mount.nfs4: access denied by server while mounting (when the same configuration worked before)

I'm trying to re-mount a set of NFS folders onto a rebooted server and am now getting "access denied by server" errors. On the client server (clientserver.co.local) I run:

[root@clientserver ~]# mount -t nfs -vvvv 172.18.4.97:/datalake/raw/org /datalake/org/raw/
mount.nfs: timeout set for Wed Dec 30 19:41:35 2020
mount.nfs: trying text-based options 'vers=4.1,addr=172.18.4.97,clientaddr=172.18.4.98'
mount.nfs: mount(2): Permission denied
mount.nfs: trying text-based options 'vers=4.0,addr=172.18.4.97,clientaddr=172.18.4.98'
mount.nfs: mount(2): Permission denied
mount.nfs: trying text-based options 'addr=172.18.4.97'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 172.18.4.97 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 172.18.4.97 prog 100005 vers 3 prot UDP port 20048
mount.nfs: mount(2): Permission denied
mount.nfs: access denied by server while mounting 172.18.4.97:/datalake/raw/org

and get the error you see above. (Note that it tries all the different NFS versions and still fails.) I'm not sure what security flavor to use (I don't recall ever specifying this before; we use SSSD to link Windows AD accounts to both the client and the NFS server, so I assume it's whatever the default is), but in any case I tried both the -o sec=sys and -o sec=krb5 options and got the same result.
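
For reference, the two variants were roughly the following (the exact invocations aren't shown above; export and mount point reused from the earlier command):

mount -t nfs -o sec=sys 172.18.4.97:/datalake/raw/org /datalake/org/raw/
mount -t nfs -o sec=krb5 172.18.4.97:/datalake/raw/org /datalake/org/raw/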

I ran tcpdump during the mount command to monitor packet traffic (based on a suggestion here), but I don't know how to interpret the output (can post the last ~10 lines or so if that would help).
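
(The capture was along these lines, filtering on the NFS server's address and the ports seen in the mount attempts; the interface name may differ.)

tcpdump -i any -nn -w /tmp/nfs-mount.pcap host 172.18.4.97 and '(port 111 or port 2049 or port 20048)'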

Checking the mounts available on the network from the hosting nfsserver.co.local server, on the client I see:

[root@clientserver ~]# showmount -e
Export list for clientserver.co.local:
[root@clientserver ~]# showmount -e 172.18.4.97
Export list for 172.18.4.97:
/datalake/raw/org/HI_BRFSS               clientserver.co.local,otherclient.co.local
/datalake/raw/org                        clientserver.co.local,otherclient.co.local
/datalake/analytics/org                  clientserver.co.local,otherclient.co.local


[root@clientserver ~]# service nfs status
Redirecting to /bin/systemctl status nfs.service
● nfs-server.service - NFS server and services
   Loaded: loaded (/usr/lib/systemd/system/nfs-server.service; disabled; vendor preset: disabled)
   Active: active (exited) since Wed 2020-12-30 18:32:09 HST; 11min ago
  Process: 93274 ExecStopPost=/usr/sbin/exportfs -f (code=exited, status=0/SUCCESS)
  Process: 93271 ExecStopPost=/usr/sbin/exportfs -au (code=exited, status=0/SUCCESS)
  Process: 93266 ExecStop=/usr/sbin/rpc.nfsd 0 (code=exited, status=0/SUCCESS)
  Process: 93307 ExecStartPost=/bin/sh -c if systemctl -q is-active gssproxy; then systemctl reload gssproxy ; fi (code=exited, status=0/SUCCESS)
  Process: 93290 ExecStart=/usr/sbin/rpc.nfsd $RPCNFSDARGS (code=exited, status=0/SUCCESS)
  Process: 93288 ExecStartPre=/usr/sbin/exportfs -r (code=exited, status=0/SUCCESS)
 Main PID: 93290 (code=exited, status=0/SUCCESS)
    Tasks: 0
   CGroup: /system.slice/nfs-server.service

Dec 30 18:32:09 clientserver.co.local systemd[1]: Starting NFS server and services...
Dec 30 18:32:09 clientserver.co.local systemd[1]: Started NFS server and services.

So everything looks the way I'd expect (showmount does show the NFS folders I'm trying to mount).

After running the mount command, all I see streaming into /var/log/messages is a bunch of messages like

Jan  4 18:37:12 clientserver gssproxy: gssproxy[2557]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, Client 'host/[email protected]' not found in Kerberos database

Not sure what that means, but checking the gssproxy.conf file, it shows

[root@mclientserver ~]# cat /etc/gssproxy/gssproxy.conf 
[gssproxy]

Don't know what that means either, since I don't remember ever interacting with it in the past (back when the NFS mounts still worked).
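
As far as I can tell, that gssproxy message means the Kerberos KDC (i.e. AD) couldn't find a host principal for this client. A check that seems relevant, which I haven't tried yet, would be something like the following; the principal name is my guess, built from the client hostname and the krb5_realm in sssd.conf below:

# list the entries in the client's host keytab
klist -k /etc/krb5.keytab
# try to get a ticket with the (assumed) host principal
kinit -kt /etc/krb5.keytab host/clientserver.co.local@CO.LOCAL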

We do use SSSD (I didn't set it up) to link our Windows AD accounts to these machines, but I don't know whether that's relevant here or whether it's something else entirely. In any case, sssd.conf looks like this:

[root@clientserver ~]# cat /etc/sssd/sssd.conf 

[sssd]
domains = co.local
config_file_version = 2
services = nss, pam

[domain/co.local]
ad_domain = co.local
ad_server = adserver.CO.local
ad_backup_server = adserverbackup.CO.local
krb5_realm = CO.LOCAL
realmd_tags = manages-system joined-with-samba 
cache_credentials = False
enumerate = true
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
override_homedir = /home/%u
access_provider = ad

But beyond that, the logs don't seem to contain much more information than what I already got from the command's error...

[root@clientserver ~]# grep mount -rnw /var/log/messages* -e "nfs"
grep: mount: No such file or directory
/var/log/messages:2782:Jan  4 17:21:23 clientserver kernel: FS-Cache: Netfs 'nfs' registered for caching
/var/log/messages:2844:Jan  4 17:21:24 clientserver mount: mount.nfs: access denied by server while mounting nfsserver.co.local:/datalake/analytics/org
/var/log/messages:2845:Jan  4 17:21:24 clientserver mount: mount.nfs: access denied by server while mounting nfsserver.co.local:/datalake/raw/org
/var/log/messages-20201227:3590:Dec 23 17:46:04 clientserver kernel: FS-Cache: Netfs 'nfs' registered for caching
[root@clientserver ~]# 
[root@clientserver ~]# 
[root@clientserver ~]# 
[root@clientserver ~]# grep mount -rnw /var/log/messages* -e "mount"
grep: mount: No such file or directory
/var/log/messages:2380:Jan  4 17:20:55 clientserver kernel: XFS (dm-3): Ending clean mount
/var/log/messages:2530:Jan  4 17:21:07 clientserver kernel: XFS (sda1): Ending clean mount
/var/log/messages:2537:Jan  4 17:21:07 clientserver kernel: XFS (dm-5): Ending clean mount
/var/log/messages:2844:Jan  4 17:21:24 clientserver mount: mount.nfs: access denied by server while mounting nfsserver.co.local:/datalake/analytics/org
/var/log/messages:2845:Jan  4 17:21:24 clientserver mount: mount.nfs: access denied by server while mounting nfsserver.co.local:/datalake/raw/org
/var/log/messages:2846:Jan  4 17:21:24 clientserver systemd: datalake-org-analytics.mount mount process exited, code=exited status=32
/var/log/messages:2847:Jan  4 17:21:24 clientserver systemd: Failed to mount /datalake/org/analytics.
/var/log/messages:2850:Jan  4 17:21:24 clientserver systemd: Unit datalake-org-analytics.mount entered failed state.
/var/log/messages:2851:Jan  4 17:21:24 clientserver systemd: datalake-org-raw.mount mount process exited, code=exited status=32
/var/log/messages:2852:Jan  4 17:21:24 clientserver systemd: Failed to mount /datalake/org/raw.
/var/log/messages:2853:Jan  4 17:21:24 clientserver systemd: Unit datalake-org-raw.mount entered failed state.
/var/log/messages:3014:Jan  4 17:21:27 clientserver dracut: Executing: /usr/sbin/dracut --hostonly --hostonly-cmdline --hostonly-i18n -o "plymouth dash resume ifcfg" --mount "/dev/mapper/centos_mapr001-root /sysroot xfs defaults,x-systemd.device-timeout=0" --no-hostonly-default-device -f /boot/initramfs-3.10.0-862.6.3.el7.x86_64kdump.img 3.10.0-862.6.3.el7.x86_64
/var/log/messages-20201227:3669:Dec 23 17:47:35 clientserver systemd: mapr.mount mounting timed out. Stopping.
/var/log/messages-20201227:3823:Dec 23 17:47:37 clientserver systemd: Unit mapr.mount entered failed state.
[root@clientserver ~]#
[root@clientserver ~]#
[root@clientserver ~]#
[root@clientserver ~]# tail -n 15 /var/log/dmesg
[  148.561016] piix4_smbus 0000:00:01.3: SMBus Host Controller at 0x700, revision 0
[  148.643519] sd 0:0:0:0: Attached scsi generic sg0 type 0
[  148.643580] sd 0:0:1:0: Attached scsi generic sg1 type 0
[  148.643639] sd 0:0:2:0: Attached scsi generic sg2 type 0
[  148.643846] sd 0:0:3:0: Attached scsi generic sg3 type 0
[  148.643907] sd 0:0:4:0: Attached scsi generic sg4 type 0
[  148.643962] sd 0:0:5:0: Attached scsi generic sg5 type 0
[  148.644030] sr 1:0:0:0: Attached scsi generic sg6 type 5
[  148.718917] ppdev: user-space parallel port driver
[  148.723858] Adding 8900604k swap on /dev/mapper/centos_mapr001-swap.  Priority:-1 extents:1 across:8900604k FS
[  148.865301] XFS (sda1): Mounting V5 Filesystem
[  149.497874] XFS (sda1): Ending clean mount
[  150.110208] XFS (dm-5): Mounting V5 Filesystem
[  150.190558] XFS (dm-5): Ending clean mount
[  150.966314] type=1305 audit(1609816868.676:4): audit_pid=2500 old=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
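
In case it's useful, I could presumably pull the equivalent logs on the nfsserver side with something like this (unit names as on a stock CentOS 7 nfs-utils install, so they may need adjusting):

journalctl -u nfs-server -u nfs-mountd --since "2020-12-30"
grep -iE 'mountd|gss|nfs' /var/log/messages | tail -n 20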

I can ping the nfsserver machine from the client by both name and IP address (and vice versa, from the nfsserver machine).
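
(Since Kerberos and the exports both key off hostnames, forward and reverse resolution is probably worth confirming on both machines as well; something like the following, using the names/IPs from the mount output above.)

getent hosts nfsserver.co.local
getent hosts 172.18.4.97
getent hosts clientserver.co.local
getent hosts 172.18.4.98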

Checking the SELinux settings, I see...

[root@clientserver /]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

I didn't set these up (or really have much experience with SELinux), but the "permissive" mode makes me think this shouldn't be a firewalling problem.
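
(As I understand it, SELinux is separate from the packet firewall, so to rule the firewall out explicitly I could also run something like this on both machines; commands assume the firewalld/iptables setup that ships with CentOS 7.)

firewall-cmd --state
firewall-cmd --list-all
iptables -L -n | head -n 30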

I've heard there can be port problems that cause this. When I use rpcinfo I see

[root@clientserver ~]# rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  34584  status
    100024    1   tcp  53605  status
    100005    1   udp  20048  mountd
    100005    1   tcp  20048  mountd
    100005    2   udp  20048  mountd
    100005    2   tcp  20048  mountd
    100005    3   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049  nfs_acl
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100227    3   udp   2049  nfs_acl
    100021    1   udp  36667  nlockmgr
    100021    3   udp  36667  nlockmgr
    100021    4   udp  36667  nlockmgr
    100021    1   tcp  39608  nlockmgr
    100021    3   tcp  39608  nlockmgr
    100021    4   tcp  39608  nlockmgr

but I really don't know enough about networking to tell whether that's normal.
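
(One thing I notice is that the rpcinfo -p above queries the client's own portmapper; querying the server from the client would presumably be something like the following, using the server IP from the mount command.)

rpcinfo -p 172.18.4.97
rpcinfo -t 172.18.4.97 nfs 4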

Looking at the nfsserver machine, I see:

[root@nfsserver ~]# cat /etc/exports
/datalake/analytics/org         otherclient(rw,no_root_squash,sync) clientserver(rw,root_squash,sync)
/datalake/raw/org               otherclient(rw,no_root_squash,sync) clientserver(ro,root_squash,sync)
/datalake/raw/org/HI_BRFSS      otherclient(ro,no_root_squash,sync) clientserver(ro,root_squash,sync)
[root@nfsserver ~]# exportfs -rav
exporting otherclient.co.local:/datalake/raw/org/HI_BRFSS
exporting clientserver.co.local:/datalake/raw/org/HI_BRFSS
exporting otherclient.co.local:/datalake/raw/org
exporting clientserver.co.local:/datalake/raw/org
exporting otherclient.co.local:/datalake/analytics/org
exporting clientserver.co.local:/datalake/analytics/org


[root@nfsserver ~]# systemctl status nfs
● nfs-server.service - NFS server and services
   Loaded: loaded (/usr/lib/systemd/system/nfs-server.service; enabled; vendor preset: disabled)
   Active: active (exited) since Wed 2020-12-30 18:38:00 HST; 22min ago
  Process: 135417 ExecStopPost=/usr/sbin/exportfs -f (code=exited, status=0/SUCCESS)
  Process: 135414 ExecStopPost=/usr/sbin/exportfs -au (code=exited, status=0/SUCCESS)
  Process: 135412 ExecStop=/usr/sbin/rpc.nfsd 0 (code=exited, status=0/SUCCESS)
  Process: 135447 ExecStartPost=/bin/sh -c if systemctl -q is-active gssproxy; then systemctl reload gssproxy ; fi (code=exited, status=0/SUCCESS)
  Process: 135430 ExecStart=/usr/sbin/rpc.nfsd $RPCNFSDARGS (code=exited, status=0/SUCCESS)
  Process: 135428 ExecStartPre=/usr/sbin/exportfs -r (code=exited, status=0/SUCCESS)
 Main PID: 135430 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/nfs-server.service

Dec 30 18:38:00 nfsserver.co.local systemd[1]: Starting NFS server and services...
Dec 30 18:38:00 nfsserver.co.local systemd[1]: Started NFS server and services.

Again, everything seems to be configured the way it should be. (I've seen some answers suggesting specific /etc/exports configurations, but I'd rather keep it as is, and this configuration has worked up to now.) Also, changing the DNS names to IPs in the /etc/exports file on nfsserver and running exportfs -rav didn't change anything.
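
If it helps, the per-client options the server is actually applying can also be dumped on nfsserver with something like the following (I can post the output if useful):

exportfs -v
cat /var/lib/nfs/etab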

Does anyone with more experience know what might be going wrong here? Any suggestions for further debugging, or information I could add to make this question better (e.g., does anyone see anything in this post that points to something worth investigating further)?

Answer 1

If the system drive on the NFS server runs out of space:

  1. You will get mount.nfs: access denied by server while mounting messages on the client
  2. The NFS service will look fine via systemctl status nfs-kernel-server
  3. The logs may not show any errors (although your logs may well have obvious errors, since you are out of space)

Posting this answer because the symptoms are so similar (a sudden, unexplained "access denied" error when trying to mount otherwise-fine NFS server resources on a server that responds to ping and looks healthy).

When you run out of space, the remedy is all the usual suspects: logs, Docker containers, and so on.
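
A quick way to rule this in or out on the NFS server is a disk/inode check along these lines (adjust the path if the exports live on a different filesystem):

df -h /
df -i /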
