Reese Knowledgebase

Create a multistore vfiler and enabling NFSv4

View Kristian Reese's profile on LinkedIn

If you like this article, please +1 or Recommend via FB with the provided buttons above:

Article ID: 141
by: Reese K.
Posted: 19 Nov, 2013
Last updated: 20 Nov, 2013
Views: 7121


This following scenario demonstrates the advantage of creating a vfiler for use in a test environment without having to impact production or other test environments running under the configuration of the default vfiler, vfiler0.  For example, in one of my environments, there were many NFS clients mounting many volumes from vfiler0 under NFSv3, and NFSv4 was not enabled.  I had a need to enable NFSv4, but did not want to invoke this change on vfiler0 because should any of the aforementioned NFSv3 clients were rebooted, it would then mount [by default] over NFSv4 (unless otherwise specified in the clients fstab), resulting in ownerships of nobody:nobody since idmapd and other configurations haven't been made on the client or filer to ensure proper ownerships. 

NFSv4 utilizes ID mapping to ensure permissions are set properly on exported shares.  If the domain's of the client and server do not match then the permissions are mapped to nobody:nobody.  So, how do we go about preparing a vfiler and enabling NFSv4 to work properly?

Creating a vfiler and enabling NFSv4

  1. First, a volume needs to be created to assign to the new vfiler.  This can be either a traditional or a FlexVol volume.  Later, if desired, a qtree may be created within the volume for use from within the vfiler.  We'll get into that a bit later.  I'll be using this volume on a unix system, and will set the style to unix with the qtree security command.  I also have no need to take snapshots, and will set the export permissions to the desired network:

netapp> vol create vpspcsqa -s none aggr4 100g
netapp> qtree security /vol/vpspcsqa unix
netapp> snap reserve vpspcsqa 0
netapp> snap sched vpspcsqa 000
netapp> exportfs -p sec=sys,rw=,root= /vol/vpspcsqa
  1. Create the vfiler.  The vfiler must have a unique IP address currently not in use on the NetApp.  An attempt to use an IP address that is already in use by another vfiler in the same IP space causes the command to fail.  Any IP address specified as part of this command must also be unconfigured. To unconfigure an interface address you can either configure the interface down, or, if this address is an IP alias remove the address using ifconfig -alias.  For the purposes of demonstration on this requirement, I've went ahead and created an alias to an existing interface.  In addtion, I create the vfiler, enter it, and create a qtree.  The text in green is output from the vfiler create command is is important when setting up NFSv4.
netapp> vfiler create vpspcsqa_vfiler -i /vol/vpspcsqa
Error: assigned to interface vif1-212 that is marked UP, cannot reassign.
Please unconfigure this address either by configuring vif1-212 down, or (if this
address is an alias) by removing it using "ifconfig -alias", and then retry.
Vfiler vpspcsqa_vfiler not created

netapp> ifconfig vif1-212 -alias
netapp> vfiler create vpspcsqa_vfiler -i /vol/vpspcsqa
The etc configuration directory for vfiler "vpspcsqa_vfiler" is /vol/vpspcsqa/etc.

Setting up vfiler vpspcsqa_vfiler
Configure vfiler IP address [y]: y
Interface to assign this address to {vif1-212, vif1-123, vif1-124, vif1-125}: vif1-212
Netmask to use: []:
The administration host is given root access to the filer's
/etc files for system administration. To allow /etc root access
to all NFS clients enter RETURN below.
Please enter the name or IP address of the administration host: <just hit enter here>
Do you want to run DNS resolver? [n]:
Do you want to run NIS client? [n]:
Default password for root on vfiler vpspcsqa_vfiler is "".
New password:
Retype new password:
Do you want to setup CIFS? [y]:
netapp> vfiler status
vfiler0 running
vpspcsqa_vfiler running

Now we will enter the newly created vfiler, create a qtree, and enable NFSv4:
netapp> vfiler context vpspcsqa_vfiler
vpspcsqa_vfiler@netapp> qtree create /vol/vpspcsqa/vps4 -m 755
vpspcsqa_vfiler@netapp> options nfs.v4.enable on
vpspcsqa_vfiler@netapp> options localdomain

Now that the vfiler has been created, we can continue preparation of the filer for setting up NFS.  This is where the piece of green text output from the vfiler create output comes into play.  The etc configuration directory needs to be accessed in order to correctly perform NFSv4 ID domain mappings from the NFSv4 server code whereby the /etc/passwd and /etc/group files are required to be present.  In a MultiStore environment, the default does not include these files.  It is only included in the default vfiler, vfiler0.

Next, mount volume created for the vfiler on the client machine.  (In my case, this is /vol/vpspcsqa.)  Copy the vfiler0 /etc/passwd and /etc/group file to the newly created vfiler's /etc/ directory and restart the new vfiler.

* refer NetApp KB ID: 2012567

netapp> rdfile /etc/passwd
ftp::65533:65533:FTP Anonymous:/home/ftp:
netapp> rdfile /etc/group
netapp> wrfile /vol/vpspcsqa/etc/passwd
<paste in content from rdfile /etc/passwd output above>
<hit ctrl-c on new line to save file>
netapp> wrfile /vol/vpspcsqa/etc/group
<paste in content from rdfile /etc/group output above>
<hit ctrl-c on new line to save file>
netapp> vfiler stop vpspcsqa_vfiler
netapp> vfiler start vpspcsqa_vfiler

* you may also mount the vfiler volume to the NFS client with mount -o nfsvers=3 option and use vi to create the files

Setting up NFS client server for NFSv4

Ensure the client and server have matching UID's and GID's. It is a common misconception that the UID's and GID's can differ when using NFSv4. The sole purpose of id mapping is to map an id to a name and vice-versa.  For example, if you need to have the directory ownerships be mysql:mysql, then make sure the UID and GID for the mysql user/group match the entry you created in the etc configuration directory for the vfiler you created.  In my case, I needed the qtree contents to be owned by root:root, so the root user is all I really need to match in /etc/passwd on both the server and NetApp (both being uid 0 and gid 0)

Next, modify the /etc/idmapd.conf file with the proper domain.  Above, we specified "localdomain" when we enabled NFSv4 within the vfiler referenced by the command "options localdomain".  So the "Domain=" directive within /etc/idmapd.conf should read:

Domain = localdomain

Note: If this value remains commented out, the default is the host's DNS domain name (output from 'domainname' command).  I haven't tried, but if this is set, and as long as the option is set to this value during the vfiler setup, it may work without having to set this value directly in idmapd.conf.  Again, I have not tried, but it may work.

In order for the changes to take effect, restart rpcidmapd service and mount (or remount if already mounted) the NFSv4 filesystem:

# service rpcidmapd restart
# mount -o remount /nfs/mnt/point

of, if not yet mounted

# mount -t nfs4 netapp:/vol/vpspcsqa/vps4 /vz

If, in RHEL 6, the mapping is still nobody:nobody, you may need to clear the idmpad cache via:

# nfsidmap -c

The permissions should now be mapped appropriately for the user whose permissions you set for that mount point.

* refer

The following output is shown in /var/log/messages when the mount has been completed and the system shows nobody:nobody as user and group permissions on directories and files:

Jun  3 20:22:08 node1 rpc.idmapd[1874]: nss_getpwnam: name '' does not map into domain 'localdomain'
Jun  3 20:25:44 node1 rpc.idmapd[1874]: nss_getpwnam: name '' does not map into domain 'localdomain'

This article was:   Helpful | Not Helpful
Prev   Next
snapmirror : could not read from socket     How to delete a qtree on a NetApp filer