General Troubleshooting for In-transit Encryption-enabled Mount Targets

Try the following troubleshooting techniques if you experience issues with in-transit encryption.

Verify that you have all the security list rules set up correctly for the mount target subnet.

In-transit encryption requires the following security list rules:

  • A stateful ingress rule allowing TCP traffic to a Destination Port Range of 2051.
  • A stateful egress rule allowing TCP traffic from a Source Port Range of 2051.

For more information and instructions, see Security Rules.

Verify that the oci-fss service is running for the mounted file system.

If it is not running, start it as described below.

To verify the service is running

When you mount a file system using the mount.oci-fss command, it creates a systemd-managed service named oci-fss-<sequence_number>.service, where <sequence_number> is an integer from 2 through 255 that increments with each mount. A separate oci-fss service is created for every file system mounted with the command, and the exact unit name is printed when the file system is mounted.

For example:

    Created symlink from /etc/systemd/system/ to /usr/lib/systemd/system/oci-fss-2.service.

  1. Open a terminal window on the instance.
  2. Verify that the service is running using the following command:

    systemctl status oci-fss-<sequence_number>

To start the service
  1. Open a terminal window on the instance.
  2. Use the following command to start the service:

    systemctl start oci-fss-<sequence_number>

Verify that the namespace ns1 has been created and contains a network interface.

To verify the network namespace
  1. Open a terminal window on the instance.
  2. Use the following command to verify the namespace and see the network interface: 

    sudo ip netns exec ns1 ip link list

    You should see output listing all the network devices in namespace ns1. The veth interface (v-peer1 in this example) should be in state UP; the loopback device being DOWN is normal. For example:

    1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    3: v-peer1@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
        link/ether be:5b:35:2d:e9:54 brd ff:ff:ff:ff:ff:ff link-netnsid 0

Verify that IP forwarding is running on the instance.

Installing oci-fss-utils automatically turns on IP forwarding. However, you may have other processes running on the instance that disable it.

To verify that IP forwarding is running on the instance
  1. Open a terminal window on the instance.
  2. Use the following command to view the status of IP forwarding:

    # sysctl net.ipv4.ip_forward
    net.ipv4.ip_forward = 1

    An output value of 1 means that IP forwarding is enabled. This value is read from the /proc/sys/net/ipv4/ip_forward file.

    If the output value is 0, then IP forwarding is not enabled for the instance. Enable IP forwarding by following the instructions in To enable IP forwarding on the instance.

To enable IP forwarding on the instance

If IP forwarding is not currently enabled on the instance, you must enable it and make the change permanent. Editing /etc/sysctl.conf by itself does not change the running kernel value; the file is only read at boot or when you reload it, so finish with step 5.

  1. Open a terminal window on the instance.
  2. Type the following command to open the /etc/sysctl.conf file:

    sudo vi /etc/sysctl.conf
  3. Remove the # to uncomment this line: # net.ipv4.ip_forward=1. If the value is 0, change it to 1. If the file contains no such line, add net.ipv4.ip_forward = 1 on a line of its own.
  4. Type :wq to save the file and exit the editor.
  5. Reload the file with the sysctl -p command (run with sudo) so the setting takes effect immediately, then repeat the verification in To verify that IP forwarding is running on the instance and confirm that the value is now 1.
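The following script is added here as a worked example; it is not part of the OCI documentation or of oci-fss-utils. It performs steps 2 through 4 above without an editor and then applies the setting, which editing the file alone does not do. persist_ip_forward handles the three states a practitioner meets in /etc/sysctl.conf (a commented-out line, a live line with value 0, and no line at all) and is safe to run twice. It takes the file path as an argument so it can be tried on a copy first; the script name and the --apply flag are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not from the OCI documentation: enable IPv4 forwarding now and
# make it persistent. The file-editing function takes the config path as an
# argument so it can be exercised on a copy; the real target is /etc/sysctl.conf.

# Rewrite or append the net.ipv4.ip_forward line so that it reads "= 1".
# Covers a commented-out line ("# net.ipv4.ip_forward=1"), a live line with
# value 0, and a file with no such line. Running it twice makes no further change.
# $1: path of the sysctl configuration file
persist_ip_forward() {
    local conf="$1"
    local tmp="$conf.tmp.$$"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$conf"; then
        # Uncomment and normalise every matching line. Write through a temp file
        # and cat back so the original file keeps its owner and mode.
        sed -E 's/^[[:space:]]*#?[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=.*/net.ipv4.ip_forward = 1/' \
            "$conf" > "$tmp" && cat "$tmp" > "$conf"
        rm -f "$tmp"
    else
        printf 'net.ipv4.ip_forward = 1\n' >> "$conf"
    fi
}

# Print the value the file will set on the next "sysctl -p" (the last live,
# uncommented line wins). Prints nothing if the file does not set it.
# $1: path of the sysctl configuration file
configured_ip_forward() {
    grep -E '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$1" \
        | tail -n 1 | sed -E 's/.*=[[:space:]]*//; s/[[:space:]]*$//'
}

main() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root: sudo $0 --apply" >&2
        return 1
    fi
    sysctl -w net.ipv4.ip_forward=1          # takes effect immediately
    persist_ip_forward /etc/sysctl.conf      # survives a reboot
    sysctl -p                                # reload the file; also proves it parses
    echo "configured value: $(configured_ip_forward /etc/sysctl.conf)"
}

# Apply only when asked; running without arguments just defines the functions.
[ "${1:-}" = "--apply" ] && main
```

On the instance, run it as sudo ./enable-ip-forward.sh --apply (the file name is an assumption), then repeat the sysctl check above to confirm the running value is 1.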

Use the tcpdump utility to analyze traffic between the oci-fss service and the NFS client.

To obtain information using TCPDUMP
  1. Open a terminal window on the instance.
  2. Type the following command:

    sudo ip netns exec ns1 tcpdump -i v-peer2 "port 2049"

    The interface given to -i must be one that appears in the ip link list output for ns1 (see To verify the network namespace); if tcpdump reports that the interface does not exist, substitute the name shown there. The filter "port 2049" selects the NFS traffic exchanged between the NFS client and the oci-fss service.

Use the journalctl command to view any messages that may have been logged by systemd regarding the service.

To obtain information from the SYSTEMD journal
  1. Open a terminal window on the instance.
  2. Type the following command:

    journalctl -f -u oci-fss-<sequence_number>

-f follows the journal: it displays the most recent entries and then prints new entries as they are appended.

-u restricts the output to one systemd unit, here oci-fss-<sequence_number>, the same name shown by systemctl status. Without -u, journalctl returns entries from every unit. If the command returns no entries, run it with sudo; an unprivileged user may only be able to read its own session's journal, not system-level messages.
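As an added example (not code from the OCI documentation or from oci-fss-utils), the script below runs the service, namespace and IP-forwarding checks from this page in one pass and then prints the last journal entries for the unit. The helpers that interpret command output take text on standard input, so they can be exercised against captured output such as the examples on this page; the check_* functions run the live commands on an instance. The unit, namespace and sysctl names are the ones the page uses; the script name, its structure and the PASS/FAIL report format are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not from the OCI documentation: run the in-transit encryption
# checks from this page for one oci-fss unit and report PASS/FAIL for each.
# usage: ./oci-fss-check.sh oci-fss-2      (file name is an assumption)

# Extract the unit name from the message mount.oci-fss prints at mount time, e.g.
# "Created symlink ... /usr/lib/systemd/system/oci-fss-2.service." -> "oci-fss-2"
unit_from_mount_output() {
    grep -oE 'oci-fss-[0-9]+\.service' | head -n 1 | sed 's/\.service$//'
}

# Given "ip link list" output on stdin, succeed if at least one interface other
# than the loopback is in state UP (the veth peer the service relies on).
has_up_non_loopback_link() {
    grep -E '^[0-9]+: ' | grep -v -E '^[0-9]+: lo:' | grep -q 'state UP'
}

# Given "sysctl net.ipv4.ip_forward" output on stdin, succeed if the value is 1.
ip_forward_is_on() {
    grep -qE '^net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$'
}

# --- live checks: these run the real commands on the instance ---

check_service() {        # $1: unit name, e.g. oci-fss-2
    systemctl is-active --quiet "$1"
}

check_namespace() {      # ns1 must exist and contain an UP non-loopback interface
    ip netns list 2>/dev/null | grep -qw ns1 &&
        sudo ip netns exec ns1 ip link list | has_up_non_loopback_link
}

check_ip_forward() {
    sysctl net.ipv4.ip_forward | ip_forward_is_on
}

report() {               # $1: label; remaining arguments: command to run
    local label="$1"; shift
    if "$@"; then printf 'PASS  %s\n' "$label"; else printf 'FAIL  %s\n' "$label"; fi
}

main() {
    local unit="${1:?usage: $0 oci-fss-<sequence_number>}"
    report "systemd unit $unit is active"          check_service "$unit"
    report "namespace ns1 has an UP interface"     check_namespace
    report "net.ipv4.ip_forward = 1"               check_ip_forward
    echo
    echo "Last 20 journal entries for $unit:"
    sudo journalctl -n 20 --no-pager -u "$unit"
}

# Only run the live checks when a unit is given; running the file without
# arguments (or sourcing it) just defines the functions.
[ "$#" -gt 0 ] && main "$@"
```

If you have the mount output at hand, the unit name can be derived from it instead of typed: printf '%s\n' "$mount_output" | unit_from_mount_output. A FAIL on the namespace or forwarding line points you to the corresponding procedure above; a FAIL on the unit means the service needs to be started before the other checks are meaningful.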