Examples of ONTAP export policies

Contributors

You can review example export policies to better understand how export policies work in ONTAP.

Sample ONTAP implementation of a 7-Mode export

The following example shows a 7-Mode export as it appears in the /etc/export file:

/vol/vol1 -sec=sys,ro=@readonly_netgroup,rw=@readwrite_netgroup1:
@readwrite_netgroup2:@rootaccess_netgroup,root=@rootaccess_netgroup

To reproduce this export as a clustered export policy, you have to create an export policy with three export rules, and then assign the export policy to the volume vol1.

Rule Element Value

Rule 1

-clientmatch (client specification)

@readonly_netgroup

-ruleindex(position of export rule in the list of rules)

1

-protocol

nfs

-rorule(allow read-only access)

sys (client authenticated with AUTH_SYS)

-rwrule(allow read-write access)

never

-superuser(allow superuser access)

none(root squashed to anon)

Rule 2

-clientmatch

@rootaccess_netgroup

-ruleindex

2

-protocol

nfs

-rorule

sys

-rwrule

sys

-superuser

sys

Rule 3

-clientmatch

@readwrite_netgroup1,@readwrite_netgroup2

-ruleindex

3

-protocol

nfs

-rorule

sys

-rwrule

sys

-superuser

none

  1. Create an export policy called exp_vol1:

    vserver export-policy create -vserver NewSVM -policyname exp_vol1

  2. Create three rules with the following parameters to the base command:

    • Base command:
      vserver export-policy rule create -vserver NewSVM -policyname exp_vol1

    • Rule parameters:
      -clientmatch @readonly_netgroup -ruleindex 1 -protocol nfs -rorule sys -rwrule never -superuser none
      -clientmatch @rootaccess_netgroup -ruleindex 2 -protocol nfs -rorule sys -rwrule sys -superuser sys
      -clientmatch @readwrite_netgroup1,@readwrite_netgroup2 -ruleindex 3 -protocol nfs -rorule sys -rwrule sys -superuser none

  3. Assign the policy to the volume vol1:

    volume modify -vserver NewSVM -volume vol1 -policy exp_vol1

Sample consolidation of 7-Mode exports

The following example shows a 7-Mode /etc/export file that includes one line for each of 10 qtrees:

/vol/vol1/q_1472 -sec=sys,rw=host1519s,root=host1519s
/vol/vol1/q_1471 -sec=sys,rw=host1519s,root=host1519s
/vol/vol1/q_1473 -sec=sys,rw=host1519s,root=host1519s
/vol/vol1/q_1570 -sec=sys,rw=host1519s,root=host1519s
/vol/vol1/q_1571 -sec=sys,rw=host1519s,root=host1519s
/vol/vol1/q_2237 -sec=sys,rw=host2057s,root=host2057s
/vol/vol1/q_2238 -sec=sys,rw=host2057s,root=host2057s
/vol/vol1/q_2239 -sec=sys,rw=host2057s,root=host2057s
/vol/vol1/q_2240 -sec=sys,rw=host2057s,root=host2057s
/vol/vol1/q_2241 -sec=sys,rw=host2057s,root=host2057s

In ONTAP, one of two policies is needed for each qtree: one with a rule including -clientmatch host1519s, or one with a rule including -clientmatch host2057s.

  1. Create two export policies called exp_vol1q1 and exp_vol1q2:

    • vserver export-policy create -vserver NewSVM -policyname exp_vol1q1

    • vserver export-policy create -vserver NewSVM -policyname exp_vol1q2

  2. Create a rule for each policy:

    • vserver export-policy rule create -vserver NewSVM -policyname exp_vol1q1 -clientmatch host1519s -rwrule sys -superuser sys

    • vserver export-policy rule create -vserver NewSVM -policyname exp_vol1q2 -clientmatch host1519s -rwrule sys -superuser sys

  3. Apply the policies to the qtrees:

    • volume qtree modify -vserver NewSVM -qtree-path /vol/vol1/q_1472 -export-policy exp_vol1q1

    • [next 4 qtrees…​]

    • volume qtree modify -vserver NewSVM -qtree-path /vol/vol1/q_2237 -export-policy exp_vol1q2

    • [next 4 qtrees…​]

If you need to add additional qtrees for those hosts later, you would use the same export policies.