This is one of the more common issues we see when troubleshooting NFS access. The SVM root volume needs read access to the host for traverse. I would create a root policy with read any and none for read/write and none for superuser as part of your SVM creation. You could allow read to 0.0.0.0/0 for all hosts since only specific hosts will have access to volumes mounted to root, or allow specific hosts or a subnet...whatever makes sense for security. Also, if using LS mirrors for SVM root protection (I prefer using DP if there is a snapmirror license) then make sure to update the LS mirrors so clients get the updated permission.
From: Daniel Taylor Daniel_Taylor@ajg.com To: "toasters@teaparty.net" toasters@teaparty.net Sent: Wednesday, April 5, 2017 6:20 AM Subject: NFS Export Policy
<!--#yiv2244031595 _filtered #yiv2244031595 {font-family:Calibri;panose-1:2 15 5 2 2 2 4 3 2 4;} _filtered #yiv2244031595 {font-family:Tahoma;panose-1:2 11 6 4 3 5 4 4 2 4;}#yiv2244031595 #yiv2244031595 p.yiv2244031595MsoNormal, #yiv2244031595 li.yiv2244031595MsoNormal, #yiv2244031595 div.yiv2244031595MsoNormal {margin:0cm;margin-bottom:.0001pt;font-size:11.0pt;font-family:"Calibri", "sans-serif";}#yiv2244031595 a:link, #yiv2244031595 span.yiv2244031595MsoHyperlink {color:blue;text-decoration:underline;}#yiv2244031595 a:visited, #yiv2244031595 span.yiv2244031595MsoHyperlinkFollowed {color:purple;text-decoration:underline;}#yiv2244031595 p.yiv2244031595MsoAcetate, #yiv2244031595 li.yiv2244031595MsoAcetate, #yiv2244031595 div.yiv2244031595MsoAcetate {margin:0cm;margin-bottom:.0001pt;font-size:8.0pt;font-family:"Tahoma", "sans-serif";}#yiv2244031595 span.yiv2244031595EmailStyle17 {font-family:"Calibri", "sans-serif";color:windowtext;}#yiv2244031595 span.yiv2244031595BalloonTextChar {font-family:"Tahoma", "sans-serif";}#yiv2244031595 .yiv2244031595MsoChpDefault {font-family:"Calibri", "sans-serif";} _filtered #yiv2244031595 {margin:72.0pt 72.0pt 72.0pt 72.0pt;}#yiv2244031595 div.yiv2244031595WordSection1 {}-->Hello, We have an volume with an export policy applied: volA = policy1 The policy has client match rules for the ESXi hosts. However when we try and add this volume to an ESXi host we get an error saying mount request denied. If we add a rule to the default export policy within the same SVM the volume is then added without issue. Similarly if we apply ‘policy1’ to the root volume in the associated SVM we are able to mount ‘volA’ on the ESXi hosts. Doesn’t this kind of defeat the object of having an export policy associated with the volume if the underlying root volume controls the export access? Or is this a bug? We are running 9.1P1. Thanks _______________________________________________ Toasters mailing list Toasters@teaparty.net http://www.teaparty.net/mailman/listinfo/toasters