Skip to main content
Start a Conversation

This post is more than 5 years old

Solved!

Go to Solution

Markofo

3 Posts

5435

March 13th, 2014 03:00

Securing default /ifs NFS export

Hello,

can someone please advise, how to manage the default /ifs NFS export security? I have been searching the forums and could not find an answer.

Situation is that we have 3 following exports:

/ifs - default export

/ifs/data - access restricted to subnet 10.0.50.0/24

/ifs/data2 - access restricted to subnet 10.0.60.0/24

If the /ifs export is mounted all data is accessible.

My question is:

- Is it possible to remove the /ifs NFS export keeping the other exports operational?

- If not possible to remove it, how can I achieve that it is not mountable?

Running OneFS 7.0.2.2

Thank you!

Marek

Markofo

3 Posts

November 18th, 2014 01:00

I got information from an Isilon expert and tested that each NFS export is independent, therefore the /ifs can be safely deleted without affecting any sub-export such as /ifs/data.

Peter_Sero

1.2K Posts

March 13th, 2014 03:00

It seems to be common practice to delete the default exports (NFS, SMB) for /ifs

and create more specific exports, at least for any serious use other

than demo or testing,

(If you use InsightIQ, make sure it can NFS-mount /ifs/.ifsvar/modules/fsa)

Cheers

-- Peter

Markofo

3 Posts

March 13th, 2014 04:00

Thank you for your prompt answer! We are not using InsightIQ. However in one of the NFS exports vmware is running. Can I safely remove the /ifs NFS export not interrupting any operations?

Best,

Marek

Peter_Sero

1.2K Posts

March 13th, 2014 04:00

See what you mean.. can you test it as follows?

create and export (allow sub-mounts) /ifs/test

create  /ifs/test/sub and mount it from client, run a VM on it

export /ifs/test/sub

delete export for /ifs/test

check mounted /ifs/test/sub on client/VM

-- P.

crklosterman

450 Posts

November 18th, 2014 11:00

Gentlemen, while you're correct that deleting an export (the default /ifs) won't affect a lower-level export. It's important to understand that most client OSes if told to mount /ifs/data, and they find an export at /ifs, they will mount /ifs, and then the subdirectory data.  So if you remove the export from the cluster you might see stale mounts, I have seen this in the field.  It has nothing to do with Isilon and is specific to the ClientOS's NFS client.

~Chris Klosterman

Senior SA, EMC Isilon Offer & Enablement Team

chris.klosterman@emc.com

twitter: @croaking

dynamox

1 Rookie

 • 

20.4K Posts

November 18th, 2014 11:00

Chris,

what if /ifs export is set to not allow mounting of subdirectories ?

osaddict

110 Posts

November 20th, 2014 08:00

Then it shouldn't matter. However, the /ifs export, by default, does have mounting sub directories enabled

View More

View All

No Events found!

Top