Cannot deploy image - Connection Time Out
-
Hi George. Thanks for the quick response.
@george1421 said in Cannot deploy image - Connection Time Out:
IP address of fog server?
192.168.3.200
IP address of fogclient?
192.168.121.2
Did someone enable the firewall on the FOG server?
neo@fog-server:~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
123/udp                    ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
21,22,80,111,443,2049,20499/tcp ALLOW       192.168.121.0/24
69,111,2049,6080/udp       ALLOW       192.168.121.0/24
21,22,80,111,443,2049,20499/tcp ALLOW       192.168.122.0/24
69,111,2049,6080/udp       ALLOW       192.168.122.0/24
21,22,80,111,443,2049,20499/tcp ALLOW       192.168.11.0/24
69,111,2049,6080/udp       ALLOW       192.168.11.0/24
3000                       ALLOW       Anywhere
123/udp (v6)               ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
3000 (v6)                  ALLOW       Anywhere (v6)
Are the needed nfs services running on the FOG server? (I think yes because showmount returned the exported directories. But it doesn’t hurt to confirm).
neo@fog-server:~$ sudo systemctl status nfs-server
● nfs-server.service - NFS server and services
     Loaded: loaded (/lib/systemd/system/nfs-server.service; enabled; vendor preset: enabled)
    Drop-In: /run/systemd/generator/nfs-server.service.d
             └─order-with-mounts.conf
     Active: active (exited) since Fri 2021-10-08 11:23:40 EDT; 5 days ago
    Process: 1042 ExecStartPre=/usr/sbin/exportfs -r (code=exited, status=0/SUCCESS)
    Process: 1043 ExecStart=/usr/sbin/rpc.nfsd $RPCNFSDARGS (code=exited, status=0/SUCCESS)
   Main PID: 1043 (code=exited, status=0/SUCCESS)

Oct 08 11:23:39 fog-server systemd[1]: Starting NFS server and services...
Oct 08 11:23:40 fog-server systemd[1]: Finished NFS server and services.
-
@grobinson2k1 OK good so we know a bunch more than we did a few minutes ago.
So I’m guessing that the target computer and the fog server are on different subnets? Is there any type of screening firewall between the two?
21,22,80,111,443,2049,20499/tcp
69,111,2049,6080/udp
For NFSv3 I don’t think this is enough ports open. For NFSv4 it’s right.
Can you drop the firewall on the FOG server and test to see if you can connect?
Also be aware that I’m building a truth table here and if I don’t focus on something then it’s OK. There is a logic to how we debug this.
-
@george1421 said in Cannot deploy image - Connection Time Out:
So I’m guessing that the target computer and the fog server are on different subnets? Is there any type of screening firewall between the two?
Correct, they are on two different subnets, but the same layer 3 switch. There was no other firewall between them.
Now as to this…
Can you drop the firewall on the FOG server and test to see if you can connect?
I dropped it and it worked, which pisses me off. I have not modified the firewall settings since when it last worked. Now, I guess I need to play with the ports to solve that issue.
-
@grobinson2k1 See, the issue with NFSv3 is that it’s not very firewall friendly. You need to have a large port range open unless you can specifically define a smaller range. I have been working on an NFSv4 port for FOG that works just over the single 2048 port, which is much easier to firewall off.
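To see which NFSv3 helper services the posted rules would block, this added example (not part of the original thread) compares `rpcinfo -p` output with the ports allowed for 192.168.121.0/24. The sample rpcinfo output and the function names are constructed for illustration; mountd, nlockmgr and status get dynamic ports unless they are pinned in the NFS configuration.

```shell
#!/bin/sh
# Ports allowed from 192.168.121.0/24, copied from the ufw rules posted above.
ALLOWED_TCP="21,22,80,111,443,2049,20499"
ALLOWED_UDP="69,111,2049,6080"

# Constructed sample of `rpcinfo -p` output from an NFSv3 server. The mountd,
# nlockmgr and status port numbers are made up for illustration.
sample_rpcinfo() {
    cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100005    3   udp  41873  mountd
    100005    3   tcp  52339  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    4   udp  38467  nlockmgr
    100021    4   tcp  40285  nlockmgr
    100024    1   udp  50123  status
    100024    1   tcp  47811  status
EOF
}

# Read `rpcinfo -p` output on stdin and print "proto port service" for every
# registered RPC service whose port is missing from the allow lists.
# $1 = comma-separated allowed TCP ports, $2 = allowed UDP ports.
blocked_rpc_ports() {
    awk -v tcp="$1" -v udp="$2" '
        BEGIN {
            n = split(tcp, a, ","); for (i = 1; i <= n; i++) ok["tcp/" a[i]] = 1
            n = split(udp, a, ","); for (i = 1; i <= n; i++) ok["udp/" a[i]] = 1
        }
        $1 ~ /^[0-9]+$/ {          # skip the header line
            key = $3 "/" $4
            if (!(key in ok) && !(key in seen)) {   # report each proto/port once
                seen[key] = 1
                print $3, $4, $5
            }
        }'
}

# On a live server: rpcinfo -p | blocked_rpc_ports "$ALLOWED_TCP" "$ALLOWED_UDP"
sample_rpcinfo | blocked_rpc_ports "$ALLOWED_TCP" "$ALLOWED_UDP"
```

Any line it prints is a service the client can look up through the portmapper on 111 but cannot reach through the firewall.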
-
@george1421 Sounds good, can we mark this as solved? I hope you can get NFSv4 ported for FOG.
I guess I will either leave the firewall off for now, until I have to figure out how to make it secure later. Or when I need to deploy I will turn the firewall off and back on after I am done.
-
@grobinson2k1 I have a how-to that I never wrote (yet). The discussion is in this thread: https://forums.fogproject.org/post/143625
The changes are pretty simple. You need to make one edit to the FOG programming code and then use the nfsv4 init.
And then you need to use my custom init (virtual hard drive for FOS Linux): https://drive.google.com/file/d/1EHLhmM9-kXpFO7kfk3H1ydEZF3q8lID1/view?usp=sharing
Read over the entire thread to make sure you understand what is happening. At the very least if you mess up FOG for some reason you can just rerun the fog installer and it will fixup what was changed.
-
Fortunately, I can snapshot the VM for this and I get the steps all the way until I get to the custom init file.
Where do I place your custom compiled init_nfsv4?
-
@grobinson2k1 said in Cannot deploy image - Connection Time Out:
I dropped it and it worked, …
Great to see you and George figured this out so quickly!
Correct, they are on two different subnets, but the same layer 3 switch. There was no other firewall between them.
Allow me a quick comment on this. Two different subnets can be on the same layer 3 switch but they won’t be able to communicate with each other unless there is a router involved! Sure, the router does not need to be a firewall, but most often it is a combined thing. So what I am saying is that there needs to be a router in between those two subnets and this might also play a role - maybe not with the NFS issue you see now, but keep that in mind if you want to do multicasting as well!!
-
@grobinson2k1 said in Cannot deploy image - Connection Time Out:
Where do I place your custom compiled init_nfsv4?
It goes into the /var/www/html/fog/service/ipxe directory. Then in FOG Configuration->FOG Settings click on the expand all button and search for init.xz, replace that with init_nfsv4.xz and save the settings. This will force the nfsv4 disk to be loaded for every computer.
-
@george1421 I’ve updated to NFSv4 and the firewall has been reenabled and FOG is working.