Configuring and Troubleshooting Host Access Rules for NFS Exports in Qumulo Core

This section explains how host access rules work in Qumulo Core and how to configure and troubleshoot them.

In Qumulo Core 6.2.0.1, you can add a host access rule to an NFS export to restrict the export by IP address or hostname.

The following examples show the elements that a host access rule can include.

Hostnames
- Without a wildcard (name.example.com)
- With a wildcard (*.example.com)
IP Addresses
- Single IP addresses (203.0.113.0)
- IP address range (203.0.113.0-203.0.113.10 or 203.0.113.0-10)
Network Segment
- Without a subnet mask (203.0.113.0/24)
- With a subnet mask (203.0.113.0/255.255.255.0)

Important
If you don’t specify a host access rule, Qumulo Core allows access to all IP addresses.

Prerequisites

To be able to use hostnames, you must:

Enable and configure reverse lookups on your DNS server.
Use fully qualified domain names (FQDNs).
Use wildcards carefully because they match only one hostname level. For example, *.accounting.example.com matches user1.accounting.example.com but not machine.user1.accounting.example.com.
Optimize your system for reverse-dns lookups.

Adding a Host Access Rule to an Existing NFS Export

This section explains how you can add a host access rule to an existing NFS export by using the Web UI or the qq CLI.

To Add a Host Access Rule by Using the Web UI

Log in to Qumulo Core.
Click Sharing > NFS Exports.
For an NFS export, in the Actions column, click .
On the NFS Export page, in the Host Access Rules section, do the following:
1. For Allowed Hosts, enter a comma-separated host access rule.
2. (Optional) To ensure that the allowed hosts have limited access to the NFS export, click Read-only.
3. (Optional) For User mapping select one of the following:
  - No mapping: Qumulo Core doesn’t apply a user mapping when it accesses the NFS export and relies on default NFS protocol behavior.
  - Map root to…: Qumulo Core associates the root user that accesses the NFS export with a specific user in your Qumulo cluster.
  - Map all to…: Qumulo Core associates all users that access the NFS export with a specific user in your Qumulo cluster.
4. To add a new rule, click + Add a Host Access Rule.
5. Click Save.

Qumulo Core applies the host access rule to the NFS export.

To Add a Host Access Rule by Using the qq CLI

Prepare a list of host access rules in JSON format. The following is an example of the contents of root_restrictions.json.

{
  "restrictions": [{
    "host_restrictions": [
      "user1.accounting.example.com",
      "*.eng.example.com",
      "203.0.113.0"
    ]
  }]
}

Use the qq nfs_mod_export command and specify the export path and the file with the host access rules. For example:

qq nfs_mod_export \
  --export-path / \
  --restrictions root_restrictions.json

The following is example JSON output from the command.

{
  "description": "",
  "export_path": "/",
  "fields_to_present_as_32_bit": [],
  "fs_path": "/",
  "id": "1",
  "restrictions": [{
    "host_restrictions": [
      "user1.accounting.example.com",
      "*.eng.example.com",
      "203.0.113.0"
    ],
    "read_only": false,
    "require_privileged_port": false,
    "user_mapping": "NFS_MAP_NONE"
  }],
  "tenant_id": 1
}

To Troubleshoot Host Access Rules for an NFS Export

This section describes the troubleshooting steps for a scenario in which an NFS client can’t mount or access an NFS export.

Note
Currently, if you use multiple DNS servers, the dns_resolve_hostnames and dns_resolve_ips commands aren't tenant-aware and might not return the same results as the DNS resolution mechanism in NFS.

To view the NFS export’s host access rules, run the qq nfs_get_export command and specify the export path. For example:

qq nfs_get_export --export-path /

The following is example output from the command.

ID:          1
Export Path: /
Tenant ID:   1
FS Path:     /
Description: 
32bit-mapped fields: None
Host Access:
ID  Hosts                          Access Options
==  =============================  ============================
1   user1.accounting.example.com   rw, insecure, no_root_squash

In this example, only the machine user1.accounting.example.com can access the NFS export at /.

To find the client’s IP address, we recommend viewing your Qumulo cluster logs. For example:
```
Client 203.0.113.2 is not authorized to use export ExportId(1)
```
To find the client’s hostname, use the qq dns_resolve_ips command and specify the client’s IP address. For example:
```
qq dns_resolve_ips --ips 203.0.113.2
```
The following is example JSON output from the command.
```
[{
  "hostname": "user2.accounting.example.com",
  "ip_address": "203.0.113.2",
  "result": "OK"
}]
```
In this example, the 203.0.113.2 IP address maps to user2.accounting.example.com.
To troubleshoot the NFS client, you can take one or more of the following steps:
- Ensure the NFS client configuration entry is correct.
- Use the dns_resolve_ips command to verify that the IP address maps to the correct name.
- Update the host access rules for user2.accounting.example.com.
- Ensure that your Qumulo cluster’s DNS cache isn’t out of date, for example, if 203.0.113.2 should resolve to user1.accounting.example.com.
  
  To reset your Qumulo cluster’s DNS cache, use the qq dns_clear_lookup_cache command.
- Use the qq dns_resolve_hostnames command and specify the hostname to perform a lookup for user1.accounting.example.com.
  
  The following is example output from the command.
```
[{
  "hostname": "user2.accounting.example.com",
  "ip_addresses": ["203.0.113.1"],
  "result": "OK"
}]
```
- Use the qq dns_resolve_ips command to find the hostname for your client’s IP address and:
  - If the NFS client can’t access a share, but should be able to, add the IP address to the NFS export’s host access rules.
  - If the NFS client can access a share, but shouldn’t be able to, remove the IP address from the NFS export’s host access rules.

Optimizing Your System for Reverse-DNS Lookups

Qumulo Core checks hostnames by performing a reverse-DNS lookup on the cluster. Because continuous reverse-DNS lookups can affect system performance, Qumulo Core caches the results on the cluster. Because Qumulo Core’s cache abides by the DNS TTL, a low TTL can cause cache entries to expire frequently, which might require a new query.

By increasing TTL, you can reduce the number of DNS requests that your cluster makes. However, this might cause your cluster to keep outdated results for a longer time. For the most optimal configuration, list your organization’s DNS servers first in your DNS configuration.

To bypass DNS, you can set explicit IP-host mappings for your cluster by using the qq dns_set_lookup_overrides command. If Qumulo Core finds an override for an IP address or host, it uses the override instead of the DNS cache.

In the following JSON example, the IP address 203.0.113.2 binds to the host user3.accounting.qumulo.com explicitly.

{
  "lookup_overrides": [{
    "aliases": ["user3.accounting.example.com"],
    "ip_address": "203.0.113.2"
  }]
}