Network and Storage Protocols

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Network and Storage Protocols

Ask a Question

Export deny mount

TimJMcCuen
‎2021-10-28 11:40 AM
2,999 Views

I have 2 Unix servers I am testing with.   I created a volume and changed the default export to only allow the IP address for Server 1.   The junction path for the volume points to the default export policy.   I can mount the volume from Server 1 as I would expect.    The problem is I can also mount the volume on server 2.   I did not include the IP address for server 2 so I am puzzled as to why I am able to run   showmount -e <IP of Data LIF> and see the volume on Server 2?

 

What did I do wrong?   I want to make sure server 2 can not mount this volume.   Thanks.

0 Kudos
1 ACCEPTED SOLUTION

pedro_rocha
‎2021-10-29 07:33 AM
In response to TimJMcCuen
2,927 Views

Hi!

 

I dig a little deeper and you cannot restrict what showmount will show based on an export policy. And this is not something with ONTAP. It's with NFS servers in general.

 

You can see though that the output, at least, does not show who has permissions (it states "everyone", even though that is not the case). So once permissions are fine, you'll be fine.

 

If your applications do not require showmout to work, I suggest disabling it: 

 

cluster ::> nfs server modify -vserver NFS83 -showmount <enabled/disabled>

 

Otherwise you may try with the security/network team to implement something on their side, but I don't know what can be done specifically.

 

This community post has other suggestions: https://community.netapp.com/t5/Network-and-Storage-Protocols/Hide-NFS-exports/td-p/13777

 

Regards,

Pedro

View solution in original post

6 REPLIES 6

pedro_rocha
‎2021-10-28 12:30 PM
2,990 Views

Hi!

 

Did you check the access rules with the below command?

 

vserver export-policy check-access -vserver VSERVERX -client-ip SERVER1/2 -volume VOLX -authentication-method sys -protocol nfs3 -access-type read-write

0 Kudos

TimJMcCuen
‎2021-10-28 01:24 PM
2,980 Views

I will check that in the morning thanks.   

0 Kudos

TimJMcCuen
‎2021-10-29 06:24 AM
2,931 Views

Pedro,

 

I ran the command vserver export-policy check-access -vserver VSERVERX -client-ip SERVER1/2 -volume VOLX -authentication-method sys -protocol nfs3 -access-type read-write    using the IP address for server 1 and under access I read read-write as expected.

 

On server 1 i can create a test folder and file on the NetApp volume folder and touch a test file - all good.

 

I ran the same command for Server 2 the one not listed in the export policy  and under access I got denied which is good.

On server 2 I can't create test file on the NetApp volume - all good

 

My question though is why if the server ip address for server 2 is not in the applied export policy why then can still do a showmount -e <NetApp LIF> and I can see all the NetApp volumes under/in that LIF?

Only the IP address for Server 1 is listed in the applied export policy

 

0 Kudos

pedro_rocha
‎2021-10-29 07:33 AM
In response to TimJMcCuen
2,928 Views

Hi!

 

I dig a little deeper and you cannot restrict what showmount will show based on an export policy. And this is not something with ONTAP. It's with NFS servers in general.

 

You can see though that the output, at least, does not show who has permissions (it states "everyone", even though that is not the case). So once permissions are fine, you'll be fine.

 

If your applications do not require showmout to work, I suggest disabling it: 

 

cluster ::> nfs server modify -vserver NFS83 -showmount <enabled/disabled>

 

Otherwise you may try with the security/network team to implement something on their side, but I don't know what can be done specifically.

 

This community post has other suggestions: https://community.netapp.com/t5/Network-and-Storage-Protocols/Hide-NFS-exports/td-p/13777

 

Regards,

Pedro

TimJMcCuen
‎2021-10-29 07:42 AM
In response to pedro_rocha
2,925 Views

Thank you for your help

0 Kudos

TimJMcCuen
‎2021-10-29 06:29 AM
2,931 Views

My Unix servers are running RH Linux release 7.9 if that helps?

 

I am just concerned that perhaps other servers will the see the export of these volumes.....it is true a server would need to know the IP of a data lif in order to try and mount and mount a volume    and It is also true without permissions they will not be do anything with these volumes.   I would rather only the server or servers I list in an applied export policy be allowed to see volumes on a LIF.    Thanks.

0 Kudos
All Community Forums
Public