Microsoft Virtualization Discussions

Add NFS export permissions

james_willing
7,052 Views

Hi,

Can anyone tell me if I am doing something wrong?

I am trying to add some more IPs to root & Read-write access on the NFS export (For a VMware datastore).

The command I am using is

Set-NaNfsExport -Path /vol/my_test -ReadWrite "192.168.0.1" -Root "192.168.0.1" -persistent -Controller (Connect-NaController -name mynetapp -Transient)

And every time it overwrites the values in the ReadWrite and Root; it never appends or adds to the list.

Is there any way to do this?

Or am I just doing it wrong?

1 ACCEPTED SOLUTION

timothyn
7,052 Views

Unfortunately, Set-NaNfsExport will replace the permissions, and there is nothing to add permissions built in to the toolkit. It's also not trivial because the input to Set-NaNfsExport & Add-NaNfsExport can't handle all of the permutations that Get-NaNfsExport can return (allow vs. deny, sys vs. user, multiple levels, etc). But if you are creating all of your NFS exports with PowerShell (or you are using very simple one-rule exports) then we can get pretty close.

*WARNING* this example could break existing exports if they are not configured by the toolkit.

Here's a very ugly function that will get the rules in a format that can be used by Set-NaNfsExport and eliminate rules that are not compatible:

#Expects the NFS Export info returned by Get-NaNfsExport
#Returns output that can be passed directly to Set-NaNfsExport
function getSimpleNfsExport ($export) {
    $exportParams = @{
        Path = $export.Pathname;
        ActualPath = $export.ActualPathname;
        Persistent = $false;
        ReadOnly = @($export.SecurityRules[0].ReadOnly |  ?{$_} |
                    % { if ($_.AllHosts) {"all-hosts"} else {$_.Name} });
        ReadWrite = @($export.SecurityRules[0].ReadWrite |  ?{$_} |
                    % { if ($_.AllHosts) {"all-hosts"} else {$_.Name} });
        Root = @($export.SecurityRules[0].Root | ?{$_} |
                    % { if ($_.AllHosts) {"all-hosts"} else {$_.Name} });
        NoSuid = $export.SecurityRules[0].NoSuid -eq $true;
        Anon = $export.SecurityRules[0].Anon;
        SecurityFlavors = $export.SecurityRules[0].SecFlavor[0].Flavor;
    }
    return $exportParams
}

Once you have that loaded or in your script you can do something like this:

PS C:\> $params = getSimpleNfsExport (Get-NaNfsExport /vol/testvol)

PS C:\> $params.ReadOnly += "10.61.169.80"

PS C:\> Set-NaNfsExport @params

PS C:\> getSimpleNfsExport (Get-NaNfsExport /vol/testvol)

Name                           Value                                                                                                    
----                           -----                                                                                                    
ReadWrite                      {all-hosts}                                                                                              
ReadOnly                       {10.61.169.3, 10.16.169.4, 10.61.169.80}                                                                               
Path                           /vol/testvol                                                                                             
NoSuid                         False                                                                                                    
Anon                                                                                                                                    
Persistent                     False                                                                                                    
ActualPath                                                                                                                              
Root                           {10.61.169.76}                                                                                           
SecurityFlavors                sys 
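
An added example, not part of timothyn's post or the toolkit: the same read-modify-write, but refusing exports the flattened form cannot represent (the case the warning above is about) and adding hosts to ReadWrite and Root without duplicates. `Merge-NfsExportHosts` and the sample object are hypothetical; the property names are the ones the function above reads.

```powershell
# Added example. Merge-NfsExportHosts is a hypothetical helper, not a toolkit cmdlet.
function Merge-NfsExportHosts {
    param(
        [Parameter(Mandatory=$true)] $Export,  # shaped like Get-NaNfsExport output
        [string[]] $ReadWrite = @(),
        [string[]] $Root = @(),
        [switch] $Persistent
    )
    # Set-NaNfsExport replaces the whole rule set, so anything beyond one rule
    # with one flavor would be dropped on write-back. Refuse instead.
    if (@($Export.SecurityRules).Count -ne 1) {
        throw "$($Export.Pathname): expected exactly one security rule"
    }
    $rule = $Export.SecurityRules[0]
    if (@($rule.SecFlavor).Count -ne 1) {
        throw "$($Export.Pathname): expected exactly one security flavor"
    }
    # Turn host entries into the strings Set-NaNfsExport accepts.
    $flatten = { param($hosts) @($hosts | Where-Object { $_ } |
        ForEach-Object { if ($_.AllHosts) { 'all-hosts' } else { $_.Name } }) }
    $rw = @((& $flatten $rule.ReadWrite) + $ReadWrite | Select-Object -Unique)
    $rt = @((& $flatten $rule.Root) + $Root | Select-Object -Unique)
    if ($rt -contains 'all-hosts') {
        Write-Warning "$($Export.Pathname): Root already lists all-hosts"
    }
    return @{
        Path = $Export.Pathname; ActualPath = $Export.ActualPathname
        Persistent = [bool]$Persistent
        ReadOnly = @(& $flatten $rule.ReadOnly); ReadWrite = $rw; Root = $rt
        NoSuid = $rule.NoSuid -eq $true; Anon = $rule.Anon
        SecurityFlavors = $rule.SecFlavor[0].Flavor
    }
}

# Constructed sample in the shape the function reads; not real controller output.
$sample = [pscustomobject]@{
    Pathname = '/vol/my_test'; ActualPathname = $null
    SecurityRules = @([pscustomobject]@{
        ReadOnly = @(); NoSuid = $false; Anon = $null
        ReadWrite = @([pscustomobject]@{ AllHosts = $false; Name = '192.168.0.1' })
        Root = @([pscustomobject]@{ AllHosts = $false; Name = '192.168.0.1' })
        SecFlavor = @([pscustomobject]@{ Flavor = 'sys' })
    })
}
$params = Merge-NfsExportHosts -Export $sample -ReadWrite '192.168.0.2' -Root '192.168.0.2'
$params.ReadWrite; $params.Root   # review the merged lists before writing back
# Against a live controller: Set-NaNfsExport @params
```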

james_willing
7,052 Views

Thanks for that. Is there any plan to make the Set-NaNfsExport any more friendly?

As it would be a really great feature if you could add security rules using PowerShell, without overwriting the current settings.

It would work really well with ESX configuration scripts, being able to add new hosts to the NFS share and then mount it as part of a scripted setup.

skiser
7,052 Views

I updated my volume creation script.  It has an NFS export function in it.  Check it out at https://communities.netapp.com/docs/DOC-23751
