Managing file access using NFS
After you have enabled NFS on the storage virtual machine (SVM) and configured it, there are a number of tasks you might want to perform to manage file access using NFS.
- Enabling or disabling NFSv3
You can enable or disable NFSv3 by modifying the -v3 option. This allows file access for clients using the NFSv3 protocol. By default, NFSv3 is enabled.
- Enabling or disabling NFSv4.0
You can enable or disable NFSv4.0 by modifying the -v4.0 option. This allows file access for clients using the NFSv4.0 protocol. By default, NFSv4.0 is disabled.
- Enabling or disabling NFSv4.1
You can enable or disable NFSv4.1 by modifying the -v4.1 option. This allows file access for clients using the NFSv4.1 protocol. By default, NFSv4.1 is disabled.
- Enabling or disabling pNFS
pNFS improves performance by allowing NFS clients to perform read/write operations on storage devices directly and in parallel, bypassing the NFS server as a potential bottleneck. To enable or disable pNFS (parallel NFS), you can modify the -v4.1-pnfs option. By default pNFS is enabled.
- Controlling NFS access over TCP and UDP
You can enable or disable NFS access to storage virtual machines (SVMs) over TCP and UDP by modifying the -tcp and -udp parameters, respectively. This enables you to control whether NFS clients can access data over TCP or UDP in your environment.
- Controlling NFS requests from nonreserved ports
You can reject NFS mount requests from nonreserved ports by enabling the -mount-rootonly option. To reject all NFS requests from nonreserved ports, you can enable the -nfs-rootonly option.
- Handling NFS access to NTFS volumes or qtrees for unknown UNIX users
If ONTAP cannot identify UNIX users attempting to connect to volumes or qtrees with NTFS security style, it therefore cannot explicitly map the user to a Windows user. You can configure ONTAP to either deny access to such users for stricter security or map them to a default Windows user to ensure a minimum level of access for all users.
- Considerations for clients that mount NFS exports using a nonreserved port
The -mount-rootonly option must be disabled on a storage system that must support clients that mount NFS exports using a nonreserved port even when the user is logged in as root. Such clients include Hummingbird clients and Solaris NFS/IPv6 clients.
- Performing stricter access checking for netgroups by verifying domains
By default, ONTAP performs an additional verification when evaluating client access for a netgroup. The additional check ensures that the client's domain matches the domain configuration of the storage virtual machine (SVM). Otherwise, ONTAP denies client access.
- Modifying ports used for NFSv3 services
The NFS server on the storage system uses services such as mount daemon and Network Lock Manager to communicate with NFS clients over specific default network ports. In most NFS environments the default ports work correctly and do not require modification, but if you want to use different NFS network ports in your NFSv3 environment, you can do so.
- Commands for managing NFS servers
There are specific ONTAP commands for managing NFS servers.
- Troubleshooting name service issues
When clients experience access failures due to name service issues, you can use the vserver services name-service getxxbyyy command family to manually perform various name service lookups and examine the details and results of the lookup to help with troubleshooting.
- Verifying name service connections
Starting in ONTAP 9.4, you can check DNS and LDAP name servers to verify that they are connected to ONTAP. These commands are available at the admin privilege level.
- Commands for managing name service switch entries
You can manage name service switch entries by creating, displaying, modifying, and deleting them.
- Commands for managing name service cache
You can manage name service cache by modifying the time to live (TTL) value. The TTL value determines how long name service information is persistent in cache.
- Commands for managing name mappings
There are specific ONTAP commands for managing name mappings.
- Commands for managing local UNIX users
There are specific ONTAP commands for managing local UNIX users.
- Commands for managing local UNIX groups
There are specific ONTAP commands for managing local UNIX groups.
- Limits for local UNIX users, groups, and group members
ONTAP introduced limits for the maximum number of UNIX users and groups in the cluster, and commands to manage these limits. These limits can help avoid performance issues by preventing administrators from creating too many local UNIX users and groups in the cluster.
- Commands for managing local netgroups
You can manage local netgroups by loading them from a URI, verifying their status across nodes, displaying them, and deleting them.
- Commands for managing NIS domain configurations
There are specific ONTAP commands for managing NIS domain configurations.
- Commands for managing LDAP client configurations
There are specific ONTAP commands for managing LDAP client configurations.
- Commands for managing LDAP configurations
There are specific ONTAP commands for managing LDAP configurations.
- Commands for managing LDAP client schema templates
There are specific ONTAP commands for managing LDAP client schema templates.
