Fail to mount during image deployment
-
We encounter this error while trying to perform image deployment across different subnets (FOG Server at subnet A, client at subnet B) and a firewall with the ports below whitelisted:
80/tcp
443/tcp
69/udp
1024-65535/udp
111/udp and 111/tcp
2049/udp and 2049/tcp
We tried to manually mount from the system and it failed as well.
We did try telnet to port 2049 and it can connect successfully.
Are there any ports/configuration that need to be done in order for it to work?
-
@wt_101 Here is a post that talks about firewall configuration
https://forums.fogproject.org/topic/6162/firewall-configuration
The issue is NFSv3 needs a wide port range to communicate correctly. Potentially switching over to NFSv4 will help eliminate this large firewall range requirement. FOG is not there yet but it's on the roadmap.
-
Hi @george1421
We have read the post you shared, but we never turned on the firewall at the FOG server, so we are not quite sure how the firewall configuration would be able to resolve the issue we encounter.
Let me explain our setup in detail. We have 2 sites: Site A and Site B
Site A
- FOG Server installed at Site A (192.168.10.1)
- It has multiple subnets, e.g. 192.168.10.0 & 192.168.20.0
- We tested client systems at Site A on both subnets 192.168.10.0 & 192.168.20.0; they are able to perform image capture & deployment smoothly
Site B
- client system at subnet (175.168.10.0)
- client system (175.168.10.20) is able to perform PXE boot, getting the FOG NBP file through the FOG Server at Site A (192.168.10.1)
- client system (175.168.10.20) is also able to detect the tasks (capture, deploy, debug) created from the Site A FOG Server
Previously the client system (175.168.10.20) at Site B was not even able to PXE boot to the Site A FOG Server (192.168.10.1) until we asked our IT team to whitelist the ports below bidirectionally between Site A & Site B.
80/tcp
443/tcp
69/udp
1024-65535/udp
111/udp and 111/tcp
2049/udp and 2049/tcp
Now the client system (175.168.10.20) at Site B fails at “Mounting File System”.
Can you advise whether there are any other ports that need to be open to resolve this issue? Or any method we can use to troubleshoot why we are facing this issue?
We referred to the site below and found that the ports highlighted in yellow are not open. Would these cause the mount to fail?
https://wiki.fogproject.org/wiki/index.php/FOGUserGuide#Full_Listing_of_Ports_used_by_FOG_server_and_client
Please do let me know if anything is unclear.
Thank You
-
@wt_101 said in Fail to mount during image deployment:
1024-65535/udp
I think the issue is here. NFS used TCP high ports. So you’d need to ask for 1024-65535/tcp as well. Though obviously this would render a firewall more or less useless.
If you can’t open the firewall then you might get involved in FOG development and help adding NFSv4 or other solutions like sshfs more quickly.
-
@wt_101 said in Fail to mount during image deployment:
We have read up the post you share but we never turn on firewall at FOG server
Previously client system (175.168.10.20) at Site B not even able to PXE boot to site A FOG Server (192.168.10.1) until we ask our IT team to whitelist the below port BI Direction between Site A & Site B.
The context was these are the ports that need to be open [on the fog server] so that you can apply the same rules to your network.
If you look at the iptables entry in the URL I referenced:
echo "IPTABLES_MODULES=\"nf_conntrack_tftp nf_conntrack_ftp nf_conntrack_netbios_ns\"" >> /etc/sysconfig/iptables-config
for port in 80 443 21 3306 2049 20048 111 138 139 445; do iptables -I INPUT 1 -p tcp --dport $port -j ACCEPT; done
for port in 69 111 4011 137; do iptables -I INPUT 1 -p udp --dport $port -j ACCEPT; done
service iptables save
It says you need to open these tcp ports {80 443 21 3306 2049 20048 111 138 139 445}
And you need to open these udp ports {69 111 4011 137}
FOG NFSv3 does use tcp for its data channels and not udp.
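As an added example (not part of the original posts and not FOG project code), the following shell function compares the RPC services a server registers, as listed by `rpcinfo -p`, against a firewall allow list and reports the NFSv3-related ports that no rule covers. The allow list is the one quoted in this thread; the `rpcinfo` sample is constructed, and the function name and the allow-list format are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: find NFSv3 RPC ports that a firewall allow list does not cover.

# Allow list from the thread, written as proto:low-high (hypothetical format).
ALLOW='tcp:80-80 tcp:443-443 udp:69-69 udp:1024-65535 udp:111-111 tcp:111-111 udp:2049-2049 tcp:2049-2049'

# Constructed sample of `rpcinfo -p <server>` output. Port 20048 for mountd is
# the one in the thread's iptables rules; the nlockmgr/status ports are made up.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    3   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100021    4   tcp  41235  nlockmgr
    100024    1   tcp  52817  status'

# blocked_nfs3_ports ALLOWLIST   (reads `rpcinfo -p` output on stdin)
# Prints "proto/port service" for each NFSv3-related registration that no
# allow rule matches on both protocol and port.
blocked_nfs3_ports() {
  awk -v allow="$1" '
    BEGIN {
      n = split(allow, rules, " ")
      want["portmapper"]; want["mountd"]; want["nfs"]
      want["nlockmgr"]; want["status"]
    }
    # Data rows start with a numeric program number; this skips the header.
    $1 ~ /^[0-9]+$/ && ($5 in want) {
      key = $3 "/" $4
      if (key in seen) next      # same port registered for several versions
      seen[key] = 1
      ok = 0
      for (i = 1; i <= n; i++) {
        split(rules[i], r, "[:-]")
        if (r[1] == $3 && $4 + 0 >= r[2] + 0 && $4 + 0 <= r[3] + 0) ok = 1
      }
      if (!ok) print key, $5
    }'
}

printf '%s\n' "$SAMPLE_RPCINFO" | blocked_nfs3_ports "$ALLOW"
```

Against a live server the input would come from `rpcinfo -p 192.168.10.1 | blocked_nfs3_ports "$ALLOW"`, run from a host that can reach port 111.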
-
Hi @george1421
The mount is working due to the high port 1024-65535 is not open causing the mount fail.
Just to understand NFSv4: we tested with a debug task and the current FOS is able to perform a mount using NFSv4.
Is there any concern with changing the FOS mounting to use NFSv4?
-
@wt_101 I do have a proof of concept for NFSv4 and I’m running it on one of my production FOG servers. https://forums.fogproject.org/topic/14791/feature-request-for-fog-1-6-x-configure-image-capture-to-use-nfsv4-instead-of-nfsv3/10
The tough spot is that you need different inits with NFSv4 enabled. The default inits that come with FOG have nfsv4 disabled. The other issue with nfsv4 is that the shares are changed a bit into a virtual share. My PoC thread also covers that. I really need to consolidate that into an easy to follow thread. I was going to save pushing for nfsv4 in FOG 1.6.x series but that series is getting pushed out because of the lack of dev time. Here are the inits from Jun 2021 with nfsv4 enabled: https://drive.google.com/file/d/1EHLhmM9-kXpFO7kfk3H1ydEZF3q8lID1/view?usp=sharing