NFS
Introduction
Network File System (NFS) is an industry standard protocol to share files
over a network. The Sun ZFS Storage Appliance supports NFS versions
2, 3, and 4. For more information on how the filesystem
namespace is constructed, see the filesystem namespace section.
Properties
| Property | Description |
|---|---|
| Minimum supported version | Use this drop-down list to control which versions of NFS the appliance supports. |
| Maximum supported version | Use this drop-down list to control which versions of NFS the appliance supports. |
| Maximum # of server threads | Define the maximum number of concurrent NFS requests (from 20 to 1000). This should at least cover the number of concurrent NFS clients that you anticipate. |
| Grace period | Define the number of seconds that all clients have to reclaim locks after an appliance reboot (from 15 to 600). During this period, the NFS service only processes reclaims of old locks. All other requests for service must wait until the grace period is over, which by default is 90. Reducing this value allows NFS clients to resume operation more quickly after a server reboot, but reducing the value also increases the probability that a client cannot recover all its locks. |
| Custom NFSv4 identity domain | Use this property to define the domain for mapping NFSv4 users and group identities. If you do not set this property, the appliance uses DNS to obtain the identity domain, first by checking for a _nfsv4idmapdomain DNS resource record, and then by falling back to the DNS domain itself. |
| Enable NFSv4 delegation | Select this property to allow clients to cache files locally and make modifications without contacting the server. This option is enabled by default and typically results in better performance, but in rare circumstances it can cause problems. You should only disable this setting after careful performance measurements of your particular workload and after validating that the setting has a measurable performance benefit. This option only affects NFSv4 mounts. |
| Kerberos realm | A realm is a logical network, similar to a domain, that defines a group of systems that are under the same master KDC. Realm names can consist of any ASCII string. Usually, your realm name is the same as your DNS domain name, except that the realm name is in uppercase. Using this convention helps you differentiate problems with the Kerberos service from problems with the DNS namespace, while still using a name that is familiar. |
| Kerberos master KDC | In each realm, you must include a server that maintains the master copy of the principal database. The most significant difference between a master KDC and a slave KDC is that only the master KDC handles database administration requests. For instance, you must change a password or add a new principal on the master KDC. |
| Kerberos slave KDC | The slave contains duplicate copies of the principal database. Both the master KDC server and the slave KDC server create tickets that are used to establish authentication. |
| Kerberos admin principal | This property identifies the client. By convention, a principal name is divided into three components: the primary, the instance, and the realm. You can specify a principal as joe, joe/admin, or joe/admin@ENG.EXAMPLE.COM. |
| Kerberos admin password | Define the password for the admin principal. |
Changing service properties is documented in the BUI and CLI sections of
Services.
Setting the NFS minimum and maximum versions to the same value causes
the appliance to only communicate with clients using that version. This
may be useful if you find an issue with one NFS version
or the other (such as the performance characteristics of an NFS version
with your workload), and you want to force clients to only use
the version that works best.
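The documented limits for the properties above, and the order in which the NFSv4 identity domain is chosen, written out as an added example (not appliance code). Property names are taken from the CLI table on this page; the function names, the `lookup_record` stand-in for the DNS query, and the sample values are assumptions made for illustration.

```python
# Added example, not appliance code: pre-flight check of NFS service values
# against the limits documented above. Property names come from the CLI
# table; function names and sample values are constructed for illustration.

SUPPORTED_VERSIONS = (2, 3, 4)
DEFAULT_GRACE = 90  # seconds, per the Grace period description

def check_nfs_properties(props):
    """Return findings for values outside the documented ranges."""
    findings = []
    vmin, vmax = props["version_min"], props["version_max"]
    for name, value in (("version_min", vmin), ("version_max", vmax)):
        if value not in SUPPORTED_VERSIONS:
            findings.append(f"{name}={value} is not one of 2, 3, 4")
    if vmin > vmax:
        findings.append("version_min is greater than version_max")
    if not 20 <= props["nfsd_servers"] <= 1000:
        findings.append("nfsd_servers outside 20-1000")
    grace = props["grace_period"]
    if not 15 <= grace <= 600:
        findings.append("grace_period outside 15-600 seconds")
    elif grace < DEFAULT_GRACE:
        findings.append("grace_period below default: higher chance a client cannot recover all locks")
    return findings

def effective_idmap_domain(mapid_domain, dns_domain, lookup_record):
    """Apply the documented order: property, DNS record, DNS domain.

    lookup_record is a hypothetical callable standing in for the DNS query;
    it returns the record's value or None when no record exists.
    """
    if mapid_domain:
        return mapid_domain, "mapid_domain"
    value = lookup_record("_nfsv4idmapdomain", dns_domain)
    if value:
        return value, "_nfsv4idmapdomain"
    return dns_domain, "dns_domain"

# Constructed sample: versions pinned to NFSv4, short grace period.
SAMPLE = {"version_min": 4, "version_max": 4, "nfsd_servers": 500, "grace_period": 30}

if __name__ == "__main__":
    for finding in check_nfs_properties(SAMPLE):
        print("finding:", finding)
    print(effective_idmap_domain(None, "example.com", lambda name, domain: None))
```

Comparing the returned domain with the one configured on each NFSv4 client shows whether both sides will map user and group identities in the same domain.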
Kerberos Realms
Configuring a Kerberos realm creates certain service principals and adds the necessary
keys to the system's local keytab. The NTP service must be configured before
configuring Kerberized NFS. The following service principals are created and updated to
support Kerberized NFS:
host/node1.example.com@EXAMPLE.COM
nfs/node1.example.com@EXAMPLE.COM
If you clustered your appliances, principals and keys are generated for each
cluster node:
host/node1.example.com@EXAMPLE.COM
nfs/node1.example.com@EXAMPLE.COM
host/node2.example.com@EXAMPLE.COM
nfs/node2.example.com@EXAMPLE.COM
If these principals have already been created, configuring the realm resets the
password for each of those principals. If you configured your appliance
to join an Active Directory domain, you cannot configure it to be
part of a Kerberos realm.
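A check that the principals described above exist for every cluster node, as an added example that is not part of the original documentation. It assumes a principal listing exported from the KDC with one name per line; the listing, node names, and function names here are constructed for illustration.

```python
# Added example (not Oracle code): verify that the host/ and nfs/ service
# principals described above are present for each cluster node.

def expected_principals(nodes, realm):
    """host/ and nfs/ principals for each node, in the order listed above."""
    return [f"{svc}/{node}@{realm}" for node in nodes for svc in ("host", "nfs")]

def parse_principal(name):
    """Split primary[/instance][@REALM] into its three components."""
    rest, _, realm = name.partition("@")
    primary, _, instance = rest.partition("/")
    return primary, instance or None, realm or None

def realm_follows_convention(realm, dns_domain):
    """True when the realm is the DNS domain name in uppercase."""
    return realm == dns_domain.upper()

def missing_principals(nodes, realm, listing):
    """Return expected principals that do not appear in the listing."""
    present = {line.strip() for line in listing.splitlines() if line.strip()}
    return [p for p in expected_principals(nodes, realm) if p not in present]

# Constructed sample listing (one principal per line); node2 lacks nfs/.
SAMPLE_LISTING = """\
host/node1.example.com@EXAMPLE.COM
nfs/node1.example.com@EXAMPLE.COM
host/node2.example.com@EXAMPLE.COM
joe/admin@ENG.EXAMPLE.COM
"""

if __name__ == "__main__":
    nodes = ["node1.example.com", "node2.example.com"]
    print("convention ok:", realm_follows_convention("EXAMPLE.COM", "example.com"))
    for principal in missing_principals(nodes, "EXAMPLE.COM", SAMPLE_LISTING):
        print("missing:", principal)
```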
For information on setting up KDCs and Kerberized clients, see http://download.oracle.com/docs/cd/E19253-01/816-4557/setup-8/index.html. After
setting NFS properties for Kerberos, change the Security mode on the Shares->Filesystem->Protocols
screen to a mode using Kerberos.
The following ports are used by the appliance for Kerberos.
- Kerberos V authentication: 88
- Kerberos V change and set password SET_CHANGE: 464
- Kerberos V change and set password RPCSEC_GSS: 749
Logs
These logs are available for the NFS service:
| Log | Description |
|---|---|
| network-nfs-server:default | Master NFS server log |
| appliance-kit-nfsconf:default | Log of appliance NFS configuration events |
| network-nfs-cbd:default | Log for the NFSv4 callback daemon |
| network-nfs-mapid:default | Log for the NFSv4 mapid daemon - which maps NFSv4 user and group credentials |
| network-nfs-status:default | Log for the NFS statd daemon - which assists crash and recovery functions for NFS locks |
| network-nfs-nlockmgr:default | Log for the NFS lockd daemon - which supports record locking operations for files |
To view service logs, refer to the Logs section from Services.
Analytics
You can monitor NFS activity in the Analytics section. This includes:
Note: When the NFS server reboots or fails over, the filename is
unknown at the server until a new open from the client. The
file appears as unknown in Analytics worksheets.
CLI
The following table describes the mapping between CLI properties and the BUI property
descriptions above.
| CLI Property | BUI Property |
|---|---|
| version_min | Minimum supported version |
| version_max | Maximum supported version |
| nfsd_servers | Maximum # of server threads |
| grace_period | Grace period |
| mapid_domain | Custom NFSv4 identity domain |
| enable_delegation | Enable NFSv4 delegation |
| krb5_realm | Kerberos Realm |
| krb5_kdc | Kerberos master KDC |
| krb5_kdc2 | Kerberos slave KDC |
| krb5_admin | Kerberos admin principal |
Tasks
NFS Tasks
Sharing a Filesystem over NFS
- Go to the Configuration->Services screen.
- Check that the NFS service is enabled and online. If
not, enable the service.
- Go to the Shares screen and edit an existing share or
create a new share.
- Click the Protocols tab of the share you are editing and
check that NFS sharing is enabled. You can also configure the
NFS share mode (read/read+write) in this screen.