General Troubleshooting for In-transit Encryption-enabled Mount Targets
Try the following troubleshooting techniques if you experience issues with in-transit encryption.
Verify that you have all the security list rules set up correctly for the mount target subnet
Test the connection to the File Storage mount target using telnet or nc.
If these connection tests fail, verify that the network security rules are set up according to the instructions found in Scenario C: Mount target and instance use TLS in-transit encryption.
Run the following telnet command. Replace the variable in this command with a mount target's IP address and test NFS port 2051:
telnet <Mount_Target_IP_address> 2051
A successful connection returns something such as:
Trying <Mount_Target_IP_address>...
Connected to <Mount_Target_IP_address>.
Escape character is '^]'.
A failure returns something such as:
Trying 10.0.0.5...
telnet: connect to address 10.0.0.5: Connection timed out
Run the following nc command. Replace the variable in this command with a mount target's IP address and test NFS port 2051:
nc -z -v <Mount_Target_IP_address> 2051
A successful connection returns something such as:
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 10.0.0.5:2048.
Ncat: 0 bytes sent, 0 bytes received in 0.01 seconds.
A failure returns something such as:
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connection timed out.
By default, many Oracle Cloud Infrastructure Compute images don't come with the telnet and nc utilities installed. To install these utilities on an instance, use the following yum command:
sudo yum install telnet nc -y
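The two probes above are easier to act on when their output is classified rather than read by eye: a silent timeout points at a security list or route table that drops the packets, while a refused connection means the packets reach the mount target but nothing is listening on that port. The script below is an added example, not part of the Oracle documentation. It assumes nc is installed (see the yum command above) and that the mount target address is supplied through the MOUNT_TARGET_IP environment variable; port 2051 is the TLS port the procedure tests.

```shell
#!/bin/sh
# Added example (not from the OCI documentation): probe a mount target port
# and classify the result the way a reviewer of the telnet/nc output would.

# classify_probe_output: read telnet or nc output on stdin and print one of
#   connected | timed_out | refused | unresolved | unknown
classify_probe_output() {
    out=$(cat)
    case "$out" in
        *"Connected to"*)                                     echo connected ;;
        *"timed out"*|*"Timed out"*)                          echo timed_out ;;
        *"refused"*)                                          echo refused ;;
        *"Name or service not known"*|*"Could not resolve"*) echo unresolved ;;
        *)                                                    echo unknown ;;
    esac
}

# probe_port HOST PORT [TIMEOUT]: run nc -z -v with a connect timeout
# (default 5 s) and classify its output. Exit status 0 only when the TCP
# handshake completed; nc's own exit status is ignored on purpose so that the
# classification, not the tool version, decides.
probe_port() {
    host=$1; port=$2; timeout=${3:-5}
    result=$(nc -z -v -w "$timeout" "$host" "$port" 2>&1 | classify_probe_output)
    echo "$host:$port $result"
    [ "$result" = connected ]
}

# interpret RESULT: map a classification to the next troubleshooting step.
interpret() {
    case "$1" in
        connected)  echo "TCP reachable; continue with the oci-fss service checks" ;;
        timed_out)  echo "packets are dropped: re-check the mount target subnet security list (Scenario C)" ;;
        refused)    echo "host reachable but port closed: wrong port, or the service is not listening" ;;
        unresolved) echo "name did not resolve: use the mount target's IP address" ;;
        *)          echo "unrecognised output; inspect it manually" ;;
    esac
}

# Usage: MOUNT_TARGET_IP=<placeholder address> sh probe.sh
if [ -n "${MOUNT_TARGET_IP:-}" ]; then
    probe_port "$MOUNT_TARGET_IP" 2051
    interpret "$(nc -z -v -w 5 "$MOUNT_TARGET_IP" 2051 2>&1 | classify_probe_output)"
fi
```

The classifier only looks for the phrases that telnet and Ncat print, so it works on both tools' output; a timeout of a few seconds keeps the check from hanging when the security list silently drops SYN packets.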
Verify that the oci-fss service is running for the mounted file system
If it's not, restart the service.
When you install the oci-fss-utils package, it creates three systemd-managed services called oci-fss-gc.timer, oci-fss-init.service and oci-fss-monitor.service.
- Open a terminal window on the instance.
- Verify that the services are running using the following commands:
systemctl status oci-fss-gc.timer
The status should be active and waiting.
systemctl status oci-fss-init.service
The status should be active and exited.
systemctl status oci-fss-monitor.service
The status should be active and running.
- After you mount a file system using the mount.oci-fss command, it creates a systemd-managed service called oci-fss-0<number>.service, which is the oci-fss-forwarder process. Verify it's running by using the following command:
systemctl status oci-fss-0<number>
The status should be active and running.
- Open a terminal window on the instance.
- Use the following commands to start the services:
systemctl start oci-fss-gc.timer
systemctl start oci-fss-monitor.service
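The expected states listed above (active and waiting, active and exited, active and running) are easier to check mechanically with systemctl show, which prints machine-readable key=value pairs instead of the human-facing systemctl status layout. The script below is an added example and not part of the oci-fss-utils package; it covers both the three package units and the per-mount forwarder unit. The forwarder unit name is taken from the oci-fss-0<number> pattern above and is passed in through the FORWARDER_UNIT environment variable, because the number depends on the mount order on the instance.

```shell
#!/bin/sh
# Added example (not part of the OCI documentation or oci-fss-utils): compare
# each oci-fss systemd unit with the state the troubleshooting steps expect.

# parse_unit_state: read `systemctl show -p ActiveState -p SubState <unit>`
# output on stdin and print "<ActiveState>/<SubState>", e.g. "active/running".
# Missing keys become "unknown" so a non-existent unit is reported, not hidden.
parse_unit_state() {
    active=""; sub=""
    while IFS='=' read -r key value; do
        case "$key" in
            ActiveState) active=$value ;;
            SubState)    sub=$value ;;
        esac
    done
    echo "${active:-unknown}/${sub:-unknown}"
}

# check_unit UNIT EXPECTED: query the live unit and compare with EXPECTED
# (for example active/waiting). Prints a one-line verdict; exit 0 on match.
check_unit() {
    unit=$1; expected=$2
    state=$(systemctl show -p ActiveState -p SubState "$unit" 2>/dev/null | parse_unit_state)
    if [ "$state" = "$expected" ]; then
        echo "OK   $unit is $state"
    else
        echo "FAIL $unit is $state (expected $expected); see: journalctl -u $unit"
        return 1
    fi
}

# check_oci_fss_units: walk the three package units plus, when FORWARDER_UNIT
# is set, the per-mount forwarder. The exit status is the number of units
# that are not in their expected state, so 0 means everything is healthy.
check_oci_fss_units() {
    failures=0
    check_unit oci-fss-gc.timer        active/waiting || failures=$((failures + 1))
    check_unit oci-fss-init.service    active/exited  || failures=$((failures + 1))
    check_unit oci-fss-monitor.service active/running || failures=$((failures + 1))
    if [ -n "${FORWARDER_UNIT:-}" ]; then
        check_unit "$FORWARDER_UNIT" active/running || failures=$((failures + 1))
    fi
    return "$failures"
}

# Usage on the instance: RUN_CHECKS=1 FORWARDER_UNIT=oci-fss-0<number>.service sh check-units.sh
if [ "${RUN_CHECKS:-0}" = 1 ]; then
    check_oci_fss_units
fi
```

A unit reported as inactive/dead is the case where the start commands above apply; a unit reported as failed/failed is better investigated with journalctl first, since restarting it would usually reproduce the same failure.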
Verify that the namespace ns1 has been created and contains a network interface
- Open a terminal window on the instance.
- Use the following command to verify the namespace and see the network interface:
sudo ip netns exec ns1 ip link list
You should see output displaying all the ethernet devices within namespace ns1. For example:
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
3: x-peer0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65535 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 56:e9:e0:7a:02:f6 brd ff:ff:ff:ff:ff:ff link-netnsid 0
Use the tcpdump utility to analyze traffic between the oci-fss service and the NFS client
- Open a terminal window on the instance.
- Type the following command:
sudo ip netns exec ns1 tcpdump -i x-peer0 "port 2049" -w /tmp/TLS.pcap
Use the journalctl command to view any messages that may have been logged by systemd regarding the service
- Open a terminal window on the instance.
- Enter the following command:
journalctl -f -u oci-fss-0<number>
-f displays the most recent journal entries, and prints new entries as they are appended to the journal.
-u specifies a specific systemd service unit. In this case, oci-fss-0<sequence_number> is the specified unit. If no unit is specified, journalctl returns all systemd entries.