ZFS Appliance NFS exceptions

I had a situation where I wanted to restrict access to a project on my ZFS storage appliance (7320) to a small list of hosts on a private network. The project needs to be accessible read/write, with root access, from four hosts that I need to specify by IP address, because they have no DNS names:

192.168.28.2     
192.168.28.3    
192.168.28.6   
192.168.28.7

However, no other host in the 192.168.28.0/22 range (192.168.28.0 to 192.168.31.255, netmask 255.255.252.0, which is what the clients' storage interfaces use) may be able to mount the share.
The way to achieve this is to lock down the default permissions and then explicitly grant access to the hosts you need. The appliance gives you three ways of identifying hosts in an NFS exception:

  • Host (FQDN) or Netgroup – this requires the private hostnames to be registered in DNS, which was not possible in my case. You cannot enter an IP address in this field.
  • DNS Domain – all of my hosts are in the same domain, so this is not fine grained enough.
  • Network – counter-intuitively, it is the Network type that lets you specify an individual IP address: give it a CIDR netmask of /32 so that the "network" contains exactly one host. The netmask does not have to match that of the underlying interface, and here it must not: copying the interface's /22 into the exception would admit every host in the subnet.

First thing – set the default NFS share mode to 'none' so that hosts without an exception cannot mount the share at all.

Then add an exception of type Network for each host, using a /32 netmask so that each entry matches a single IP, with read/write access (and root access, which these hosts need).
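Before trusting the list, it is worth checking that the exceptions admit exactly the intended hosts and nothing else in the /22. The script below is an added example, not code from the appliance: it models the rule set above (default share mode 'none' plus one /32 exception per host) with Python's ipaddress module, using the four IPs and the /22 client subnet from this post. The evaluation order (first matching exception wins, otherwise the default share mode applies) is an assumption made for this model, not something the appliance documents here.

```python
#!/usr/bin/env python3
"""Model of the 'share mode none + per-host /32 exceptions' rule set.

Added example, not appliance code.  It lets you check that an exception
list admits exactly the hosts you intend and no other address in the
client subnet, and shows what a /22 mask in the exception would do.
Assumption: the first matching exception wins, otherwise the default
share mode applies.
"""
from ipaddress import ip_address, ip_network

# The four exceptions as entered in the BUI: type Network, /32 so each
# entry covers one host.  Columns: (network, access mode, root access).
EXCEPTIONS = [
    ("192.168.28.2/32", "rw", True),
    ("192.168.28.3/32", "rw", True),
    ("192.168.28.6/32", "rw", True),
    ("192.168.28.7/32", "rw", True),
]
DEFAULT_MODE = "none"               # the share's default NFS share mode
CLIENT_SUBNET = "192.168.28.0/22"   # interface netmask fffffc00 on the clients


def access_for(client_ip, exceptions=EXCEPTIONS, default=DEFAULT_MODE):
    """Return (mode, root) for a client: first matching exception, else the default."""
    addr = ip_address(str(client_ip))
    for cidr, mode, root in exceptions:
        # strict=False mirrors a form that silently widens "192.168.28.2/22"
        # to 192.168.28.0/22, which is exactly the mistake the /32 avoids.
        if addr in ip_network(cidr, strict=False):
            return mode, root
    return default, False


def allowed_hosts(subnet=CLIENT_SUBNET, exceptions=EXCEPTIONS, default=DEFAULT_MODE):
    """Every address in `subnet` that would be able to mount the share at all."""
    net = ip_network(subnet)
    return [str(a) for a in net.hosts()
            if access_for(a, exceptions, default)[0] != "none"]


def check_exceptions(wanted, exceptions=EXCEPTIONS, subnet=CLIENT_SUBNET):
    """True when the exceptions admit exactly `wanted` and no other host in `subnet`."""
    got = sorted(allowed_hosts(subnet, exceptions), key=ip_address)
    return got == sorted(wanted, key=ip_address)


if __name__ == "__main__":
    wanted = ["192.168.28.2", "192.168.28.3", "192.168.28.6", "192.168.28.7"]
    print("intended hosts only:", check_exceptions(wanted))       # True
    print("192.168.28.2 ->", access_for("192.168.28.2"))           # ('rw', True)
    print("192.168.28.4 ->", access_for("192.168.28.4"))           # ('none', False)

    # What happens if the interface netmask (/22) is copied into the exception:
    sloppy = [("192.168.28.2/22", "rw", True)]
    print("hosts admitted by a /22 exception:",
          len(allowed_hosts(exceptions=sloppy)))                   # 1022
```

The last line is the point of the /32: a single exception written with the interface's /22 mask grants read/write root access to all 1022 usable addresses in the range, which is precisely what the default share mode of 'none' was meant to prevent.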


So, a quick test. This host (192.168.28.2) is in the exception list and should be able to mount the share:

root@myhost-d1:/stage# ifconfig stor_ipmp0
stor_ipmp0: flags=8001000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,IPMP> mtu 65520 index 3
        inet 192.168.28.2 netmask fffffc00 broadcast 192.168.31.255
        groupname stor_ipmp0
root@myhost-d1:/# mount -F nfs -o rw 192.168.28.1:/export/stage /mnt
root@myhost-d1:/# df -k /mnt
Filesystem           1024-blocks        Used   Available Capacity  Mounted on
192.168.28.1:/export/stage
                     10737418209          31 10737418178     1%    /mnt

This host (192.168.28.4) is in the same /22 but has no exception, so the mount should fail:

root@myhost-d3:~# ifconfig stor_ipmp0
stor_ipmp0: flags=8001000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,IPMP> mtu 65520 index 3
        inet 192.168.28.4 netmask fffffc00 broadcast 192.168.31.255
        groupname stor_ipmp0
root@myhost-d3:~# mount -F nfs -o rw 192.168.28.1:/export/stage /mnt
nfs mount: mount: /mnt: Permission denied