Authors:

Andrew Dahms

Yedidyah Bar David

Douglas Landgraf

Deepak C Shetty

Jason Brooks

Nicholas Kesick

Ryan Harper

Steve Gordon

Markus Stockhausen

Will Dennis

Troubleshooting NFS Storage Issues

Introduction

To attach NFS storage domains to an oVirt environment, the NFS exports must be configured in a specific way. This page is designed to outline the core requirements for configuring NFS exports, and assist in troubleshooting issues encountered when attempting to attach NFS storage domains to an oVirt environment for the first time.

Permissions

In principle, the user vdsm, with uid 36 and gid 36, must have read and write permissions on all NFS exports. However, some daemons on the hypervisor hosts (for example, sanlock) use a different uid but need access to the directory too. Therefore, all incoming NFS requests must be mapped to the aforementioned uid and gid. Two steps are required to ensure this mapping:

Change the ownership of the export directory, replacing directory_name with the name of the directory:
```
# chown 36:36 directory_name
```
Add the rw options on the export in /etc/exports.
```
/exports/directory_name       *(rw)
```
Set the permissions of the export directory, replacing directory_name with the name of the directory:
```
# chmod 0755 directory_name
```
The NFS server must actually be running.

a. Ensure that the nfs and rpcbind services are running on the NFS server, b. Ensure that showmount -e <nfs_server_ip> shows the expected export(s).

SELinux

Ensure that selinux is not interfering with NFS access.
- getsebool -a | grep virt_use_nfs should show virt_use_nfs --> on, if not then do setsebool virt_use_nfs 1 to allow NFS access for VMs
- One can also use setsebool -P virt_use_nfs 1 to make this setting persistent across reboots.

The easiest way to definitively test that an NFS export is ready for use by oVirt is to:

Create the vdsm user with uid 36 on the ovirt-engine host if it does not already exist.
Change to the vdsm user using su - vdsm -s /bin/bash

Attempt to mount the export on a temporary directory (for example, /tmpmnt) using the following command form:

$ /usr/bin/sudo -n /bin/mount -t nfs -o soft,nosharecache,timeo=600,retrans=6,nfsvers=3 *servername:/path/of/export* /tmpmnt

If the mount succeeds, then try to create a file in it via the touch command, i.e. touch /tmpmnt/tempfile

ISO Domain

TODO: Update to a current version

The engine-setup command can optionally create an ISO domain and export it.

Until oVirt 3.3, it always exported to the entire network.
In 3.4 it prompted the user for an ACL, and the default was still the entire network.
In 3.5 it still prompts the user, but the default was changed to allow access for the local machine only.

The format for the ACL is simply that of /etc/exports - see the exports(5) manpage for details. Some simple examples:

To allow access to 3 hosts host1, host2 and host3, input: host1(rw) host2(rw) host3(rw)
To allow access to the entire Internet, input: *(rw)

If you use the last example, you must ensure that other means such as a firewall are in place to protect the ISO domain. When configuring this option, also consider protecting the ISO domain from untrusted guests that you might want to run on your hosts.

nfs-check program

A new nfs-check script is now available to test whether an NFS export is ready for use by oVirt :

nfs-check.py is a python script to validate nfs targets to use with oVirt project. Some operations include: mount the nfs target, create a file as vdsm:kvm and then remove it.
nfs-check.py is available in the vdsm/contrib/ directory of the vdsm source

Run it on a node via python nfs-check.py 'server:/target'

$ git clone "https://gerrit.ovirt.org/vdsm"
$ cd vdsm/contrib
$ python nfs-check.py myNFSServer:/nfsTarget

Setting NFS Server

Debian Squeeze

TODO: Update to current Debian

     #> groupadd kvm -g 36
     #> useradd vdsm -u 36 -g kvm

     # mkdir /storage

     #> chmod 0755 /storage
     #> chown 36:36 /storage/
     #> cat /etc/exports
     /storage    *(rw)

