Subscribe

NFS export rule for Kickstart

I'm trying to migrate our CentOS Kickstart environment from a Solaris server to a NetApp FAS 2040 running ONTAP 7.3.2, but am not having much luck.  Specifically, I'm getting stuck on finding the /etc/exports rule that is needed to allow anonymous read-only access from any client and to allow read/write access from a specific group of clients (a netgroup) for the /vol/public volume (which contains the Kickstart configuration file).  I've tried a couple of different combinations so far:

/vol/public    -sec=none,ro,nosuid

The outcome of this is that a Kickstart works, but the files cannot be edited (as expected).

/vol/public    -sec=sys,rw=@nfs-all-rw,nosuid

The outcome of this is that systems in nfs-all-rw can edit the files, but a Kickstart does not work.  Note that even for systems in nfs-all-rw, a Kickstart results in permission denied (not expected).  Systems not in nfs-all-rw also fail to Kickstart (as expected).

/vol/public    -sec=sys,rw=@nfs-all-rw,nosuid,sec=none,ro,nosuid

This was an attempt to combine the two rules.  As I understood from man na_exports, if multiple security flavors are  specified then that security flavor is used for all following options  until the next security flavor is specified.  The Kickstart environment gives pretty lousy debugging information (it just says permission denied), but a packet capture of the session shows that the NFS export gets mounted on the client, but then the NetApp filer denies access to the file (130.127.48.95 is a member of nfs-all-rw, 130.127.48.251 is the NetApp filer):

  0.000000 130.127.48.95 -> 130.127.48.251 TCP 36963 > sunrpc [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=1606691 TSER=0 WS=7
  0.000049 130.127.48.251 -> 130.127.48.95 TCP sunrpc > 36963 [SYN, ACK] Seq=0 Ack=1 Win=8760 Len=0 MSS=1460 WS=0 TSV=1948604 TSER=1606691
  0.000097 130.127.48.95 -> 130.127.48.251 TCP 36963 > sunrpc [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=1606691 TSER=1948604
  0.000147 130.127.48.95 -> 130.127.48.251 Portmap V2 DUMP Call
  0.000247 130.127.48.251 -> 130.127.48.95 Portmap V2 DUMP Reply (Call In 4)
  0.000296 130.127.48.95 -> 130.127.48.251 TCP 36963 > sunrpc [ACK] Seq=45 Ack=553 Win=7040 Len=0 TSV=1606692 TSER=1948604
  0.000302 130.127.48.95 -> 130.127.48.251 TCP 36963 > sunrpc [FIN, ACK] Seq=45 Ack=553 Win=7040 Len=0 TSV=1606692 TSER=1948604
  0.000307 130.127.48.251 -> 130.127.48.95 TCP sunrpc > 36963 [ACK] Seq=553 Ack=46 Win=8760 Len=0 TSV=1948604 TSER=1606692
  0.000344 130.127.48.95 -> 130.127.48.251 MOUNT V3 MNT Call /vol/public/kickstart/config
  0.000347 130.127.48.251 -> 130.127.48.95 TCP sunrpc > 36963 [FIN, ACK] Seq=553 Ack=46 Win=8760 Len=0 TSV=1948604 TSER=1606692
  0.000396 130.127.48.95 -> 130.127.48.251 TCP 36963 > sunrpc [ACK] Seq=46 Ack=554 Win=7040 Len=0 TSV=1606692 TSER=1948604
  0.000546 130.127.48.251 -> 130.127.48.95 MOUNT V3 MNT Reply (Call In 9)
  0.000646 130.127.48.95 -> 130.127.48.251 Portmap V2 GETPORT Call NFS(100003) V:3 UDP
  0.000651 130.127.48.251 -> 130.127.48.95 Portmap V2 GETPORT Reply (Call In 13) Port:2049
  0.000845 130.127.48.95 -> 130.127.48.251 NFS V3 NULL Call
  0.000851 130.127.48.251 -> 130.127.48.95 NFS V3 NULL Reply (Call In 15)
  0.000945 130.127.48.95 -> 130.127.48.251 NFSACL V3 NULL Call
  0.000951 130.127.48.251 -> 130.127.48.95 NFSACL V3 NULL Reply (Call In 17)
  0.001045 130.127.48.95 -> 130.127.48.251 NFS V3 FSINFO Call, FH:0x397d4ea8
  0.001095 130.127.48.251 -> 130.127.48.95 NFS V3 FSINFO Reply (Call In 19)
  0.001145 130.127.48.95 -> 130.127.48.251 NFS V3 FSINFO Call, FH:0x397d4ea8
  0.001245 130.127.48.251 -> 130.127.48.95 NFS V3 FSINFO Reply (Call In 21)
  0.001295 130.127.48.95 -> 130.127.48.251 NFS V3 ACCESS Call, FH:0x397d4ea8
  0.001345 130.127.48.251 -> 130.127.48.95 NFS V3 ACCESS Reply (Call In 23) Error:NFS3ERR_ACCES

This boggles me, since permissions on the file are 664 and permissions on all directories leading up to the file are 775.  Any idea what could be wrong?

For what it's worth, the Solaris NFS server that we're trying to migrate away from uses sec=sys,ro as NFS export options.  Obviously that doesn't allow us to modify the files over NFS, so we just edit the files on the Solaris system itself; unfortunately we don't have that capability with the files stored on a NetApp filer.

Re: NFS export rule for Kickstart

rw=@nfs-all-rw,nosuid exports to specified group only; all other clients are denied access.

Have you tried ro,rw=@nfs-all-rw,nosuid - effectively giving default read-only to everyone else?

Re: NFS export rule for Kickstart

Sometimes you just need a second pair of eyes.  That does in fact work, although sec=sys,ro is a little bit less secure than sec=anon,ro.  I don't think it will matter in this case since we're not dealing with sensitive data.  Thanks!  (And sorry for the long delay in responding).