Create an NFS export

You can create NFS exports to share files in OneFS with UNIX-based clients.

About this task

The NFS service runs in user space and distributes the load across all nodes in the cluster. This enables the service to be highly scalable and support thousands of exports. As a best practice, however, you should avoid creating a separate export for each client on your network. It is more efficient to create fewer exports, and to use access zones and user mapping to control access.

Procedure

  1. Click Protocols > UNIX Sharing (NFS) > NFS Exports.
  2. Click Create Export.
  3. For the Directory Paths setting, type or browse to the directory that you want to export.
    You can add multiple directory paths by clicking Add another directory path for each additional path.
  4. Optional: In the Description field, type a comment that describes the export.
  5. Optional: Specify the NFS clients that are allowed to access the export.
    You can specify NFS clients in any or all of the client fields, as described in the following table. A client can be identified by host name, IPv4 or IPv6 address, subnet, or netgroup. IPv4 addresses mapped into the IPv6 address space are translated and stored as IPv4 addresses to remove any possible ambiguities.

    You can specify multiple clients in each field by typing one entry per line.

    Note:

    If you do not specify any clients, all clients on the network are allowed access to the export. If you specify clients in any of the rule fields, such as Always Read-Only Clients, the applicable rule is only applied to those clients. However, adding an entry to Root Clients does not stop other clients from accessing the export.

    If you add the same client to more than one list and the client is entered in the same format for each entry, the client is normalized to a single list in the following order of priority:

    • Root Clients
    • Always Read-Write Clients
    • Always Read-Only Clients
    • Clients

    Clients
    Specifies one or more clients to be allowed access to the export. Access level is controlled through export permissions.
    Always Read-Write Clients
    Specifies one or more clients to be allowed read/write access to the export regardless of the export's access-restriction setting. This is equivalent to adding a client to the Clients list with the Restrict access to read-only setting cleared.
    Always Read-Only Clients
    Specifies one or more clients to be allowed read-only access to the export regardless of the export's access-restriction setting. This is equivalent to adding a client to the Clients list with the Restrict access to read-only setting selected.
    Root Clients
    Specifies one or more clients to be mapped as root for the export. This setting enables the specified clients to mount the export, present the root identity, and be mapped to root. Adding a client to this list does not prevent other clients from mounting if clients, read-only clients, and read-write clients are unset.
  6. Select the export permissions setting to use:
    • Restrict actions to read-only.
    • Enable mount access to subdirectories. Allow subdirectories below the path(s) to be mounted.
  7. Specify user and group mappings.
    Select Use custom to limit access by mapping root users or all users to a specific user and group ID. For root squash, map root users to the username nobody.
  8. Locate the Security Flavors setting. Set the security type to use. UNIX is the default setting.
    Click Use custom to select one or more of the following security types:
    • UNIX (system)
    • Kerberos5
    • Kerberos5 Integrity
    • Kerberos5 Privacy
    Note:

    The default security flavor (UNIX) relies upon having a trusted network. If you do not completely trust everything on your network, then the best practice is to choose a Kerberos option. If the system does not support Kerberos, it will not be fully protected because NFS without Kerberos trusts everything on the network and sends all packets in cleartext. If you cannot use Kerberos, you should find another way to protect the Internet connection. At a minimum, do the following:
    • Limit root access to the cluster to trusted host IP addresses.
    • Make sure that all new devices that you add to the network are trusted. Methods for ensuring trust include, but are not limited to, the following:
      • Use an IPsec tunnel. This option is very secure because it authenticates the devices using secure keys.
      • Configure all of the switch ports to go inactive if they are physically disconnected. In addition, make sure that the switch ports are MAC limited.

  9. Click Show Advanced Settings to configure advanced NFS export settings.
    Do not change the advanced settings unless it is necessary and you fully understand the consequences of these changes.
  10. Click Save Changes.

Results

The new NFS export is created and shown at the top of the NFS Exports list.
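
The client-list rules in step 5 and the security-flavor note in step 8 can be checked before an export is saved. The following is an added example, not OneFS code: it models the normalization order and the IPv4-mapped address translation described above and flags the exposure cases the notes call out. The dictionary field names and the flavor strings ("unix", "krb5p") are assumptions chosen for this sketch.

```python
import ipaddress

# Priority order the page gives for a client that appears in several lists.
PRIORITY = ["root_clients", "read_write_clients", "read_only_clients", "clients"]

def canonical(entry):
    """Store an IPv4-mapped IPv6 address as plain IPv4; keep anything else as typed."""
    try:
        addr = ipaddress.ip_address(entry)
    except ValueError:
        return entry  # host name, subnet or netgroup
    mapped = getattr(addr, "ipv4_mapped", None)
    return str(mapped) if mapped else entry

def normalize(export):
    """Keep each client only in the highest-priority list that names it."""
    seen, out = set(), {}
    for field in PRIORITY:
        out[field] = []
        for entry in export.get(field, []):
            client = canonical(entry)
            if client not in seen:
                seen.add(client)
                out[field].append(client)
    return out

def audit(export):
    """Return warnings for the exposure cases described in the notes."""
    lists = normalize(export)
    findings = []
    if not any(lists.values()):
        findings.append("no clients specified: all clients on the network are allowed")
    elif not any(lists[f] for f in PRIORITY[1:]):
        findings.append("only Root Clients set: other clients can still mount")
    if set(export.get("security_flavors", ["unix"])) == {"unix"}:
        findings.append("UNIX (system) flavor only: relies on a trusted network")
    return findings

# Constructed sample export (hypothetical field names, not from a real cluster).
SAMPLE = {
    "root_clients": ["::ffff:10.0.0.5"],
    "read_only_clients": ["10.0.0.5", "build01.example.com"],
    "security_flavors": ["unix"],
}

if __name__ == "__main__":
    print(normalize(SAMPLE))
    print(audit(SAMPLE))
```

In the sample, 10.0.0.5 is entered once as an IPv4-mapped IPv6 address and once as IPv4, so after translation it is kept only under Root Clients.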