Hi toasters, NFS export in CDOT (ouch) I understand I have to have a default policy and a rule..
1. Must it have 0.0.0.0/0 read only? What if I don't want to give read-only to entire name space to all clients?
2. Qtree exports: can I restrict qtree A to host A, and qtree B to host B, but then what about volume and its policy? Can qtree be more restrictive than volume (and why don't qtrees show up in GUI?)
3. Does showmount -e LIF of NFS filer still produce good information. It does not look like, so how do I check what my exports are?
4. What does it buy me with qtree exports, what? If I have to give access to server A and B to volume that has qtree A and B
The default can be anything you want, it doesn't have to be 0.0.0.0/0 ro.
Do keep in mind that the root mount needs to allow all the clients that need permissions for all the junction mounts below it.
I haven't played with qtree exports in cDOT, but the volume will need to have both host A and B and then you can have qtreeA and qtreeB limited to host A and host B. If the only thing in the root of the volume is qtreeA and qtreeB, all the hosts will be able to see is the name of the other qtree.
showmount isn't very useful with cDOT, unfortunately. Export changes take effect immediately, so no need to run exportfs -a any more.
Another thing to keep in mind is that exports are order dependent now. cDOT takes the first match, not the best match. I ran into this when doing some 7-mode transitions. The 7-mode export had "ro=172.16.1.0/24,rw=172.16.1.5:172.16.1.6:...." in that order, and when that was converted to cDOT, all the clients that should have been rw ended up ro. I moved the subnet match to the end and everything was back to normal.
John
On Tue, Nov 11, 2014 at 06:51:50PM -0800, Iluhes wrote:
Hi toasters, NFS export in CDOT (ouch) I understand I have to have a default policy and a rule..
- Must it have 0.0.0.0/0 read only? What if I don't want to give read-only to entire name space to all clients?
- Qtree exports: can I restrict qtree A to host A, and qtree B to host B, but then what about volume and its policy? Can qtree be more restrictive than volume (and why don't qtrees show up in GUI?)
- Does showmount -e LIF of NFS filer still produce good information. It does not look like, so how do I check what my exports are?
- What does it buy me with qtree exports, what? If I have to give access to server A and B to volume that has qtree A and B
Toasters mailing list Toasters@teaparty.net http://www.teaparty.net/mailman/listinfo/toasters
TR-4067 covers all of these questions.
http://www.netapp.com/us/media/tr-4067.pdf
Exports are covered starting on page 21.
Is there a way to avoid 0.0.0.0 ro is default policy rule
On Nov 11, 2014, at 10:12 PM, "Parisi, Justin" Justin.Parisi@netapp.com wrote:
TR-4067 covers all of these questions.
http://www.netapp.com/us/media/tr-4067.pdf
Exports are covered starting on page 21.
Page 31 of the TR describes limiting access to the vsroot volume.
Page 37 covers export policy rule inheritance.
The vsroot (/) export policy must allow read access to all clients to allow traversal. Data volumes must allow read access to clients that desire read access, as described on page 39:
the read-only attribute for the export policy rules needs to allow read access from the parent to allow mounts to occur. Setting rorule to "never" or not setting an export policy rule in the parent volume's export policy at all (empty policy) will disallow mounts to volumes underneath that parent.
In the above, vsroot counts as a parent volume, as it's in every path in a namespace.
From: Iluhes <iluhes@yahoo.com> Date: Tuesday, November 11, 2014 at 11:39 PM To: Justin Parisi <Justin.Parisi@netapp.com> Cc: "Toasters@teaparty.net" <Toasters@teaparty.net> Subject: Re: cdot NFS exports
Is there a way to avoid 0.0.0.0 ro is default policy rule
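The two rules discussed in this thread, first-match ordering (John's reply) and read access required on every parent from vsroot down (Justin's reply), as an added Python model that is not part of the original messages and is not ONTAP code. The tuple rule format, the function names and the `/vol1`, `qtreeA`, `qtreeB` paths are assumptions made for illustration; the addresses are the ones quoted in the thread.

```python
import ipaddress

# Simplified model (an assumption, not ONTAP code): a policy is an ordered list
# of rules (clientmatch, ro_allowed, rw_allowed); protocol and auth fields omitted.

def access(policy, client):
    """First match wins: 'rw', 'ro' or None from the first rule matching client."""
    ip = ipaddress.ip_address(client)
    for match, ro, rw in policy:
        if ip in ipaddress.ip_network(match):
            if not ro:
                return None          # read denied, so no access at all
            return "rw" if rw else "ro"
    return None                      # empty policy or no matching rule

def shadowed(policy):
    """Indexes of rules that never fire because an earlier rule covers them."""
    nets = [ipaddress.ip_network(m) for m, _, _ in policy]
    return [i for i, n in enumerate(nets)
            if any(n.subnet_of(e) for e in nets[:i])]

def can_mount(namespace, path, client):
    """True only if every policy from / down to path grants the client read."""
    parts = [p for p in path.split("/") if p]
    walk = ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]
    return all(access(namespace[p], client) for p in walk)

# Constructed sample data; addresses are the ones quoted in the thread.
HOST_A, HOST_B = "172.16.1.5", "172.16.1.6"
CONVERTED = [("172.16.1.0/24", True, False), (HOST_A, True, True), (HOST_B, True, True)]
REORDERED = CONVERTED[1:] + CONVERTED[:1]      # subnet rule moved to the end

# Hypothetical namespace: root limited to the subnet rather than 0.0.0.0/0.
NAMESPACE = {
    "/": [("172.16.1.0/24", True, False)],
    "/vol1": REORDERED,
    "/vol1/qtreeA": [(HOST_A, True, True)],
    "/vol1/qtreeB": [(HOST_B, True, True)],
}

if __name__ == "__main__":
    print(access(CONVERTED, HOST_A), shadowed(CONVERTED))
    print(access(REORDERED, HOST_A), shadowed(REORDERED))
    print(can_mount(NAMESPACE, "/vol1/qtreeA", HOST_A),
          can_mount(NAMESPACE, "/vol1/qtreeA", HOST_B))
```

Running `shadowed` over a converted policy before cutover flags host rules that sit behind a broader subnet rule, which is the condition that left the rw clients read-only in the 7-mode transition described above.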
Thank you: John Clear and Justin Parisi and tmac. Toasters is an amazing resource!