Worksheet for gathering NFS configuration information
The NFS configuration worksheet enables you to collect the required information to set up NFS access for clients.
You should complete one or both sections of the worksheet depending on the decision you made about where to provision storage:
If you are configuring NFS access to an SVM, you should complete both sections.
If you are adding storage capacity to an NFS-enabled SVM, you should complete only the second section.
Adding storage capacity to an NFS-enabled SVM
See the command man pages for details about the parameters.
Configuring NFS access to an SVM
Parameters for creating an SVM
You supply these values with the vserver create command if you are creating a new SVM.
| Field | Description | Your value |
|---|---|---|
| -vserver | A name you supply for the new SVM that is either a fully qualified domain name (FQDN) or follows another convention that enforces unique SVM names across a cluster. | |
| -aggregate | The name of an aggregate in the cluster with sufficient space for new NFS storage capacity. | |
| -rootvolume | A unique name you supply for the SVM root volume. | |
| -rootvolume-security-style | Use the UNIX security style for the SVM. | unix |
| -language | Use the default language setting in this workflow. | C.UTF-8 |
| ipspace | IPspaces are distinct IP address spaces in which (storage virtual machines (SVMs)) reside. |
Parameters for creating an NFS server
You supply these values with the vserver nfs create command when you create a new NFS server and specify supported NFS versions.
If you are enabling NFSv4 or later, you should use LDAP for improved security.
| Field | Description | Your value |
|---|---|---|
| -v3, -v4.0, -v4.1, -v4.1-pnfs | Enable NFS versions as needed. Note v4.2 is also supported in ONTAP 9.8 and later when | |
| -v4-id-domain | ID mapping domain name. | |
| -v4-numeric-ids | Support for numeric owner IDs (enabled or disabled). |
Parameters for creating a LIF
You supply these values with the network interface create command when you are creating LIFs.
If you are using Kerberos, you should enable Kerberos on multiple LIFs.
| Field | Description | Your value |
|---|---|---|
| -lif | A name you supply for the new LIF. | |
| -role | Use the data LIF role in this workflow. | data |
| -data-protocol | Use only the NFS protocol in this workflow. | nfs |
| -home-node | The node to which the LIF returns when the network interface revert command is run on the LIF. | |
| -home-port | The port or interface group to which the LIF returns when the network interface revert command is run on the LIF. | |
| -address | The IPv4 or IPv6 address on the cluster that will be used for data access by the new LIF. | |
| -netmask | The network mask and gateway for the LIF. | |
| -subnet | A pool of IP addresses. Used instead of -address and -netmask to assign addresses and netmasks automatically. | |
| -firewall-policy | Use the default data firewall policy in this workflow. | data |
Parameters for DNS host name resolution
You supply these values with the vserver services name-service dns create command when you are configuring DNS.
| Field | Description | Your value |
|---|---|---|
| -domains | Up to five DNS domain names. | |
| -name-servers | Up to three IP addresses for each DNS name server. |
Name service information
Parameters for creating local users
You supply these values if you are creating local users by using the vserver services name-service unix-user create command. If you are configuring local users by loading a file containing UNIX users from a uniform resource identifier (URI), you do not need to specify these values manually.
| User name (-user) | User ID (-id) | Group ID (-primary-gid) | Full name (-full-name) | |
|---|---|---|---|---|
| Example | johnm | 123 | 100 | John Miller |
| 1 | ||||
| 2 | ||||
| 3 | ||||
| ... | ||||
| n |
Parameters for creating local groups
You supply these values if you are creating local groups by using the vserver services name-service unix-group create command. If you are configuring local groups by loading a file containing UNIX groups from a URI, you do not need to specify these values manually.
| Group name (-name) | Group ID (-id) | |
|---|---|---|
| Example | Engineering | 100 |
| 1 | ||
| 2 | ||
| 3 | ||
| ... | ||
| n |
Parameters for NIS
You supply these values with the vserver services name-service nis-domain create command.
| Field | Description | Your value |
|---|---|---|
| -domain | The NIS domain that the SVM will use for name lookups. | |
| -active | The active NIS domain server. | true or false |
| -nis-servers | A comma-separated list of IP addresses and hostnames for the NIS servers used by the domain configuration. |
Parameters for LDAP
You supply these values with the vserver services name-service ldap client create command.
