Notice
This feature is introduced in VAST Cluster 4.2-sp3. It has no impact on NFSv4.1 client connections.
Clusters that are newly installed with VAST Cluster 4.2-sp3 globally block NFSv3 clients from communicating over sockets that use unprivileged ports. Only privileged source ports (those with port numbers under 1024) are allowed. This is equivalent to the secure option which might be configurable per NFS export in other systems, but it is a global setting for all NFSv3 exports on the cluster.
Client processes require root privileges in order to create a socket with a privileged source port. Blocking access via unprivileged ports therefore removes the possibility of UID spoofing by non-root client processes.
When upgrading a cluster to VAST Cluster 4.2-sp3 from VAST Cluster 4.2 or from a previous version that supports upgrade to 4.2-sp3, unprivileged ports are not blocked by default. This is intended to support any client applications that may already rely on the use of unprivileged ports. However, it is possible and recommended to block unprivileged ports if they are not needed. Likewise, it is possible to allow unprivileged ports if needed in VAST Cluster 4.2-sp3.
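Before setting NFS_ALLOW_INSECURE_PORTS=false on an upgraded cluster, it helps to know which clients currently rely on unprivileged source ports. The following Python script is an added example, not part of the VAST documentation or product: it parses constructed `ss -tn` output captured on an NFSv3 client, assumes NFS traffic is TCP to port 2049, and flags the sockets the stricter setting would reject.

```python
import re
from dataclasses import dataclass

NFS_PORT = 2049        # NFS server TCP port; NFSv3 sideband services (mountd etc.) are out of scope here
PRIVILEGED_MAX = 1023  # only root can bind a source port in 0-1023 on Unix-like clients

@dataclass
class NfsConn:
    local_addr: str
    src_port: int
    server_addr: str
    @property
    def privileged(self) -> bool:
        return self.src_port <= PRIVILEGED_MAX

# Constructed sample in `ss -tn` format from a Linux NFSv3 client (addresses made up).
# The first NFS socket uses a reserved port (the Linux client's default); the second
# uses an ephemeral port, as a mount with noresvport would; the third is unrelated HTTPS.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
ESTAB  0       0       10.0.0.21:806        10.0.0.100:2049
ESTAB  0       0       10.0.0.21:45812      10.0.0.100:2049
ESTAB  0       0       10.0.0.21:51034      10.0.0.7:443
"""
_ESTAB_RE = re.compile(r"^ESTAB\s+\d+\s+\d+\s+(\S+)\s+(\S+)")

def _split_endpoint(endpoint: str) -> tuple:
    host, port = endpoint.rsplit(":", 1)  # rsplit keeps IPv6 literals intact
    return host, int(port)

def nfs_connections(ss_output: str) -> list:
    """Established TCP sockets whose peer is the NFS server port."""
    conns = []
    for line in ss_output.splitlines():
        m = _ESTAB_RE.match(line)
        if not m:
            continue  # header line, or a socket that is not ESTAB
        local_host, local_port = _split_endpoint(m.group(1))
        peer_host, peer_port = _split_endpoint(m.group(2))
        if peer_port == NFS_PORT:
            conns.append(NfsConn(local_host, local_port, peer_host))
    return conns

def unprivileged_nfs_connections(ss_output: str) -> list:
    """Sockets that the cluster rejects once NFS_ALLOW_INSECURE_PORTS=false."""
    return [c for c in nfs_connections(ss_output) if not c.privileged]

def would_be_blocked(conn: NfsConn, allow_insecure: bool) -> bool:
    # Mirror the cluster rule: only unprivileged source ports are affected, and only while false.
    return not allow_insecure and not conn.privileged
```

Run it against real `ss -tn` output from each NFSv3 client; any socket it lists must be remounted from a privileged port before the cluster-wide setting is switched to false.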
To block or allow unprivileged source ports, follow the procedure below or contact Support for assistance.
1. Open an SSH session to the management IP of one of the cluster's CNodes.
   Tip
   To find a CNode management IP, do one of the following:
   - In the VAST Web UI, navigate to the CNodes page (under Infrastructure) and find the management IPs listed for the CNodes in the Management IP column.
   - In the VAST CLI, run cnode list. In the output, find the management IPs listed under the Mgmt-ip column.
2. Run one of the following commands as needed:
   - To allow NFSv3 access via both privileged and unprivileged ports:
     $ vtool vsettings set NFS_ALLOW_INSECURE_PORTS=true
     Note
     The setting has no impact on NFSv4.1 connections.
   - To block NFSv3 client access via unprivileged ports and allow NFSv3 client access via privileged ports only:
     $ vtool vsettings set NFS_ALLOW_INSECURE_PORTS=false
   The new setting now propagates to the CNodes throughout the cluster. It can take several seconds until the setting has fully propagated.
3. After changing the setting, verify it with the following command:
   $ vtool vsettings show NFS_ALLOW_INSECURE_PORTS=false