|Start|1418085594 315737|End|1418085594 627833|Elapsed|0.312096
Dec  9 01:39:54 smeserver esmith::event[20849]: Running event handler: /etc/e-smith/events/ibay-delete/S55ldap-delete
Dec  9 01:39:54 smeserver esmith::event[20849]: IO::Socket::INET: connect: Connection refused at /etc/e-smith/events/ibay-delete/S55ldap-delete line 54.
Dec  9 01:39:54 smeserver esmith::event[20849]: S55ldap-delete=action|Event|ibay-delete|Action|S55ldap-delete|Start|1418085594 628121|End|1418085594 755800|Elapsed|0.127679|Status|28416
Dec  9 01:39:54 smeserver esmith::event[20849]: Running event handler: /etc/e-smith/events/actions/adjust-services
Dec  9 01:39:54 smeserver esmith::event[20849]: adjusting supervised httpd-e-smith (sigusr1)
Dec  9 01:39:54 smeserver esmith::event[20849]: adjusting supervised httpd-e-smith (up)
Dec  9 01:39:54 smeserver esmith::event[20849]: adjusting supervised smbd (sighup)
Dec  9 01:39:54 smeserver esmith::event[20849]: adjusting supervised smbd (up)
Dec  9 01:39:54 smeserver esmith::event[20849]: adjust-services=action|Event|ibay-delete|Action|adjust-services|Start|1418085594 756003|End|1418085594 867899|Elapsed|0.111896


The strange thing is that when I try to create a new i-bay with the same name as the original "nfstest2" afterwards, I receive an ERROR: The account "nfstest" already exists. There is nothing logged in /var/log/messages at this point, but I see a possibility that this relates to the previous error.

Oha. Just noticed that I do receive similar ldap related log errors now (ie. after installing the new smeserver-nfs.rpm) when trying to create a completely new i-bay, which fails in server-manager (error creating i-bay).

Will check more methodically tomorrow.

Cheers, mats
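
An added example (not part of the original posts and not SME Server code): a checker that groups the esmith::event lines per action and reports every action that either ended with a non-zero Status or printed an error while finishing without a Status field, as S15ibay-delete does in the log above. The sample lines are copied from that log; the error keyword list is an assumption. Status 28416 decodes as a wait status to exit code 111, which on Linux is the errno value of ECONNREFUSED.

```python
import re

ENTRY = re.compile(r"esmith::event\[\d+\]: (.*)$")
# Assumption: keywords that mark a complaint in an action's output.
ERROR_HINT = re.compile(r"can't contact|refused|could not|failed|error", re.I)

# Subset of the log lines quoted in the post above.
SAMPLE_LOG = """\
Dec  9 01:39:54 smeserver esmith::event[20849]: Running event handler: /etc/e-smith/events/ibay-delete/S15ibay-delete
Dec  9 01:39:54 smeserver esmith::event[20849]: CPU: ldapOperation: ldap_bind_s: Can't contact LDAP server
Dec  9 01:39:54 smeserver esmith::event[20849]: S15ibay-delete=action|Event|ibay-delete|Action|S15ibay-delete|Start|1418085594 315737|End|1418085594 627833|Elapsed|0.312096
Dec  9 01:39:54 smeserver esmith::event[20849]: Running event handler: /etc/e-smith/events/ibay-delete/S55ldap-delete
Dec  9 01:39:54 smeserver esmith::event[20849]: IO::Socket::INET: connect: Connection refused at /etc/e-smith/events/ibay-delete/S55ldap-delete line 54.
Dec  9 01:39:54 smeserver esmith::event[20849]: S55ldap-delete=action|Event|ibay-delete|Action|S55ldap-delete|Start|1418085594 628121|End|1418085594 755800|Elapsed|0.127679|Status|28416
Dec  9 01:39:54 smeserver esmith::event[20849]: Running event handler: /etc/e-smith/events/actions/adjust-services
Dec  9 01:39:54 smeserver esmith::event[20849]: adjusting supervised smbd (sighup)
Dec  9 01:39:54 smeserver esmith::event[20849]: adjust-services=action|Event|ibay-delete|Action|adjust-services|Start|1418085594 756003|End|1418085594 867899|Elapsed|0.111896
""".splitlines()

def audit_event_log(lines):
    """Return one dict per action that failed or logged a complaint."""
    findings, current, output = [], None, []
    for line in lines:
        m = ENTRY.search(line)
        if not m:
            continue
        text = m.group(1)
        if text.startswith("Running event handler: "):
            # A new action starts: collect its output from here on.
            current, output = text.split(": ", 1)[1], []
        elif "=action|" in text:
            # Summary line: alternating key|value fields after "=action|".
            fields = text.split("=action|", 1)[1].split("|")
            kv = dict(zip(fields[0::2], fields[1::2]))
            status = int(kv.get("Status", "0"))  # field is absent on success
            complaints = [o for o in output if ERROR_HINT.search(o)]
            if status or complaints:
                findings.append({
                    "event": kv.get("Event"),
                    "action": kv.get("Action"),
                    "status": status,
                    "exit_code": status >> 8,   # wait status: high byte
                    "signal": status & 0x7F,    # wait status: low 7 bits
                    "complaints": complaints,
                })
            current, output = None, []
        elif current:
            output.append(text.strip())
    return findings

if __name__ == "__main__":
    for f in audit_event_log(SAMPLE_LOG):
        print(f["action"], "status", f["status"], "exit", f["exit_code"], f["complaints"])
```
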

Offline stephdl

« Reply #2 on: December 09, 2014, 08:43:32 AM »
Hi mats

Check the ldap ownership of its database /var/lib/ldap

Offline mats

« Reply #3 on: December 09, 2014, 12:47:58 PM »
EDIT: I found the same problem on another virtual SME test server without smeserver-nfs installed, so probably unrelated to NFS.

Hm, ok.

I have:

Code:
[root@smeserver ldap]# ls -l /var/lib/ldap
insgesamt 1068
-rw-r--r-- 1 ldap ldap    2048  9. Dez 12:25 alock
dr-xr-xr-x 2 ldap ldap    4096  9. Dez 00:02 backup.1418079752
-rw------- 1 ldap ldap   16384  9. Dez 00:02 cn.bdb
-rw------- 1 root root   24576  9. Dez 12:25 __db.001
-rw------- 1 root root  245760  9. Dez 12:25 __db.002
-rw------- 1 root root 2629632  9. Dez 12:25 __db.003
-rw------- 1 root root 3145728  9. Dez 12:25 __db.004
-rw------- 1 root root  753664  9. Dez 12:25 __db.005
-rw------- 1 root root   32768  9. Dez 12:25 __db.006
-rw-r--r-- 1 root root     623 26. Nov 16:36 DB_CONFIG
-rw------- 1 ldap ldap    8192  9. Dez 00:02 dn2id.bdb
-rw------- 1 ldap ldap    8192  9. Dez 00:02 gidNumber.bdb
-rw------- 1 ldap ldap    8192  9. Dez 00:02 givenName.bdb
-rw------- 1 ldap ldap   65536  9. Dez 00:02 id2entry.bdb
-rw------- 1 ldap ldap    8192  9. Dez 00:02 mail.bdb
-rw------- 1 ldap ldap    8192  9. Dez 00:02 memberUid.bdb
-rw------- 1 ldap ldap    8192  9. Dez 00:02 objectClass.bdb
-rw------- 1 ldap ldap    8192  9. Dez 00:02 sambaPrimaryGroupSID.bdb
-rw------- 1 ldap ldap    8192  9. Dez 00:02 sambaSID.bdb
-rw------- 1 ldap ldap    8192  9. Dez 00:02 sn.bdb
-rw------- 1 ldap ldap    8192  9. Dez 00:02 uid.bdb
-rw------- 1 ldap ldap    8192  9. Dez 00:02 uidNumber.bdb

and in a backup folder that according to its mdate got created during a system update prior to installing the new smeserver-nfs contrib:

Code:
[root@smeserver ldap]# ls -l /var/lib/ldap/backup.1418079752/
insgesamt 1080
-r--r--r-- 1 ldap ldap    4096  9. Dez 00:02 alock
-r-------- 1 ldap ldap   14867  9. Dez 00:02 backup.ldif
-r-------- 1 ldap ldap   16384  9. Dez 00:02 cn.bdb
-r-------- 1 ldap ldap   24576  9. Dez 00:02 __db.001
-r-------- 1 ldap ldap  245760  9. Dez 00:02 __db.002
-r-------- 1 ldap ldap 2629632  9. Dez 00:02 __db.003
-r-------- 1 ldap ldap 3145728  9. Dez 00:02 __db.004
-r-------- 1 ldap ldap  753664  9. Dez 00:02 __db.005
-r-------- 1 ldap ldap   32768  9. Dez 00:02 __db.006
-r--r--r-- 1 ldap ldap     623 26. Nov 16:36 DB_CONFIG
-r-------- 1 ldap ldap    8192  9. Dez 00:02 dn2id.bdb
-r-------- 1 ldap ldap    8192  9. Dez 00:02 gidNumber.bdb
-r-------- 1 ldap ldap    8192  2. Dez 02:39 givenName.bdb
-r-------- 1 ldap ldap   65536  9. Dez 00:02 id2entry.bdb
-r-------- 1 ldap ldap    8192  9. Dez 00:02 mail.bdb
-r-------- 1 ldap ldap    8192  9. Dez 00:02 memberUid.bdb
-r-------- 1 ldap ldap    8192  9. Dez 00:02 objectClass.bdb
-r-------- 1 ldap ldap    8192  2. Dez 02:39 sambaPrimaryGroupSID.bdb
-r-------- 1 ldap ldap    8192  9. Dez 00:02 sambaSID.bdb
-r-------- 1 ldap ldap    8192  2. Dez 02:39 sn.bdb
-r-------- 1 ldap ldap    8192  9. Dez 00:02 uid.bdb
-r-------- 1 ldap ldap    8192  9. Dez 00:02 uidNumber.bdb

So the __db.00* files are now owned by root. I changed ownership of these files back to ldap:ldap and can create new shares and delete them again if I use a previously unused name for the i-bay. If I use "nfstest" as in my last post, I still get the error message (Status: The account "nfstest" is an existing account; in German: "Statusbericht: Das Konto "nfstest" ist ein existierendes Konto").
« Last Edit: December 09, 2014, 01:03:41 PM by mats »

guest22

« Reply #4 on: December 09, 2014, 02:10:20 PM »
Mats,

your findings seem like a good catch. Could you log it in bugzilla please?

Thanks,
guest

Offline mats

« Reply #5 on: December 09, 2014, 02:32:09 PM »
HF,

will do (after some more investigation in order to be able to properly describe the steps leading up to this problem). Right now it looks like slapd is not started on boot on the two SME servers in question. EDIT: which is because /var/lib/ldap dir itself had no write permission for ldap user set on these machines; I don't know yet what may have caused this, but fixing the permission eliminates the erroneous behaviour described above.
« Last Edit: December 09, 2014, 03:25:39 PM by mats »

Offline Stefano

« Reply #6 on: December 09, 2014, 03:54:23 PM »

Offline stephdl

« Reply #7 on: December 09, 2014, 05:39:43 PM »
Normally, once the server is fully updated, the correct ownership for the ldap server should return to normal. In fact not all servers have this issue, but all cases come from an update of the ldap rpm.

Offline mats

« Reply #8 on: December 09, 2014, 09:07:32 PM »
Stefano, I think my ldap woes were indeed related to the bug you mentioned. Sorted it out by deleting the offending "nfstest" manually in both ldap and db accounts after installing the latest updates to the test machine.

Anyway, back to OP, some observations:

- after creating or modifying an nfs share, there is a somewhat significant delay (> 20 sec.) both on mounting the nfs share on a client and on issuing the first commands on a client (eg. cd'ing into the directory where the share is mounted). Probably due to nfsd and rpcbind being restarted on every change - is this really necessary or would an "exportfs -ra" be sufficient?

- read-write access still is a mixed bag in terms of user experience; the 'no_root_squash' option at least allows remote root on the client to create subdirs in the mount directory which ordinary client users can access, though.

on server:

Code:
[root@smeserver ~]# showmount -e
Export list for smeserver:
/home/e-smith/files/ibays/nfstest3/files 192.168.99.65
Code:
[root@smeserver ~]# tail -1 /etc/exports
/home/e-smith/files/ibays/nfstest3/files  192.168.99.65(hide,sync,wdelay,rw,no_root_squash,secure)

on client:

Code:
test@smeclient ~ $ time sudo mount -t nfs 192.168.99.1:/home/e-smith/files/ibays/nfstest3/files tmp
real 0m16.048s
user 0m0.004s
sys 0m0.008s
Code:
test@smeclient ~ $ mount |tail -1
192.168.99.1:/home/e-smith/files/ibays/nfstest3/files on /home/test/tmp type nfs (rw,vers=4,addr=192.168.99.1,clientaddr=192.168.99.65)

Transcript of testing read-write access on client, note ownership and permissions on mountpoint and its subdirs (test:test is a user with sudo privilege on the smeclient VM):

Code:
test@smeclient ~/tmp $ mkdir testdir
mkdir: cannot create directory 'testdir': Permission denied

test@smeclient ~/tmp $ sudo mkdir testdir
test@smeclient ~/tmp $ ls -l
drwxr-sr-x 2 nobody 4294967294 4096 Dec  9 20:49 testdir

test@smeclient ~/tmp $ ls -la
drwxrwsr-x  3 nobody 4294967294 4096 Dec  9 20:49 .
drwxr-xr-x 25 test   test       4096 Dec  9 20:06 ..
drwxr-sr-x  2 nobody 4294967294 4096 Dec  9 20:49 testdir

test@smeclient ~/tmp $ sudo chown test:test testdir

test@smeclient ~/tmp $ ls -la
drwxrwsr-x  3 nobody 4294967294 4096 Dec  9 20:49 .
drwxr-xr-x 25 test   test       4096 Dec  9 20:06 ..
drwxr-sr-x  2 nobody test       4096 Dec  9 20:49 testdir

test@smeclient ~/tmp $ sudo chmod -R g+w testdir

test@smeclient ~/tmp $ ls -la
drwxrwsr-x  3 nobody 4294967294 4096 Dec  9 20:49 .
drwxr-xr-x 25 test   test       4096 Dec  9 20:06 ..
drwxrwsr-x  2 nobody test       4096 Dec  9 20:49 testdir

test@smeclient ~/tmp $ cd testdir/

test@smeclient ~/tmp/testdir $ ls -la
drwxrwsr-x 2 nobody test       4096 Dec  9 20:49 .
drwxrwsr-x 3 nobody 4294967294 4096 Dec  9 20:49 ..

test@smeclient ~/tmp/testdir $ touch testfile.txt

test@smeclient ~/tmp/testdir $ ls -l
-rw-r--r-- 1 nobody 4294967294 4 Dec  9 21:11 testfile.txt

« Last Edit: December 09, 2014, 09:13:46 PM by mats »
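
An added example, not from the thread or the smeserver-nfs package: a checker for the rule stephdl describes in the first post (a share to more than one address stays root_squash, read-only, secure) that also flags no_root_squash on single-IP exports such as the one quoted above. The first two sample lines are constructed, and treating hostnames and wildcards as "more than one IP" is an assumption.

```python
import ipaddress

# exports(5) defaults for options that are not listed: ro, root_squash, secure
DEFAULTS = {"rw": False, "root_squash": True, "secure": True}
TOGGLES = {
    "rw": ("rw", True), "ro": ("rw", False),
    "root_squash": ("root_squash", True),
    "no_root_squash": ("root_squash", False),
    "secure": ("secure", True), "insecure": ("secure", False),
}

# First two lines are constructed; the last is the export quoted in the thread.
SAMPLE_EXPORTS = """\
/home/e-smith/files/ibays/docs/files 192.168.99.0/24(ro,root_squash,secure)
/home/e-smith/files/ibays/media/files 192.168.99.0/24(rw,sync) 192.168.99.70(rw,root_squash)
/home/e-smith/files/ibays/nfstest3/files  192.168.99.65(hide,sync,wdelay,rw,no_root_squash,secure)
"""

def is_single_ip(client):
    """True for one literal address; networks, wildcards, hostnames count as many."""
    try:
        return ipaddress.ip_network(client, strict=False).num_addresses == 1
    except ValueError:
        return False

def effective_options(option_string):
    """Start from the defaults and apply the listed options in order."""
    eff = dict(DEFAULTS)
    for opt in option_string.split(","):
        if opt in TOGGLES:
            key, value = TOGGLES[opt]
            eff[key] = value
    return eff

def audit_exports(text):
    """Return (path, client, problem) tuples for entries that break the rule."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for token in clients:
            client, _, opts = token.partition("(")
            client = client or "*"  # "(rw)" without a host applies to every host
            eff = effective_options(opts.rstrip(")"))
            weak = [name for name, on in (("rw", eff["rw"]),
                                          ("no_root_squash", not eff["root_squash"]),
                                          ("insecure", not eff["secure"])) if on]
            if weak and not is_single_ip(client):
                findings.append((path, client, "more than one IP with " + ",".join(weak)))
            elif not eff["root_squash"]:
                findings.append((path, client, "no_root_squash: client root is root on the share"))
    return findings

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(*finding, sep="  ")
```
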

Offline stephdl

« Reply #9 on: December 10, 2014, 12:13:45 AM »
Quote from: mats
- after creating or modifying an nfs share, there is a somewhat significant delay (> 20 sec.) both on mounting the nfs share on a client and on issuing the first commands on a client (eg. cd'ing into the directory where the share is mounted). Probably due to nfsd and rpcbind being restarted on every change - is this really necessary or would an "exportfs -ra" be sufficient?

You are right. I have made an event called 'nfs-update' whose purpose is to avoid rebooting the server after the installation of the contrib, so we could also imagine an event 'nfs-conf' with fewer services to restart, but this will require us to remember that there are two events: one for after the installation, another for common usage or for the event called by the panel.

That could be tested.

Quote from: mats
- read-write access still is a mixed bag in terms of user experience; the 'no_root_squash' option at least allows remote root on the client to create subdirs in the mount directory which ordinary client users can access, though.

I don't want the sysadmin to be able to change the group ownership and user permissions of an i-bay in this panel; you should do it in the ibay panel. However, you can see them in the nfs panel as a reminder of the group owner and file permissions. Of course I'm open to suggestions to enhance it, but I would prefer to stay as close as possible to the SME sharing way, or we should take another direction and separate nfs folders and ibays.

Offline stephdl

« Reply #10 on: December 15, 2014, 11:13:05 PM »
New version of smeserver-nfs:

- custom shares possible by db command
- a faster event, 'signal-event nfs-conf'

http://mirror.de-labrusse.fr/Sme-Server/smeserver-nfs/

Code:
wget http://mirror.de-labrusse.fr/Sme-Server/smeserver-nfs/smeserver-nfs-1.2.0-6.el6.sme.noarch.rpm
yum install smeserver-nfs-1.2.0-6.el6.sme.noarch.rpm
chkconfig nfs on
signal-event nfs-update
config set UnsavedChanges no

Here is the changelog:

* Mon Dec 15 2014 stephane de Labrusse <stephdl@de-labrusse.fr> 1.2.0-6.sme
- Added an event nfs-conf shorter for the server-manager
- Added a template /etc/exports/20CustomRules for manual settings

And I have updated the documentation: http://wiki.contribs.org/NFS#for_sme9

Offline stephdl

« Reply #11 on: January 04, 2015, 10:26:32 PM »
Near to be released, be there or be square

http://mirror.de-labrusse.fr/Sme-Server/smeserver-nfs/

Code:
wget http://mirror.de-labrusse.fr/Sme-Server/smeserver-nfs/smeserver-nfs-1.2.0-8.el6.sme.noarch.rpm
yum install smeserver-nfs-1.2.0-8.el6.sme.noarch.rpm
chkconfig nfs on
signal-event nfs-update
config set UnsavedChanges no

http://wiki.contribs.org/NFS#for_sme9
« Last Edit: January 04, 2015, 10:29:05 PM by stephdl »

Offline Stefano

« Reply #12 on: January 13, 2015, 05:49:12 PM »
stephdl, just reading now

Code:
chkconfig nfs on

we don't use chkconfig usually..

can you clarify it? thank you

Offline stephdl

« Reply #13 on: January 13, 2015, 08:30:46 PM »
The nfs service (which comes from nfs-utils) is not enabled after the installation; nfs is disabled for all run levels, mainly because nfs-utils is a bundle which provides the nfs file server and mount.nfs/mount.nfs4, which are needed if you want to be an nfs client.

To be clear, nfs-utils provides:
-> mount.nfs if you want to mount a remote nfs share
-> nfs service, not enabled by default

You can use either one, or both together, but the service has to be enabled first.

Try:
Code:
# chkconfig nfs --list
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off

Offline Stefano

« Reply #14 on: January 13, 2015, 08:58:05 PM »
well..

on a SME9:
Code:
[root@server ~]# chkconfig --list smb
smb             0:off   1:off   2:off   3:off   4:off   5:off   6:off

so I can't see the point..
IMHO nfs should be treated in the same way as samba.. then
Code:
config set nfs service status disabled

and
Code:
ln -s /etc/rc.d/init.d/e-smith-service /etc/rc7.d/SXXnfs


and so on..

am I missing something? I mean, apart from debating it on bugzilla? :-)

TIA