Tuesday, 17 March 2020

NFS Terminate -V

In Data ONTAP 7-Mode we had a command “cifs terminate -v” to terminate CIFS access to a volume. There never was an “nfs terminate -v”.

Image: Thou (NFS) shall not pass!

Q: In Clustered ONTAP, if you want to terminate all NFS access to just one NFS volume, how do you do it?

Intuitively you might think running the “volume unmount” command will do the trick, but no. This is explained by this NetApp KB:

Symptom
Users might notice that after removing a volume from the SVM namespace on the cluster, existing NFS sessions will continue to be able to read and write to the unmounted volume. However, other clients will be unable to start new sessions accessing the volume.

Cause
NFS clients obtain a FileHandle for each export root, directory, and file that the client is currently accessing. Due to the FH referencing the data volume's MSID (Master Data Set ID), any existing FH that is obtained from the NFS server continues to be able to read and write to the data volume after it is removed from the SVM namespace.

The answer is to add an export-policy rule with index 1 (the lowest index, so it is the first rule evaluated) matching 0.0.0.0/0 that allows neither ro nor rw access, to every export policy used by the volume's exports. And remember to update your root load-sharing mirrors too if you have them.

export-policy rule create -policyname exp_vol01 -vserver svm1 -clientmatch 0.0.0.0/0 -ruleindex 1 -protocol any -rorule never -rwrule never

snapmirror update-ls-set -source-path //vs1.example.com/svm_root

Note: In the above I’ve gone for ‘-protocol any’ because I don’t think many people will be using export-policies with cifs - if you are and don’t want to terminate cifs access too, then use ‘-protocol nfs’.

Explanation of ‘never’ from the man pages

-rorule
never - For an incoming request from a client matching the clientmatch criteria, do not allow any access to the volume regardless of the security type of that incoming request.

-rwrule
never - For an incoming request from a client matching the clientmatch criteria, do not allow write access to the volume regardless of the effective security type (determined from rorule) of that incoming request.
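The reason the deny rule has to sit at index 1 is that ONTAP walks an export policy in ascending ruleindex order and applies the first rule whose clientmatch (and protocol) fits the request. The following is an added example, not code from the post or from NetApp: a small Python model of that evaluation, with the ‘never’ semantics from the man-page excerpt above. It assumes that creating a rule on an occupied index pushes the existing rules up by one, and it collapses the security flavours (sys, krb5, ...) down to ‘any’/‘never’ for brevity. The second helper shows the pitfall of appending the deny rule after an existing allow rule.

```python
import ipaddress

# Constructed model of export-policy evaluation (assumption: rules are tried in
# ascending ruleindex order and the first matching rule decides; security
# flavours are simplified to "any" / "never").


def client_matches(clientmatch, client_ip):
    """Match a -clientmatch value (CIDR or single address) against a client IP."""
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(clientmatch, strict=False)


def add_rule(rules, ruleindex, clientmatch, protocol, rorule, rwrule):
    """Insert a rule at ruleindex; rules at that index or higher move up by one,
    as happens with 'export-policy rule create -ruleindex N' on an occupied index."""
    for r in rules:
        if r["ruleindex"] >= ruleindex:
            r["ruleindex"] += 1
    rules.append({"ruleindex": ruleindex, "clientmatch": clientmatch,
                  "protocol": protocol, "rorule": rorule, "rwrule": rwrule})
    rules.sort(key=lambda r: r["ruleindex"])


def evaluate(rules, client_ip, protocol="nfs"):
    """Return 'rw', 'ro' or 'none' for a request from client_ip over protocol."""
    for r in sorted(rules, key=lambda r: r["ruleindex"]):
        if r["protocol"] not in ("any", protocol):
            continue
        if not client_matches(r["clientmatch"], client_ip):
            continue
        if r["rorule"] == "never":
            return "none"      # -rorule never: no access at all
        if r["rwrule"] == "never":
            return "ro"        # readable, but -rwrule never blocks writes
        return "rw"
    return "none"              # no rule matched: access is denied


def demo_terminate():
    """The post's fix: deny-all at index 1 shifts the existing allow rule to index 2."""
    rules = []
    add_rule(rules, 1, "10.0.0.0/8", "any", "any", "any")     # constructed existing rule
    before = evaluate(rules, "10.1.2.3")
    add_rule(rules, 1, "0.0.0.0/0", "any", "never", "never")  # the rule from the post
    after = evaluate(rules, "10.1.2.3")
    return before, after


def demo_wrong_index():
    """Pitfall: the same deny rule appended at index 99 never reaches clients
    already matched by the index-1 allow rule; only unmatched clients are blocked."""
    rules = []
    add_rule(rules, 1, "10.0.0.0/8", "any", "any", "any")
    add_rule(rules, 99, "0.0.0.0/0", "any", "never", "never")
    return evaluate(rules, "10.1.2.3"), evaluate(rules, "192.168.5.5")


if __name__ == "__main__":
    print("deny at index 1 (before, after):", demo_terminate())
    print("deny at index 99 (10.x client, 192.168.x client):", demo_wrong_index())
```

After creating the real rule, `export-policy rule show -vserver svm1 -policyname exp_vol01` lets you confirm that the 0.0.0.0/0 never/never entry is at index 1 and the previous rules have moved down the list.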

BONUS: cifs terminate -v in Clustered ONTAP

‘cifs terminate -v’ does not exist in Clustered ONTAP either, but what you can do, if you want to terminate CIFS access to just one volume, is add an Everyone / No_access entry to the ACLs of all the shares on that volume. For example:

cluster1::> cifs share access-control create/modify -vserver svm4 -share finance -user-or-group Everyone -permission No_access

cluster1::> cifs share access-control show -vserver svm4 -share finance -user-or-group Everyone
            Share       User/Group   User/Group  Access
Vserver     Name        Name         Type        Permission
----------- ----------- ------------ ----------- -----------
svm4        finance     Everyone     windows     No_access

Note: If the share ACL already has an Everyone entry, the command is ‘modify’; otherwise it is ‘create’.
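Why an Everyone / No_access entry is enough, even when other entries on the share grant Full_Control: share ACLs follow the Windows rule that an explicit deny wins over any grant. The following is an added example, not code from the post or from NetApp, modelling that evaluation for a share ACL. It assumes every user is implicitly a member of Everyone and that No_access on any principal the user matches overrides the other entries; principal names and the ‘finance’ ACL are constructed.

```python
# Constructed model of share-ACL evaluation (assumption: a No_access entry for
# any principal the user matches overrides every grant, like a Windows deny ACE).

PERMISSION_RANK = {"No_access": 0, "Read": 1, "Change": 2, "Full_Control": 3}


def effective_share_permission(acl, user, groups):
    """acl maps principal -> permission; returns the user's effective share permission."""
    principals = {user, "Everyone", *groups}      # everyone is in Everyone
    matched = [perm for principal, perm in acl.items() if principal in principals]
    if not matched or "No_access" in matched:
        return "No_access"                        # no entry at all, or an explicit deny
    return max(matched, key=PERMISSION_RANK.__getitem__)


def demo_finance_share():
    """Before and after 'cifs share access-control create ... Everyone No_access'."""
    acl = {
        "BUILTIN\\Administrators": "Full_Control",   # constructed existing entries
        "DOMAIN\\finance-users": "Change",
    }
    admin = ("DOMAIN\\bob", {"BUILTIN\\Administrators"})
    analyst = ("DOMAIN\\alice", {"DOMAIN\\finance-users"})
    before = (effective_share_permission(acl, *admin),
              effective_share_permission(acl, *analyst))
    acl["Everyone"] = "No_access"                     # the entry added in the post
    after = (effective_share_permission(acl, *admin),
             effective_share_permission(acl, *analyst))
    return before, after


if __name__ == "__main__":
    print("(admin, analyst) before/after:", demo_finance_share())
```

Because the deny is evaluated against Everyone, it also covers users who reach the share only through a group you did not list in the ACL, which is why one entry per share is sufficient.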

Credit:

My colleague Ejos Zida (this is an anagram)
