Configuring NFS exports

NFS exports are configured on mounted file systems. NFS exports can be configured manually or export details can be imported from a file.

The NFSv4 pseudo file system

NFSv4 introduces the concept of the pseudo file system, where exports appear as directories. NFSv4 clients do not connect directly to NFS exports as in NFSv2/3. Instead all clients connect to the root of the pseudo file system, which is a virtual directory. The pseudo file system is generated automatically from the NFS exports, and is maintained automatically as exports are modified and removed. You can choose to present all the file systems in a single pseudo file system.

The server lets you create views of many file systems from a single point of contact; these views are called name spaces. They are available on a per-EVS basis or for the entire cluster.

This is an example of a pseudo file system:

A server named numbers has two exports: /one and /two. If a client wishes to get access to export /one, there are two ways to mount exports:

mount -t nfs4 numbers:/ /mnt

which mounts the pseudo file system at /mnt

mount -t nfs4 numbers:/one /mnt

which mounts the export /one at /mnt

The first method is only supported in NFSv4. The second method is supported in versions 2, 3, and 4. In the first method, the client can reach export /one with the command cd /mnt/one, and export /two with cd /mnt/two.

Kerberos configuration

Before you begin

Note: The Kerberos implementation has been updated with the Advanced Encryption Standard (AES). The Data Encryption Standard (DES) has been deprecated and is insufficiently secure. AES prerequisites are:
  • Windows Server 2008 or higher is required to deploy a Microsoft Windows KDC that supports AES encryption.
  • Configuration may be required on the clients. The configuration of the KDC and clients may vary depending on their operating systems.
  • The Kerberos principal accounts on the KDC may need to be configured to support AES.
  • Supported AES encryption types are:
    • AES256: HMAC-SHA1-96
    • AES128: HMAC-SHA1-96
Configuring the server requires the following steps:

Procedure

  1. Create the principal and key of the service (the EVS) on the KDC (Key Distribution Center).

    The keytab file must contain the service principal for the NFS service for the EVS. Once the NFS service principal for the EVS has been added, you can then create a keytab file specifically for the EVS. The type of key is critical.

    • AES: To use AES, the keytab must contain an AES key to enable AES by default. If an AES-only keytab is imported, DES is disabled. If an AES-only keytab is imported, all clients must be configured to support AES and have an AES key in their keytabs.
    • DES:
      • To use DES, the client must perform the Kerberos authentication with any of the supported encryption types except AES.
      • The server must have a key that corresponds to whatever encryption type the client used.
    • AES and DES: The keytab must contain
      • An AES key and
      • Any old supported encryption type key (it does not have to be DES), provided that it is supported by the client as well.

    For example, with an EVS named "man" in the Kerberos realm AESIR.EXAMPLE.COM, the keytab file for the NFS service on "man" should contain a principal nfs/man.aesir.example.com@AESIR.EXAMPLE.COM. The format of the principal starts with the service (nfs), followed by a slash, then the fully qualified domain name of the EVS, then the symbol @, and finally the Kerberos realm. Note that case is significant. Kerberos realms are always in uppercase. Also, there must be no trailing period after the Kerberos realm.

  2. Export a keytab file from the KDC.

    Typically you will use the kadmin utility run from the master KDC to export a keytab file. For details on creating an appropriate keytab file, refer to the documentation for the tools supplied with your version of Kerberos.
  3. Import the keytab file into the server.

    Transfer the keytab file to the flash of the server.

    For example: securely move the keytab file to the NAS Manager and transfer it to the NAS server. Log on with ssc, and do the following:

    SERVER:$ ssput man.nfs.keytab man.nfs.keytab

    The first name is the local file name on the NAS Manager, the second name is the name to use on the server. Once the file has been placed on the server, import the keytab in the context of the EVS with:

    SERVER:$ krb5-keytab import man.nfs.keytab

    After the keytab has been imported, the uploaded keytab file can be safely removed with:

    SERVER:$ ssrm man.nfs.keytab

  4. Set the Kerberos realm for the server.

    Set the realm by using the command krb5-realm. For example:

    SERVER:$ krb5-realm AESIR.EXAMPLE.COM

    The server's NFS hostname must be set, per EVS, using the command nfs-hostname <hostname>.

    After performing these steps, the NAS server is able to complete the configuration. However, you may choose to create mappings between the Kerberos users/groups and the Active Directory users/groups.
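A pre-import check for step 3, added here as an example and not taken from Hitachi's tooling: it reads a keytab in the standard MIT file format (version 0x0502, an assumption about what your KDC exports) and reports whether the nfs/<fqdn>@REALM principal is present with an AES key. The function names and the sample keytab with all-zero placeholder keys are constructed for illustration.

```python
import struct

# Kerberos encryption type numbers; 17 and 18 are the AES types listed above.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
AES, DES = {17, 18}, {1, 3}


def _counted(buf, off):
    """Read a 16-bit length-prefixed string; return it with the next offset."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n


def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, off = _counted(entry, 2)
        parts = []
        for _ in range(ncomp):
            part, off = _counted(entry, off)
            parts.append(part)
        off += 8                           # skip name type and timestamp
        kvno8, etype, keylen = struct.unpack_from(">BHH", entry, off)
        off += 5 + keylen
        kvno32 = struct.unpack_from(">I", entry, off)[0] if len(entry) - off >= 4 else 0
        entries.append(("/".join(parts) + "@" + realm, kvno32 or kvno8, etype))
    return entries


def check_keytab(data, fqdn, realm):
    """Return problems that would block or weaken Kerberos for the NFS service."""
    problems = []
    if realm != realm.upper() or realm.endswith("."):
        problems.append("realm must be uppercase with no trailing period")
    wanted = f"nfs/{fqdn}@{realm}"
    etypes = {e for princ, _, e in parse_keytab(data) if princ == wanted}
    if not etypes:
        problems.append(f"no key for {wanted} (case is significant)")
    elif not etypes & AES:
        problems.append("no AES key: AES will not be enabled")
    if etypes & DES:
        names = ", ".join(sorted(ENCTYPES[e] for e in etypes & DES))
        problems.append("DES key present: " + names)
    return problems


def make_entry(principal, kvno, etype, key):
    """Build one keytab entry; used only to construct the samples below."""
    name, realm = principal.split("@")
    parts = name.split("/")
    body = struct.pack(">H", len(parts))
    for s in [realm] + parts:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed samples: all-zero placeholder keys, principal from the example above.
PRINC = "nfs/man.aesir.example.com@AESIR.EXAMPLE.COM"
AES_ONLY = (b"\x05\x02" + make_entry(PRINC, 2, 18, bytes(32))
            + make_entry(PRINC, 2, 17, bytes(16)))
MIXED = AES_ONLY + make_entry(PRINC, 2, 3, bytes(8))
```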

Viewing NFS exports

You can view existing NFS exports and also add, modify and delete them on the NAS Manager NFS Exports page. This page can be configured to display all the exports associated with:

  • The global cluster name space (CNS)
  • An individual name space for an EVS
  • A specific file system

Procedure

  1. Navigate to Home > File Services > NFS Exports to display the NFS Exports page.

    The following table describes the fields on this page:

    Field/Item | Description
    Cluster Name Space or EVS / File System | Displays the currently selected name space or EVS/File System.
    • When Cluster Name Space is displayed, the cluster (global) name space has been selected.
    • When EVS / File System is displayed, a particular EVS (and optionally a particular file system) has been selected.

    The currently selected name space controls which NFS exports are displayed on this page.

    change | Enables the user to select a different name space or EVS / File System.
    Filter | A subset of the exports on the EVS or file system can be viewed. Use the Name and Path text fields and the Transfer to Object Replication Target list to define the criteria for the selection. Valid selections for Transfer to Object Replication Target are None, Enable, Disable, or Use FS Default. To apply the filter to the list of exports, click filter.
    Note: If a field is left blank, it is ignored in the filtering process. When specifying a name to be matched, the wildcard character '*' may be used.
    Name | The name of the NFS export.
    File System | The name of the file system (or CNS link to a file system) to which the NFS export is assigned.
    Path | The path and directory to which the NFS export is directed.
    details | Opens the NFS Export Details page in which you can display detailed information about the NFS export.
    add | Advances to the Add Export page.
    delete | Deletes the selected NFS export.
    refresh cache | Clears the NAS Manager cache, and then repopulates it with the relevant objects. Note that this is different from clicking the browser refresh button, which picks up any recent updates without clearing the cache.
    Download Exports | Downloads a CSV file containing a list of all configured NFS exports on the selected EVS and file system. Note that the downloaded file cannot be used to restore NFS exports (you must restore NFS exports from an NFS exports backup file). To download a list of exports from another file system, click change.
    Backup & Restore | Displays the NFS Export Backup & Restore page.
    Read Cache Options | Advances to the Read Cache Options page.
    Read Cache Statistics | Advances to the Read Cache Statistics page.

Adding an NFS export

You can add an NFS export in the NAS Manager.

  1. Navigate to Home > File Services > NFS Exports to display the NFS Exports page.

  2. Click add to display the Add Export page.

    The following table describes the fields on the page:

    Field/Item | Description
    EVS/File System | Currently selected file system, to which the NFS Export will link.
    Cluster Namespace | Currently selected cluster namespace, to which the NFS Export will link.
    change / browse (depending on Web browser) | Enables the user to select a different file system or (on a cluster) a different cluster namespace.
    Export Name | Name of the export.
    Path / CNS Path | Path to the source directory for the export. To locate a source directory for the export, click the browse/change button.
    Path Options | Determines the path options:
    • Create path if it does not exist to create the path entered in the Path field (filesystems only).
    • Allow this export to overlap other exports if nested NFS exports are allowed.

    Note: If the file system is mounted read-only, for example it is an object replication target, it is not possible to create a new directory. Select a path to an existing directory.
    Show snapshots | Determines how to show snapshots:
    • Show and Allow Access, to display and allow access to snapshots.
    • Hide and Allow Access, to hide snapshots, but still allow access to the hidden snapshots.
    • Hide and Disable Access, to hide and disallow access to snapshots.
    Local Read Cache (file systems only) | Allows caching of files or cross file system links from the file system to which this export points:
    • Cache all files. Allows caching of files and cross file system links in the file system of the export. Cross file system links are local links that point to a data file in a remote file system. The remote file system may be on a remote server or storage device.
    • Cache cross-file system links. Allows only cross file system links to be cached.
    • Do not cache files. Do not allow read caching of files and cross file system links.

    Local read caching is not supported for NFSv4 clients.

    Transfer to Object Replication Target (file systems only) | When a file system is recovered from a snapshot, one of the final steps is to import the NFS exports found in the snapshot representing the selected version of the file system. Only those NFS exports marked as transferable will be imported.
    • Enable: NFS exports will be transferred to recovered file systems.
    • Disable: NFS exports will not be transferred to recovered file systems.
    • Use FS default: When the target file system is brought online, NFS exports will be transferred if Transfer Access Points During Object Replication option is enabled for the file system.
    Access Configuration | IP addresses, host names, or the NIS netgroups of the clients who are allowed to access the NFS export (up to 5957 characters). If the system has been set up to work with a name server, you can enter the NIS netgroup to which the clients belong, or the client’s computer name rather than its IP address (not case sensitive).

    You can also specify the required flavors of NFS security in a colon-separated list using the option (sec=<list>).

    The supported flavors are:

    • none - Connect as a null user
    • sys - The traditional security flavor used by NFS; users are not authenticated by the server
    • krb5 - Kerberos authentication
    • krb5i - Kerberos authentication with per-message integrity
    • krb5p - Kerberos authentication with per-message privacy

    For example: 10.1.*.*(sec=sys:krb5:krb5i)

    See the mount-point-access-configuration man page for further information.

  3. To add an export to a new EVS or file system, click change next to that line and make a selection from the Select a File System page.

  4. Enter the Export Name through which clients will access the export.

  5. Type the path to the directory being exported or click browse... to locate an existing directory.

  6. Set Path Options as follows:

    • To create the path automatically when it does not already exist, fill the Create path if it does not exist check box.
      Note: Automatically created directories will be owned by the root user and group (UID:0 / GID:0) and will be accessible to all users (that is, the permissions are set to rwxrwxrwx). It is recommended that such directories be created via CIFS or NFS, or that such directories are given the desired permissions explicitly after being created by this option.
    • To allow this export path to overlap other exports, fill the Allow this export path to overlap other exports check box.

      This option is useful if you expect to set up future, nested exports. For example, suppose you export the root directory of a volume and make it available to managerial staff only. By selecting this option, you can later export subdirectories of the root directory and make each of them available to different groups of users.

  7. If snapshots are present, make them visible to clients by selecting from the list:

    • Show and Allow Access, to display and allow access to snapshots.
    • Hide and Allow Access, to hide snapshots, but still allow access to the hidden snapshots.
    • Hide and Disable Access, to hide and disallow access to snapshots.

    In order for this change to become effective on NFS clients, all NFS clients should unmount and then remount the export, or the administrator must run 'touch .' from within the root directory of the export.

  8. Select the Local Read Cache setting. To allow caching of files or cross file system links from the file system to which this export points, select one of the following:

    • Cache all files. Allows caching of files and cross file system links in the file system of the export. Cross file system links are local links that point to a data file in a remote file system. The remote file system may be on a remote server or storage device.
    • Cache cross-file system links. Allows only cross file system links to be cached.

    Local read caching is not supported for NFSv4 clients.

  9. Choose the Transfer to Object Replication Target option.

    When a file system is recovered from a snapshot, one of the final steps is to import the NFS exports found in the snapshot representing the selected version of the file system. Only those NFS exports marked as transferable will be imported.

    Use the list to specify one of the following:

    • Enable: NFS exports will be transferred to recovered file systems.
    • Disable: NFS exports will not be transferred to recovered file systems.
    • Use FS default: When the target file system is brought online, NFS exports will be transferred if Transfer Access Points During Object Replication option is enabled for the file system.
  10. In the Access Configuration field, type the IP addresses, host names, or the NIS netgroups of the clients who are allowed to access the NFS export (up to 5,957 characters). If the system has been set up to work with a name server, you can enter the NIS netgroup to which the clients belong, or the client’s computer name rather than its IP address (not case sensitive). You can also specify the flavor of NFS security using the option (sec=<mode>). The table outlines what to type in this field.

    What to Type | Means
    Blank or * | All clients can access the export.
    Specific address or name. Examples: 192.0.2.0, client.dept.example.com | Only clients with the specified names or addresses can access the export.
    A range of addresses using Classless Inter-Domain Routing (CIDR) notation. Example: 192.0.2.0/24 | Clients with addresses within the range can access the export.
    Partial address or name using wildcards. Examples: 192.0.*.*, *.example.com | Clients with matching names or addresses can access the export.
  11. Click OK.

IP address export qualifiers

The following table describes qualifiers that can be appended to IP addresses when specifying client access to an NFS export:

Qualifier | Description
read_write, readwrite, rw | Grants read/write access. This is the default setting.
read_only, readonly, ro | Grants read-only access.
root_squash, rootsquash | Maps user and group IDs of 0 (zero) to the anonymous user or group. This is the default setting.
no_root_squash, norootsquash | Turns off root squashing.
all_squash, allsquash | Maps all user IDs and group IDs to the anonymous user or group.
no_all_squash, noallsquash | Turns off all squashing. This is the default setting.
secure | Requires requests to originate from an IP port less than 1024. Access to such ports is normally restricted to administrators of the client machine. To turn it off, use the insecure option.
insecure | Turns off the secure option. This is the default setting.
anon_uid, anonuid | Explicitly sets an anonymous user ID.
anon_gid, anongid | Explicitly sets an anonymous group ID.
noaccess, no_access | Denies the specified clients access to the export.
(sec=<mode>) | Allows you to specify the flavor of NFS security, where <mode> is a colon-delimited list of allowed security flavors (sys:krb5:krb5i:krb5p).

Here are some examples:

  • 10.1.2.38(ro)

    Grants read-only access to the client whose IP address is 10.1.2.38.

  • 10.1.2.0/24(ro)

    Grants read-only access to all clients whose IP address is within the range 10.1.2.0 to 10.1.2.255.

  • yourcompanydept(ro)

    Grants read-only access to all members of the NIS group yourcompanydept.

  • *.mycompany.com(ro, anonuid=20)

    Grants read-only access to all clients whose computer name ends with .mycompany.com. All squashed requests are to be treated as if they originated from user ID 20.

  • 10.1.*.* (readonly, allsquash, anonuid=10, anongid=10)

    Grants read-only access to all the matching clients. All requests are squashed to the anonymous user, which is explicitly set as user ID 10 and group ID 10.

  • The order in which the entries are specified is important. Take the following two lines:

    *(ro)

    10.1.2.38(rw)

    The first grants read-only access to all clients, whereas the second grants read/write access to the specified client. The second line is redundant, however, as the first line matches all clients. These lines must be transposed to grant write access to 10.1.2.38.

  • 10.1.1.*(sec=sys),10.1.2.*(sec=krb5:krb5i:krb5p),*(sec=krb5p)
    • Clients in the 10.1.1.* subnet use sys authentication.
    • Clients in the 10.1.2.* subnet use krb5, krb5i, or krb5p.
    • All other clients use krb5p.
    Note: To improve performance, when specifying clients that can access an export, it is recommended that you specify IP addresses or IP address ranges, including those that include wildcards, before specifying host names or NIS netgroups.
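
The first-match ordering and the defaults described above, as an added Python example (not code from the NAS server or its documentation): it parses an Access Configuration string, resolves which entry applies to a given client, and flags entries a reviewer would question. Treating * as a shell-style glob and leaving NIS netgroups unresolved are assumptions of this example; the function names are hypothetical.

```python
import fnmatch
import ipaddress
import re

# Qualifier aliases from the table on this page, mapped to (setting, value).
FLAGS = {
    "read_write": ("access", "rw"), "readwrite": ("access", "rw"), "rw": ("access", "rw"),
    "read_only": ("access", "ro"), "readonly": ("access", "ro"), "ro": ("access", "ro"),
    "noaccess": ("access", "none"), "no_access": ("access", "none"),
    "root_squash": ("root_squash", True), "rootsquash": ("root_squash", True),
    "no_root_squash": ("root_squash", False), "norootsquash": ("root_squash", False),
    "all_squash": ("all_squash", True), "allsquash": ("all_squash", True),
    "no_all_squash": ("all_squash", False), "noallsquash": ("all_squash", False),
    "secure": ("secure", True), "insecure": ("secure", False),
}
VALUED = {"anon_uid": "anonuid", "anonuid": "anonuid",
          "anon_gid": "anongid", "anongid": "anongid"}
# Defaults as stated in the table: rw, root_squash, no_all_squash, insecure.
DEFAULTS = {"access": "rw", "root_squash": True, "all_squash": False,
            "secure": False, "sec": None, "anonuid": None, "anongid": None}
ENTRY = re.compile(r"([^\s(),]+)\s*(?:\(([^)]*)\))?")   # client spec + optional (options)


def parse(config):
    """Return entries in order; a blank field means all clients."""
    entries = []
    for spec, opts in ENTRY.findall(config) or [("*", "")]:
        entry = dict(DEFAULTS, spec=spec.lower())   # names are not case sensitive
        for opt in filter(None, (o.strip().lower() for o in opts.split(","))):
            key, _, value = opt.partition("=")
            if key == "sec":
                entry["sec"] = value.split(":")
            elif key in VALUED:
                entry[VALUED[key]] = int(value)
            elif key in FLAGS:
                setting, flag = FLAGS[key]
                entry[setting] = flag
            else:
                raise ValueError(f"unknown qualifier {opt!r} for {spec}")
        entries.append(entry)
    return entries


def matches(spec, ip, name=None):
    """Assumed matching rules: * is a glob; NIS netgroups are not resolved here."""
    if spec == "*":
        return True
    if "/" in spec:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    if fnmatch.fnmatchcase(ip, spec):
        return True
    return name is not None and fnmatch.fnmatchcase(name.lower(), spec)


def effective(config, ip, name=None):
    """First matching entry wins, which is why entry order matters."""
    return next((e for e in parse(config) if matches(e["spec"], ip, name)), None)


def audit(config):
    """Return (spec, finding) pairs for entries that deserve a second look."""
    findings, catch_all_seen = [], False
    for e in parse(config):
        if catch_all_seen:
            findings.append((e["spec"], "never applied: an earlier * entry matches first"))
        catch_all_seen = catch_all_seen or e["spec"] == "*"
        if e["spec"] == "*" and e["access"] == "rw":
            findings.append((e["spec"], "read/write for all clients"))
        if not e["root_squash"] and e["access"] != "none":
            findings.append((e["spec"], "root squashing is off"))
        weak = [f for f in (e["sec"] or []) if f in ("none", "sys")]
        if weak:
            findings.append((e["spec"], "unauthenticated flavor allowed: " + ":".join(weak)))
    return findings
```

Run against the two-line example above, audit("*(ro)\n10.1.2.38(rw)") reports the second entry as never applied, and the finding disappears once the lines are transposed.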

Specifying clients by name

The following list describes how to specify clients by name rather than by IP address.

  • Fully Qualified Domain Name Required.

    Be sure to specify the fully qualified domain name of the client. For example, use aclient.dept.example.com rather than simply aclient.

  • Leading Wildcard Allowed.

    To specify a partial name, a single wildcard, located at the start of the name, may be used.

  • Export Options Change Requires Remount.

    When the client mounts the NFS export, it determines which export option to apply to a specific client. Subsequent changes to DNS, WINS, or NIS that would resolve the client’s IP address to a different computer name are only applied to mounted exports when the client unmounts the exports and then remounts them.

  • Name Service Order is Significant.

    Application of export options to a client’s mount request may be affected by the order in which the system applies DNS, WINS, and NIS information to resolve IP addresses. The first service in the name service order that can resolve the client name supplies the name, and that name is used to search the configuration options for the export.

Modifying NFS Export Details

You can modify properties of the selected NFS export for either a cluster name space (CNS) or a file system (shown in two different tables) in the NAS Manager.

  1. Navigate to Home > File Services > NFS Exports to display the NFS Exports page.

  2. Select the check box next to the NFS export to display, and click details to display the NFS Export Details page.

    The following table describes the fields and items on this page:

    Field/Item | Description
    EVS/File System | Currently selected file system, to which the NFS Export will link.
    Cluster Namespace | Currently selected cluster namespace, to which the NFS Export will link.
    change / browse (depending on Web browser) | Enables the user to select a different file system or (on a cluster) a different cluster namespace.
    Export Name | Name of the export.
    Path / CNS Path | Path to the source directory for the export. To locate a source directory for the export, click the browse/change button.
    Path Options | Determines the path options:
    • Create path if it does not exist to create the path entered in the Path field (filesystems only).
    • Allow this export to overlap other exports if nested NFS exports are allowed.

    Note: If the file system is mounted read-only, for example it is an object replication target, it is not possible to create a new directory. Select a path to an existing directory.
    Show snapshots | Determines how to show snapshots:
    • Show and Allow Access, to display and allow access to snapshots.
    • Hide and Allow Access, to hide snapshots, but still allow access to the hidden snapshots.
    • Hide and Disable Access, to hide and disallow access to snapshots.
    Local Read Cache (file systems only) | Allows caching of files or cross file system links from the file system to which this export points:
    • Cache all files. Allows caching of files and cross file system links in the file system of the export. Cross file system links are local links that point to a data file in a remote file system. The remote file system may be on a remote server or storage device.
    • Cache cross-file system links. Allows only cross file system links to be cached.
    • Do not cache files. Do not allow read caching of files and cross file system links.

    Local read caching is not supported for NFSv4 clients.

    Transfer to Object Replication Target (file systems only) | When a file system is recovered from a snapshot, one of the final steps is to import the NFS exports found in the snapshot representing the selected version of the file system. Only those NFS exports marked as transferable will be imported.
    • Enable: NFS exports will be transferred to recovered file systems.
    • Disable: NFS exports will not be transferred to recovered file systems.
    • Use FS default: When the target file system is brought online, NFS exports will be transferred if Transfer Access Points During Object Replication option is enabled for the file system.
    Access Configuration | IP addresses, host names, or the NIS netgroups of the clients who are allowed to access the NFS export (up to 5957 characters). If the system has been set up to work with a name server, you can enter the NIS netgroup to which the clients belong, or the client’s computer name rather than its IP address (not case sensitive).

    You can also specify the required flavors of NFS security in a colon-separated list using the option (sec=<list>).

    The supported flavors are:

    • none - Connect as a null user
    • sys - The traditional security flavor used by NFS; users are not authenticated by the server
    • krb5 - Kerberos authentication
    • krb5i - Kerberos authentication with per-message integrity
    • krb5p - Kerberos authentication with per-message privacy

    For example: 10.1.*.*(sec=sys:krb5:krb5i)

    See the mount-point-access-configuration man page for further information.

  3. Make changes as necessary.

  4. Click OK.

Deleting an NFS export

You can delete an NFS export in the NAS Manager.

Caution: Export Deletion Alert! Before carrying out the instructions that follow for deleting an export, verify that it is not currently being accessed. If an export is deleted while users are accessing it, their NFS sessions will be terminated and any unsaved data may be lost.

When replacing a storage enclosure, delete all the exports associated with it. Then, when the replacement enclosure is available, add new exports on the new system drives.

Procedure

  1. Navigate to Home > File Services > NFS Exports to display the NFS Exports page.

  2. Select the check box(es) next to the NFS export(s) to delete, and click delete.

  3. To confirm the deletion, click OK.

Backing up or restoring NFS exports

You can back up and restore NFS exports in the NAS Manager.

  1. Navigate to Home > File Services > NFS Exports to display the NFS Exports page.

  2. Click Backup & Restore to display the NFS Exports Backup & Restore page.

  3. Choose from the following options:

    • To back up, click backup. In the browser, specify the name and location of the backup file, and click OK or Save (the buttons displayed and the method you use to save the backup file depend on the browser you use).

      A backup file name is suggested, but you can customize it. The suggested file name uses the syntax:

      NFS_EXPORTS_<YYYY>-<MM>-<DD>_<HH><MM><UTC-diff>.txt

      For example,

      NFS_EXPORTS_2015-11-04_1615+0000.txt

    • To restore, navigate to the directory in which the backup file is stored, select the file, click Open and then click restore.
