Articles in this section

See more

Enabling NFSv4.1 Access (with or without NFSv3)

Sara Levy
  • Updated
Follow

Follow the steps on this page to enable NFSv4.1 access. You can optionally enable NFSv3 access on the same views that you enable NFSv4.1.

Important

VAST Cluster supports NFSv4.1 client access from Linux clients. 

Note the following limitations:

  • NFSv4.1 must be enabled on the cluster at installation.

  • You can enable NFSv4.1 access on one view per Element Store directory.

  • Each client host can mount a single connection to the NFSv4.1 enabled view.

  • The same view cannot be simultaneously accessible by SMB clients.

  • The security flavor must be set to NFS or Mixed.

  • ACLs are supported only when Mixed is selected as the flavor.

  • Enabling NFSv4.1 in a view is not supported when the Suppressed Showmount feature is enabled on the cluster.

  1. Enabling NFSv4.1 During Cluster Installation

  2. Configure Authorization Provider(s) and Users

  3. Configure a View Policy

  4. Create Views as Needed

Enable NFSv4.1 During Cluster Installation

NFSv4.1 needs to be explicitly enabled on the cluster during installation. In upcoming releases, NFSv4.1 will be enabled by default.

If you installed your cluster using the Easy Install utility, please reach out to Support and ask them to enable NFSv4.1 for you. Likewise, if you are unsure if NFSv4.1 was enabled on a cluster, please ask us to verify this for you.  

Enabling NFSv4.1 is done by including the --enable-nfs4 parameter with the cluster create command. This is part of the alternate installation flow and is not usually a customer-performed procedure.

 
Configure Authorization Provider(s) and Users

File access for NFSv4.1 can be authorized through an Active Directory server. Other external providers are not supported.

It's also possible to use the local provider, which is internal to the VAST Cluster and lets you add users with their NFS user attributes. In this case, ID mapping is not supported.

If Active Directory or local users are not yet configured, see:

Important

NFSv4.1 ID mapping requires Active Directory as the authorization provider and some specific configurations. Please read our configuration guide for NFSv4.1 ID mapping in conjunction with the Active Directory configuration procedure.

 
Configure a View Policy

A view policy is a reusable set of configurations. Every view has a view policy. Multiple views may use the same view policy. Before creating a view that is exposed as an NFS export accessible by NFSv4, you need to make sure you have a view policy that is configured to support NFSv4. You can either modify a view policy or create a new one.

Creating or Modifying a View Policy via the VAST Web UI

  1. In the VAST Web UI, select Element Store from the left navigation menu and then select View Policies.

    The View Policies tab displays at least one view policy, the default view policy.

  2. To edit a view policy, click ActionsButtonGUI2.png to open the Actions menu for the policy and select Edit. Alternatively, to create a new view policy, click Create Policy at the top right of the grid.

    The Add Policy or Update Policy dialog opens with the General area expanded.

  3. In the Name field, enter a unique name for the policy.

  4. From the Security Flavor dropdown, select one of the following:

    • NFS. Supports NFSv4 without support for NFSv4 ACLs.

    • Mixed Last Wins. Required to enable support for NFSv4 ACLs.

    Security flavors determine how file permissions are managed when views are exposed to multiple file sharing protocols.

  5. To limit access to specific VIP pools, select those VIP pool(s) in the VIP Pools dropdown.

    If no VIP pools are selected, all VIP pools can access all views that are attached to this view policy.

  6. From the Group Membership Source dropdown, choose the source used for retrieving group memberships of NFS users for the purposes of authorizing access to files and directories. For NFSv4.1, you must choose one of the following options:

    • Providers. Group memberships retrieved from authorization providers are considered as the user's group memberships (as for SMB-only and multiprotocol views). The GIDs declared in the RPC are ignored.

      Important

      To enable support for NFS4 ID mapping, select Providers and make sure Active Directory is configured with the user login name and group login name attributes set to sAMAccountname in order for user and group mappings to work correctly.

    • Client and Providers. Both the GIDs declared in the RPC and group memberships retrieved from authorization providers are considered.

    For more information about the impact of this setting, see The VAST Cluster Authorization Flow.

  7. Expand the NFS section. Here you can manage which NFS hosts are allowed to access the view and the types of access you allow to different hosts.

    Two wildcard entries initially appear in the Read/Write and Root Squash rows of the grid:

    ViewPol_NFS_Hosts.png

    These wildcards represent all IPs of all hosts. This default configuration gives all hosts read/write access and root squashing.

  8. Add and remove entries in the access type grid to allow the exact host access that you want.

    1. Click the +Add new IP button for the access type you want to add hosts to.

      The IPs list for the access type becomes editable.

    2. Add hosts using any of the following expressions in a comma separated list:

      • A single IP.

