How to add mount option nodev for /var/lib/nfs/rpc_pipefs partition on RHEL 7

Recently latest vulnerability found on Red Hat Enterprise Linux 7 system during audit by security team. According to audit team, 'nodev' need to be an added mount for /var/lib/nfs/rpc_pipefs partition. 

To resolve this vulnerability please perform the below steps as suggested by Red Hat.

1. We need to create Drop-In directory for var-lib-nfs-rpc_pipefs.mount

[root@redhat001:~]# mkdir -p /etc/systemd/system/var-lib-nfs-rpc_pipefs.mount.d/

2. Now we need to create configuration file adding this mount point

[root@redhat001:~]# printf '[Mount]\nOptions=nodev\n' > /etc/systemd/system/var-lib-nfs-rpc_pipefs.mount.d/99-nodev.conf

3. Please take a reload of daemon service

[root@redhat001:~]# systemctl daemon-reload

now please take a restart of mount services.

[root@redhat001:~]# systemctl restart var-lib-nfs-rpc_pipefs.mount

Using above steps we can add mount option nodev for /var/lib/nfs/rpc_pipefs parition on rhel7. To verify the mount point you can run the below command

[root@redhat001:~]#grep rpc /proc/self/mounts

sunrpc /var/lib/nfs/rpc_pipefs rpc_pipefs rw,nodev,relatime 0 0

If you see above output, nodev option has been successfully mount. This is straight steps need to follow to resolve such vulnerability. 

NFS Stale File Handle error and solution

In linux machine we have NFS mounted directories sometimes contain stale file handles. If you run command such as ls or vi you will see an error

# ls

.: Stale File Handle

Before moving to fix this issue first we need to understand the concept of Stale File Handle.

A filehandle becomes stale whenever the file or directory referenced by the handle is removed by another host.

while your client still holds an active reference to the object. A typical example occurs when the current directory of a process, running on your client, is removed on the server (either by a process running on the server or on another client).

So this can occur if the directory is modified on the NFS server, but the directories modification time is not updated.

To fixed this issue, the best solution is to remount directory from the NFS client using mount command.

# umount -f /test

# mount -t nfs nfsserver:/path/to/share /test

Job for nfs-server.service failed because the control process exited with error code. See "systemctl status nfs-server.service" and "journalctl -xe" for details. Resolution

On Red Hat Linux 7 operating system, some time you will get below NFS service failed error message.

"Job for nfs-server.service failed because the control process exited with error code. See "systemctl status nfs-server.service" and "journalctl -xe" for details."

The above error occur when you are taking restart of nfs service.

# systemctl restart nfs.service
Job for nfs-server.service failed because the control process exited with error code. See "systemctl status nfs-server.service" and "journalctl -xe" for details.
Resolution

# systemctl status nfs-server.service
nfs-server.service - NFS server and services
   Loaded: loaded (/usr/lib/systemd/system/nfs-server.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2018-04-27 09:56:08 IST; 8s ago
  Process: 21370 ExecStopPost=/usr/sbin/exportfs -f (code=exited, status=0/SUCCESS)
  Process: 21366 ExecStopPost=/usr/sbin/exportfs -au (code=exited, status=0/SUCCESS)
  Process: 21362 ExecStop=/usr/sbin/rpc.nfsd 0 (code=exited, status=0/SUCCESS)
  Process: 21273 ExecStart=/usr/sbin/rpc.nfsd $RPCNFSDARGS (code=exited, status=0/SUCCESS)
  Process: 2714 ExecStartPre=/usr/sbin/exportfs -r (code=exited, status=1/FAILURE)
 Main PID: 21273 (code=exited, status=0/SUCCESS)

Apr 27 09:56:07 localhost.redhat.com systemd[1]: Starting NFS server and services...
Apr 27 09:56:08 localhost.redhat.com exportfs[2714]: exportfs: Failed to resolve foobar.com <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Apr 27 09:56:08 localhost.redhat.com exportfs[2714]: exportfs: Failed to resolve foobar.com <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Apr 27 09:56:08 localhost.redhat.com systemd[1]: nfs-server.service: control process exited, code=exited status=1
Apr 27 09:56:08 localhost.redhat.com systemd[1]: Failed to start NFS server and services.
Apr 27 09:56:08 localhost.redhat.com systemd[1]: Unit nfs-server.service entered failed state.
Apr 27 09:56:08 localhost.redhat.com systemd[1]: nfs-server.service failed.

To resolve such issue you need to follow the below process.

You need to check which NFS version rpm is installed on the server.

#rpm -qa | grep nfs

the above command show you the installed nfs version.

Normally the above error occur due to lower version on nfs, so to resolve the issue you need to upgrade the nfs version.

installed the latest nfs rpm nfs-utils-1.3.0-0.33.el7 or later

#yum install nfs

The above command upgrade the nfs rpm, or you can download the manually rpm file and installed it through rpm -uvh command.

After that restart the nfs service again.

# systemctl restart nfs.service

it is started successfully, you can check the status via below command.

# systemctl status nfs.service

[root@localhost ~]# systemctl status nfs.service
● nfs-server.service - NFS server and services
   Loaded: loaded (/usr/lib/systemd/system/nfs-server.service; disabled; vendor preset: disabled)
  Drop-In: /run/systemd/generator/nfs-server.service.d
           └─order-with-mounts.conf
   Active: active (exited) since Thu 2018-04-27 03:47:57 IST; 18h ago
  Process: 32477 ExecStart=/usr/sbin/rpc.nfsd $RPCNFSDARGS (code=exited, status=0/SUCCESS)
  Process: 32472 ExecStartPre=/bin/sh -c /bin/kill -HUP `cat /run/gssproxy.pid` (code=exited, status=0/SUCCESS)
  Process: 32469 ExecStartPre=/usr/sbin/exportfs -r (code=exited, status=0/SUCCESS)
 Main PID: 32477 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/nfs-server.service

Apr 26 03:47:57 localhost systemd[1]: Starting NFS server and services...
Apr 26 03:47:57 localhost systemd[1]: Started NFS server and services.

NFS mount on Solaris 11 Non-Global zones systems

In this article, we would learn how we mount folder from one Non-Global zone to another zone on Solaris 11 operating system using network file sharing.

For an example, we can use take a two local zone "sunz01" & "sunz02". We will mount one folder named "/export/backup" from "sunz01" local zone to another zone "sunz02" on "/project/export/data" location.

Step by Step method of NFS mount on Solaris 11:
 

➦ In the first step we will create the directory on "sunz02" zone where we want to mount the folder.

sunz02#mkdir /project/export/data
 

➦ In second step, we will make a configuration for this process. So for this work you need to login on global zone with root access and make an entry on the dfstb configuration file.

sun#vi /etc/dfs/dfstab

share -F nfs -o rw=sunz02 /zones/sunz01/root/export

If you see the above entry, we have provided the read/write access to directory on sunz02 server where we mount the folder from sunz01 local zone.
 

➦ In next step you need to login on sunz02 server and mount the shared folder using below command.

sunz02#mount sun:/zones/sunz01/root/export/backup /project/export/data
 

➦ Once you run the above command the folder is mount from one local zone to another zone temporarily. You can go to the directory and verify that the data which is listed on /export/backup folder is show on sunz02 directory.
 

➦ In the last step you need to restart the NFS service on the global zone so the configuration files and other changes makes affect. But these configuration are available until we are not taking reboot of the zone.

If you have any query regarding this topic, please post your comment here, we will get back to you shortly.