You will also need a self-signed root CA certificate .pem file.
| Field | Description | Your value |
|---|---|---|
| -vserver | The name of the SVM for which you want to create an LDAP client configuration. | |
| -client-config | The name you assign for the new LDAP client configuration. | |
| -ldap-servers | A comma-separated list of IP addresses and hostnames for the LDAP servers. | |
| -query-timeout | Use the default 3 seconds for this workflow. | 3 |
| -min-bind-level | The minimum bind authentication level. The default is anonymous . Must be set to sasl if signing and sealing is configured. | |
| -preferred-ad-servers | One or more preferred Active Directory servers by IP address in a comma-delimited list. | |
| -ad-domain | The Active Directory domain. | |
| -schema | The schema template to use. You can use a default or custom schema. | |
| -port | Use the default LDAP server port 389 for this workflow. | 389 |
| -bind-dn | The Bind user distinguished name. | |
| -base-dn | The base distinguished name. The default is "" (root). | |
| -base-scope | Use the default base search scope subnet for this workflow. | subnet |
| -session-security | Enables LDAP signing or signing and sealing. The default is none . | |
| -use-start-tls | Enables LDAP over TLS. The default is false . |
Parameters for Kerberos authentication
You supply these values with the vserver nfs kerberos realm create command. Some of the values will differ depending on whether you use Microsoft Active Directory as a Key Distribution Center (KDC) server, or MIT or other UNIX KDC server.
| Field | Description | Your value |
|---|---|---|
| -vserver | The SVM that will communicate with the KDC. | |
| -realm | The Kerberos realm. | |
| -clock-skew | Permitted clock skew between clients and servers. | |
| -kdc-ip | KDC IP address. | |
| -kdc-port | KDC port number. | |
| -adserver-name | Microsoft KDC only: AD server name. | |
| -adserver-ip | Microsoft KDC only: AD server IP address. | |
| -adminserver-ip | UNIX KDC only: Admin server IP address. | |
| -adminserver-port | UNIX KDC only: Admin server port number. | |
| -passwordserver-ip | UNIX KDC only: Password server IP address. | |
| -passwordserver-port | UNIX KDC only: Password server port. | |
| -kdc-vendor | KDC vendor. | { Microsoft | Other } |
| -comment | Any desired comments. |
You supply these values with the vserver nfs kerberos interface enable command.
| Field | Description | Your value |
|---|---|---|
| -vserver | The name of the SVM for which you want to create a Kerberos configuration. | |
| -lif | The data LIF on which you will enable Kerberos. You can enable Kerberos on multiple LIFs. | |
| -spn | The Service Principle Name (SPN) | |
| -permitted-enc-types | The permitted encryption types for Kerberos over NFS; aes-256 is recommended, depending on client capabilities. | |
| -admin-username | The KDC administrator credentials to retrieve the SPN secret key directly from the KDC. A password is required | |
| -keytab-uri | The keytab file from the KDC containing the SPN key if you do not have KDC administrator credentials. | |
| -ou | The organizational unit (OU) under which the Microsoft Active Directory server account will be created when you enable Kerberos using a realm for Microsoft KDC. |
Adding storage capacity to an NFS-enabled SVM
Parameters for creating export policies and rules
You supply these values with the vserver export-policy create command.
| Field | Description | Your value |
|---|---|---|
| -vserver | The name of the SVM that will host the new volume. | |
| -policyname | A name you supply for a new export policy. |
You supply these values for each rule with the vserver export-policy rule create command.
| Field | Description | Your value |
|---|---|---|
| -clientmatch | Client match specification. | |
| -ruleindex | Position of export rule in the list of rules. | |
| -protocol | Use NFS in this workflow. | nfs |
| -rorule | Authentication method for read-only access. | |
| -rwrule | Authentication method for read-write access. | |
| -superuser | Authentication method for superuser access. | |
| -anon | User ID to which anonymous users are mapped. |
You must create one or more rules for each export policy.
| -ruleindex | -clientmatch | -rorule | -rwrule | -superuser | -anon |
|---|---|---|---|---|---|
| Examples | 0.0.0.0/0,@rootaccess_netgroup | any | krb5 | sys | 65534 |
| 1 | |||||
| 2 | |||||
| 3 | |||||
| ... | |||||
| n |
Parameters for creating a volume
You supply these values with the volume create command if you are creating a volume instead of a qtree.
| Field | Description | Your value |
|---|---|---|
| -vserver | The name of a new or existing SVM that will host the new volume. | |
| -volume | A unique descriptive name you supply for the new volume. | |
| -aggregate | The name of an aggregate in the cluster with sufficient space for the new NFS volume. | |
| -size | An integer you supply for the size of the new volume. | |
| -user | Name or ID of the user that is set as the owner of the volume's root. | |
| -group | Name or ID of the group that is set as the owner of the volume's root. | |
| --security-style | Use the UNIX security style for this workflow. | unix |
| -junction-path | Location under root (/) where the new volume is to be mounted. | |
| -export-policy | If you are planning to use an existing export policy, you can enter its name when you create the volume. |
Parameters for creating a qtree
You supply these values with the volume qtree create command if you are creating a qtree instead of a volume.
| Field | Description | Your value |
|---|---|---|
| -vserver | The name of the SVM on which the volume containing the qtree resides. | |
| -volume | The name of the volume that will contain the new qtree. | |
| -qtree | A unique descriptive name you supply for the new qtree, 64 characters or less. | |
| -qtree-path | The qtree path argument in the format /vol/volume_name/qtree_name> can be specified instead of specifying volume and qtree as separate arguments. | |
| -unix-permissions | Optional: The UNIX permissions for the qtree. | |
| -export-policy | If you are planning to use an existing export policy, you can enter its name when you create the qtree. |