Image: Thou (NFS) shall not pass!
Q: In Clustered ONTAP, if you want to terminate all NFS access to just one NFS volume, how do you do it?
Intuitively you might think running the “volume unmount” command will do the trick, but no. This is explained by this NetApp KB:
Users might notice that after removing a volume from the SVM namespace on the cluster, existing NFS sessions will continue to be able to read and write to the unmounted volume. However, other clients will be unable to start new sessions accessing the volume.
NFS clients obtain a FileHandle for each export root, directory, and file that the client is currently accessing. Due to the FH referencing the data volume's MSID (Master Data Set ID), any existing FH that is obtained from the NFS server continues to be able to read and write to the data volume after it is removed from the SVM namespace.
The answer is to add an export-policy rule with index 1 (the lowest index number, the first rule read) for 0.0.0.0/0 and do not allow any ro/rw access, for all the exports of the volume. And remember to update your root Loading Sharing mirrors too if you have them.
export-policy rule create -policyname exp_vol01 -vserver svm1 -clientmatch 0.0.0.0/0 -ruleindex 1 -protocol any -rorule never -rwrule never
snapmirror update-ls-set -source-path //vs1.example.com/svm_root
Note: In the above I’ve gone for ‘-protocol any’ because I don’t think many people will be using export-policies with cifs - if you are and don’t want to terminate cifs access too, then use ‘-protocol nfs’.
Explanation of never from the man pages
never - For an incoming request from a client matching the clientmatch criteria, do not allow any access to the volume regardless of the security type of that incoming request.
never - For an incoming request from a client matching the clientmatch criteria, do not allow write access to the volume regardless of the effective security type (determined from rorule) of that incoming request.
BONUS: cifs terminate -v in Clustered ONTAP
Yes ‘cifs terminate -v’ does not exist in ONTAP, but what you can do - if you want to terminate CIFS access to just one volume - is add everyone no_access on all the shares ACLs of that volume. For example:
cluster1::> cifs share access-control create/modify -vserver svm4 -share finance -user-or-group Everyone -permission No_access
cluster1::> cifs share access-control show -vserver svm4 -share finance -user-or-group Everyone
Share User/Group User/Group Access
Vserver Name Name Type Permission
----------- ----------- ------------ ----------- -----------
svm4 finance Everyone windows No_access
Note: If you already have an Everyone share ACL, then the command is ‘modify’, otherwise it is ‘create’.
My colleague Ejos Zida (this is an anagram)