ONTAP Discussions

SVM Root Volume Default Export Policy

TAO1

Hi,

For SMB and NFS clients, does the 'default' policy that is associated with the SVM root volume have to have an open rule as per the documentation? https://docs.netapp.com/us-en/ontap/nfs-config/open-export-policy-svm-root-volume-task.html

When a new SVM is created, a default export policy (called default) is created automatically for the root volume of the SVM. You must create one or more rules for the default export policy before clients can access data on the SVM.

You should verify that access is open to all NFS clients in the default export policy, and later restrict access to individual volumes by creating custom export policies for individual volumes or qtrees.

I have some NFS exports mounted and seemingly functional at the moment with rules applied at the volume level, but without the open default rule. There don't seem to be any implications at the moment; however, I'm concerned about deviating from the documentation. Or is the documentation incorrect?

Thanks


Ontapforrum

It's a very good question. I think the logic here is that having the 'default' export-policy rule 'open' to all allows reading and traversing through the 'root' /junction, which is the gateway for any volumes (data) accessed.

The following rule will prevent writing to the root volume but allow reading and traversing through the junction:
clientmatch 0.0.0.0/0
RO Access Rule: none
RW Access Rule: never

TAO1

Thanks.

I read the documentation and understood the principle of the root volume default ('open') rule, similar to how you've outlined it above; however, given my scenario at the moment, there is no default rule and the exports seem to be functioning fine against the rules applied at the data volume level.

How does that work, unless the documentation is incorrect?

Ontapforrum

I think the answer seems to be in the text that says 'Alternatively, you can create a custom export policy with rules. You can modify and rename the default export policy, but you cannot delete the default export policy.' You can use the default export policy for all volumes contained in the SVM, or you can create a unique export policy for each volume. You can associate multiple volumes with the same export policy.

https://docs.netapp.com/us-en/ontap/nfs-admin/default-export-policy-svms-concept.html#:~:text=When%20you%20create%20an%20SVM%2C%20the%20storage%20syst....

TAO1

...but the excerpt that I quoted above seems to state that you do need a rule in the default policy:

You must create one or more rules for the default export policy before clients can access data on the SVM.

You should verify that access is open to all NFS clients in the default export policy, and later restrict access to individual volumes by creating custom export policies for individual volumes or qtrees.
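One way to see which export policy and rule the cluster applies along the path to a data volume, including the SVM root volume discussed in this thread. This is an added example, not part of the original posts or of the NetApp documentation they quote; the cluster prompt cluster1, the SVM vs1, the volume vol_data and the client address 192.0.2.10 are placeholder assumptions.

```text
# Added example. cluster1, vs1, vol_data and 192.0.2.10 are placeholders;
# lines starting with '#' are annotations, not commands.

# 1. List the rules currently present in the SVM's 'default' export policy.
cluster1::> vserver export-policy rule show -vserver vs1 -policyname default

# 2. Show which export policy each volume (root volume included) is assigned
#    and where it is mounted in the namespace.
cluster1::> volume show -vserver vs1 -fields policy,junction-path

# 3. Ask ONTAP to evaluate read access for one NFSv3 client to a data volume.
cluster1::> vserver export-policy check-access -vserver vs1 -volume vol_data -client-ip 192.0.2.10 -authentication-method sys -protocol nfs3 -access-type read
```

The check-access command reports, for each component of the junction path starting at /, the policy and rule index that decided access, so it shows whether the root volume's policy or the data volume's policy is the one granting or denying a given client.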
