This post is more than 5 years old
3 Posts
0
5435
Securing default /ifs NFS export
Hello,
can someone please advise, how to manage the default /ifs NFS export security? I have been searching the forums and could not find an answer.
Situation is that we have 3 following exports:
/ifs - default export
/ifs/data - access restricted to subnet 10.0.50.0/24
/ifs/data2 - access restricted to subnet 10.0.60.0/24
If the /ifs export is mounted all data is accessible.
My question is:
- Is it possible to remove the /ifs NFS export keeping the other exports operational?
- If not possible to remove it, how can I achieve that it is not mountable?
Running OneFS 7.0.2.2
Thank you!
Marek
Markofo
3 Posts
0
November 18th, 2014 01:00
I got information from an Isilon expert and tested that each NFS export is independent, therefore the /ifs can be safely deleted without affecting any sub-export such as /ifs/data.
Peter_Sero
1.2K Posts
0
March 13th, 2014 03:00
It seems to be common practice to delete the default exports (NFS, SMB) for /ifs
and create more specific exports, at least for any serious use other
than demo or testing,
(If you use InsightIQ, make sure it can NFS-mount /ifs/.ifsvar/modules/fsa)
Cheers
-- Peter
Markofo
3 Posts
0
March 13th, 2014 04:00
Thank you for your prompt answer! We are not using InsightIQ. However in one of the NFS exports vmware is running. Can I safely remove the /ifs NFS export not interrupting any operations?
Best,
Marek
Peter_Sero
1.2K Posts
1
March 13th, 2014 04:00
See what you mean.. can you test it as follows?
create and export (allow sub-mounts) /ifs/test
create /ifs/test/sub and mount it from client, run a VM on it
export /ifs/test/sub
delete export for /ifs/test
check mounted /ifs/test/sub on client/VM
-- P.
crklosterman
450 Posts
0
November 18th, 2014 11:00
Gentlemen, while you're correct that deleting an export (the default /ifs) won't affect a lower-level export. It's important to understand that most client OSes if told to mount /ifs/data, and they find an export at /ifs, they will mount /ifs, and then the subdirectory data. So if you remove the export from the cluster you might see stale mounts, I have seen this in the field. It has nothing to do with Isilon and is specific to the ClientOS's NFS client.
~Chris Klosterman
Senior SA, EMC Isilon Offer & Enablement Team
chris.klosterman@emc.com
twitter: @croaking
dynamox
1 Rookie
1 Rookie
•
20.4K Posts
0
November 18th, 2014 11:00
Chris,
what if /ifs export is set to not allow mounting of subdirectories ?
osaddict
110 Posts
0
November 20th, 2014 08:00
Then it shouldn't matter. However, the /ifs export, by default, does have mounting sub directories enabled