NFS server
One way to provision storage for Red Hat OpenShift Container Platform (OpenShift) is to use an NFS server.
Setup
For more information, see the following sources:
- OpenShift documentation, Additional configuration and troubleshooting (do not miss this section)

Decisions:
- Go with an NFSv4-only server.
- Add security later.
- Add automatic NFS storage provisioning later.
Perform on the NFS KVM guest:

- Set the static IP address chosen in the plan so that the host is reachable, then reactivate the connection so that the new address takes effect:
    nmcli c modify <connection-name> ipv4.method manual ipv4.addresses "..."
    nmcli c up <connection-name>
- Install the NFS server package:
    yum install nfs-utils -y
- Disable NFSv3 permanently by editing /etc/nfs.conf:
    # vim /etc/nfs.conf
    [nfsd]
    vers3=no
  Note: NFSv3 is disabled because for OCP 4.x on IBM Z (s390x) only NFSv4 is tested and supported; see the sources listed under Setup.
- Mask the services that only NFSv3 needs (the portmapper and the lock status daemon; NFSv4 carries mounting and locking in-band on port 2049):
    systemctl mask --now rpc-statd.service rpcbind.service rpcbind.socket
- Create the folder you want to export (make available/mountable from outside) and the exports file in which it is declared:
    mkdir /nfs_share
    touch /etc/exports
- Add the following line to /etc/exports:
    /nfs_share *(rw,no_root_squash,insecure,sync)
  If you change /etc/exports later, use systemctl reload nfs-server to apply the change without restarting the service completely.
  Note: These options are not secure and should be tightened as soon as you have a smoothly running OpenShift environment. The client spec * exports the share to every host that can reach port 2049; no_root_squash lets root on any such client act as root on the share; insecure accepts requests from unprivileged source ports, so any local user on a client host, not only root, can send NFS requests claiming any UID (with AUTH_SYS the server trusts the UID the client sends). The OpenShift nodes need none of this: the kernel NFS client they mount with uses a privileged source port, so insecure is not required, and the registry pod does not run as root, so root_squash does not get in its way. Restrict the client list to the node subnet, use root_squash, and consider Kerberos (sec=krb5p) for authenticated and encrypted access. For details, see Exporting NFS File Systems.
- Set the permissions on the /nfs_share folder to something that later allows OpenShift to access the folder:
    chown -R root:1000340000 /nfs_share
    chmod -R 775 /nfs_share
  The group ID in the example above is the group ID that the OpenShift image registry pod can run with. This pod is set up during the installation; how to read the group ID used in your case is explained in later steps of the installation.
- Configure the firewall to allow incoming NFS traffic and reload the firewall afterwards. On an NFSv4-only server only 2049/tcp is required. The mountd service (20048/tcp and 20048/udp) is the NFSv3 mount daemon, which NFSv4 clients never contact, so leave that rule out unless you later allow NFSv3 clients:
    # (NFSv4 protocol) opens 2049/tcp
    firewall-cmd --permanent --add-service nfs
    # (NFSv3 mount daemon) opens 20048/tcp and 20048/udp; only for NFSv3 clients
    firewall-cmd --permanent --add-service mountd
    firewall-cmd --reload
- Enable and start the NFS server, then check its status:
    systemctl enable nfs-server --now
    systemctl status nfs-server
- Run the following command to disable NFSv4 ID mapping (refer to this source). With ID mapping off, the server puts the numeric UID and GID of the files under the exported path on the wire instead of translating them to a user@domain name that the other side has to map back to a local user (an unknown name ends up as nobody):
    echo 'Y' > /sys/module/nfsd/parameters/nfs4_disable_idmapping
  Note: The setting must match on client and server, and it only affects sec=sys (AUTH_SYS) mounts; with Kerberos, names are always mapped. On current kernels Y is already the default on both sides, so for OpenShift pods you do not have to configure anything. It may matter in special circumstances, for example a custom client that mounts NFS directly; there the client-side parameter is /sys/module/nfs/parameters/nfs4_disable_idmapping (the nfs module, not nfsd). Writing to /sys does not survive a reboot; to make the server setting permanent, set it as a module option (options nfsd nfs4_disable_idmapping=Y) in a file under /etc/modprobe.d/.
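The checks a practitioner would want to run on the NFS guest once the steps above are done, as an added shell example that is not part of the original page. nfs3_disabled() confirms that the [nfsd] section of an nfs.conf really turns NFSv3 off (a commented "# vers3=no" does not count), weak_exports() flags the three options the page itself calls insecure, and harden_export_line() rewrites the page's export line into the tightened form. The functions take file paths or lines as arguments so they can be pointed at /etc/nfs.conf and /etc/exports or at copies; the client network 10.0.0.0/24 and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: audit the NFSv4-only server
# configuration and print the hardened export line. Assumptions: the node
# network is 10.0.0.0/24; paths are passed on the command line.

# Return 0 if the [nfsd] section of the given nfs.conf turns NFSv3 off.
# Only an uncommented "vers3=" line inside [nfsd] counts.
nfs3_disabled() {
    awk '
        /^[[:space:]]*\[/ { in_nfsd = ($0 ~ /^[[:space:]]*\[nfsd\]/); next }
        in_nfsd && /^[[:space:]]*vers3[[:space:]]*=/ {
            val = $0
            sub(/^[^=]*=[[:space:]]*/, "", val)   # keep the value after "="
            sub(/[[:space:]#].*$/, "", val)       # drop trailing blanks or comment
            val = tolower(val)
            if (val == "no" || val == "n" || val == "false" || val == "off" || val == "0") found = 1
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Print one WEAK line per export option the page flags as insecure.
# Return 1 if anything was flagged, 0 if the exports file is clean.
weak_exports() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                spec = $i; opts = ""
                if (match(spec, /\(.*\)/)) {      # split "client(opt,...)" into client and options
                    opts = substr(spec, RSTART + 1, RLENGTH - 2)
                    spec = substr(spec, 1, RSTART - 1)
                }
                if (spec == "" || spec == "*") { print "WEAK " path ": exported to every host (" $i ")"; n++ }
                if (("," opts ",") ~ /,no_root_squash,/) { print "WEAK " path ": no_root_squash lets root on a client act as root on the share"; n++ }
                if (("," opts ",") ~ /,insecure,/) { print "WEAK " path ": insecure accepts requests from unprivileged source ports (any local user on a client)"; n++ }
            }
        }
        END { if (n) exit 1; exit 0 }
    ' "$1"
}

# Rewrite one exports line: replace a wildcard client with the given network,
# drop insecure and no_root_squash, and add root_squash. Handles one client
# spec per line, which is all the page's export line uses.
harden_export_line() {
    printf '%s\n' "$1" | awk -v net="$2" '
        {
            path = $1; spec = $2; opts = ""
            if (match(spec, /\(.*\)/)) {
                opts = substr(spec, RSTART + 1, RLENGTH - 2)
                spec = substr(spec, 1, RSTART - 1)
            }
            if (spec == "" || spec == "*") spec = net
            n = split(opts, o, ",")
            out = ""
            for (i = 1; i <= n; i++) {
                if (o[i] == "" || o[i] == "insecure" || o[i] == "no_root_squash" || o[i] == "root_squash") continue
                out = out (out == "" ? "" : ",") o[i]
            }
            out = out (out == "" ? "" : ",") "root_squash"
            print path " " spec "(" out ")"
        }'
}

# Usage on the NFS guest:  sh nfs-server-check.sh /etc/nfs.conf /etc/exports
if [ "$#" -eq 2 ]; then
    if nfs3_disabled "$1"; then echo "OK   NFSv3 is disabled in $1"; else echo "FAIL NFSv3 is still enabled in $1"; fi
    if weak_exports "$2"; then echo "OK   no weak options in $2"; else echo "FAIL weak options in $2 (see above)"; fi
    echo "Hardened form of the page's export line (adjust the network):"
    harden_export_line '/nfs_share *(rw,no_root_squash,insecure,sync)' 10.0.0.0/24
    echo "Persist the ID mapping setting as a module option instead of a sysfs write:"
    echo "options nfsd nfs4_disable_idmapping=Y   # in a file under /etc/modprobe.d/"
fi
```

The exports parser deliberately treats an empty client (a line such as "/nfs_share (rw)") the same as "*", because exportfs does. After rewriting the line, reload with systemctl reload nfs-server and re-run the audit; the registry pod keeps working with root_squash because it accesses the share through its supplemental group, not as root.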
Verification steps:

- Optionally test mounting the NFS share on a separate test machine that can reach the NFS server (replace {IP-OF-NFS-SERVER} with the IP address of your NFS KVM guest). On the client the ID mapping parameter belongs to the nfs module; ignore the error if the file does not exist:
    yum install nfs-utils -y
    mkdir /nfs_share
    echo 'Y' > /sys/module/nfs/parameters/nfs4_disable_idmapping
    mount {IP-OF-NFS-SERVER}:/nfs_share /nfs_share
- Verify that the user and group are root:1000340000:
    ls -ldZ /nfs_share
- Create a temporary group and user with the ID 1000340000 (ignore the warnings about the large ID):
    groupadd --gid 1000340000 nfs-test-group
    adduser --no-create-home --uid 1000340000 --gid 1000340000 nfs-test
- Touch a file as that user and check that it appears on the server side with the same numeric owner:
    /bin/su -c "/bin/bash -c 'touch /nfs_share/test-file'" - "nfs-test"
    ls -lZ /nfs_share
- When verification is complete, remove the file, unmount the share, and delete the temporary user and group:
    rm /nfs_share/test-file
    umount /nfs_share
    userdel nfs-test
    groupdel nfs-test-group
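The verification above as one script, added here as an example that is not part of the original page. owner_of(), check_owner() and is_anonymous() are small stat(1) wrappers that work on any Linux host; verify_share() performs the mount, the write as UID 1000340000 and the cleanup, and must run as root on a test machine that can reach the NFS guest. It also recognises the failure mode the ID mapping step is about: a file that shows up as the anonymous ID 65534 (nobody) instead of 1000340000. The server address 192.0.2.10, the mount point /mnt/nfs-test and the NFS_VERIFY switch are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: client-side check of the
# NFS share. Run as root with NFS_VERIFY=1 on a host that can reach the NFS
# guest; without it only the helper functions are defined.
# Assumptions: server address, mount point and the uid/gid from the page.

NFS_SERVER="${NFS_SERVER:-192.0.2.10}"    # assumed address of the NFS KVM guest
EXPORT="${EXPORT:-/nfs_share}"
MNT="${MNT:-/mnt/nfs-test}"
TEST_UID=1000340000
TEST_GID=1000340000

# Numeric "uid:gid" of a path. Numbers are what cross the wire with AUTH_SYS
# and ID mapping disabled, so they, not names, must match on both sides.
owner_of() { stat -c '%u:%g' "$1"; }

# 0 if the path is owned by exactly uid $2 and gid $3.
check_owner() { [ "$(owner_of "$1")" = "$2:$3" ]; }

# 0 if either id is the anonymous id 65534 (nobody/nfsnobody): the signature
# of root_squash/all_squash on the server, or of NFSv4 ID mapping still being
# on while the user name is unknown on one side.
is_anonymous() {
    case "$(owner_of "$1")" in
        65534:*|*:65534) return 0 ;;
    esac
    return 1
}

verify_share() {
    rc=0
    mkdir -p "$MNT"
    # Client-side counterpart of the server setting; the parameter belongs to
    # the nfs module on a client, not nfsd. Ignore the error if it is absent.
    echo Y > /sys/module/nfs/parameters/nfs4_disable_idmapping 2>/dev/null || true
    mount -t nfs4 "$NFS_SERVER:$EXPORT" "$MNT"
    if ! check_owner "$MNT" 0 "$TEST_GID"; then
        echo "FAIL: export root is $(owner_of "$MNT"), expected 0:$TEST_GID"
        umount "$MNT"
        return 1
    fi
    groupadd --gid "$TEST_GID" nfs-test-group
    useradd --no-create-home --uid "$TEST_UID" --gid "$TEST_GID" nfs-test
    f="$MNT/test-file.$$"
    su -s /bin/sh -c "touch '$f'" nfs-test
    if is_anonymous "$f"; then
        echo "FAIL: $f is owned by $(owner_of "$f") (anonymous id); check squashing and nfs4_disable_idmapping on both sides"
        rc=1
    elif check_owner "$f" "$TEST_UID" "$TEST_GID"; then
        echo "OK: $f is owned by $TEST_UID:$TEST_GID on the client; confirm the same with ls -ln on the server"
    else
        echo "FAIL: $f is owned by $(owner_of "$f")"
        rc=1
    fi
    # Remove the file as the test user so this still works once root_squash is on.
    su -s /bin/sh -c "rm -f '$f'" nfs-test
    umount "$MNT"
    userdel nfs-test
    groupdel nfs-test-group
    return $rc
}

if [ "${NFS_VERIFY:-0}" = 1 ]; then
    verify_share
fi
```

Run it as NFS_VERIFY=1 NFS_SERVER={IP-OF-NFS-SERVER} sh nfs-client-verify.sh. A FAIL with the anonymous ID on a share exported with no_root_squash points at ID mapping, since nothing is being squashed; the same FAIL after switching to root_squash is expected only for files created as root, never for the test user.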