Network and Storage Protocols

Export deny mount

TimJMcCuen
3,968 Views

I have 2 Unix servers I am testing with.   I created a volume and changed the default export to only allow the IP address for Server 1.   The junction path for the volume points to the default export policy.   I can mount the volume from Server 1 as I would expect.    The problem is I can also mount the volume on server 2.   I did not include the IP address for server 2 so I am puzzled as to why I am able to run   showmount -e <IP of Data LIF> and see the volume on Server 2?

 

What did I do wrong?   I want to make sure server 2 can not mount this volume.   Thanks.

1 ACCEPTED SOLUTION

pedro_rocha
3,896 Views

Hi!

 

I dig a little deeper and you cannot restrict what showmount will show based on an export policy. And this is not something with ONTAP. It's with NFS servers in general.

 

You can see though that the output, at least, does not show who has permissions (it states "everyone", even though that is not the case). So once permissions are fine, you'll be fine.

 

If your applications do not require showmout to work, I suggest disabling it: 

 

cluster ::> nfs server modify -vserver NFS83 -showmount <enabled/disabled>

 

Otherwise you may try with the security/network team to implement something on their side, but I don't know what can be done specifically.

 

This community post has other suggestions: https://community.netapp.com/t5/Network-and-Storage-Protocols/Hide-NFS-exports/td-p/13777

 

Regards,

Pedro

View solution in original post

6 REPLIES 6

pedro_rocha
3,959 Views

Hi!

 

Did you check the access rules with the below command?

 

vserver export-policy check-access -vserver VSERVERX -client-ip SERVER1/2 -volume VOLX -authentication-method sys -protocol nfs3 -access-type read-write

TimJMcCuen
3,949 Views

I will check that in the morning thanks.   

TimJMcCuen
3,900 Views

Pedro,

 

I ran the command vserver export-policy check-access -vserver VSERVERX -client-ip SERVER1/2 -volume VOLX -authentication-method sys -protocol nfs3 -access-type read-write    using the IP address for server 1 and under access I read read-write as expected.

 

On server 1 i can create a test folder and file on the NetApp volume folder and touch a test file - all good.

 

I ran the same command for Server 2 the one not listed in the export policy  and under access I got denied which is good.

On server 2 I can't create test file on the NetApp volume - all good

 

My question though is why if the server ip address for server 2 is not in the applied export policy why then can still do a showmount -e <NetApp LIF> and I can see all the NetApp volumes under/in that LIF?

Only the IP address for Server 1 is listed in the applied export policy

 

pedro_rocha
3,897 Views

Hi!

 

I dig a little deeper and you cannot restrict what showmount will show based on an export policy. And this is not something with ONTAP. It's with NFS servers in general.

 

You can see though that the output, at least, does not show who has permissions (it states "everyone", even though that is not the case). So once permissions are fine, you'll be fine.

 

If your applications do not require showmout to work, I suggest disabling it: 

 

cluster ::> nfs server modify -vserver NFS83 -showmount <enabled/disabled>

 

Otherwise you may try with the security/network team to implement something on their side, but I don't know what can be done specifically.

 

This community post has other suggestions: https://community.netapp.com/t5/Network-and-Storage-Protocols/Hide-NFS-exports/td-p/13777

 

Regards,

Pedro

TimJMcCuen
3,894 Views

Thank you for your help

TimJMcCuen
3,900 Views

My Unix servers are running RH Linux release 7.9 if that helps?

 

I am just concerned that perhaps other servers will the see the export of these volumes.....it is true a server would need to know the IP of a data lif in order to try and mount and mount a volume    and It is also true without permissions they will not be do anything with these volumes.   I would rather only the server or servers I list in an applied export policy be allowed to see volumes on a LIF.    Thanks.

Public