Troubleshooting NFS

January 6th, 2014

Every now and then I have issues with my NFS setup, server-side or client-side. And since I don’t usually handle NFS all that often, I always forget how to solve it and end up wasting a ton of time debugging and searching and stuff.

So I finally, seconds before posting a long question on serverfault.com, managed to pin it down once again.

So, long story short:
– pretty much most of the problems with NFS come from firewalls: server-side, client-side and/or router-side. So make sure to disable them all and see if that works. If it does, I'll explain below how to make it work with your firewall enabled as well.
– then there are NFS server and NFS client configuration issues. There are plenty of how-tos out there for those.

So how do you troubleshoot a firewall/iptables issue? The most common symptom of this problem is a "connection timeout". If you get it, it's most likely a firewall/routing issue.

What I did, in my case, is to set up my firewall rules in such a way that all drops go to a special "mydrop" target (a user-defined chain), in which I drop everything.
Then I have a few scripts which cancel, restore and enable logging in the firewall.
The logging script cancels the firewall, then restores it (this cleans up leftover rules), then adds a logging rule like:

iptables -I mydrop -m limit --limit 2/sec -j LOG --log-prefix "IPTables-dropped: " --log-level 4 --log-tcp-options --log-ip-options

then, in another console, I do

tail -f /var/log/messages

and in the first one I start the mount/showmount/rpcinfo commands and check the tail log to see what packets are being dropped.
Then I make rules for those packets.

Now, in my personal case, I set up my NFS server to use static/dedicated ports (there are how-tos out there on how to do it; I won't go over them here).
So, on a tightly firewalled Linux machine, the iptables rules for the NFS client look like this:

# nfs client
-A services -s 192.168.1.4 -p tcp --sport 111 -j ACCEPT
-A services -s 192.168.1.4 -p tcp --sport 892 -j ACCEPT
-A services -s 192.168.1.4 -p tcp --sport 2049 -j ACCEPT
-A services -s 127.0.0.1 -d 127.0.0.1 -p udp --dport 111 -j ACCEPT
-A services -s 127.0.0.1 -d 127.0.0.1 -p udp --sport 111 -j ACCEPT

“services” in this context is a dedicated target for my used services (usually server/daemon stuff, but also client stuff when needed, like this scenario).
Note: 192.168.1.4 is my NFS server.

Then, on the server side, I have this:
# nfs server
-A services -s 192.168.1.0/24 -m state --state NEW -p udp --dport 111 -j ACCEPT
-A services -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 111 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 32803 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 32769 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 892 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 892 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 875 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 875 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 662 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 662 -j ACCEPT

The rules on INPUT I copied from another blog/site, which I can't recall now. At the time I got these, I hadn't thought of the logging idea I just described, and I don't want to take down all my machines to test it so I can figure out exactly which rules belong there.
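The logging step above still leaves you reading raw LOG lines out of /var/log/messages by eye. The script below, an added example that is not part of the original post, condenses those lines into distinct dropped flows and prints a candidate ACCEPT rule for each in the same form as the client rules above; the syslog lines are constructed samples, and the "services" chain name and the 192.168.1.4 server address are the ones used in this post.

```shell
#!/bin/sh
# Added example (not from the original post): summarise what the "mydrop" LOG rule
# recorded and turn each distinct dropped flow into a candidate ACCEPT rule.
# Constructed sample lines in the format the iptables LOG target writes
# (fields shortened; the prefix is the one from the post's logging rule).
SAMPLE_LOG='Jan  6 10:01:02 client kernel: IPTables-dropped: IN=eth0 OUT= SRC=192.168.1.4 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=2049 DPT=40567 WINDOW=14600 RES=0x00 ACK SYN URGP=0
Jan  6 10:01:02 client kernel: IPTables-dropped: IN=eth0 OUT= SRC=192.168.1.4 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=2049 DPT=40567 WINDOW=14600 RES=0x00 ACK SYN URGP=0
Jan  6 10:01:03 client kernel: IPTables-dropped: IN=eth0 OUT= SRC=192.168.1.4 DST=192.168.1.10 LEN=108 PROTO=UDP SPT=111 DPT=53123 LEN=88
Jan  6 10:01:05 client kernel: e1000: eth0 NIC Link is Up 1000 Mbps
Jan  6 10:01:07 client kernel: IPTables-dropped: IN=eth0 OUT= SRC=192.168.1.4 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=892 DPT=40568 WINDOW=14600 RES=0x00 ACK SYN URGP=0'

# Read syslog lines on stdin; print "count PROTO src:sport -> dst:dport" for every
# distinct dropped flow, most frequent first. Lines without our prefix are ignored.
summarize_drops() {
  grep 'IPTables-dropped:' | awk '{
    split("", f)                                   # reset per line (portable awk)
    for (i = 1; i <= NF; i++) { split($i, kv, "="); f[kv[1]] = kv[2] }
    key = f["PROTO"] " " f["SRC"] ":" f["SPT"] " -> " f["DST"] ":" f["DPT"]
    n[key]++
  }
  END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# Emit one ACCEPT rule per dropped flow, in the same form as the client rules in
# the post (keyed on the server address and its fixed NFS/rpcbind/mountd port).
# Review each line before loading it: a source-port-only match trusts any packet
# from that host claiming the port, so keep the source restricted to the NFS server.
suggest_rules() {
  summarize_drops | awk '{
    split($3, src, ":")
    printf "-A services -s %s -p %s --sport %s -j ACCEPT\n", src[1], tolower($2), src[2]
  }'
}

# Usage on a live box:   grep 'IPTables-dropped:' /var/log/messages | suggest_rules
printf '%s\n' "$SAMPLE_LOG" | suggest_rules
```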

Anyway, I hope this logging idea will help someone save some hours.

Experts-Exchange: going at it, again

January 4th, 2014

As mentioned earlier, I got congratulated on becoming a designated expert on 2 sections: http://blog.ciuly.com/?p=817
Today, they did it again. For the same 2 sections 🙂

Time for another email to their support (the first time I didn't mail them; I was hoping it was a one-time slip).

Windows XP: this file came from another computer and might be blocked

January 3rd, 2014

I thought I'd seen them all in WinXP. Then today I bumped into not being able to access a file over a share on another computer on the local network. I opened the file properties and saw the message in the title.
A bit of googling suggested it may be zone information that the IE browser sets when you download a file. Some suggest using streams.exe from Sysinternals to delete the extra data stream of the file.

Indeed, that solves it. But I am not one of those that just blindly deletes stuff, so before I deleted, I made sure to peek at what info I was about to delete. And it looks like this:
c:\path\DigiSign_eToken_PKI_Client_x32.msi:
:Zone.Identifier:$DATA 26

Looks safe to delete, so just proceed. If you get anything else, make sure it is safe to delete before you do it.

Apache on linux: Could not open configuration file Permission denied

January 2nd, 2014

I don't do configuration every day, so some things elude me. Especially when SELinux is involved.

So this happened to me the other day when I set up a new web site on my server and, as usual, added a config file for it. Immediately after reloading Apache, I got a Permission Denied error on the newly created default.conf when Apache tried to read it.

Took some googling to get to the bottom of it:

(just to confirm it’s selinux)
[root@localhost conf]# sestatus
SELinux status: enabled

[root@localhost sites]# ls -Z
-rw-r--r-- root root root:object_r:default_t default.conf
-rw-r--r-- root root root:object_r:httpd_config_t site1.conf
-rw-r--r-- root root root:object_r:httpd_config_t site2.conf

[root@localhost sites]# chcon -t httpd_config_t default.conf

[root@localhost sites]# ls -Z
-rw-r--r-- root root root:object_r:httpd_config_t default.conf
-rw-r--r-- root root root:object_r:httpd_config_t site1.conf
-rw-r--r-- root root root:object_r:httpd_config_t site2.conf

Same goes on the site folders and files.

And it’s all good now. I’ll probably make some script to create these things automatically so I won’t have to deal with these issues every other year when I decide to put up a new site.
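Since the post ends with the intent to script this, here is an added example (not from the original post) that reads `ls -Z` output, flags every file whose SELinux type is not httpd_config_t, and prints the matching chcon for it. The listing is a constructed sample in the layout shown above; the parser also handles newer ls versions that print only context and file name, and the comments note how to make the label survive a relabel, which plain chcon does not.

```shell
#!/bin/sh
# Added example (not from the original post): find Apache config files carrying the
# wrong SELinux type and print the chcon needed for each. Constructed `ls -Z` output
# in the RHEL/CentOS 6 layout shown in the post (context is the next-to-last field,
# file name the last, which also holds for newer coreutils that print only those two).
SAMPLE_LS_Z='-rw-r--r-- root root root:object_r:default_t default.conf
-rw-r--r-- root root root:object_r:httpd_config_t site1.conf
-rw-r--r-- root root unconfined_u:object_r:user_home_t:s0 site3.conf
-rw-r--r-- root root root:object_r:httpd_config_t site2.conf'

# Read `ls -Z` lines on stdin; print "chcon -t TYPE FILE" for every file whose type
# (third colon-separated field of user:role:type[:level]) differs from TYPE.
# Default TYPE is httpd_config_t, the label Apache is allowed to read configs from.
# Lines without a context field (e.g. "total N") are skipped; file names containing
# whitespace are not handled.
chcon_fixes() {
  awk -v want="${1:-httpd_config_t}" '
    NF >= 2 && index($(NF-1), ":") {
      split($(NF-1), ctx, ":")
      if (ctx[3] != want) printf "chcon -t %s %s\n", want, $NF
    }'
}

# Relabel the current directory: "-n" only prints the commands, anything else runs them.
# chcon changes are lost on a filesystem relabel (restorecon / autorelabel); to make
# the label permanent, register the path once and let restorecon apply it, e.g.
#   semanage fcontext -a -t httpd_config_t "/etc/httpd/sites(/.*)?"
#   restorecon -Rv /etc/httpd/sites
fix_dir_labels() {
  if [ "$1" = "-n" ]; then ls -Z | chcon_fixes; else ls -Z | chcon_fixes | sh; fi
}

# Offline demo on the constructed listing:
printf '%s\n' "$SAMPLE_LS_Z" | chcon_fixes
```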

CentOS modulez.cgz

January 2nd, 2014

So I was trying to install a StarTech 1-port PCI Express eSATA II controller card in one of my Linux servers, and according to the included readme/manual, one would do:
modules.cgz | gunzip | cpio -ivH crc
as one of the first steps to copy out the proper files for the current kernel.
Unfortunately, there are a few issues with the zip file you download from their site:
1. – the executable files are not executable (the bit is not set) so one must chmod +x on them
2. – the command above fails with
-bash: modules.cgz: command not found

So after googling a bit, I found that one should do:
gunzip < modules.cgz | cpio -ivH crc

That takes care of that issue. The next problem I bumped into was that the "copy the modules.cgz to a destination directory" instruction was not clear enough. We're not talking about any destinations here. The problem started from the insmod call, which would report
insmod: can't read 'si3531r5': No such file or directory
and the same for
insmod: can't read 'si3531r5.ko': No such file or directory
even when copying into /lib/modules/`uname -r`/kernel/drivers/scsi/, which seemed the logical thing to do.
Then it hit me: there's a list of modules that are loaded, which was not updated. So I did
echo kernel/drivers/scsi/si3531r5.ko >>/lib/modules/`uname -r`/modules.dep
and then
depmod -a

and finally, I did
modprobe si3531r5
which, obviously, failed:
FATAL: Error inserting si3531r5 (/lib/modules/2.6.32-358.11.1.el6.x86_64/kernel/drivers/scsi/si3531r5.ko): Invalid module format

so I hit dmesg which shows:
si3531r5: version magic '2.6.9-22.ELsmp SMP gcc-3.4' should be '2.6.32-358.11.1.el6.x86_64 SMP mod_unload modversions '

Trying to find sources for the driver in order to recompile it, failed. Nothing, nowhere.

So, it is time to appeal to their technical support. Hopefully, it will be a positive experience.

Experts-Exchange. So your account is suspended? How about helping us out anyway?

December 10th, 2013

Well, well, well. So I got a few emails today from Experts-Exchange (other than the usual "hey, look, a new question" ones. I filter those to the trash auto-magically; also, I emailed them about the issue and asked them to do something so I won't get notifications. To no avail.). For those who don't know, my account was suspended there quite some years ago, and it is still suspended.

So, first email looks like this:

Congratulations ciuly!

Because of your expertise, you have been selected to be a designated expert for the following topics:

Delphi Components

You will automatically receive email alerts for questions that become neglected in these topics. If your solution is accepted, you will receive bonus points.

To add or remove topics, visit the Designated Expert section in your Account Settings.

Thanks for your participation, and welcome to the Designated Expert program!

Sincerely,
The Experts Exchange Team

The second email is almost identical, but for the “Delphi IDE” section.

Now isn’t that funny? They kicked me out and now they want me to help them a bit. So I go to Account Settings, thinking maybe they un-suspended my account. Really? Keep dreaming.
Ok, so I expect to receive some question notifications as a designated expert. A new trash filter should take care of those.

So next 2 emails. Now these are the topping.

Congratulations, ciuly!

You have achieved a Guru ranking in Delphi IDE by earning 0 points! To celebrate your new rank, we’d like to send you a free Experts Exchange t-shirt.

Redeem your shirt here:
http://www.experts-exchange.com/editProfile.jsp?ts=rewards&ts=shirts&cid=384

Certification Level: Guru
Topic Area: Delphi IDE
Points: 0

While you are waiting to get your shirt, you can preview your new certification here:
http://www.experts-exchange.com/editProfile.jsp?ts=rewards&ts=certificates&cid=2358

Share the news:

Share on Facebook Share on Twitter Share on Linked In Share on Google Plus

Thanks for all your hard work!

Sincerely,
The Experts Exchange Team

and the same for the next email but with

Certification Level: Master
Topic Area: Delphi Components
Points: 0

Well, they can be sure of one thing: I am sharing this with everyone, right now 🙂
Who would have thought you can get a certification with 0 points? And a t-shirt to match it?
Too bad I can’t redeem them because, hey, my account is still suspended. I had some other t-shirts and stuff wasted because of this same problem with account suspension, so I don’t cry over them.

But I can't stop laughing. Certification for 0 points? Damn I'm good.

Fix firefox/chrome password save and autofill on yahoo and other sites using autocomplete=off

November 4th, 2013

As the title says. The fix is a Greasemonkey script for Firefox (a userscript for other browsers) which simply turns autocomplete=off into autocomplete=on, solving this part of the problem with Yahoo sites and maybe others.
The fix is an update of an already existing script I made a few years back. Check it out at http://www.ciuly.com/gm/

So I am switching from yahoo email to gmail

October 31st, 2013

I gave the new Yahoo interface a try. I let it run for a while. Tried to use it, be friends with it. But it just isn't working out.
I rely heavily on filters and folders. So my email gets into folders. Which is not made visible in any way, or at least I wasn't able to figure it out.
They should have made the Folder group report unread emails just as Inbox and the rest do, so that I know that hey, some folders have some unread emails.

I missed a few pretty important emails (the kind that could make money). So after losing a few, I am officially dropping this new "crap" Yahoo email interface and moving over to Gmail.

Why they couldn't have left the option of using the old interface in parallel, as they did other times, is beyond me.

TWICImage Access Violation in Delphi 2010 on second usage

August 11th, 2013

Been playing a bit with TWICImage in Delphi 2010 for a scaling thing and noticed there was an access violation when using it the "regular" way: create – use – free, create again – use – free.
Googling didn't explain it, so I took a peek at the code and noticed it was using a singleton for a private member which would be destroyed once the reference count reached 0.

There is one valid workaround for it (well, more, but I'll present one):
– define a global variable of type TWICImage.
– in the initialization section of the unit, create a TWICImage instance and assign it to this variable.
– in finalization, destroy it.


unit WicImageFix;

interface

uses
  Graphics; // TWICImage lives in Graphics in Delphi 2010

implementation

var
  dummy: TWICImage = nil;

initialization
  dummy := TWICImage.Create; // holds the private singleton's refcount above 0 for the app's lifetime
finalization
  dummy.Free;
end.

No more AV, since the refcount will never drop to 0 until the app closes.

So all these sites around the net get hacked these days

July 26th, 2013

The method? Stupid people, like myself, using the same password on many sites. Ups 😐

Ok, so I’ve been on the internet since like .. 15 years or so and back then my security paranoia wasn’t this advanced. My short memory wasn’t this short either so back then I would use a set of the same passwords. I can really only recall 2 of them now and they were maybe like 10 or so back in the day.

Anyway, I’ve got a lot of accounts since then which use that same old password. Correction. Had 😀

I just went over my keepass list (god do I have many accounts) and changed each and every one of them to a password that is unique to that account.

Phew.

So … sites getting hacked, ha? Ok, paranoia level increased.
