2010-08-18 04:12 PM
Working with a new customer today and they are extremely security conscious. They would prefer to specify a non-root user instead of root in /etc/exports. I seem to recall we used to suggest changing this in ESX many many revs of TR-3428 ago but can no longer find it. Is it possible and if so how is it done ? If not is there a limitation where ESX must use root ?
2010-08-19 03:24 AM
From my experience root access is still required, but you allow only specific IP addresses of ESX servers to use it.
You may argue whether it is a security loophole, or not - at the end of the day ESX hosts need to write to NFS volumes, so giving them root access doesn't sound like a terribly bad thing.
2010-08-19 03:38 AM
Also at the same end of the day is that it should be an isolated and non-routable (hence more secure) network/VLAN.
Please pardon my BlackBerry thumbmanship ...
Stetson M. Webster
Professional Services Consultant
NCIE-SAN, NCIE-B&R, SCSN-E, VCP
NetApp Professional Services - East
Learn how: netapp.com/guarantee
2013-08-14 06:59 AM
As far as have seen. Root access is crucial in some cases. I've met problem on vSphere 5.x (Ess+) that without root access sometimes datastore keeps meta information of accessing hosts through takeover-giveback process so NFS share become RO. (File level RO, so i was able to create files and directories through datastore browser but as unable to write even one byte to files, without difference, newly created or existed before.)
After giving root access to share for hosts of ESX cluster - operation returned to normal.
So better give root access for ESX hosts, and better to write it in stone (/etc/exports).
And for sure - SAN network for vSphere cluster must be isolated VLAN, in optimal - unaccessible physically from outer networks. (Nothing for BlackBerry mr. Stetson - just healthy level of paranoia)
Regards, Ivan Ryabtsev (NCDA)