      • A subnet indicated by CIDR notation. For example: 1.1.1.1/24.

      • A range of IPs indicated by an IP address with '*' as a wildcard in place of any of the 8-bit fields in the address. For example, 3.3.3.*, or 3.3.*.*.

      The access types comprise these categories:

      • Controlling read and write operations:

        • Read / Write. Read/write access.

        • Read Only. Read only access.

      • Controlling squash policy:

        • No Squash. All operations are supported. Use this option if you trust the root user not to perform operations that will corrupt data.

        • Root Squash. The root user is mapped to nobody for all file and folder management operations on the export. This enables you to prevent the strongest super user from corrupting all user data on the VAST Cluster.

        • All Squash. All client users are mapped to nobody for all file and folder management operations on the export.

      Note

      The Trash Access option may appear if enabled on the Settings page. This access type is applicable for NFSv3 clients only. The Trash folder feature is not supported for NFSv4.1 clients.

      You can add hosts to any and all of the types, but within each category no more than one type will be applied to any given host. If a host is specified with multiple entries in mutually exclusive types, the conflict is resolved as follows:

      • An IP overrides a netgroup, a netgroup overrides a CIDR, and a CIDR overrides a wildcard expression.

      • If a conflict remains after the previous rule is applied, then:

        • Read Only overrides Read / Write.

        • All Squash overrides Root Squash.

        • Root Squash overrides No Squash.

    3. Click Add or press the ENTER key on your keyboard.

      The entries are added.

    • To remove an entry, hover to the right of the entry until a removal button appears and click it:

      removeIP.png

  9. Switch back to the General tab and (optionally) expand the Advanced section and change the following settings:

    • Atime frequency. atime is a metadata attribute of NFS files that represents the last time the file was updated. atime is updated on read operations if the difference between the current time and the file's atime value is greater than the configured atime frequency. Consider that a very low value might have a performance impact if high numbers of files are being read.

      Specify ATIME_FREQUENCY as an integer followed by a unit of time (s = seconds, m= minutes, h=hours, d=days).

      Example: 1h

    • Posix ACL. Enables full support of extended POSIX Access Control Lists (ACL). By default, VAST Cluster supports the traditional POSIX file system object permission mode bits, (minimal ACL mode) in which each file has three ACL entries defining the permissions for the owner, owning group, and others, respectively. To learn more about POSIX ACL, see https://linux.die.net/man/5/acl.

      Note

      The Posix ACL setting is relevant for NFSv3 only.

      Note

      The Posix ACL setting is supported only with the NFS security flavor.

      Note

      Thesetfacl Linux command is blocked if this option is not enabled.

    Tip

    Skip the other Advanced settings and the SMB tab. Those settings don't pertain to exclusively NFS-exposed views. The Use 32-bit File IDs is not supported for views that are enabled for NFSv4.1.

  10. Click Create.

    The policy is created and added to the list.

 
Creating/Modifying the View Policy via the VAST CLI

Use the viewpolicy create command to create a new view policy or the viewpolicy modify command to modify the default view policy. For command syntax, follow NFS Usage.

 
 
Create Views as Needed

A view exposes a specific directory to a client protocol (in this case NFSv4.1). In other words, this is how you create a directory in the file system and create an NFS export on the directory.

Important

In order for files to be accessible by NFSv4.1 clients, views on all directories along the path must have NFSv4.1 protocol enabled, including the root path “/”. Access to higher level directories along the path can be read-only for the client host.

For example, in order for NFSv4.1 clients to access /A/B, you must enable NFSv4.1 on all of the following:

  • /

  • /A

  • /A/B

Creating a View via the VAST Web UI

  1. In the VAST Web UI, select Element Store from the left navigation menu and then select Views.

  2. Click Create View to add a new view.

    The Add View dialog appears.

  3. In the Path field, enter the full path from the top level of the storage system on the cluster to the location that you want to expose. The directory may exist already, such as if it was created by a client inside a mounted parent directory. It could also be a path to a new directory which you'll create now (see step 7).

  4. Open the Protocols dropdown, select NFS4. Optionally, you can also select NFS to expose the same view to NFSv3 clients.

  5. If you selected NFS as well as NFS4 in the Protocols dropdown, then, optionally in the NFS Alias field, you can specify an alias for the mount path of the NFS export. This can be used by NFSv3 clients. An alias must begin with a forward slash ("/") and must consist of only ASCII characters.

  6. From the Policy Name dropdown, select the view policy that is configured as described in the previous step. It might be the default policy or one you created for this purpose.

  7. If the directory does not already exist in the file system, enable the Create Directory setting to create the directory.

  8. Click Create.

    The view is now created. You can see it displayed in the Views tab.

 
Creating a View via the VAST CLI

Use the view create command.

 
 
 

Related articles

Comments

0 comments

Article is closed for comments.