jails NFSv4 Server won't start inside a FreeBSD 14.2 VNET Jail

Hello everybody,

I'm trying to set up an NFSv4 server inside a FreeBSD 14.2 vnet jail. After the necessary configuration and parameters, I started the service from the console; unfortunately I get a negative result and the nfsd server won't start, as described below:
Code:
Jail : [root@odoo18erp01:~] # service nfsd restart
nfsd not running?
Starting nfsd.

So I jumped into the log messages to understand the issue, and I found an error saying that allow.nfsd is not configured,
even though my jail.conf file has this option.
Code:
Jail : [root@odoo18erp01:~] # cat /var/log/messages
Feb  6 18:42:15 odoo18erp01 syslogd: exiting on signal 15
Feb  6 18:43:26 odoo18erp01 syslogd: kernel boot file is /boot/kernel/kernel
Feb  6 18:43:26 odoo18erp01 mountd[41593]: Can't delete exports for V4:
Feb  6 18:43:26 odoo18erp01 mountd[41593]: Exporting V4: failed
Feb  6 18:43:26 odoo18erp01 mountd[41593]: bad exports list line 'V4: /                         -sec'
Feb  6 18:43:26 odoo18erp01 mountd[41593]: Warning: exporting /usr/local/odoo_erp/odoo18ce exports entire / file system
Feb  6 18:43:26 odoo18erp01 mountd[41593]: bad opt rw
Feb  6 18:43:26 odoo18erp01 mountd[41593]: bad exports list line '/usr/local/odoo_erp/odoo18ce  -sec'
Feb  6 18:43:26 odoo18erp01 nfsd[45357]: nfssvc stablerestart failed: allow.nfsd might not be configured

The next step for me was to verify the security jail params; I was surprised that allow.nfsd is not authorized,
contrary to the allow.raw_sockets param, as shown by these commands:
Code:
Jail : [root@odoo18erp01:~] # sysctl security.jail.param.allow.nfsd
security.jail.param.allow.nfsd: 0
Jail : [root@odoo18erp01:~] # sysctl -a |grep -i security.jail.allow
security.jail.allow_raw_sockets: 1

Plus, the host dmesg throws the error [mountd/nfsd requires a separate file system]:
Code:
root@desktopfreebsd:~ # dmesg
[15567] Warning jail jid=10: mountd/nfsd requires a separate file system
[15567] lo0: link state changed to UP
[15567] arp: 192.168.20.233 moved from 02:d9:63:f9:cf:0b to 02:11:b2:67:b9:0b on epair234b

root@desktopfreebsd:~ # jls
   JID  IP Address      Hostname                      Path
     1                  pg17db01.itlinker.local       /usr/local/jails/containers/pg17db01
     3                  apache24web01.itlinker.local  /usr/local/jails/containers/apache24web01
    10                  odoo18erp01.itlinker.local    /usr/local/jails/containers/odoo18erp01
root@desktopfreebsd:~ #

My setup and configuration are summarized like so:
Code:
root@desktopfreebsd:~ # cat /etc/jail.conf.d/odoo18erp01.conf
odoo18erp01 {
  # Summarized configuration :

# PERMISSIONS

  allow.raw_sockets;
  # NFSD/VNET
  allow.nfsd;

  allow.mount;
  allow.mount.devfs;
  allow.mount.fdescfs;
  mount.devfs;
  allow.mount.zfs;
  enforce_statfs = 1;
}

Jail : [root@odoo18erp01:~] # cat /etc/rc.conf
# Summarized configuration :

# DAEMONS
rpcbind_enable="YES"
rpcbind_flags="-h 192.168.20.231"
rpc_lockd_enable="YES"
rpc_lockd_flags="-h 192.168.20.231"
rpc_lockd_enable="YES"
rpc_lockd_flags="-h 192.168.20.231"
rpc_statd_enable="YES"
rpc_statd_flags="-h 192.168.20.231"
mountd_enable="YES"
mountd_flags="-h 192.168.20.231 -r -S"

nfs_server_enable="YES"
nfsv4_server_enable="YES"
nfsv4_server_only="YES"
nfs_server_flags="-h 192.168.20.231 -u -t -n 8"

Jail : [root@odoo18erp01:~] # cat /etc/sysctl.conf
# VNET/NFSD
vfs.nfs.enable_uidtostring=1
vfs.nfsd.enable_stringtouid=1

Jail : [root@odoo18erp01:~] # cat /etc/exports
V4: /                        -sec=sys                    -network 192.168.20.0/24
/usr/local/odoo_erp/odoo18ce -sec=sys -maproot=1001:1001 -network 192.168.20.0/24

Please, can someone tell me whether there is any problem in my configuration, or did I forget a parameter somewhere?
 
Where is your vnet option?
As I said, the config above is a summarized one.
I use a jail with multiple vnet interfaces, please see below:
Code:
cat /etc/jail.conf.d/odoo18erp01.conf
...
....
.....

# NETWORKS/INTERFACES - The order must be respected
  $id1 = "231";
  $ip1 = "192.168.20.${id1}/24";

  $id2 = "233";
  $ip2 = "192.168.20.${id2}/24";

  $gateway = "192.168.20.1";
  $bridge = "bridge0";

  $epair1 = "epair${id1}";
  $epair2 = "epair${id2}";

  # VNET/VIMAGE - The order must be respected
  vnet;
  vnet.interface += "${epair2}b";
  vnet.interface += "${epair1}b";

...
...
...
 
I see that you have nfs flags:
Code:
nfs_server_flags="-h 192.168.20.231 -u -t -n 8"
Per:

Code:
When nfsd is run in an appropriately configured vnet jail, the server is
restricted to TCP transport and no pNFS service. Therefore, the -t option must
be specified and none of the -u, -p and -m options can be specified when run
in a vnet jail. See jail(8) for more information.

So, could it be the U switch?
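
The nfsd(8) rule quoted above, written as a check over rc.conf text. This is an added example, not part of the original thread: the function name `lint_nfsd_flags` and the sample input are constructed here, and the check assumes `-h`, `-n`, `-p` and `-m` each take a value.

```shell
#!/bin/sh
# Added example: lint nfs_server_flags against the nfsd(8) vnet-jail rule
# quoted above (-t required; -u, -p and -m not allowed).

# Constructed sample, modelled on the rc.conf lines posted in this thread.
SAMPLE_RC_CONF='nfs_server_enable="YES"
#nfs_server_flags="-t"
nfs_server_flags="-h 192.168.20.231 -u -t -n 8"'

# Prints one finding per line; prints nothing when the flags satisfy the rule.
# Runs in a subshell so "set -f" (no globbing while splitting) stays local.
lint_nfsd_flags() (
    set -f
    # Uncommented assignments only; the last one wins, as in rc.conf.
    flags=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*nfs_server_flags="\(.*\)".*$/\1/p' | tail -n 1)
    if [ -z "$flags" ]; then
        echo "nfs_server_flags is not set here; check the effective value"
        return 0
    fi
    has_tcp=no
    for word in $flags; do
        case $word in
            --*) continue ;;            # long options: not covered by the rule
            -?*) letters=${word#-} ;;   # short option or cluster such as -ut
            *)   continue ;;            # argument of the previous option
        esac
        while [ -n "$letters" ]; do
            rest=${letters#?}
            opt=${letters%"$rest"}
            letters=$rest
            case $opt in
                t)   has_tcp=yes ;;
                u)   echo "-u (UDP transport) is not allowed in a vnet jail" ;;
                p|m) echo "-$opt (pNFS option) is not allowed in a vnet jail" ;;
            esac
            # -h, -n, -p and -m take a value: the rest of the word is that value.
            case $opt in h|n|p|m) letters= ;; esac
        done
    done
    [ "$has_tcp" = yes ] || echo "-t (TCP transport) must be specified in a vnet jail"
)

lint_nfsd_flags "$SAMPLE_RC_CONF"
```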
 
I tested the config with :
nfs_server_flags="-h 192.168.20.231 -t -n 8"

The result was the same.
 
I'm about out of ideas but then, wouldn't it be (/etc/rc.conf):
Code:
rpcbind_enable="YES"
rpcbind_flags="-h 192.168.20.231"

rpc_lockd_enable="YES"
rpc_lockd_flags="-h 192.168.20.231"

rpc_statd_enable="YES"
rpc_statd_flags="-h 192.168.20.231"

mountd_enable="YES"
mountd_flags="-h 192.168.20.231 -r -S"

nfs_server_enable="YES"

# In a jail, only TCP, no pNFS.
#nfsv4_server_enable="YES"
#nfsv4_server_only="YES"
#nfs_server_flags="-h 192.168.20.231 -u -t -n 8"
I assume the other options/and flags have been looked at.

And then...
Code:
# service nfsd start
# service mountd reload
 
Thank you for your help, and I'm sorry if I disturbed you; your reply was very appreciated. 👍
 