     #>/etc/init.d/nfs-kernel-server restart

Fedora 26 or higher

      #> groupadd kvm -g 36
      #> useradd vdsm -u 36 -g kvm

      # mkdir /storage

      # chmod 0755 /storage
      # chown 36:36 /storage/

      # yum -y install nfs-utils

      # cat /etc/exports
      /storage    *(rw)

      # systemctl start rpcbind.service
      # systemctl start nfs-server.service

      # Relevant only for NFS v3
      # systemctl start nfs-lock.service

      # systemctl enable rpcbind.service
      # systemctl enable nfs-server.service

      # Relevant only for NFS v3
      # systemctl enable nfs-lock.service

RHEL7 based distro

      #> groupadd kvm -g 36
      #> useradd vdsm -u 36 -g kvm

      # mkdir /storage

      # chmod 0755 /storage
      # chown 36:36 /storage/

      # cat /etc/exports
      /storage    *(rw)

      # systemctl enable rpcbind
      # systemctl enable nfs-server
      # systemctl start rpcbind
      # systemctl start nfs-server

Synology DSM 6.2.4-25556 Update 2 and later

Synology DSM 6.2.4-25556 Update 2 / DSM 7 extends Access Control Lists (ACLs) on all shared folders, and removes groupadd and useradd commands. To allow ovirt nodes to connect via NFS the ACL permissions and /etc/exports file need to be updated manually (take backups before editing!).

Create the shared folder required as usual and allow your oVirt host IP’s in the NFS permissions section
Login to your Synology NAS via SSH (search the web for ‘synology enable ssh access’) as root or sudo to root once logged in
Add a line for the kvm group (id 36) to /etc/group

kvm:x:36
Add a line for the vdsm user (id 36) to /etc/passwd

vdsm:x:36:36::/dev/null:/bin/false

Update the Synology ACLs to allow access to kvm:vdsm

    EXPORT_DIR=/volumeX/...
    ALLOW_USER='user:vdsm:allow:rwxpdDaARWcCo:fd--'
    ALLOW_GROUP='group:kvm:allow:rwxpdDaARWcCo:fd--'

    synoacltool -get "$EXPORT_DIR" | grep -q "$ALLOW_USER" || synoacltool -add "$EXPORT_DIR" $ALLOW_USER > /dev/null
    synoacltool -get "$EXPORT_DIR" | grep -q "$ALLOW_GROUP" || synoacltool -add "$EXPORT_DIR" $ALLOW_GROUP > /dev/null
    synoacltool -get "$EXPORT_DIR"

Edit /etc/exports and replace the anonuid and anongid values with 36, e.g.

/volume1/ovirt 1.1.1.1(<Synology defined options>,anonuid=1025,anongid=100) 1.1.1.2(<Synology defined options>anonuid=1025,anongid=100)

Would become

    /volume1/ovirt 1.1.1.1(<Synology defined options>,anonuid=36,anongid=36) 1.1.1.2(<Synology defined options>,anonuid=36,anongid=36)

Warning any edits (i.e. adding a new host) to the NFS share in the Synology UI will reset the anonuid and anongid back to Synology defatuls.

Workarounds for known issues

TODO: update for the newer supported releases

NFS Lockups

Normally the NFS server of any distro should work out of the box. Using older NFS servers or following different tuning advices throughout the internet may lead to a misconfiguration that gives lockups/freezes/stalls. Rule of thumb is to always ensure that the tcp window size parameters of your server are larger than the wsize and rsize mount option of your hypervisor hosts. E.g. using Fedora 19 as a hypervisor node these parameters are set to 1 MB.

       # df
      ...
      10.10.30.253:/var/nas3/ovirt on /rhev/data-center/mnt/10.10.30.253:_var_nas3_ovirt type nfs (...,rsize=1048576,wsize=1048576,...)
      ...

In this case it is a good idea to set the tcp window parameters on the NFS server to at least 4 MB in /etc/sysctl.conf.

       # cat /etc/sysctl.conf
      net.ipv4.tcp_mem=4096 65536 4194304
      net.ipv4.tcp_rmem=4096 65536 4194304
      net.ipv4.tcp_wmem=4096 65536 4194304
      net.core.rmem_max=8388608
      net.core.wmem_max=8388608

To activate these settings for the running server reload them with

       # sysctl -p