Sunday 26 January 2014

Opensuse 13.1 and Macosx NFS with static ports

Since my new lab setup, everything on my main opensuse Linux machine is now in a different Juniper zone to my mac laptop and thus firewalled.

This NFS setup for me was one of the few times where it was easier to do the same thing in RHEL5.  I was also unable to find any documentation for this from suse.

This brief post shows the firewall ports and software configuration I used to set up the NFS server on openSUSE and the NFS client on Mountain Lion. The mac client configuration was not required for my OpenElec box.

This NFS setup is for read-only.  There may be additional requirements for rw which I have not covered.

It also makes the assumption that ports 111 and 2049 UDP and TCP have already been accounted for.  The ports I used for MountD, StatD and LockD are arbitrary.

Setting Static Ports for MountD, StatD and LockD

MountD
In /etc/sysconfig/nfs set
MOUNTD_PORT="21000"

StatD
In /etc/sysconfig/nfs set
STATD_OPTIONS="-p 22000"

LockD / nlm
This one took me a while to work out. I was trying to trace the executable that owned the open port with lsof, and when that drew a blank I realised it must be set at kernel level.

These need to be set with sysctl.  I put my values in /etc/sysctl.conf and reloaded with sysctl -p
fs.nfs.nlm_tcpport = 23000
fs.nfs.nlm_udpport = 23000

Disable NFSv4
Theo de Raadt wrote: "NFSv4 is not on our roadmap. It is a ridiculous bloated protocol which they keep adding crap to."

I came across this on the Wikipedia page for NFS when checking to see which versions I really wanted. Since I'm not doing authentication and Theo says it won't make it into OpenBSD, I'm keen to disable it.

In /etc/sysconfig/nfs set
NFS4_SUPPORT="no"

Restart Server
Once you restart NFS and run rpcinfo -p you should find all the ports you need can now be accounted for.
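
One way to automate that check, as an added example rather than part of the original post: a shell function that reads rpcinfo -p output and reports any registration that does not match the static ports chosen above. The function name and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `rpcinfo -p` output against the static ports in this post.
# check_rpc_ports reads `rpcinfo -p` text on stdin, prints one line per
# problem and returns non-zero if anything falls outside the firewall policy.
check_rpc_ports() {
    awk '
    function report(msg) { print msg; bad++ }
    BEGIN {
        # Ports from the post: 111 and 2049 assumed open, the rest chosen.
        want["portmapper"] = 111;  want["nfs"] = 2049
        want["mountd"] = 21000;    want["status"] = 22000
        want["nlockmgr"] = 23000
        for (s in want) allowed[want[s]] = 1
    }
    $1 !~ /^[0-9]+$/ { next }    # skip the header line
    {
        vers = $2; proto = $3; port = $4; svc = $5
        seen[svc] = 1
        if (svc in want) {
            if (port + 0 != want[svc])
                report("WRONG-PORT " svc "/" proto " on " port ", expected " want[svc])
        } else if (!((port + 0) in allowed))   # e.g. nfs_acl on 2049 is fine
            report("UNEXPECTED program " $1 " (" svc ") " proto " port " port)
        if (svc == "nfs" && vers + 0 >= 4)
            report("NFSV4 nfs v" vers "/" proto " is still registered")
    }
    END {
        for (s in want)
            if (!(s in seen)) report("MISSING " s " is not registered")
        exit (bad ? 1 : 0)
    }'
}

# Constructed sample: mountd has come up on a port the firewall does not allow.
check_rpc_ports <<'EOF' || echo "rpcinfo output does not match the firewall rules"
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  22000  status
    100024    1   tcp  22000  status
    100021    4   udp  23000  nlockmgr
    100021    4   tcp  23000  nlockmgr
    100005    3   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100227    3   tcp   2049  nfs_acl
EOF
```

On the server itself, pipe the live output in with rpcinfo -p | check_rpc_ports; no output and a zero exit status mean every registered port has a matching firewall rule.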

Mac client configuration
Although I use a mac most days, I'm not that well versed in how to administer it.  Anyway, with the above setup I was finding that from the command line I could read the export fine, but Finder was really not playing ball.  No directory listing makes it effectively useless unless using the cli.  I also strongly dislike most of the user-contributed documentation for mac on the internet (which tends to consist of "Steve Jobs didn't want you to do it like that" or "I bought this (closed source) app which works for me").

Anyway, as it turns out, Mountain Lion makes setting up nfs pretty slick and the man pages are pretty good.  Using rpcinfo -p and setting a block and log policy on my Juniper I was able to work out that you just need to set the LockD and StatD ports in /etc/nfs.conf

nfs.lockd.port = 23000
nfs.statd.port = 22000

Export and mount settings
For reference, these are the export and mount settings I am using

in /etc/exports
/[path] [client_ip](fsid=0,crossmnt,ro,root_squash,sync,no_subtree_check)

mount on mac
sudo mount -t  nfs -o resvport,nfc [server_ip]:[export_path] [mount_path]

Monday 20 January 2014

Creating disk images in mac osx with DD and diskutil

I keep forgetting the diskutil commands so I've dumped them in this post. To use dd on a mac you have to remember to unmount the volume first (as everything gets auto mounted)

mount - find the path for the mounted volume, e.g. /dev/disk3s1 (diskutil list is also useful)
sudo diskutil unmount /dev/disk3s1 - unmount it
sudo dd bs=512k if=imagefile.img of=/dev/disk3

Saturday 18 January 2014

opensuse repository for transmission 2.42

ftp://ftp5.gwdg.de/pub/opensuse/repositories/openSUSE:/Maintenance:/1433/openSUSE_12.1_Update/


Friday 3 January 2014

Creating a new service definition for Suse firewall

I use ushare a bit at home and I wanted it to work nicely with SuSE Firewall.

All I had to do was create a new service description file in /etc/sysconfig/SuSEfirewall2.d/services/ (I called mine ushare).

I copied it from /etc/sysconfig/SuSEfirewall2.d/services/TEMPLATE

After a bit of reading it seems you can use a service name corresponding to an entry in /etc/services or just the port number. I used the latter. I also had to set this port appropriately in /etc/ushare.conf

## Name: ushare Server
## Description: Opens ports for ushare

# space separated list of allowed TCP ports
TCP="49200"

Now I can just select the service from the drop down in the firewall gui. For me this fits the workflow I would use from Juniper SSG (custom services)

openSUSE KVM getting started notes

Some sparse notes on installing KVM on openSUSE locally

Configure libvirtd
Firstly, I don't want to have to be root every time I want to use virt-manager, and I want to do this without using PolicyKit.  In /etc/libvirt/libvirtd.conf uncomment and set
unix_sock_group = "libvirt"
unix_sock_ro_perms = "0770"
unix_sock_rw_perms = "0770"
auth_unix_ro = "none"
auth_unix_rw = "none"
(https://doc.opensuse.org/documentation/htmlsingle/openSUSE_122/opensuse-kvm.html#sec.libvirt.connect.auth.libvirt.traditional)

Set default url
I'm just using kvm locally and I don't want to have to type virsh -c qemu:///system every time to admin on the command line, so I create
~/.config/libvirt/libvirt.conf
and add
uri_default = "qemu:///system"
Now I can just type
virsh list --all
(http://libvirt.org/uri.html)

virsh commands: host
virsh nodeinfo - dump CPU and RAM info for the hypervisor

virsh commands: domain management
virsh list --all - list info on all vm (domains)
virsh (start|shutdown|reboot|reset) domain
virsh (suspend|resume) domain
virt-viewer domain - open the graphical console for the domain

virsh commands: domain info gathering
virsh dominfo domain - show overview of domain (name, cpu, state etc)
virsh domstate domain - show the state of the domain (shut off, running etc)
virsh dumpxml domain - dump the xml configuration for the domain to stdout
virsh edit domain - open the xml configuration for the domain in $EDITOR
virsh define (file) - import a domain from an xml config