How are NFS export-policies evaluated in ONTAP 9?
Applies to
- ONTAP 9
- NFS
Answer
- An export-policy is evaluated when a client attempts to access the NFS namespace and no existing access rule has been cached
  - During mount, the root volume export-policy is evaluated before the volume or qtree policy
  - The volume policy will be evaluated for all access afterward unless it is a qtree, and qtree-exports are enabled
- When the policy is evaluated
  - The process is iterative and stops on the first match
  - When an error occurs in processing a clientmatch, access will be determined by preceding rules only
  - Access Cache entries will be created when evaluation completes
  - NAS Layer caches will store further Name Service information for the following
    - hostname
    - domain name
    - netgroup
- Rules may be ordered to alleviate changes in Name Service availability
  - Each of the following groups should be further ordered from most to least restrictive
    - IP address
    - subnet
    - hostname
    - domain name
    - netgroup
- The clientmatch field further supports comma-delimited lists of IPs or hostnames
  - Each change in access can be on one line
  - Allows efficient grouping and evaluation for clients with the same access
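The first-match evaluation and rule ordering described above, as a simplified Python model added here for illustration; it is not NetApp code or ONTAP's implementation. The rule tuples, host name and addresses are constructed, a failed lookup is modeled as ending evaluation with access denied (one reading of "access will be determined by preceding rules only"), and the access cache is not modeled.

```python
import ipaddress

class NameServiceError(Exception):
    """The name service could not answer a lookup."""

def matches(clientmatch, client_ip, resolve):
    """True if any entry of a comma-delimited clientmatch covers client_ip."""
    addr = ipaddress.ip_address(client_ip)
    for entry in (e.strip() for e in clientmatch.split(",")):
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True               # IP address or subnet: no lookup
        except ValueError:                # not an address, treat as hostname
            if client_ip in resolve(entry):   # may raise NameServiceError
                return True
    return False

def evaluate(rules, client_ip, resolve):
    """Walk rules by index; return (access, index of the deciding rule)."""
    for index, clientmatch, access in sorted(rules):
        try:
            if matches(clientmatch, client_ip, resolve):
                return access, index      # first match wins
        except NameServiceError:
            # Assumption: earlier rules did not match, so nothing grants access
            return "denied", index
    return "denied", None

# Constructed sample data, not taken from the page.
DNS = {"build01.example.internal": {"10.9.0.30"}}

def dns_up(name):
    return DNS.get(name, set())

def dns_down(name):
    raise NameServiceError(name)

HOSTNAME_FIRST = [(1, "build01.example.internal", "rw"),
                  (2, "10.1.2.10,10.1.2.11", "rw"),
                  (3, "10.1.2.0/24", "ro")]
IP_FIRST = [(1, "10.1.2.10,10.1.2.11", "rw"),
            (2, "10.1.2.0/24", "ro"),
            (3, "build01.example.internal", "rw")]

if __name__ == "__main__":
    for name, rules in (("hostname first", HOSTNAME_FIRST), ("IP first", IP_FIRST)):
        for resolver in (dns_up, dns_down):
            print(name, resolver.__name__, evaluate(rules, "10.1.2.10", resolver))
```

With the name service down, the hostname-first policy denies 10.1.2.10 at rule 1, while the IP-first policy still grants it rw from rule 1 and only the hostname-matched client loses access.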
Additional Information
- NFS Best Practice Guide, TR-4067 Section 4 Export Policies and Rules in Clustered Data ONTAP
- Name Services Best Practice Guide, TR-4668 Section 6 Caching in ONTAP
