Configuring and Troubleshooting Host Access Rules for NFS Exports in Qumulo Core

This section explains how host access rules work in Qumulo Core and how to configure and troubleshoot them.

In Qumulo Core 6.2.0.1, you can add a host access rule to an NFS export to restrict the export by IP address or hostname.

The following examples show the elements that a host access rule can include.

Hostnames
- Without a wildcard (name.example.com)
- With a wildcard (*.example.com)
IP Addresses
- Single IP addresses (203.0.113.0)
- IP address range (203.0.113.0-203.0.113.10 or 203.0.113.0-10)
Network Segment
- Without a subnet mask (203.0.113.0/24)
- With a subnet mask (203.0.113.0/255.255.255.0)
Allowed Kerberos Security Flavors

To restrict access to NFSv4.1 clients that use only specific Kerberos security flavors, add the following special strings to the list of host access rules. For example:
- KRB5P@: Allow only encrypted access for the specified export.
- KRB5@, KRB5I@, and KRB5P@: Allow any Kerberos-authenticated access, but not AUTH_SYS access.

Important
If you don’t specify a host access rule, Qumulo Core allows access to all IP addresses.

Prerequisites

To be able to use hostnames, you must:

Enable and configure reverse look-ups on your DNS server.
Use fully qualified domain names (FQDNs).
Use wildcards carefully because they match only one hostname level. For example, *.accounting.example.com matches user1.accounting.example.com but not machine.user1.accounting.example.com.
Optimize your system for reverse-dns look-ups.

Adding a Host Access Rule to an Existing NFS Export

This section explains how you can add a host access rule to an existing NFS export by using the Qumulo Core Web UI or the qq CLI.

To Add a Host Access Rule by Using the Qumulo Core Web UI

Log in to the Qumulo Core Web UI.
Click Sharing > NFS Exports.
For an NFS export, in the Actions column, click .
On the NFS Export page, in the Host Access Rules section:
1. For Allowed Hosts, enter a comma-separated host access rule.
2. (Optional) To ensure that the allowed hosts have limited access to the NFS export, click Read-only.
3. (Optional) For User mapping select one of the following:
  - No mapping: Qumulo Core doesn’t apply a user mapping when it accesses the NFS export and relies on default NFS protocol behavior.
  - Map root to…: Qumulo Core associates the root user that accesses the NFS export with a specific user in your Qumulo cluster.
  - Map all to…: Qumulo Core associates all users that access the NFS export with a specific user in your Qumulo cluster.
4. To add a new rule, click + Add a Host Access Rule.
5. Click Save.

Qumulo Core applies the host access rule to the NFS export.

To Add a Host Access Rule by Using the qq CLI

Prepare a list of host access rules in JSON format. The following is an example of the contents of root_restrictions.json.

{
  "restrictions": [{
    "host_restrictions": [
      "user1.accounting.example.com",
      "*.eng.example.com",
      "203.0.113.0"
    ]
  }]
}

Run the qq nfs_mod_export command and specify the export path and the file with the host access rules. For example:

qq nfs_mod_export \
  --export-path / \
  --restrictions root_restrictions.json

The following is example output.

{
  "description": "",
  "export_path": "/",
  "fields_to_present_as_32_bit": [],
  "fs_path": "/",
  "id": "1",
  "restrictions": [{
    "host_restrictions": [
      "user1.accounting.example.com",
      "*.eng.example.com",
      "203.0.113.0"
    ],
    "read_only": false,
    "require_privileged_port": false,
    "user_mapping": "NFS_MAP_NONE"
  }],
  "tenant_id": 1
}

To Troubleshoot Host Access Rules for an NFS Export

This section describes the troubleshooting steps for a scenario in which an NFS client can’t mount or access an NFS export.

Note
Currently, if you use multiple DNS servers, the dns_resolve_hostnames and dns_resolve_ips commands aren't tenant-aware and might not return the same results as the DNS resolution mechanism in NFS.

To view the NFS export’s host access rules, run the qq nfs_get_export command and specify the export path. For example:

qq nfs_get_export --export-path /

The following is example output.

ID:          1
Export Path: /
Tenant ID:   1
FS Path:     /
Description: 
32bit-mapped fields: None
Host Access:
ID  Hosts                          Access Options
==  =============================  ============================
1   user1.accounting.example.com   rw, insecure, no_root_squash

In this example, only the machine user1.accounting.example.com can access the NFS export at /.

To find the client’s IP address, we recommend viewing your Qumulo cluster logs. For example:
```
Client 203.0.113.2 is not authorized to use export ExportId(1)
```
To find the client’s hostname, run the qq dns_resolve_ips command and specify the client’s IP address. For example:
```
qq dns_resolve_ips --ips 203.0.113.2
```
The following is example output.
```
[{
  "hostname": "user2.accounting.example.com",
  "ip_address": "203.0.113.2",
  "result": "OK"
}]
```
In this example, the 203.0.113.2 IP address maps to user2.accounting.example.com.
To troubleshoot the NFS client, you can take one or more of the following steps:
- Ensure the NFS client configuration entry is correct.
- Run the dns_resolve_ips command to verify that the IP address maps to the correct name.
- Update the host access rules for user2.accounting.example.com.
- Ensure that your Qumulo cluster’s DNS cache isn’t out of date, for example, if 203.0.113.2 should resolve to user1.accounting.example.com.
  
  To reset your Qumulo cluster’s DNS cache, run the qq dns_clear_cache command.
- Run the qq dns_resolve_hostnames command and specify the hostname to perform a lookup for user1.accounting.example.com.
  
  The following is example output.
```
[{
  "hostname": "user2.accounting.example.com",
  "ip_addresses": ["203.0.113.1"],
  "result": "OK"
}]
```
- Run the qq dns_resolve_ips command to find the hostname for your client’s IP address and:
  - If the NFS client can’t access a share, but should be able to, add the IP address to the NFS export’s host access rules.
  - If the NFS client can access a share, but shouldn’t be able to, remove the IP address from the NFS export’s host access rules.

Optimizing Your System for Reverse-DNS Look-Ups

Qumulo Core checks hostnames by performing a reverse-DNS lookup on the cluster. Because continuous reverse-DNS look-ups can affect system performance, Qumulo Core caches the results on the cluster. Because Qumulo Core’s cache abides by the DNS TTL, a low TTL can cause cache entries to expire frequently, which might require a new query.

By increasing TTL, you can reduce the number of DNS requests that your cluster makes. However, this might cause your cluster to keep outdated results for a longer time. For the most optimal configuration, list your organization’s DNS servers first in your DNS configuration.

To bypass DNS, you can set explicit IP-host mappings for your cluster by using the qq dns_set_lookup_overrides command. If Qumulo Core finds an override for an IP address or host, it uses the override instead of the DNS cache.

In the following JSON example, the IP address 203.0.113.2 binds to the host user3.accounting.qumulo.com explicitly.

{
  "lookup_overrides": [{
    "aliases": ["user3.accounting.example.com"],
    "ip_address": "203.0.113.2"
  }]
}