- Commands for managing NFS Kerberos interface configurations
There are specific ONTAP commands for managing NFS Kerberos interface configurations.
- Commands for managing NFS Kerberos realm configurations
There are specific ONTAP commands for managing NFS Kerberos realm configurations.
- Commands for managing export policies
There are specific ONTAP commands for managing export policies.
- Commands for managing export rules
There are specific ONTAP commands for managing export rules.
- Configuring the NFS credential cache
ONTAP uses a credential cache to store information needed for user authentication for NFS export access to provide faster access and improve performance. You can configure how long information is stored in the credential cache to customize it for your environment.
- Managing export policy caches
ONTAP uses several export policy caches to store information related to export policies for faster access. There are certain tasks you can perform to manage export policy caches for troubleshooting purposes.
- Managing file locks
You can display information about the current locks for an SVM as a first step to determining why a client cannot access a volume or file. You can use this information if you need to break file locks.
- How FPolicy first-read and first-write filters work with NFS
NFS clients experience high response time during high traffic of read/write requests when the FPolicy is enabled using an external FPolicy server with read/write operations as monitored events. For NFS clients, the use of first-read and first-write filters in the FPolicy reduces the number of FPolicy notifications and improves performance.
- Modifying the NFSv4.1 server implementation ID
The NFSv4.1 protocol includes a server implementation ID that documents the server domain, name, and date. You can modify the server implementation ID default values. Changing the default values can be useful, for example, when gathering usage statistics or troubleshooting interoperability issues. For more information, see RFC 5661.
- Managing NFSv4 ACLs
You can enable, disable, set, modify, and view NFSv4 access control lists (ACLs).
- Managing NFSv4 file delegations
You can enable and disable NFSv4 file delegations and retrieve NFSv4 file delegation statistics.
- Configuring NFSv4 file and record locking
You can configure NFSv4 file and record locking by specifying the locking lease period and grace period.
- How NFSv4 referrals work
When you enable NFSv4 referrals, ONTAP provides intra-SVM referrals to NFSv4 clients. Intra-SVM referral is when a cluster node receiving the NFSv4 request refers the NFSv4 client to another logical interface (LIF) on the storage virtual machine (SVM).
- Enabling or disabling NFSv4 referrals
You can enable NFSv4 referrals on storage virtual machines (SVMs) by enabling the options -v4-fsid-change and -v4.0-referrals or -v4.1-referrals. Enabling NFSv4 referrals can result in faster data access for NFSv4 clients that support this feature.
- Displaying NFS statistics
You can display NFS statistics for storage virtual machines (SVMs) on the storage system to monitor performance and diagnose issues.
- Displaying DNS statistics
You can display DNS statistics for storage virtual machines (SVMs) on the storage system to monitor performance and diagnose issues.
- Displaying NIS statistics
You can display NIS statistics for storage virtual machines (SVMs) on the storage system to monitor performance and diagnose issues.
- Support for VMware vStorage over NFS
ONTAP supports certain VMware vStorage APIs for Array Integration (VAAI) features in an NFS environment.
- Enabling or disabling VMware vStorage over NFS
You can enable or disable support for VMware vStorage over NFS on storage virtual machines (SVMs) by using the vserver nfs modify command.
- Enabling or disabling rquota support
ONTAP supports the remote quota protocol version 1 (rquota v1). The rquota protocol enables NFS clients to obtain quota information for users from a remote machine. You can enable rquota on storage virtual machines (SVMs) by using the vserver nfs modify command.
- NFSv3 and NFSv4 performance improvement by modifying the TCP transfer size
You can improve the performance of NFSv3 and NFSv4 clients connecting to storage systems over a high-latency network by modifying the TCP maximum transfer size.
- Modifying the NFSv3 and NFSv4 TCP maximum transfer size
You can modify the -tcp-max-xfer-size option to configure maximum transfer sizes for all TCP connections using the NFSv3 and NFSv4.x protocols.
- Configuring the number of group IDs allowed for NFS users
By default, ONTAP supports up to 32 group IDs when handling NFS user credentials using Kerberos (RPCSEC_GSS) authentication. When using AUTH_SYS authentication, the default maximum number of group IDs is 16, as defined in RFC 5531. You can increase the maximum up to 1,024 if you have users who are members of more than the default number of groups.
- Controlling root user access to NTFS security-style data
You can configure ONTAP to allow NFS clients access to NTFS security-style data and NTFS clients to access NFS security-style data. When using NTFS security style on an NFS data store, you must decide how to treat access by the root user and configure the storage virtual machine (SVM) accordingly.