"Connection timed out" when mounting file storage service on OCI instances


Issue - 

I recently hit the 'Connection timed out' error below when trying to mount a freshly created OCI file system. I would like to share the experience and document it for future reference.

I am using public and private subnets, each with its own security list. The file system was created in the private subnet, and mounting it from an instance in the same private subnet failed as follows:


$ sudo mount -v 10.3.2.10:/fssfortestcomp /mnt/fssfortestcomp
mount.nfs: timeout set for Wed Sep  9 06:27:20 2020
mount.nfs: trying text-based options 'vers=4.1,addr=10.3.2.10,clientaddr=10.3.2.2'
mount.nfs: mount(2): Connection timed out


Below is the list of ports that need to be open for mounting a File Storage service file system on OCI instances in a private or public subnet.


Solution - 

Update Security List Rules -

Note that the destination ports must be opened in the security list of the subnet where the file system was created. These ports ensure that the source OCI instances can reach the NFS services (nfsd, rpcbind, etc.) running on the file storage service.


Ingress Rules -

Rule Type  Protocol  Source Port Range  Destination Port Range  Stateful/Stateless
Ingress    TCP       All                111                     Stateful
Ingress    TCP       All                2048                    Stateful
Ingress    TCP       All                2049                    Stateful
Ingress    TCP       All                2050                    Stateful
Ingress    UDP       All                111                     Stateful
Ingress    UDP       All                2048                    Stateful


Egress rules -

Rule Type  Protocol  Source Port Range  Destination Port Range  Stateful/Stateless
Egress     TCP       All                111                     Stateful
Egress     TCP       All                2048                    Stateful
Egress     TCP       All                2049                    Stateful
Egress     TCP       All                2050                    Stateful
Egress     UDP       All                111                     Stateful
Egress     UDP       All                2048                    Stateful


Mount attempt after updating the security list rules -

$ sudo mount -v 10.3.2.10:/fssfortestcomp /mnt/fssfortestcomp
mount.nfs: timeout set for Wed Sep  9 06:42:49 2020
mount.nfs: trying text-based options 'vers=4.1,addr=10.3.2.10,clientaddr=10.3.2.2'
mount.nfs: mount(2): Protocol not supported
mount.nfs: trying text-based options 'vers=4.0,addr=10.3.2.10,clientaddr=10.3.2.2'
mount.nfs: mount(2): Protocol not supported
mount.nfs: trying text-based options 'addr=10.3.2.10'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 10.3.2.10 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 10.3.2.10 prog 100005 vers 3 prot UDP port 2048
mount.nfs: portmap query retrying: RPC: Timed out
mount.nfs: prog 100005, trying vers=3, prot=6
mount.nfs: trying 10.3.2.10 prog 100005 vers 3 prot TCP port 2048


Check the newly added mount -
$ showmount -e 10.3.2.10
Export list for 10.3.2.10:
/fssfortestcomp (everyone)

A question may arise here: why do we explicitly create egress rules when stateful ingress rules are already in place?

Think of it as if there were a firewall attached to every (virtual) network card.
Traffic flows like so:

Request
Instance1(request)===>VNIC_instance1===>network===>VNIC_nfsfilesystem===>nfsfilesystem 

Response
nfsfilesystem(answer)===>VNIC_nfsfilesystem===>network===>VNIC_instance1===>Instance 1 


First, the request has to leave OCI instance 1 for the network, so the first rule evaluated is an egress rule on instance 1. At that point in time no ingress rule has been evaluated yet (there has been no ingress traffic anywhere), so no connection state from the stateful ingress rule exists.
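To tie the two rule tables and the egress explanation together, here is an added audit script (my own example, not from the original post or from Oracle) that takes a security list in the JSON shape the OCI CLI prints for `oci network security-list get` (assumed: kebab-case keys such as `ingress-security-rules`, `is-stateless`, `tcp-options.destination-port-range`) and reports which of the documented NFS ports are still missing in each direction. The sample security lists are constructed inline.

```python
import json

TCP, UDP = "6", "17"   # OCI encodes the protocol as its IANA number, as a string
# Ports from the post: TCP 111/2048/2049/2050 and UDP 111/2048, ingress and egress.
REQUIRED = {(TCP, p) for p in (111, 2048, 2049, 2050)} | {(UDP, p) for p in (111, 2048)}


def _covered(rule):
    """(protocol, port) pairs from REQUIRED that one stateful rule permits."""
    proto = rule.get("protocol")
    if rule.get("is-stateless"):
        return set()   # the post relies on stateful rules; a stateless rule needs its own reverse rule
    if proto == "all":
        return set(REQUIRED)
    if proto not in (TCP, UDP):
        return set()   # e.g. ICMP: irrelevant to NFS
    opts = rule.get("tcp-options" if proto == TCP else "udp-options") or {}
    rng = opts.get("destination-port-range")
    if rng is None:    # no destination range means every port of that protocol
        return {(pr, p) for pr, p in REQUIRED if pr == proto}
    return {(pr, p) for pr, p in REQUIRED if pr == proto and rng["min"] <= p <= rng["max"]}


def missing_nfs_rules(security_list):
    """Return the REQUIRED pairs not yet allowed, per direction, sorted."""
    out = {}
    for direction, key in (("ingress", "ingress-security-rules"), ("egress", "egress-security-rules")):
        covered = set().union(*(_covered(r) for r in security_list.get(key) or []))
        out[direction] = sorted(REQUIRED - covered)
    return out


def _rule(direction, proto, port):
    """Build one stateful single-port rule in the assumed CLI JSON shape (constructed data)."""
    endpoint = "source" if direction == "ingress" else "destination"
    opts_key = "tcp-options" if proto == TCP else "udp-options"
    return {"protocol": proto, "is-stateless": False, endpoint: "10.3.2.0/24",
            opts_key: {"destination-port-range": {"min": port, "max": port}}}


# Constructed samples: the post's six ingress rules alone, then ingress plus egress.
SAMPLE_INGRESS_ONLY = {
    "ingress-security-rules": [_rule("ingress", pr, p) for pr, p in sorted(REQUIRED)],
    "egress-security-rules": [],
}
SAMPLE_COMPLETE = {
    "ingress-security-rules": SAMPLE_INGRESS_ONLY["ingress-security-rules"],
    "egress-security-rules": [_rule("egress", pr, p) for pr, p in sorted(REQUIRED)],
}

if __name__ == "__main__":
    print(json.dumps(missing_nfs_rules(SAMPLE_INGRESS_ONLY), indent=2))
```

Running it against the ingress-only sample lists all six egress pairs as missing, which is exactly the state that produces the timeout described above.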

Happy OCI Learning :)

References -

https://docs.cloud.oracle.com/en-us/iaas/Content/File/Tasks/securitylistsfilestorage.htm

https://cloudcustomerconnect.oracle.com/posts/7eb3f888e6

