[Linux-cluster] nfs4 kerberos
Ian Hayes
cthulhucalling at gmail.com
Thu Apr 7 05:55:19 UTC 2011
I whipped up a quick NFS4 cluster in Xen after I got home, and tried to
remember what I did to make it work. After I bit, it all fell back into
place. This is quick and dirty, and not how I would do things in production,
but it's a good start. Note that I didn't set up a shared filesystem, but
that should be academic at this point
1) Create your nfs/nfsserver.mydomain keytab
2) Copy keytab to both node1 and node2
3) Modify /etc/init.d/portmap- in the start function, add "hostname
nfsserver.mydomain". In the stop function, add "hostname nodeX.mydomain"
4) Drop something that looks like the attached cluster.conf file in
/etc/cluster
5) Set up your exports: /exports gss/krb5p(rw,async,fsid=0)
6) Start CMAN and RGManager
7) ?
8) Profit - mount -t nfs4 nfsserver.mydomain:/ /mnt/exports -o sec=krb5p
The trick here is that we change the hostname before any Kerberized services
start, so it will be happy when it tries to read the keytab. Also, I use all
Script resources instead of the NFS resource. I never really liked it, and
I'm old and set in my ways. This works, and I'm certain that it reads
/etc/exports. First, we set up the IP, then start each necessary daemon as a
dependency for the next. I've been bouncing the service back and forth for
the last 10 minutes and only suffering from a complaint of a stale NFS mount
on my client whenever I failover.
<?xml version="1.0"?>
<cluster config_version="2" name="NFS">
<fence_daemon post_fail_delay="0" post_join_delay="3"/>
<clusternodes>
<clusternode name="node1.mydomain" nodeid="1" votes="1">
<fence>
<method name="1">
<device name="Fence_Manual"
nodename="node1.mydomain"/>
</method>
</fence>
</clusternode>
<clusternode name="node2.mydomain" nodeid="2" votes="1">
<fence>
<method name="1">
<device name="Fence_Manual"
nodename="node2.mydomain"/>
</method>
</fence>
</clusternode>
</clusternodes>
<cman expected_votes="1" two_node="1"/>
<fencedevices>
<fencedevice agent="fence_manual" name="Fence_Manual"/>
</fencedevices>
<rm>
<failoverdomains>
<failoverdomain name="NFS" ordered="0"
restricted="1">
<failoverdomainnode name="node1.mydomain"
priority="1"/>
<failoverdomainnode name="node2.mydomain"
priority="1"/>
</failoverdomain>
</failoverdomains>
<resources>
<ip address="192.168.0.73" monitor_link="1"/>
<script file="/etc/init.d/portmap"
name="Portmapper"/>
<script file="/etc/init.d/rpcgssd" name="RPCGSSD"/>
<script file="/etc/init.d/rpcidmapd" name="IDMAPD"/>
<script file="/etc/init.d/nfs" name="NFS"/>
</resources>
<service autostart="1" domain="NFS" name="NFS"
recovery="relocate">
<ip ref="192.168.0.73">
<script ref="Portmapper">
<script ref="RPCGSSD">
<script ref="IDMAPD">
<script ref="NFS"/>
</script>
</script>
</script>
</ip>
</service>
</rm>
</cluster>
On Wed, Apr 6, 2011 at 6:52 PM, Ian Hayes <cthulhucalling at gmail.com> wrote:
> Shouldnt have to recompile rpc.gssd. On failover I migrated the ip address
> first, made portmapper a depend on the ip, rpc.gssd depend on portmap and
> nfsd depend on rpc. As for the hostname, I went with the inelegant solution
> of putting a 'hostname' command in the start functions of the portmapper
> script since that fires first in my config.
>
> On Apr 6, 2011 6:06 PM, "Daniel R. Gore" <danielgore at yaktech.com> wrote:
>
> I also found this thread, after many searches.
> http://linux-nfs.org/pipermail/nfsv4/2009-April/010583.html
>
> As I read through it, there appears to be a patch for rpc.gssd which
> allows for the daemon to be started and associated with multiple hosts.
> I do not want to compile rpc.gssd and it appears the patch is from over
> two years ago. I would hope that RHEL6 would have rpc.gssd patched to
> meet this requirement, but no documentation appear to exist for how to
> use it.
>
>
>
>
> On Wed, 2011-04-06 at 20:23 -0400, Daniel R. Gore wrote:
> > Ian,
> >
> > Thanks for the info.
> >
> >...
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-cluster/attachments/20110406/8f816df9/attachment.htm>
More information about the Linux-cluster
mailing list