NetApp Knowledge Base

How are NFS export-policies evaluated in ONTAP 9?

Category:
ontap-9
Specialty:
nas
Applies to

  • ONTAP 9
  • NFS

Answer

  1. An export-policy is evaluated when a client attempts to access the NFS namespace and no existing access rule has been cached
    • During mount, the root volume export-policy is evaluated before the volume or qtree policy
    • The volume policy will be evaluated for all access afterward, unless the target is a qtree and qtree-exports are enabled
  2. A request from the NFS client is received
  3. NBLADE will decode the filehandle to find the appropriate volume and identify the appropriate export-policy-ruleset to evaluate access against.
    • NBLADE may reference VLDB during this time
  4. NBLADE checks the AccessCache for the client in question, against the ruleset-id associated with the qtree/volume export policy.
  5. If the client is not in the cache, NBLADE sends a query to MGWD to evaluate the export-policy for this client
    • IP export rule
      • The IP address received is compared as a string match against the IP address in the export rule
      • No DNS in use
    • Hostname Export rule
      • MGWD performs forward lookup for all hostname rules.
        • MGWD evaluates the received IP against the DNS response as an IP string match
        • name-service cache is updated
    • Subnet export rule
      • IP addresses are compared to subnet rules
      • DNS service not in use
    • Domain Name export rule
      • Requires a PTR lookup of the IP to determine the hostname and domain
      • Access is granted based on the domain returned in the PTR lookup
    • Netgroup export rule
      • ONTAP will perform a PTR (reverse DNS lookup) of the IP of the client to obtain the hostname to check in netgroups
      • MGWD will check its cache to determine if there is a netgroup.byhost cache entry for the client
      • If there is no cache entry, MGWD will leverage libc to send requests to the NIS/ns-switch netgroup server.
        • Priority of NIS servers is based on which IPs are listed first
        • MGWD will update netgroup cache once response is given for all netgroups that a host is a part of.
        • MGWD will use this list of netgroups to continue evaluation of export policy rules
  6. MGWD will evaluate each rule one by one, in numerical order, until it matches the client to a rule.
    • Once a rule is matched, no further evaluation is done for this client.
    • If MGWD is not able to resolve the request in a timely manner, ONTAP will respond with a ‘jukebox’ error (NFSv4: ERR Delay).
      • This indicates that ONTAP can’t complete the operation in a timely manner and is giving up on this call.
      • The client will need to resubmit the request if it wishes for it to be performed.
      • Clients will then resend the operation after X time (5 seconds is common).
        1. This looks like a hang to clients.
        2. The MOUNT protocol has no error for this, and ONTAP will appear to not respond at all.
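
The rule matching and first-match ordering from steps 5 and 6, as an added Python model (not NetApp code and not part of the original article). The host names, IP addresses, netgroup name, the leading "@" and "." notation for netgroup and domain rules, and the "denied" result when no rule matches are assumptions of this example; DNS and NIS lookups are replaced by constructed dictionaries.

```python
import ipaddress

# Constructed name-service data standing in for DNS and NIS answers.
FORWARD = {"build01.corp.example": "10.1.1.20"}            # hostname -> IP
PTR = {"10.1.1.20": "build01.corp.example",                # IP -> hostname
       "10.9.9.9": "lab7.dev.example"}
NETGROUP_BYHOST = {"build01.corp.example": {"builders"}}   # host -> netgroups

def rule_matches(clientmatch, client_ip):
    """Apply one rule's client match to the IP the request arrived from."""
    if clientmatch.startswith("@"):        # netgroup: PTR, then byhost lookup
        host = PTR.get(client_ip)
        return clientmatch[1:] in NETGROUP_BYHOST.get(host, set())
    if clientmatch.startswith("."):        # domain: decided by the PTR answer
        host = PTR.get(client_ip)
        return host is not None and host.endswith(clientmatch)
    if "/" in clientmatch:                 # subnet: no DNS involved
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(clientmatch)
    try:
        ipaddress.ip_address(clientmatch)
    except ValueError:                     # hostname: forward lookup, compare IPs
        return FORWARD.get(clientmatch) == client_ip
    return clientmatch == client_ip        # IP rule: plain string match

def evaluate(policy, client_ip, access_cache):
    """Return (rule_index, access) for the first matching rule, lowest index first."""
    if client_ip in access_cache:          # cached decision: no re-evaluation
        return access_cache[client_ip]
    for index in sorted(policy):
        clientmatch, access = policy[index]
        if rule_matches(clientmatch, client_ip):
            access_cache[client_ip] = (index, access)
            return access_cache[client_ip]
    return (None, "denied")                # assumption: no matching rule means no access

POLICY = {                                 # constructed ruleset: index -> (match, access)
    1: ("10.1.1.0/24", "ro"),
    2: ("build01.corp.example", "rw"),
    3: (".dev.example", "rw"),
    4: ("@builders", "rw"),
}

if __name__ == "__main__":
    cache = {}
    for ip in ("10.1.1.20", "10.9.9.9", "10.5.5.5"):
        print(ip, evaluate(POLICY, ip, cache))
```

With this ruleset, 10.1.1.20 gets read-only access from rule 1 and never reaches the read-write hostname rule 2, while 10.9.9.9 gets read-write access solely because of what its PTR record says. A decision already in the cache is returned without consulting the name services again.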
