Describes the prerequisites and the process of starting the mapr-loopbacknfs service
to access a secure cluster.
The following instructions explain how to start the loopbacknfs service so you can access
either a non-secure or secure cluster.
To access multiple clusters, ensure that the first cluster that you configure is an HPE Ezmeral Data Fabric 4.0.2 or
later cluster, with available POSIX client licenses.
Prerequisites for accessing a secure cluster:
- Ensure that the stock Linux NFS service is not running. Linux NFS and HPE Ezmeral Data Fabric NFS
cannot run concurrently.
- Disable the lock manager (nlockmgr).
- Check that the rpcbind service is running on RHEL and CentOS v6.0 and higher. You can use
the command ps ax | grep rpcbind to check.
- Check that the portmapper service is running on RHEL and CentOS v5.x and lower, and on
Ubuntu and SUSE. You can use the command ps ax | grep portmap to check.
- Make sure you have applied a Community Edition (M3) license or an Enterprise Edition
(M5) license (paid or trial) to the cluster. See Adding a License.
- Enable security for the cluster. See Enabling Wire-level Security and
Disabling Wire-level Security.
- Generate a user ticket. See Generating a HPE Ezmeral Data Fabric User Ticket for
instructions. If you do not already have an HPE Ezmeral Data Fabric user ticket with full control
Access Control List (ACL) authorization on the cluster, you must have a cluster
administrator do this for you.
  - In the HPE Ezmeral Data Fabric cluster, navigate to the server node to which you want
  to connect.
  - First, run maprlogin password to log in. The user who logs in must be a privileged
  user, such as the mapr superuser.
  - Next, run maprlogin generateticket -type service -user <user> -duration 365:0:0 -out <file>
  to generate the user ticket. The <user> for whom the ticket is generated can be any user.
  If the service ticket expires, the POSIX client:
    - Automatically uses the renewed service ticket without requiring a
    restart, if the ticket is replaced before expiration (ticket expiry time
    + grace period of 55 minutes). If the ticket is replaced after expiration
    (which is ticket expiry time + grace period of 55 minutes), the POSIX
    loopbacknfs client does not refresh the ticket as the mount becomes
    stale.
    - Allows impersonation if a service ticket is replaced before ticket
    expiration (which is ticket expiry time + grace period of 55 minutes)
    with a servicewithimpersonation ticket.
    - Honors all changes in user/group IDs of the renewed ticket.
- Copy the user ticket file from the cluster server node where you generated it to the
/usr/local/mapr-loopbacknfs/conf directory on the client machine
where the HPE Ezmeral Data Fabric POSIX client runs.
Note: Since the NFS server runs based on a single user's ticket, it can act on behalf of only one
user. Therefore, the UID or GID associated with the ticket must match the UID or GID of
any user who accesses the NFS server through the HPE Ezmeral Data Fabric POSIX Client.
Note: Securing the cluster so that only one user can have secure access provides
tight control over cluster access, but it also means that any user on the client who is
able to read the generated ticket has read access to all data in the
cluster.
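Example (added here, not part of the HPE documentation): because anyone who can read the ticket file gains the ticket's access, this shell function reports whether users other than the file's owner can read the ticket or write to the directory that holds it. The function name audit_ticket is hypothetical, the ticket path is passed as an argument because the page does not name the file, and POSIX ACLs are not examined.

```shell
#!/bin/sh
# Added example, not HPE code. audit_ticket is a hypothetical helper name.
# Usage: audit_ticket /usr/local/mapr-loopbacknfs/conf/<file>
# Returns 0 when only the owner can read the ticket, non-zero otherwise.
audit_ticket() {
    ticket=$1
    findings=0
    # Refuse symlinks and anything that is not a regular file.
    if [ -L "$ticket" ] || [ ! -f "$ticket" ]; then
        echo "FAIL: $ticket is missing or not a regular file"
        return 1
    fi
    # Symbolic mode strings, e.g. "-rw-------" and "drwx------".
    fmode=$(ls -ld -- "$ticket" | cut -c1-10)
    dmode=$(ls -ld -- "$(dirname "$ticket")" | cut -c1-10)
    # Character 5 is the group read bit, character 8 the other read bit.
    if [ "$(printf '%s' "$fmode" | cut -c5)" = "r" ]; then
        echo "FAIL: ticket is group-readable ($fmode)"
        findings=$((findings + 1))
    fi
    if [ "$(printf '%s' "$fmode" | cut -c8)" = "r" ]; then
        echo "FAIL: ticket is world-readable ($fmode)"
        findings=$((findings + 1))
    fi
    # Characters 6 and 9 are the group and other write bits of the directory.
    # Write access there lets another local user replace the ticket file.
    case $(printf '%s' "$dmode" | cut -c6,9) in
        *w*)
            echo "FAIL: directory is writable by group or other ($dmode)"
            findings=$((findings + 1))
            ;;
    esac
    if [ "$findings" -eq 0 ]; then
        echo "OK: only the owner can read $ticket"
    fi
    return "$findings"
}

# Run the audit when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_ticket "$1"
fi
```

Run it against the copied ticket file before starting the service; each FAIL line can be cleared by tightening the mode of the file or of the conf directory with chmod.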
Start the mapr-loopbacknfs service and mount the volume
Complete the following steps from your client node, except where noted, to start the
mapr-loopbacknfs service and mount the volume:
Note: If cluster security is enabled, the ticket that you generated using the preceding
procedure must be available or the NFS server does not start.
- Start the mapr-loopbacknfs service from the command line.
    service mapr-loopbacknfs start
- Create a mount point at /mapr and mount the client node to it.
    mkdir /mapr
    mount localhost:/mapr /mapr
- You can also automate the mounting of the volume with every launch of the
mapr-loopbacknfs service. On the POSIX client node, create
/usr/local/mapr-loopbacknfs/conf/mapr_fstab and add the following line:
    localhost:/mapr /mapr hard,nolock