
Does ESX over NFS require root access in the exports file?

Working with a new customer today, and they are extremely security conscious. They would prefer to specify a non-root user instead of root in /etc/exports. I seem to recall we used to suggest changing this in ESX many, many revs of TR-3428 ago, but I can no longer find it. Is it possible, and if so, how is it done? If not, is there a limitation where ESX must use root?

Thanks,

Bill

Re: Does ESX over NFS require root access in the exports file?

Hi,

In my experience, root access is still required, but you allow only the specific IP addresses of the ESX servers to use it.

You may argue whether it is a security loophole or not; at the end of the day, ESX hosts need to write to NFS volumes, so giving them root access doesn't sound like a terribly bad thing.

Regards,
Radek
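
A way to see what an export line of that shape actually grants, as an added example that is not part of this thread and not NetApp code: the Python model below parses a Data ONTAP 7-Mode style /etc/exports line (host lists as IP addresses or CIDR blocks only; hostnames and netgroups are not handled) and evaluates, for a given client and uid, the access it would get and whether a root request keeps uid 0 or is squashed to the anon uid. The volume path, export lines and addresses are constructed for the example. On the filer itself, `exportfs -c <client> <path> root` answers the same question for a real export.

```python
"""Model of how a Data ONTAP 7-Mode style /etc/exports line grants access.

Added example for the thread above; not NetApp code. Simplifications: host
lists are IP addresses or CIDR blocks only (no hostnames or netgroups), a
negated entry (-host) excludes that host, and a bare rw/ro/root keyword
means "all clients".
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DEFAULT_ANON = 65534  # default anon uid: a squashed root request runs as this


@dataclass
class ExportRule:
    path: str
    sec: str = "sys"
    rw: list = field(default_factory=list)
    rw_all: bool = False
    ro: list = field(default_factory=list)
    ro_all: bool = False
    root: list = field(default_factory=list)
    root_all: bool = False
    anon: int = DEFAULT_ANON


def _parse_hosts(spec: str) -> list:
    """Colon-separated host list -> [(negated, ip_network), ...]."""
    entries = []
    for tok in spec.split(":"):
        if not tok:
            continue
        negated = tok.startswith("-")
        entries.append((negated, ipaddress.ip_network(tok.lstrip("-"), strict=False)))
    return entries


def parse_export_line(line: str) -> ExportRule:
    """Parse '/vol/x -sec=sys,rw=a:b,root=a:b,anon=65534' into an ExportRule."""
    parts = line.split(None, 1)
    rule = ExportRule(path=parts[0])
    opts = parts[1].lstrip("-") if len(parts) > 1 else ""
    for opt in filter(None, opts.split(",")):
        key, has_value, value = opt.partition("=")
        if key == "sec":
            rule.sec = value
        elif key == "anon":
            rule.anon = int(value)
        elif key in ("rw", "ro", "root"):
            if has_value:
                setattr(rule, key, _parse_hosts(value))
            else:
                setattr(rule, key + "_all", True)  # bare keyword: every client
        else:
            raise ValueError(f"unsupported export option: {opt}")
    return rule


def _matches(ip, entries) -> bool:
    """A negated entry wins over a positive one; no entry means no match."""
    hit = False
    for negated, net in entries:
        if ip in net:
            if negated:
                return False
            hit = True
    return hit


def evaluate(rule: ExportRule, client: str, uid: int) -> Tuple[str, Optional[int]]:
    """Return (access, effective_uid) for a request from `client` as `uid`."""
    ip = ipaddress.ip_address(client)
    if rule.rw_all or _matches(ip, rule.rw):
        access = "rw"
    elif rule.ro_all or _matches(ip, rule.ro):
        access = "ro"
    else:
        return ("none", None)
    # Root squash: uid 0 stays uid 0 only for clients listed in root=.
    if uid == 0 and not (rule.root_all or _matches(ip, rule.root)):
        uid = rule.anon
    return (access, uid)


def audit_for_esx(line: str, esx_hosts: List[str]) -> List[str]:
    """Problems with an export meant for an ESX cluster: each VMkernel address
    must get rw and keep uid 0, and root must not be handed to everyone."""
    rule = parse_export_line(line)
    problems = []
    if rule.root_all:
        problems.append("root= is unrestricted: every client keeps uid 0")
    if rule.anon == 0:
        problems.append("anon=0: squashed root still becomes uid 0 on every client")
    for host in esx_hosts:
        access, uid = evaluate(rule, host, 0)
        if access != "rw" or uid != 0:
            problems.append(f"{host}: access={access}, effective uid={uid}")
    return problems


# Constructed sample lines and addresses (not from the thread).
ESX_HOSTS = ["192.168.10.11", "192.168.10.12"]
HARDENED = "/vol/vmware_nfs -sec=sys,rw=192.168.10.11:192.168.10.12,root=192.168.10.11:192.168.10.12"
TOO_BROAD = "/vol/vmware_nfs -sec=sys,rw,anon=0"
SUBNET_NO_ROOT = "/vol/vmware_nfs -sec=sys,rw=192.168.10.0/24"

if __name__ == "__main__":
    for name, line in [("hardened", HARDENED), ("too broad", TOO_BROAD), ("subnet, no root=", SUBNET_NO_ROOT)]:
        print(name, audit_for_esx(line, ESX_HOSTS) or "ok")
```

The `HARDENED` line is the shape Radek describes: only the two VMkernel addresses are in `rw=` and `root=`, so any other client gets no access at all and there is no uid-0 path from elsewhere. `TOO_BROAD` shows the opposite pattern, where `anon=0` hands root to every client even though `root=` is never set, and `SUBNET_NO_ROOT` shows why ESX needs the `root=` entry: the hosts can mount and write, but a uid-0 request is squashed to 65534.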

Re: Does ESX over NFS require root access in the exports file?

Also, at the same end of the day, it should be on an isolated and non-routable (hence more secure) network/VLAN.

Please pardon my BlackBerry thumbmanship ...

Stetson M. Webster

Professional Services Consultant

NCIE-SAN, NCIE-B&R, SCSN-E, VCP

NetApp Professional Services - East

919.250.0052 Mobile

Stetson.Webster@netapp.com

Learn how: netapp.com/guarantee

Re: Does ESX over NFS require root access in the exports file?

As far as I have seen, root access is crucial in some cases. I've met a problem on vSphere 5.x (Ess+) where, without root access, the datastore sometimes keeps meta information of the accessing hosts through the takeover-giveback process, so the NFS share becomes RO. (File-level RO: I was able to create files and directories through the datastore browser but was unable to write even one byte to files, regardless of whether they were newly created or existed before.)

After giving root access to the share for the hosts of the ESX cluster, operation returned to normal.

So it is better to give root access to the ESX hosts, and better to write it in stone (/etc/exports).

And for sure, the SAN network for a vSphere cluster must be an isolated VLAN, optimally physically inaccessible from outer networks. (Nothing against BlackBerry, Mr. Stetson, just a healthy level of paranoia.)

Regards, Ivan Ryabtsev (NCDA)