Most of my mounts have a single entry, root access only, to a singel IP address. I have tried adding the entry to access only, still same issue, does not seem to matter as any entry seems to result in the same, host that are given access can r-w, etc, host with no access seem to be able to mount and read even though the only entry is an IP address to the root access only.

are you sure that root= is the *only* option ?

can you post a server_export output ?

root= alone shouldnt give you any mount access it merely modifies how UID 0 is mapped

Hi,

yes - combining multiple NFS export options can be a bit confusing and most of them mean that any host not specified gets read-only access

Take a look at the "Configuring NFS on Celerra" manual - the Table 6 on page 106 specifies what exactly you get when you combine multiple options

most customers "over-do" their export options - what you typically want is to just use access= and root=

Rainer

P.S.: we now also have a parameter for "NFS export hiding" - i.e. that a client who doesnt have access cant even "see" the export listed in a showmount

Yes, I am sure root is the only field with an entry in it.

ok - according to the table (case 16) no optiona means that all hosts are allowed to mount read/write

try access=host and root=host and nothing else

that should give you what you want

Hmmh,

then I would suggest to open a service request - support can take a look what the export table really looks like and search if there is a bug open.

Rainer

I have attempted access = IP root = IP, this option allowed the other non listed IP addresses to mount the file system

This setup used to work fine. Some  where, which I can only attibute to when we went to this version of Dart code, some thing changed, so where the previous settings no longer are functioning as the document states.

Did you end up finding the answer?

Can you share what your exact access list is/was that wasn't working as expected?  Particularly one that you believe was working before the upgrade?

I don't believe there have been any bugs lately that would affect how the export options like this are treated.

In general the rules for access granting based on the export options have been unchanged for probably the last decade or so; so the overall logic shouldn't be different.  Having no export options should give everyone access (though no one will be able to operate as a "root" user).

But depending on what version you upgraded from, there have been some changes/bugfixes that might change how the export options are treated in subtle ways.  And there's a couple of bugfixes since 5.6.45 to help with some export problems.  For example, in your version there is a bug where if the total length of any given export option (access=, rw=, ro=, or root=) exceeds 2048 bytes (which is the limit), then the entire option would be ignored - and depending on your access list, that might cause more access to be granted than expected.

But for sure, in ALL releases, an export with no options should give read/write access to everyone, and an export with only an "access=" option should give access only the given hosts access.  If you were seeing something different, then something was wrong.

No, I have not found a fix for this.

If I setup up as this;

export "/ptnasdelhi_d" root=10.168.11.25

Can still be mounted and read on other hosts.

I have also set this one IP in the access field, and the RW field, but regardless the NFS mount is still see and mountable from other hosts, not in the lists.

Brian Hansen

HI Brian,

If I setup up as this; export "/ptnasdelhi_d" root=10.168.11.25 Can still be mounted and read on other hosts.

that is as its expected and documented

root= isnt an export option - its merely a modiifier that says that from these clients a root user gets translated to root UID 0 on the Celerra instead of the default anon 64k UID

this is *different* from readonly - sure it might "look" like readonly if you are using root and trying to write to a directory that doesnt have write permission for everyone but itsnot the same as readonly.

just do a chmod a+rwx on that dir and try again from your "readonly" clients any you'll see that its really writeable by every client

here on the acsence of any export option you are supposed to be able to mount and read/write from every hosts

I have also set this one IP in the access field, and the RW field, but regardless the NFS mount is still see and mountable from other hosts, not in the lists.

if you are using *only* access= then there should be no mount access for any client not on the list

combining root= and rw= with the same address is kind of redundant - it should mean:

Read/write to read/write list, read-only to access list. Access is denied to all other hosts.

If you just want read/write to certain hosts I would recommend to *only* use access and root

Rainer

What I need, is to set these so only a certain host or subset of host can mount these exports. Example of the ones list /ptnasdelhi_d, I only need the host at the listed IP to be able to access and r/w to the file system. I want no other host to be able to even mount it.

Brian Hansen

The "Access Hosts" field in the NFS export property page determines which hosts can mount the NFS export. So put the same host (or list of host) which you want the NFS export to be mounted in the "Access Host" field.

If you do not specify any host in the access host field - any host can mount it.

However, please do not use both Access and Read-only fields at the same time - use either one of them. The document Rainer referred earlier has all the details.

My 2 cents
Sandip

so just put that host(s) into access= and root= and do not use any other options like rw= or ro=