#NFSv4 without ldap


grand prairie
#

Possibly dumb (or new guy) question. We are standing up OpenShift for the first time with an ontap-nas backend. NFSv3 works, but NFSv4 was requested by the OpenShift admin, so I'm trying to fulfill that request. My only experience with NFSv4 is in scenarios where we are using SSSD to do its authentication magic with LDAP, but I was told that in OpenShift (CoreOS nodes) that isn't really a thing, as the nodes are not using LDAP. We also plan on using AutoExport to create the export policies. How is Trident handling mapping users/IDs for NFSv4? I was going to try to simulate this in one of the NetApp Trident labs, but I was signed into one when NetApp disabled it, and now I can't delete/cancel the lab, so I'm waiting for it to time out over the weekend.

Thanks

echo minnow
#

You can use the same UID/GID mechanisms that you know from NFSv3 for NFSv4 too. It's called "numeric IDs" and can be enabled with -nfsv4-numeric-ids enabled on the NFS server.

grave crown
#

May I ask why NFSv4 was specifically requested?
Usually a request like that comes from someone who simply thinks "bigger number = better" when in this case it is simply different features.

echo minnow
#

I certainly don't know in this case, but some software might require the use of XATTRs which NFSv3 cannot do. We have some customers who switched their k8s environment to NFSv4 for that reason

rare yarrow
#

You again need to make sure the nfs4 domain ID is the same on both sides, or else even with numeric IDs users all map to nobody:nobody.

echo minnow
#

It actually works fine even if the Domain IDs mismatch, but not for users that exist on both the storage system and client (like "root"). Depending on your container runtime and settings (user namespaces or not? rootless containers or not? etc.) this might matter or not.

Generally, TR-4067 has all the gory details; Justin Parisi has done a fantastic job of putting this all together. Every non-standard NFS implementation we did, we always used this TR and followed it to the letter.

rare yarrow
#

If you want/need all users to work (including root), you must make sure the client nfsid and the NetApp SVM nfs4 ID match. Otherwise, root will always be nobody.

#

Otherwise, users will look/work correctly, but root will not.

grand prairie
#

Thanks everybody for that information. I don't think there was a hard and fast demand for NFSv4, more of just a want of the option in the situations where its features make sense. I'll play around with -nfsv4-numeric-ids.