General Troubleshooting for In-transit Encryption-enabled Mount Targets
Try the following troubleshooting techniques if you experience issues with in-transit encryption.
Verify that you have all the security list rules set up correctly for the mount target subnet.
In-transit encryption requires the following security list rules:
- A stateful ingress rule allowing TCP traffic to a Destination Port Range of 2051.
- A stateful egress rule allowing TCP traffic from a Source Port Range of 2051.
For more information and instructions, see Security Rules.
Verify that the oci-fss service is running for the mounted file system.
If it is not, restart the service.
When you mount a file system using the mount.oci-fss command, it creates a systemd-managed service called oci-fss-<sequence_number>.service. <sequence_number> is an incrementing value between 2-255. An oci-fss service is created for every file system mounted using the command. The exact name of the service is displayed as output when the file system is mounted. For example:
Created symlink from /etc/systemd/system/multi-user.target.wants/oci-fss-2.service to /usr/lib/systemd/system/oci-fss-2.service.
To verify that the service is running:
- Open a terminal window on the instance.
- Verify that the service is running using the following command:
systemctl status oci-fss-<sequence_number>
To start the service if it is not running:
- Open a terminal window on the instance.
- Use the following command to start the service:
systemctl start oci-fss-<sequence_number>
Verify that the namespace ns1 has been created and contains a network interface.
- Open a terminal window on the instance.
- Use the following command to verify the namespace and see the network interface:
sudo ip netns exec ns1 ip link list
You should see output displaying all the ethernet devices within namespace ns1. For example:
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
3: v-peer1@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether be:5b:35:2d:e9:54 brd ff:ff:ff:ff:ff:ff link-netnsid 0
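The service check and the namespace check above can be scripted so that the pass/fail decision is made from the text that systemctl status and ip link list print. The following is an added example, not code from the OCI documentation or from oci-fss-utils: the sample status text and link listings are constructed for illustration, and the sequence number 2 is assumed.

```shell
#!/bin/sh
# Added example: helpers that decide pass/fail from the output of
# `systemctl status` and `ip link list`, so the logic can be exercised on
# captured text before it is pointed at a live instance.

# Pass when the "Active:" line reports the unit as active (running).
# $1: full output of `systemctl status oci-fss-<sequence_number>`
service_is_active() {
    printf '%s\n' "$1" | grep -q 'Active: active (running)'
}

# Pass when ns1 contains at least one non-loopback interface in state UP
# (the v-peer1 end of the veth pair shown in the example output above).
# $1: full output of `ip netns exec ns1 ip link list`
namespace_has_up_interface() {
    printf '%s\n' "$1" | grep -v ' lo: ' | grep -q 'state UP'
}

# Constructed sample outputs (not captured from a real instance).
SAMPLE_STATUS_RUNNING='oci-fss-2.service - (constructed sample)
   Loaded: loaded (/usr/lib/systemd/system/oci-fss-2.service; enabled)
   Active: active (running) since Mon 2024-01-01 00:00:00 UTC; 1h ago'
SAMPLE_STATUS_STOPPED='oci-fss-2.service - (constructed sample)
   Loaded: loaded (/usr/lib/systemd/system/oci-fss-2.service; enabled)
   Active: inactive (dead)'
SAMPLE_LINKS_OK='1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
3: v-peer1@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether be:5b:35:2d:e9:54 brd ff:ff:ff:ff:ff:ff link-netnsid 0'
SAMPLE_LINKS_MISSING='1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00'

# Run both checks against the live instance. $1 is the sequence number from
# the mount output (assumed 2 here); `ip netns exec` needs root.
run_live_checks() {
    seq="${1:-2}"
    rc=0
    if service_is_active "$(systemctl status "oci-fss-$seq" 2>&1)"; then
        echo "OK   oci-fss-$seq is active"
    else
        echo "FAIL oci-fss-$seq is not active; run: systemctl start oci-fss-$seq"
        rc=1
    fi
    if namespace_has_up_interface "$(ip netns exec ns1 ip link list 2>&1)"; then
        echo "OK   ns1 has an UP interface"
    else
        echo "FAIL ns1 is missing or has no UP interface"
        rc=1
    fi
    return "$rc"
}

# Invoke as `sudo sh check-oci-fss.sh live 2` to run against the instance.
if [ "${1:-}" = "live" ]; then
    run_live_checks "${2:-2}"
fi
```

Keeping the parsing in functions that take text as an argument means the same logic can be run over output saved from a problem instance, which is often all that is available when the mount has already been torn down.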
Verify that IP forwarding is running on the instance.
Installing oci-fss-utils automatically turns on IP forwarding. However, you may have other processes running on the instance that disable it.
- Open a terminal window on the instance.
- Use the following command to view the status of IP forwarding:
# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
An output value of 1 means that IP forwarding is enabled. This value is read from the /proc/sys/net/ipv4/ip_forward file. If the output value is 0, then IP forwarding is not enabled for the instance. Enable IP forwarding by following the instructions in To enable IP forwarding on the instance.
To enable IP forwarding on the instance
If IP forwarding is not currently enabled on the instance, you must enable it and make the change permanent.
- Open a terminal window on the instance.
- Type the following command to open the /etc/sysctl.conf file:
sudo vi /etc/sysctl.conf
- Remove the # to uncomment this line:
# net.ipv4.ip_forward=1
If the value is 0, change it to 1.
- Type :wq to save the file and exit the editor.
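The status check and the permanent edit above can be automated. The following is an added example, not from the OCI documentation: it reads the value from sysctl output, rewrites a sysctl.conf-style file with sed instead of editing it in vi, and then loads the file with sysctl -p so the setting applies without a reboot. The sed edit and the sysctl -p step are assumptions beyond the documented steps; the conf file contents used in testing are constructed.

```shell
#!/bin/sh
# Added example: check the sysctl value and make net.ipv4.ip_forward=1
# permanent in a sysctl.conf-style file without an interactive editor.
# Uses sed instead of vi (an assumption, not the documented procedure).

# Pass when the sysctl output reports the value 1.
# $1: output of `sysctl net.ipv4.ip_forward`, e.g. "net.ipv4.ip_forward = 1"
ip_forward_enabled() {
    value=$(printf '%s\n' "$1" | sed -n 's/^net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*//p')
    [ "$value" = "1" ]
}

# Ensure $1 (a sysctl.conf file) contains an uncommented
# net.ipv4.ip_forward=1 line: uncomments "# net.ipv4.ip_forward=1",
# rewrites "net.ipv4.ip_forward=0", and appends the line if it is absent.
# Writes through a temporary file so it does not depend on GNU sed -i.
enable_ip_forward_in_conf() {
    conf="$1"
    key='net\.ipv4\.ip_forward'
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]*=" "$conf"; then
        sed -E "s/^[#[:space:]]*${key}[[:space:]]*=.*/net.ipv4.ip_forward=1/" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf 'net.ipv4.ip_forward=1\n' >> "$conf"
    fi
}

# Print the value recorded by the last uncommented net.ipv4.ip_forward line
# in $1 (sysctl applies lines in order, so the last one wins); empty if the
# key is absent or only present in a comment.
conf_ip_forward_value() {
    sed -n 's/^net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Live use (root): edit /etc/sysctl.conf, load it, then confirm the runtime
# value. `sysctl -p` is an addition beyond the documented steps.
apply_live() {
    enable_ip_forward_in_conf /etc/sysctl.conf
    sysctl -p
    ip_forward_enabled "$(sysctl net.ipv4.ip_forward)"
}

# Invoke as `sudo sh enable-ip-forward.sh live` to apply on the instance.
if [ "${1:-}" = "live" ]; then
    apply_live
fi
```

Because other processes on the instance may turn forwarding off again, it is worth re-running the check after the change, not just after the edit.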
Use the tcpdump utility to analyze traffic between the oci-fss service and the NFS client.
- Open a terminal window on the instance.
- Type the following command:
sudo ip netns exec ns1 tcpdump -i v-peer2 "port 2049"
Use the journalctl command to view any messages that may have been logged by systemd regarding the service.
- Open a terminal window on the instance.
- Type the following command:
journalctl -f -u oci-fss-<sequence_number>
-f displays the most recent journal entries, and prints new entries as they are appended to the journal.
-u specifies a specific systemd service unit. In this case, oci-fss-<sequence_number> is the specified unit. If no unit is specified, journalctl returns all systemd entries.