
How To: Securely Share Storage using NFS


Comments

  • @Daniel15 said:
    If you're using HostHatch, make sure you enable "jumbo frames" by setting the MTU to 9000, for best performance. On Debian, edit /etc/network/interfaces and add mtu 9000 under the relevant section (I think both their public and internal networks support jumbo frames).

    You can double-check the MTU values by checking /sys/class/net/<device>/mtu:

    root@chi03:~#  cat /sys/class/net/eth1/mtu
    9000
    root@chi03:~#  cat /sys/class/net/wg0/mtu
    8920
    

    (as per https://lists.zx2c4.com/pipermail/wireguard/2017-December/002201.html, WireGuard has overhead of 80 bytes per packet, hence the slightly lower MTU for the WireGuard interface).

    I was getting 380 Mb/s using WireGuard between two VPSes (measured using iperf3), but after bumping the MTU from 1500 to 9000 I'm now getting 1.4 Gb/s over the VPN.

    Both VPS are HostHatch?

    How to know if other providers aside from HostHatch support this?

  • @ravenchad said:

    @Daniel15 said:
    If you're using HostHatch, make sure you enable "jumbo frames" by setting the MTU to 9000, for best performance. On Debian, edit /etc/network/interfaces and add mtu 9000 under the relevant section (I think both their public and internal networks support jumbo frames).

    You can double-check the MTU values by checking /sys/class/net/<device>/mtu:

    root@chi03:~#  cat /sys/class/net/eth1/mtu
    9000
    root@chi03:~#  cat /sys/class/net/wg0/mtu
    8920
    

    (as per https://lists.zx2c4.com/pipermail/wireguard/2017-December/002201.html, WireGuard has overhead of 80 bytes per packet, hence the slightly lower MTU for the WireGuard interface).

    I was getting 380 Mb/s using WireGuard between two VPSes (measured using iperf3), but after bumping the MTU from 1500 to 9000 I'm now getting 1.4 Gb/s over the VPN.

    Both VPS are HostHatch?

    How to know if other providers aside from HostHatch support this?

    Both are with HostHatch, yes. I was testing via the internal network (even though it's internal, it's not isolated and is shared between other HostHatch customers at the same location, so encryption is still beneficial).

    You'd need to ask the provider whether they support "jumbo frames". If they don't support jumbo frames and you increase the MTU, it'll actually hurt performance quite a bit, as each frame will need to be fragmented (or rejected altogether).

    Thanked by 1ravenchad
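
The MTU check from the posts above, as an added example that is not part of the thread: it reads both MTUs from sysfs, confirms the WireGuard interface leaves room for the 80 bytes of overhead, and offers a don't-fragment ping to test whether a path really carries jumbo frames. The function names and the optional sysfs-root argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare tunnel MTU with the underlay MTU.
WG_OVERHEAD=80   # per-packet WireGuard overhead cited in the thread

# read_mtu DEV [SYSFS_ROOT] -> prints the MTU of DEV
read_mtu() {
    cat "${2:-/sys/class/net}/$1/mtu"
}

# max_tunnel_mtu UNDERLAY_MTU -> largest tunnel MTU that avoids fragmentation
max_tunnel_mtu() {
    echo $(( $1 - WG_OVERHEAD ))
}

# df_probe_size MTU -> ICMP payload that exactly fills one IPv4 packet
df_probe_size() {
    echo $(( $1 - 28 ))   # 20-byte IPv4 header + 8-byte ICMP header
}

# probe_path HOST MTU -> ping with "don't fragment" set; it fails if any
# hop between the two hosts cannot carry a packet of MTU bytes.
probe_path() {
    ping -c 3 -M do -s "$(df_probe_size "$2")" "$1"
}

# check_tunnel_mtu UNDERLAY_DEV TUNNEL_DEV [SYSFS_ROOT]
# returns 0 if the tunnel MTU fits, 1 if it is too large, 2 on read error
check_tunnel_mtu() {
    under=$(read_mtu "$1" "$3") || return 2
    tun=$(read_mtu "$2" "$3") || return 2
    limit=$(max_tunnel_mtu "$under")
    if [ "$tun" -gt "$limit" ]; then
        echo "FAIL: $2 mtu $tun > $limit ($1 mtu $under - $WG_OVERHEAD)"
        return 1
    fi
    echo "OK: $2 mtu $tun <= $limit"
}

# Stand-alone use: ./mtu-check.sh eth1 wg0
if [ "$#" -ge 2 ]; then check_tunnel_mtu "$@"; fi
```
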
  • Another tip: Create a drop-in service configuration file /etc/systemd/system/nfs-server.service.d/after-wireguard.conf

    [Unit]
    [email protected]
    

    to make nfs server start after WireGuard is up. This can reduce chance of errors/problems during server reboot

  • Thank you for the tutorial. I will use this now on my flimsy HostSolutions 2TB server.

  • I always end up with a Read Only file system when I try NFS via Wireguard tutorials 😑

    Makes me lose my shit

  • Using AUTH_SYS and Export Controls can securely share storage

  • @icry said:
    I always end up with a Read Only file system when I try NFS via Wireguard tutorials 😑

    Makes me lose my shit

    Make sure you have rw in the export and that the client's user id (id command) is one that has access to the exported folder.

  • @Chocoweb said:
    Another tip: Create a drop-in service configuration file /etc/systemd/system/nfs-server.service.d/after-wireguard.conf

    [Unit]
    [email protected]
    

    to make nfs server start after WireGuard is up. This can reduce chance of errors/problems during server reboot

    This is a great tip! Thank you :)

    @sumeethannurkar said: Using AUTH_SYS and Export Controls can securely share storage

    I think AUTH_SYS is what's used by default. The connection is unencrypted so you'll want to use encryption (e.g. WireGuard) for it to be secure, unless you're on an isolated private network. Not sure which providers isolate their private network... BuyVM definitely do.

    @icry said:
    I always end up with a Read Only file system when I try NFS via Wireguard tutorials 😑

    Makes me lose my shit

    What error are you getting? You likely need to chown the directory to the correct uid, or use idmap to map it across to the right ID.

  • ravenchad Member
    edited January 2021

    @Daniel15 said:

    @Chocoweb said:
    Another tip: Create a drop-in service configuration file /etc/systemd/system/nfs-server.service.d/after-wireguard.conf

    [Unit]
    [email protected]
    

    to make nfs server start after WireGuard is up. This can reduce chance of errors/problems during server reboot

    This is a great tip! Thank you :)

    @sumeethannurkar said: Using AUTH_SYS and Export Controls can securely share storage

    I think AUTH_SYS is what's used by default. The connection is unencrypted so you'll want to use encryption (e.g. WireGuard) for it to be secure, unless you're on an isolated private network. Not sure which providers isolate their private network... BuyVM definitely do.

    @icry said:
    I always end up with a Read Only file system when I try NFS via Wireguard tutorials 😑

    Makes me lose my shit

    What error are you getting? You likely need to chown the directory to the correct uid, or use idmap to map it across to the right ID.

    I think I got the same write permission issue as well with Ubuntu at the client side, so I changed the folder to chmod -r 777 and it solved my issue. Kindly let me know if there's a better solution to this. These are the small things that are missing in the guide ;)
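
An added example, not from the thread, that checks the two things suggested in the replies above (the rw option in the export and the numeric owner of the exported directory) so the directory does not have to be made world-writable. The function names and the idea of passing the exports file as an argument are assumptions; client matching is exact-string only and does not evaluate subnets or wildcards, and only the owner is checked, not group access.

```shell
#!/bin/sh
# export_mode EXPORTS_FILE PATH CLIENT -> prints "rw", "ro" or "none"
export_mode() {
    awk -v p="$2" -v c="$3" '
        /^[[:space:]]*#/ { next }
        $1 == p {
            for (i = 2; i <= NF; i++) {
                split($i, part, "(")
                if (part[1] != c) continue
                opts = part[2]; sub(/\)$/, "", opts)
                n = split(opts, o, ",")
                mode = "ro"          # exports(5): ro unless rw is given
                for (j = 1; j <= n; j++) if (o[j] == "rw") mode = "rw"
                print mode; found = 1; exit
            }
        }
        END { if (!found) print "none" }
    ' "$1"
}

# owner_matches DIR UID -> 0 if DIR is owned by numeric UID.
# AUTH_SYS sends the client's numeric uid, so the number on the server
# has to match, not the user name. (stat -c is GNU coreutils.)
owner_matches() {
    [ "$(stat -c %u "$1")" = "$2" ]
}

# diagnose EXPORTS_FILE PATH CLIENT CLIENT_UID  (run on the NFS server)
diagnose() {
    mode=$(export_mode "$1" "$2" "$3")
    if [ "$mode" != "rw" ]; then
        echo "export is '$mode' for $3: add rw, then run exportfs -ra"
        return 1
    fi
    if ! owner_matches "$2" "$4"; then
        echo "$2 is not owned by uid $4: chown it to that uid or map ids"
        return 1
    fi
    echo "rw export and matching owner for uid $4"
}

# Stand-alone use: ./nfs-diagnose.sh /etc/exports /srv/share 10.0.0.2 1000
if [ "$#" -eq 4 ]; then diagnose "$@"; fi
```
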

  • @Chocoweb said: to make nfs server start after WireGuard is up. This can reduce chance of errors/problems during server reboot

    It may be worth looking at a Requires= line as well if you don't want it to come up if that interface doesn't.
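
The drop-in from the earlier tip combined with the Requires= suggestion above, as an added example that is not code from the thread. The unit name in the posts did not survive extraction, so `wg-quick@wg0.service` in the usage line is an assumption, as are the function names. Requires= alone does not order the two units; it is the pair After= plus Requires= that keeps nfs-server from starting when the tunnel unit fails.

```shell
#!/bin/sh
# write_nfs_dropin WG_UNIT [SYSTEMD_DIR] -> writes the drop-in, prints its path
write_nfs_dropin() {
    unit=$1
    dir="${2:-/etc/systemd/system}/nfs-server.service.d"
    mkdir -p "$dir" || return 1
    cat > "$dir/after-wireguard.conf" <<EOF
[Unit]
# Start nfs-server only after the tunnel unit has finished starting.
After=$unit
# With After= set, a failed start of the tunnel unit also fails nfs-server.
Requires=$unit
EOF
    echo "$dir/after-wireguard.conf"
}

# dropin_is_fail_closed FILE UNIT -> 0 only if both directives name UNIT
dropin_is_fail_closed() {
    grep -qxF "After=$2" "$1" && grep -qxF "Requires=$2" "$1"
}

# Stand-alone use (as root), assumed unit name:
#   ./nfs-dropin.sh wg-quick@wg0.service
#   systemctl daemon-reload
#   systemctl show nfs-server.service -p After -p Requires
if [ "$#" -ge 1 ]; then write_nfs_dropin "$@"; fi
```
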

  • Tnx

  • @Daniel15 said:
    @youandri For backups I use Borgbackup and [Backupninja

    command="borg serve --append-only --restrict-to-path /backup/syd01",restrict ssh-ed25519 AAAA........ [email protected]

    You should mention that in --append-only mode you cannot prune backups in Borg.

    You sending prune command from another server as cronjob or sth like this?

    Hope that Borg will work as server > client mode in future OOTB :)

  • Daniel15 Veteran
    edited January 2021

    @lyb9b said: You should mention that in --append-only mode you cannot prune backups in Borg.

    That's a good point. I use --append-only mode so that if someone gains access to any of the backed up servers, they can't just delete all the backups :)

    @lyb9b said: You sending prune command from another server as cronjob or sth like this?

    I'm currently not pruning at all. My backups are going to a storage VPS with 2TB space, and less than 400 GB space is used at the moment. I'll figure out the best way to prune them when I get closer to running out of space :tongue:

    One approach is to have two SSH keys: One key for regular backups in --append-only mode, and one key for management that does not run in --append-only mode and thus gets full access (which I'd keep more secure). This is what is documented in Borg's docs: https://borgbackup.readthedocs.io/en/stable/usage/notes.html#append-only-mode.

  • Using AUTH_SYS and Export Controls can securely share storage

  • benj0x Member
    edited February 2021

    Thank you for publishing such a nice tutorial.

    I'm having some issues with the cache part explained in your tutorial. After adding "fsc" to my fstab file, I'm facing, whilst the remounting, the following problem:
    "mount.nfs4: an incorrect mount option was specified"

    I have strictly followed your tutorial to achieve similar conditions and a more likely success, but it didn't really work out.

    Could you help me with this issue? I'm running a fresh Ubuntu 20.04 LTS installation on the client and Debian 10 on the host & went strictly with your tutorial.

    My mount works fine without having "fsc" in my fstab file.
    cachefilesd is installed, the "RUN=yes" is uncommented.
