how to set NFS RO or RW to NULL with nfs-exportfs-modify-rule-2; all-hosts = false?

chris_algar · ‎2018-02-01

I am using to manage the NFS export permissions on 7-mode filers, mostly 8.2.x from a perl client.

To do this we include NaElements of type "export-hostsname-info" with a string of 'all-hosts' => 'true', or "name" => "hostname or netgroup".

In code this looks like:

for my $host (@{$args{read_only}}) {

my $read_only_host = NetAppApi::NaElement->new("exports-hostname-info");

if ($host eq 'all-hosts') {

$read_only_host->child_add_string("all-hosts", 'true');

} else {

$read_only_host->child_add_string("name", $host);

}

$read_only_rule->child_add($read_only_host);

}

This works well for setting a new value for root=, rw= and ro=, unless I want to undefine root, rw or ro. For example, I have a requirement to make an export RO for a data migration. That is to change this:

/vol/myvol/myqtree -sec=sys,ro=fpolicy,rw,root=fpolicy,anon=6001

to:

/vol/myvol/myqtree -sec=sys,ro,root=fpolicy,anon=6001

updating RO to 'all-hosts' => 'true' is simple. But what do I use to remove the existing rw? all-hosts is descibed as a boolean, but sending 'all-hosts' => 'false' raises an error.

The current read-write returned by fetching the security rule-info-2 for the export shows this for read-write:

bless( {
'content' => '',
'name' => 'read-write',
'children' => [
bless( {
'content' => '',
'name' => 'exports-hostname-info',
'children' => [
bless( {
'content' => 'true',
'name' => 'all-hosts',
'children' => [],
'attrvals' => [],
'attrkeys' => []
}, 'NetAppApi::NaElement' )
],

But if I send this as an update I get an error:

bless( {
'content' => '',
'name' => 'read-write',
'children' => [
bless( {
'content' => '',
'name' => 'exports-hostname-info',
'children' => [
bless( {
'content' => 'false',
'name' => 'all-hosts',
'children' => [],
'attrvals' => [],
'attrkeys' => []
}, 'NetAppApi::NaElement' )
],

Debug: Response $VAR1 = bless( {
'content' => '',
'name' => 'results',
'children' => [],
'attrvals' => [
'failed',
'13114',
'Error no valid name found with exports-hostname-info. '
],

which in my code would be something like:

} elsif ($host eq 'no-hosts') {

$read_write_host->child_add_string("all-hosts", 'false')

I have confirmed that setting read-write => 'somethingthatdoesnotexit' is a workaround for my RO use case, but it results in an export entry of:

/vol/myvol/myqtree -sec=sys,ro,rw=somethingthatdoesnotexit,root=fpolicy,anon=6001

rather than the format that I would like:

/vol/myvol/myqtree -sec=sys,ro,root=fpolicy,anon=6001

(and introduces an issue if someone ever made ahost of that name!).

any advice on how to remove rw,ro or root with this method?

Thanks,

Chris

mpittman · ‎2018-02-23

Perform a modify without the "read-write" element to remove it from the existing entry like below.

<?xml version="1.0" encoding="UTF-8"?>
<netapp  xmlns="http://www.netapp.com/filer/admin" version="1.31">
  <nfs-exportfs-modify-rule-2>
    <persistent>true</persistent>
    <rule>
      <exports-rule-info-2>
        <pathname>/vol/myvol/myqtree</pathname>
        <security-rules>
          <security-rule-info>
            <anon>6001</anon>
            <read-only>
              <exports-hostname-info>
                <all-hosts>true</all-hosts>
              </exports-hostname-info>
            </read-only>
            <root>
              <exports-hostname-info>
                <name>fpolicy</name>
              </exports-hostname-info>
            </root>
            <sec-flavor>
              <sec-flavor-info>
                <flavor>sys</flavor>
              </sec-flavor-info>
            </sec-flavor>
          </security-rule-info>
        </security-rules>
      </exports-rule-info-2>
    </rule>
  </nfs-exportfs-modify-rule-2>
</netapp>

Before:

/vol/myvol/myqtree -sec=sys,ro=fpolicy,rw,root=fpolicy,anon=6001

After:

/vol/myvol/myqtree -sec=sys,ro,root=fpolicy,anon=6001

chris_algar · ‎2018-03-01

I found that this only works if I am specifying a RO component in the same update. I my use case I am attempting to undef rw and then set ro in sequential calls.

setting rw=’undef’ (or calling nfs-exportfs-modify-rule-2 with no rw component) does not work if read-only=’undef’, even though the API call returns success (which is not good, a bug?).It returns sucess but leave the rw export to all-hosts.

In my example the export does not have ro defined at all.

I also cannot set read-only = ‘all-hosts’ first, I get a reasonable error.

Unable to update nfs_export /vol/nyn197f2v2/cda_test246,

Both 'read-write' and 'read-only' have 'all-hosts' true.

so I can set ro to a temporary value of a host that does not exist, set rw to undef, then set ro to all-hosts in separate calls.

$nfs_export = $nfs_export->set_read_only(['unicorns']); # does not exist

$nfs_export = $nfs_export->set_read_write(); # does this drop clients?

$nfs_export = $nfs_export->set_read_only(['all-hosts']); # all read-only now

I could hide the temp host and all-hosts in my API by substituting on 'undef' and '*'. Or I will have to modify my API to handle these as a single call.

I'm not a fan of returing sucess when a default was applied rather than the instruction in the ReST call.

mpittman · ‎2018-03-04

Modifying your API to make a single call sounds like the best approach.