bhansen
54 Posts
0
March 30th, 2010 09:00
Most of my mounts have a single entry, root access only, to a single IP address. I have tried adding the entry to access only, still the same issue; it does not seem to matter, as any entry seems to result in the same: hosts that are given access can r-w, etc., hosts with no access seem to be able to mount and read even though the only entry is an IP address to the root access only.
Rainer_EMC
4 Operator
•
8.6K Posts
0
March 30th, 2010 09:00
are you sure that root= is the *only* option ?
can you post a server_export output ?
root= alone shouldn't give you any mount access; it merely modifies how UID 0 is mapped
Rainer_EMC
4 Operator
•
8.6K Posts
0
March 30th, 2010 09:00
Hi,
yes - combining multiple NFS export options can be a bit confusing and most of them mean that any host not specified gets read-only access
Take a look at the "Configuring NFS on Celerra" manual - the Table 6 on page 106 specifies what exactly you get when you combine multiple options
most customers "over-do" their export options - what you typically want is to just use access= and root=
Rainer
P.S.: we now also have a parameter for "NFS export hiding" - i.e. that a client who doesn't have access can't even "see" the export listed in a showmount
bhansen
54 Posts
0
March 30th, 2010 10:00
Yes, I am sure root is the only field with an entry in it.
Rainer_EMC
4 Operator
•
8.6K Posts
0
March 30th, 2010 11:00
ok - according to the table (case 16) no options means that all hosts are allowed to mount read/write
try access=host and root=host and nothing else
that should give you what you want
Rainer_EMC
4 Operator
•
8.6K Posts
0
March 30th, 2010 11:00
Hmmh,
then I would suggest opening a service request - support can take a look at what the export table really looks like and search whether there is a bug open.
Rainer
bhansen
54 Posts
0
March 30th, 2010 11:00
I have attempted access = IP root = IP, this option allowed the other non listed IP addresses to mount the file system
bhansen
54 Posts
0
March 30th, 2010 11:00
This setup used to work fine. Somewhere, which I can only attribute to when we went to this version of DART code, something changed, so the previous settings are no longer functioning as the document states.
IanSchorr
117 Posts
0
April 5th, 2010 22:00
Did you end up finding the answer?
Can you share what your exact access list is/was that wasn't working as expected? Particularly one that you believe was working before the upgrade?
I don't believe there have been any bugs lately that would affect how the export options like this are treated.
In general the rules for access granting based on the export options have been unchanged for probably the last decade or so; so the overall logic shouldn't be different. Having no export options should give everyone access (though no one will be able to operate as a "root" user).
But depending on what version you upgraded from, there have been some changes/bugfixes that might change how the export options are treated in subtle ways. And there's a couple of bugfixes since 5.6.45 to help with some export problems. For example, in your version there is a bug where if the total length of any given export option (access=, rw=, ro=, or root=) exceeds 2048 bytes (which is the limit), then the entire option would be ignored - and depending on your access list, that might cause more access to be granted than expected.
But for sure, in ALL releases, an export with no options should give read/write access to everyone, and an export with only an "access=" option should give access only to the given hosts. If you were seeing something different, then something was wrong.
bhansen
54 Posts
0
April 6th, 2010 07:00
No, I have not found a fix for this.
If I set it up like this:
export "/ptnasdelhi_d" root=10.168.11.25
it can still be mounted and read on other hosts.
I have also set this one IP in the access field, and the RW field, but regardless the NFS mount is still seen and mountable from other hosts not in the lists.
Brian Hansen
Rainer_EMC
4 Operator
•
8.6K Posts
0
April 6th, 2010 08:00
Hi Brian,
that is as expected and documented
root= isn't an export option - it's merely a modifier that says that from these clients a root user gets translated to root UID 0 on the Celerra instead of the default anon 64k UID
this is *different* from readonly - sure, it might "look" like readonly if you are using root and trying to write to a directory that doesn't have write permission for everyone, but it's not the same as readonly.
just do a chmod a+rwx on that dir and try again from your "readonly" clients and you'll see that it's really writeable by every client
here, in the absence of any export option, you are supposed to be able to mount and read/write from every host
if you are using *only* access= then there should be no mount access for any client not on the list
combining root= and rw= with the same address is kind of redundant - it should mean:
Read/write to read/write list, read-only to access list. Access is denied to all other hosts.
If you just want read/write to certain hosts I would recommend to *only* use access and root
Rainer
bhansen
54 Posts
0
April 6th, 2010 08:00
What I need is to set these so only a certain host or subset of hosts can mount these exports. Example of the ones listed, /ptnasdelhi_d: I only need the host at the listed IP to be able to access and r/w to the file system. I want no other host to be able to even mount it.
Brian Hansen
nandas
4 Operator
•
1.5K Posts
0
April 6th, 2010 08:00
The "Access Hosts" field in the NFS export property page determines which hosts can mount the NFS export. So put the same host (or list of hosts) on which you want the NFS export to be mounted in the "Access Host" field.
If you do not specify any host in the access host field - any host can mount it.
However, please do not use both Access and Read-only fields at the same time - use either one of them. The document Rainer referred to earlier has all the details.
My 2 cents
Sandip
Rainer_EMC
4 Operator
•
8.6K Posts
0
April 6th, 2010 08:00
so just put that host(s) into access= and root= and do not use any other options like rw= or ro=
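
An added example, not part of the thread or any EMC tool: a small auditor that applies the export rules as the replies above state them (no access list means anyone can mount read/write, root= only maps UID 0, an option over 2048 bytes may be ignored) to lines in the `export "/path" opt=...` form quoted in the thread. The space-separated options, the `:` host separator, measuring the option value for the length limit, and the function names are assumptions.

```python
import shlex

OPTION_LIMIT = 2048  # per-option byte limit quoted in the thread

def parse_export(line):
    # Format assumed from the thread's sample: export "/path" opt=h1:h2 opt=h3
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "export":
        raise ValueError("not an export line: %r" % line)
    opts = {}
    for tok in tokens[2:]:
        key, _, val = tok.partition("=")
        opts[key] = val
    return tokens[1], opts

def audit_export(line):
    path, opts = parse_export(line)
    findings, effective = [], {}
    for key, val in opts.items():
        # Bug described in the thread: an over-length option is dropped whole.
        if len(val.encode()) > OPTION_LIMIT:
            findings.append(key + "= exceeds 2048 bytes and may be ignored")
        else:
            effective[key] = val.split(":")  # ':' separator is an assumption
    restricting = [k for k in ("access", "rw", "ro") if k in effective]
    if not restricting:
        exposure, hosts = "open", []  # any host can mount read/write
        if "root" in effective:
            findings.append("root= only maps UID 0; it does not limit mounting")
    elif restricting == ["access"]:
        exposure, hosts = "restricted", effective["access"]
    elif restricting == ["access", "rw"]:
        exposure = "restricted"
        hosts = sorted(set(effective["access"] + effective["rw"]))
        findings.append("access= hosts outside rw= are read-only")
    else:
        exposure, hosts = "unmodeled", []
        findings.append("combination not covered here; check the manual's table")
    return {"path": path, "exposure": exposure,
            "mount_hosts": hosts, "findings": findings}

# Constructed sample lines; only the first appears in the thread.
SAMPLES = [
    'export "/ptnasdelhi_d" root=10.168.11.25',
    'export "/ptnasdelhi_d" access=10.168.11.25 root=10.168.11.25',
    'export "/example_fs" access=' + ":".join(["10.0.0.1"] * 300),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_export(sample))
```

Any export reported as "open", or carrying an over-length finding, is one to compare against what other hosts can actually mount.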