Continuing with the theme of deploying systems automatically, this chapter deals with using an NFS share to hold your ISO images.
The problem I faced was that the Ubuntu system hosting the ISOs comes with an iptables firewall already configured, which blocked my attempts to view or mount the NFS share from a client.
Getting NFS through the firewall is a little tricky because the services NFS relies on (rpc.statd and rpc.mountd) pick a dynamic port at startup. A port-based firewall cannot handle that unless we tie those services down to specific ports.
The key to this is reading a very old document on the Debian wiki, which is even referenced in the files we need to edit – http://wiki.debian.org/SecuringNFS
/etc/default/nfs-common
Add fixed ports to STATDOPTS: "--port 32765 --outgoing-port 32766"

```
# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".

# Options for rpc.statd.
#   Should rpc.statd listen on a specific port? This is especially useful
#   when you have a port-based firewall. To use a fixed port, set this
#   this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
#   For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS
STATDOPTS="--port 32765 --outgoing-port 32766"

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=
```
/etc/default/nfs-kernel-server
Add a fixed port to RPCMOUNTDOPTS: --port 32767

```
# Number of servers to start up
RPCNFSDCOUNT=8

# Runtime priority of server (see nice(1))
RPCNFSDPRIORITY=0

# Options for rpc.mountd.
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option. For more information,
# see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
#
# To disable NFSv4 on the server, specify '--no-nfs-version 4' here
RPCMOUNTDOPTS="--manage-gids --port 32767"

# Do you want to start the svcgssd daemon? It is only required for Kerberos
# exports. Valid alternatives are "yes" and "no"; the default is "no".
NEED_SVCGSSD=""

# Options for rpc.svcgssd.
RPCSVCGSSDOPTS=""
```
You'll have to restart the NFS server after making the changes:

```
$ sudo systemctl restart nfs-server.service
```

rpcinfo should then show that the services are now listening on the static ports:

```
$ sudo rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp  32767  mountd
    100005    1   tcp  32767  mountd
    100005    2   udp  32767  mountd
    100005    2   tcp  32767  mountd
    100005    3   udp  32767  mountd
    100005    3   tcp  32767  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049
    100003    3   udp   2049  nfs
    100227    3   udp   2049
    100021    1   udp  33488  nlockmgr
    100021    3   udp  33488  nlockmgr
    100021    4   udp  33488  nlockmgr
    100021    1   tcp  35675  nlockmgr
    100021    3   tcp  35675  nlockmgr
    100021    4   tcp  35675  nlockmgr
```
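A quick way to confirm the pinning actually took before touching the firewall, as an added example that is not part of the original post: the function below parses `rpcinfo -p` output (a constructed sample shaped like the listing above) against the list of ports you intend to open and reports any named RPC service still sitting on a port outside that list. The service names and port numbers come from this post; `status` is the name rpcinfo uses for rpc.statd.

```sh
#!/bin/sh
# Added example, not from the original post: confirm that every named RPC
# service rpcinfo reports is on a port we deliberately pinned (and therefore
# opened in the firewall). Anything else is still dynamic and will be blocked.

# Constructed sample shaped like the rpcinfo -p listing above (trimmed).
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   udp    111  portmapper
    100005    1   udp  32767  mountd
    100005    3   tcp  32767  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049
    100021    1   udp  33488  nlockmgr
    100021    4   tcp  35675  nlockmgr'

# check_rpc_ports RPCINFO_OUTPUT "svc=port svc=port ..."
# Prints "service proto port" for each binding outside the expected list;
# exit status 1 if any were found, 0 if everything is pinned as expected.
check_rpc_ports() {
    printf '%s\n' "$1" | awk -v expected="$2" '
        BEGIN {
            n = split(expected, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                want[kv[1]] = kv[2]
            }
        }
        $1 == "program" { next }   # column header
        NF < 5 { next }            # unnamed programs (e.g. 100227) have no service column
        {
            svc = $5; proto = $3; port = $4
            if (svc in want && want[svc] == port) next
            bad++
            printf "%s %s %s\n", svc, proto, port
        }
        END { if (bad) exit 1 }'
}

# Ports from this post: portmapper and nfs are fixed by default; mountd and
# statd ("status" in rpcinfo) are the ones pinned in /etc/default above.
EXPECTED="portmapper=111 nfs=2049 mountd=32767 status=32765"

check_rpc_ports "$RPCINFO_SAMPLE" "$EXPECTED" \
    || echo "the services listed above are on dynamic ports the firewall rules do not cover"
```

Run against the listing above it flags nlockmgr's two ports, which are still dynamic; NFSv4 mounts carry locking over port 2049 so the mount shown later still works, but NFSv3 clients would need those pinned and opened as well.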
Now you need to allow those ports through the firewall. The easiest way I found was to install the GUI firewall configuration tool from the Ubuntu repository:

```
$ sudo apt install firewall-config
```

Under the "Permanent" configuration for the "public" zone I selected the following services on the Services tab:

mountd, nfs, nfs3, rpc-bind

Then I added the port I chose to the Ports tab as both tcp and udp:

```
32767 | tcp
32767 | udp
```
From my client system I can then see and mount my NFS shares:

```
$ showmount -e 192.168.0.22
Export list for 192.168.0.22:
/home/iso 192.168.0.0/16
$ sudo mount -t nfs 192.168.0.22:/home/iso /mnt/iso
```

This means I can now proceed with using NFS as the home for my ISOs in my automated deployment project.