- Directory /export/rw is exported with read-write for a subset of
servers (server1, server2, server3)
- The same directory needs to be Read-Only for all servers, including
server1, server2, server3 (more than 200 servers in read-only)
You cannot export the same directory twice. What I did:
ln -s /export/rw /export/ro
and then I exported the /export/ro as read-only. Many tests later, I
found that only server1, server2 and server3 can mount /export/ro!!!
It is as if AIX exports only the "real" directory, no matter how many
links I put.
Any ideas, any suggestions?
What I really want to do: permit only a subset of servers to write to
this directory, but any server can read it. This space will contain
"configuration files", and I want to be sure that only the servers I
control can write to this directory. I don't care if any servers, or
Linux workstation, or Windows with Unix services access it to read the
content.
Thanks.
AIX 5.3.3, TL5 SP4, jfs2
That is the solution in case you are using the option -o rw=client1:....
> - The same directory needs to be Read-Only for all servers, including
> server1, server2, server3 (more than 200 servers in read-only)
>
> You cannot export the same directory twice. What I did:
Not quite correct. You cannot export the same directory with the same
NFS version.
>
> ln -s /export/rw /export/ro
?
>
> and then I exported the /export/ro as read-only. Many tests later, I
> found that only server1, server2 and server3 can mount /export/ro!!!
> It is as if AIX exports only the "real" directory, no matter how many
> links I put.
>
> Any ideas, any suggestions?
>
> What I really want to do: permit only a subset of servers to write to
> this directory, but any server can read it. This space will contain
> "configuration files", and I want to be sure that only the servers I
> control can write to this directory. I don't care if any servers, or
> Linux workstation, or Windows with Unix services access it to read the
> content.
>
> Thanks.
>
> AIX 5.3.3, TL5 SP4, jfs2
Short:
man exportfs
..... -o rw=Client1:Client2:clientN # Also other nodes have only ro
access.
Also beware of security limitations with NFS v2/v3 regarding hostname/IP
takeover.
A secure approach would be to export ro with NFS v3 and rw with NFS v4/dce,
as mentioned in the example section of the man page for exportfs.
You should also read:
Securing NFS in AIX
An Introduction to NFS v4 in AIX 5L Version 5.3
http://www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/SG247204.html
hth
Hajo
Check the smit nfs screens. The option is read-mostly.
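
The read-mostly export that Hajo's reply and the smit hint describe, as an added example that is not part of the thread: a POSIX shell check that classifies /etc/exports-style lines by who may write and flags any export left writable by every client. It assumes AIX's "directory -option,option" line layout; the function names and the /export/docs and /export/scratch entries are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): classify /etc/exports-style lines
# by who may write. Option semantics used here:
#   no rw/ro option -> read-write for every client (AIX default, assumed)
#   -ro             -> read-only for every client
#   -rw=a:b:c       -> read-write for a, b, c; read-only for the rest

# classify_export LINE: prints "<dir> <class> <writers>", returns 1 on
# blank or comment-only lines.
classify_export() {
    line=${1%%#*}                     # strip trailing comment
    set -f                            # no globbing during word splitting
    set -- $line
    if [ $# -eq 0 ]; then set +f; return 1; fi
    dir=$1; opts=${2#-}
    class=rw-all; writers='*'
    old_ifs=$IFS; IFS=,
    for opt in $opts; do
        case $opt in
            ro)   class=ro-all;      writers=none ;;
            rw=*) class=read-mostly; writers=${opt#rw=} ;;
        esac
    done
    IFS=$old_ifs; set +f
    printf '%s %s %s\n' "$dir" "$class" "$writers"
}

# audit_exports: reads exports lines on stdin, prints one result per
# export, returns 1 if any directory is writable by every client.
audit_exports() {
    rc=0
    while IFS= read -r l; do
        out=$(classify_export "$l") || continue
        echo "$out"
        case $out in *' rw-all '*) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample; /export/docs and /export/scratch are hypothetical.
SAMPLE_EXPORTS='# constructed sample
/export/rw -rw=server1:server2:server3
/export/docs -ro
/export/scratch'

printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports ||
    echo "WARNING: at least one export is read-write for all clients"
```

The writer list is matched by hostname or IP, so the NFS v2/v3 takeover limitation mentioned in the thread still applies to a read-mostly export.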