Best way to access storage pool with Linux (Ubuntu Server)


daisho

Hi,

I am currently playing around with setting up a Nextcloud server on an Ubuntu Server machine and failed hard at mounting the NFS share for some reason (I want to outsource the www/nextcloud/data folder to my ZFS).

For
Code:
sudo mount -t nfs 10.0.0.101:/storage/nfs /mnt/cloud -vvvv
Always getting
Code:
mount(2): Permission denied
access denied by server while mounting 10.0.0.101:/storage/nfs
I can mount /storage alone and list backup_appliance and nfs folders as well as filebench.log there, but cannot access e.g. nfs and also cannot create new folders there (no permission).

showmount -e 10.0.0.100 on the Ubuntu server shows me:
Code:
/storage                  @10.0.0.100/24,@10.0.0.31/24
/storage/nfs              @10.0.0.100/24,@10.0.0.31/24
(.31 is the Ubuntu server, .100 is the ESXi, .101 is OmniOS - all in the same /24 subnet)

napp-it /storage and /storage/nfs sharenfs properties both show me
Code:
sec=sys,rw=@10.0.0.100/24,rw=@10.0.0.31/24,root=@10.0.0.100/24
The Ubuntu user has the same name "cloud" and user ID 115 as on the napp-it appliance; on napp-it it is also in group "user", which should have correct rights to access the nfs folder?

/storage has:
Code:
user:root > full_set
everyone > readx_set
owner > full_set
/storage/nfs has:
Code:
user:root > full_set
user:myadmin > modify_set
group:user > readxs_set
I can only think that for some reason the Ubuntu user ("cloud" / uid 115) is not correctly matched with the napp-it user ("cloud" / uid 115) and another user (anonymous?) is used instead. Although I do not want to give everyone rights to read my nfs share and I also don't know if I want to give my Ubuntu server IP (everyone could fake it) root rights to my nfs ...

---

Now, tl;dr - I am not even sure if NFS(3) is even a good tool to let my Ubuntu connect to my NFS share as security is only based on IP and/or UID? I am not even sure how I can prevent someone faking ESXi server IP and getting root rights ...
 

gea

NFS 3 does not use authentication or authorisation. You can only restrict access based on IP. A client connects either with its uid or nobody (depends on OS). I am quite sure it will work when you set the NFS share to 777 (or ACL everyone@=modify).

If you need security, use SMB
 

daisho

Thanks, I tried SMB but that had its own problems (got some CIFS VFS: ioctl error in smb_2_get_dfs_refer rc=-19 error, maybe because SMB on OmniOS is still not on a current standard? Got this info from someone about that: "No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.")

Anyway, I solved the issue with mounting NFS from Ubuntu Server (18.04.3) to OmniOS used by napp-it:
Still works with
Code:
rw=@10.0.0.31/24
no root permission necessary.

I found that when mounting the root directory of /storage/nfs and checking files with "ls -l", that owner was still shown as "Nobody".
The Ubuntu user already had the same UID as the one on OmniOS and was also in the same GID (10 which is "users" on napp-it and "uucp" on Ubuntu).

For security measures I also added the OmniOS cloud user with Readx permission set to the /storage/nfs folder (although that should not be necessary as when the user is acknowledged in "user group" it should be ok - group:users already had that right there on my system).

Then I found a hint here: Linux NFS mount nobody user | Oracle Community
On the Solaris side set (or find the right thing to click in your GUI):
Code:
# sharectl set -p nfsmapid_domain=<YOUR DOMAIN> nfs
and making sure the following is set in your /etc/idmapd.conf of the Linux machine:
Code:
[General]
Domain = <YOUR DOMAIN>
which I think did the trick! Both set to the same domain and the user was correctly mapped on OmniOS side and chown etc. was possible without problem on subfolders etc.

Wanted to post it here in case someone else runs into the same problem.
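
The domain match described in the post above, as an added example that is not part of the thread: it reads the Domain from an idmapd.conf-style file and compares it with the value given to nfsmapid_domain on the server. The function names, the sample file and the domain example.lan are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: check that the Linux client's NFSv4
# id-mapping Domain matches the server's nfsmapid_domain.

# Print Domain from the [General] section of an idmapd.conf-style file.
# Prints nothing when the key is absent or commented out.
idmapd_domain() {
    awk '
        /^[ \t]*[#;]/ { next }                 # comment line
        /^[ \t]*\[/ {                          # section header, e.g. [General]
            sec = $0
            sub(/^[ \t]*\[[ \t]*/, "", sec)
            sub(/[ \t]*\].*$/, "", sec)
            sec = tolower(sec)
            next
        }
        sec == "general" && index($0, "=") > 0 {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == "domain") { print val; exit }
        }
    ' "$1"
}

# Usage: check_idmap_domain FILE SERVER_DOMAIN
# Returns 0 on match (case-insensitive), 1 on mismatch, 2 if Domain is unset.
check_idmap_domain() {
    client=$(idmapd_domain "$1" | tr '[:upper:]' '[:lower:]')
    server=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    if [ -z "$client" ]; then
        echo "UNSET: no Domain in [General]; set it to '$2'"
        return 2
    fi
    if [ "$client" != "$server" ]; then
        echo "MISMATCH: client '$client' vs server '$server'"
        return 1
    fi
    echo "OK: both sides use '$client'"
}

# Constructed sample; example.lan is a placeholder domain.
sample=$(mktemp)
printf '%s\n' '[General]' '# Domain = old.example' 'Domain = Example.LAN' \
    '[Mapping]' 'Nobody-User = nobody' > "$sample"
check_idmap_domain "$sample" example.lan
check_idmap_domain "$sample" other.lan || true
rm -f "$sample"
```

On the client, point check_idmap_domain at /etc/idmapd.conf and pass the domain that was set on the server.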
 

gea

About the SMB version (kernel-based, multithreaded SMB server) on OmniOS/OI/Solaris:

OmniOS >= 151018 supports SMB 2.1
OmniOS >= 151031 supports SMB 3.02

Current OpenIndiana supports SMB 3.02
Solaris 11.4 supports SMB 3.1.1

You can also use a regular SAMBA. The default on Solarish is the kernel-based SMB server embedded in ZFS and the OS.