9 Legend

April 14th, 2007 05:00

Problem with NFS and read-only hosts

I had a requirement to export NFS to a host read-only. So I go into Celerra manager, find my NFS export and add this particular host to the "Read-Only Hosts" box. Fifteen minutes later my sysadmin runs up to me saying that this NFS export is now read-only for everybody, even for the hosts that are listed under "Root Hosts" and "Access hosts". So I ended up adding this host to "Root Hosts" and "Access hosts" and the sysadmin mounted the NFS read-only on that particular server. NFS is exported to DNS names. What am I doing wrong?

Thanks

4 Operator

April 15th, 2007 14:00

No, forget root= for a second - it DOES NOT give any NFS client access privileges. All it does is govern how root users are mapped if the hosts they are coming from already have access thru rw=, ro= or access=.

Here are the basics:

ro
Exports the path for all NFS clients as read-only.

ro=
Exports the path for specified NFS client(s) as read-only.

rw=
Exports the path as read/write for specified client(s). If no other options are specified, all clients will have read-only access.

access=
Provides default access for the specified client(s). Denies access to those NFS clients not given explicit access.

The combinations get more interesting:

ro= rw=
Read/write to read/write list, read-only to read-only list. Access is denied to all other hosts.

rw= access=
Read/write to read/write list, read-only to access list. Access is denied to all other hosts.

ro rw=
Read/write to the read/write list hosts. Read-only access to all other hosts.

ro rw= access=
Read-only to access list hosts, read/write to read/write list hosts. Access is denied to all other hosts.

So in your case I think the easiest solution is to use ro= and rw= and forget about access= altogether.

Unless you want non-mentioned clients to get read-only.

4 Operator

April 15th, 2007 05:00

What options did you use before adding the ro host?

Take a look at Configuring NFS Appendix A.

I think you got bitten by thinking access= would mean rw access. It doesn't - it provides "default" access to the hosts listed there, so when you start using ro= the default turns into ro :-)

Bottom line - you shouldn't use ro= and access= in the same export.

The differences are subtle but very visible - BTW root= itself doesn't give you "mount" privileges - it just controls the mapping of root users, so adding a host to root= alone normally is not enough.

9 Legend

April 15th, 2007 06:00

I have not exported NFS read-only before, so I figured I'd just pull up Celerra manager and add the new system DNS name to the "read-only" section. I see your point about using ro= and access= at the same time. Right now the combination of root= and access= provides read/write to my hosts; if access= is used by itself, does it provide read/write? So to properly export NFS where it can be mounted read/write by root users, yet allow me to add other systems read-only, I would use the "Read/Write hosts" box and "Root hosts" box in Celerra manager?

4 Operator

April 15th, 2007 14:00

Or look at it another way - the only reason access= is there is because the default rw= allows all non-mentioned hosts in clients to have read-only access (unless you also specify ro=).

Since most customers don't want this, the access= allows read-write to the clients but denies access to all other hosts. You could achieve the same thing with the combination of rw= and ro= but that's not really obvious.

Sorry - the way rw/ro works has been set by Sun almost 20 years ago when NFS was invented and it's not going to change due to compatibility reasons.

9 Legend

April 17th, 2007 12:00

take a look at Configuring NFS Appendix A

That helped. Thank you.
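
The export rules described in the replies above, written as a small resolver that also flags the pitfall from the original question (an added example, not part of any post in this thread and not EMC code). The comma/colon option-string syntax and the host names are constructed for illustration; combinations the thread does not describe return `unspecified`, and a host listed in both rw= and ro= is treated as rw by assumption.

```python
def parse_export(options):
    """Parse 'rw=a:b,ro=c,access=d,ro' (constructed syntax: commas between
    options, colons between hosts) into a dict of host sets."""
    exp = {"rw": None, "ro": None, "access": None, "root": None, "ro_all": False}
    for opt in filter(None, (o.strip() for o in options.split(","))):
        key, sep, val = opt.partition("=")
        if not sep and key == "ro":
            exp["ro_all"] = True            # bare "ro": read-only for everyone
        elif sep and key in ("rw", "ro", "access", "root"):
            exp[key] = set(filter(None, val.split(":")))
        else:
            raise ValueError(f"unsupported option: {opt!r}")
    return exp


def effective_access(options, host):
    """Return 'rw', 'ro', 'denied' or 'unspecified' for one client."""
    exp = parse_export(options)
    if host in (exp["rw"] or ()):
        return "rw"
    if host in (exp["ro"] or ()):
        return "ro"
    # root= is deliberately ignored: it maps root users, it grants no access.
    narrowed = exp["ro_all"] or exp["rw"] is not None or exp["ro"] is not None
    if exp["access"] is not None:
        if host not in exp["access"]:
            return "denied"
        return "ro" if narrowed else "rw"   # the "default" access turns into ro
    if exp["ro_all"] or (exp["rw"] is not None and exp["ro"] is None):
        return "ro"                         # "ro", "ro rw=" or "rw=" alone
    if exp["rw"] is not None and exp["ro"] is not None:
        return "denied"                     # "ro= rw=": everyone else is denied
    return "unspecified"                    # combination not covered in the thread


def downgraded_hosts(options):
    """Hosts in access= (and not in ro=) that still end up read-only."""
    exp = parse_export(options)
    explicit_ro = exp["ro"] or set()
    return sorted(h for h in (exp["access"] or set())
                  if h not in explicit_ro and effective_access(options, h) == "ro")


if __name__ == "__main__":
    before = "root=app1:app2,access=app1:app2,ro=report1"   # constructed hosts
    after = "root=app1:app2,rw=app1:app2,ro=report1"
    print(downgraded_hosts(before), downgraded_hosts(after))
```

Running `downgraded_hosts` over an export before adding a host to the read-only list shows which existing clients would silently lose write access.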
