VMware Solutions Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

VMware Solutions Discussions

Ask a Question

Does ESX over NFS require root access in the exports file ?

nollman
NetApp
‎2010-08-18 04:12 PM
3,391 Views

Working with a new customer today and they are extremely security conscious. They would prefer to specify a non-root user instead of root in /etc/exports. I seem to recall we used to suggest changing this in ESX many many revs of TR-3428 ago but can no longer find it. Is it possible and if so how is it done ? If not is there a limitation where ESX must use root ?

Thanks,

Bill

0 Kudos
3 REPLIES 3

radek_kubka
‎2010-08-19 03:24 AM
3,391 Views

Hi,

From my experience root access is still required, but you allow only specific IP addresses of ESX servers to use it.

You may argue whether it is a security loophole, or not - at the end of the day ESX hosts need to write to NFS volumes, so giving them root access doesn't sound like a terribly bad thing.

Regards,
Radek

0 Kudos

stetson
NetApp
‎2010-08-19 03:38 AM
In response to radek_kubka
3,391 Views

Also at the same end of the day is that it should be an isolated and non-routable (hence more secure) network/VLAN.

Please pardon my BlackBerry thumbmanship ...

Stetson M. Webster

Professional Services Consultant

NCIE-SAN, NCIE-B&R, SCSN-E, VCP

NetApp Professional Services - East

919.250.0052 Mobile

Stetson.Webster@netapp.com

Learn how: netapp.com/guarantee

RYABTSEV_IVAN
‎2013-08-14 06:59 AM
3,391 Views

As far as have seen. Root access is crucial in some cases. I've met problem on vSphere 5.x (Ess+) that without root access sometimes datastore keeps meta information of accessing hosts through takeover-giveback process so NFS share become RO. (File level RO, so i was able to create files and directories through datastore browser but as unable to write even one byte to files, without difference, newly created or existed before.)

After giving root access to share for hosts of ESX cluster - operation returned to normal.

So better give root access for ESX hosts, and better to write it in stone (/etc/exports).

And for sure - SAN network for vSphere cluster must be isolated VLAN, in optimal - unaccessible physically from outer networks. (Nothing for BlackBerry mr. Stetson - just healthy level of paranoia)

Regards, Ivan Ryabtsev (NCDA)

0 Kudos
All Community Forums
Public