Saturday, 4 July 2015

More Examples of 7MTT (2.0) Translating NFS Exports

This post expands on Examples of 7MTT 1.4 Translating NFS Exports. Something missing from that post was how to handle ro=.

We have this exported qtree on a 7-Mode system (line from rdfile /etc/exports):

/vol/VOLUME001/QTREE001
-sec=sys,
ro=172.0.0.0/8:129.0.0.0/8:128.0.0.0/7:128.129.130.131,
rw=svr01.domain.priv:svr02.domain.priv,
root=svr01.domain.priv:svr02.domain.priv:172.0.0.0/8:129.0.0.0/8:128.0.0.0/7:128.129.130.131

7MTT translates this into the 6 rules displayed below.
The only difference between hosts specified as ro and hosts specified as rw is:
ro hosts have: RW Access Rule: never
rw hosts have: RW Access Rule: sys
Notice also how the ro hosts get the later indices, since export rules are processed from top (index 1) to bottom.

::> vserver export-policy rule show -policyname EXPORTPOL10 -instance

                     Vserver: SVM1
                 Policy Name: EXPORTPOL10
                  Rule Index: 1
             Access Protocol: any
            Client Match ...: svr01.domain.priv
              RO Access Rule: sys
              RW Access Rule: sys
      ... Anon. Users Mapped: 65534
    Superuser Security Types: sys
Honor SetUID Bits in SETATTR: true
   Allow Creation of Devices: true

                     Vserver: SVM1
                 Policy Name: EXPORTPOL10
                  Rule Index: 2
             Access Protocol: any
            Client Match ...: svr02.domain.priv
              RO Access Rule: sys
              RW Access Rule: sys
      ... Anon. Users Mapped: 65534
    Superuser Security Types: sys
Honor SetUID Bits in SETATTR: true
   Allow Creation of Devices: true

                     Vserver: SVM1
                 Policy Name: EXPORTPOL10
                  Rule Index: 3
             Access Protocol: any
            Client Match ...: 172.0.0.0/8
              RO Access Rule: sys
              RW Access Rule: never
      ... Anon. Users Mapped: 65534
    Superuser Security Types: sys
Honor SetUID Bits in SETATTR: true
   Allow Creation of Devices: true

                     Vserver: SVM1
                 Policy Name: EXPORTPOL10
                  Rule Index: 4
             Access Protocol: any
            Client Match ...: 129.0.0.0/8
              RO Access Rule: sys
              RW Access Rule: never
      ... Anon. Users Mapped: 65534
    Superuser Security Types: sys
Honor SetUID Bits in SETATTR: true
   Allow Creation of Devices: true

                     Vserver: SVM1
                 Policy Name: EXPORTPOL10
                  Rule Index: 5
             Access Protocol: any
            Client Match ...: 128.0.0.0/7
              RO Access Rule: sys
              RW Access Rule: never
      ... Anon. Users Mapped: 65534
    Superuser Security Types: sys
Honor SetUID Bits in SETATTR: true
   Allow Creation of Devices: true

                     Vserver: SVM1
                 Policy Name: EXPORTPOL10
                  Rule Index: 6
             Access Protocol: any
            Client Match ...: 128.129.130.131
              RO Access Rule: sys
              RW Access Rule: never
      ... Anon. Users Mapped: 65534
    Superuser Security Types: sys
Honor SetUID Bits in SETATTR: true
   Allow Creation of Devices: true

6 entries were displayed.
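
The mapping shown above, sketched in Python as an added example (not 7MTT's code and not part of the original post). It mirrors only what the output shows: rw hosts come first, ro hosts follow with RW Access Rule never. The helper names `parse_options`, `translate` and `first_match` are hypothetical, and the `none` superuser value for hosts outside root= is an assumption. It then evaluates clients first-match by index, which shows that 128.129.130.131 is already caught by rule 5 (128.0.0.0/7) before rule 6 is reached.

```python
import ipaddress

# Export line from the post, joined onto one line (path, then -options).
EXPORT = ("/vol/VOLUME001/QTREE001 -sec=sys,"
          "ro=172.0.0.0/8:129.0.0.0/8:128.0.0.0/7:128.129.130.131,"
          "rw=svr01.domain.priv:svr02.domain.priv,root=svr01.domain.priv:"
          "svr02.domain.priv:172.0.0.0/8:129.0.0.0/8:128.0.0.0/7:128.129.130.131")

def parse_options(line):
    """Split '-sec=sys,ro=a:b' into {'sec': ['sys'], 'ro': ['a', 'b']}."""
    opts = line.split(None, 1)[1].lstrip("-")
    return {k: v.split(":") for k, _, v in (i.partition("=") for i in opts.split(","))}

def translate(line):
    """Build rules in the order the post shows: rw hosts first, ro hosts after."""
    o = parse_options(line)
    sec = o.get("sec", ["sys"])[0]
    rules = []
    for access in ("rw", "ro"):
        for client in o.get(access, []):
            rules.append({
                "index": len(rules) + 1,
                "clientmatch": client,
                "rorule": sec,
                "rwrule": sec if access == "rw" else "never",
                # Assumption: hosts absent from root= would get superuser 'none'.
                "superuser": sec if client in o.get("root", []) else "none",
            })
    return rules

def first_match(rules, client):
    """Return the lowest-index rule matching an IP address or an exact hostname."""
    for rule in rules:
        try:
            net = ipaddress.ip_network(rule["clientmatch"], strict=False)
            if ipaddress.ip_address(client) in net:
                return rule
        except ValueError:  # hostname rule or hostname client: compare as strings
            if rule["clientmatch"] == client:
                return rule
    return None

if __name__ == "__main__":
    # Constructed sample clients; hostnames are matched literally, not resolved.
    for c in ("svr01.domain.priv", "172.16.5.9", "128.129.130.131", "10.1.1.1"):
        hit = first_match(translate(EXPORT), c)
        print(c, "->", (hit["index"], hit["rwrule"]) if hit else "no matching rule")
```

Because matching stops at the first hit, a rw host whose address also falls inside one of the ro subnets keeps write access only while its rule index stays lower than the subnet's.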
