Why is the iptables drop 2049 port rule automatically added when using linstor-gateway to export nfs services? #28
Comments
|
Just guessing, but are you using iptables version 1.8.9 by any chance? There is a bug in that iptables version that formats See ClusterLabs/resource-agents#1924 for more details. Solution: upgrade resource-agents to a version containing that commit, or use an older version of iptables. (The bug was fixed in upstream iptables, but they did not yet publish a new release with the fix included) Edit: just saw your example output above, which confirms you are affected by the iptables bug. (See the |
I do use iptables1.8.9, because this is the default version of pve. It seems that there is only this version in the apt library, and resource-agents is also the latest version (1:4.12.0-2). `root@lab-pve1:~# apt list iptables -a root@lab-pve1:~# apt list resource-agents -a |
|
Yes, unfortunately Debian stable (so pve too) is affected by this. We do have a bug report with Debian in progress to hopefully get this patched, but there has not been much activity yet. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067733 Unfortunately there's not much else we can do, it's in the distros hands. Maybe it helps if you also complain to Debian 🙂 A quick fix would of course be to just overwrite the portblock resource agent script in |
|
So do this on all your nodes: ~# git clone https://github.com/ClusterLabs/resource-agents.git
Cloning into 'resource-agents'...
remote: Enumerating objects: 63268, done.
remote: Counting objects: 100% (345/345), done.
remote: Compressing objects: 100% (183/183), done.
remote: Total 63268 (delta 190), reused 301 (delta 162), pack-reused 62923
Receiving objects: 100% (63268/63268), 32.73 MiB | 17.55 MiB/s, done.
Resolving deltas: 100% (41918/41918), done.
~# cp resource-agents/heartbeat/portblock /usr/lib/ocf/resource.d/heartbeat/portblock Just to be sure everything was reloaded I rebooted all nodes one by one (that is probably not needed). |
I found that my nfs export could not be mounted using virtual ip on the client, but the shared directory could indeed be discovered using showmount -e.
I can mount nfs normally using the IP of the physical network card.
I checked all the configurations until I accidentally checked iptables and found that a rule to drop port 2049 was automatically added.
This rule prevented me from using it. After I deleted it, I found that it could be done immediately. Use, why do this?
root@lab-pve1:~# iptables -vnL Chain INPUT (policy ACCEPT 172K packets, 45M bytes) pkts bytes target prot opt in out source destination 0 0 DROP 6 -- * * 0.0.0.0/0 192.168.128.30 multiport dports 2049root@lab-pve3:~# linstor-gateway nfs list +----------+-------------------+--------------------+--------------------------+---------------+ | Resource | Service IP | Service state | NFS export | LINSTOR state | +----------+-------------------+--------------------+--------------------------+---------------+ | nfs | 192.168.128.30/32 | Started (lab-pve1) | /srv/gateway-exports/nfs | OK | +----------+-------------------+--------------------+--------------------------+---------------+The text was updated successfully, but these errors were encountered: