Worksheet for gathering NFS configuration information
The NFS configuration worksheet enables you to collect the required information to set up NFS access for clients.
You should complete one or both sections of the worksheet depending on the decision you made about where to provision storage:
If you are configuring NFS access to an SVM, you should complete both sections.
- Configuring NFS access to an SVM
- Adding storage capacity to an NFS-enabled SVM
If you are adding storage capacity to an NFS-enabled SVM, you should complete only:
- Adding storage capacity to an NFS-enabled SVM
Configure NFS access to an SVM
Parameters for creating an SVM
You supply these values with the vserver create command if you are creating a new SVM.
Field | Description | Your value |
---|---|---|
| A name you supply for the new SVM that is either a fully qualified domain name (FQDN) or follows another convention that enforces unique SVM names across a cluster. | |
| The name of an aggregate in the cluster with sufficient space for new NFS storage capacity. | |
| A unique name you supply for the SVM root volume. | |
| Use the UNIX security style for the SVM. | |
| Use the default language setting in this workflow. | |
| IPspaces are distinct IP address spaces in which storage virtual machines (SVMs) reside. | |
Parameters for creating an NFS server
You supply these values with the vserver nfs create command when you create a new NFS server and specify supported NFS versions.
If you are enabling NFSv4 or later, you should use LDAP for improved security.
Field | Description | Your value |
---|---|---|
| Enable NFS versions as needed. | |
| ID mapping domain name. | |
| Support for numeric owner IDs (enabled or disabled). | |
Parameters for enabling TLS encryption for NFS connections
You supply these values with the vserver nfs tls interface enable command.
NFS over TLS is available in ONTAP 9.15.1 as a public preview. As a preview offering, NFS over TLS is not supported for production workloads in ONTAP 9.15.1.
Field | Description | Your value |
---|---|---|
| The vserver in which the logical interface exists. | |
| The name of the logical interface on which you want to enable encryption in transit using NFS over TLS. | |
| The name of the X.509 certificate configured within the storage VM. | |
Parameters for creating a LIF
You supply these values with the network interface create command when you are creating LIFs.
If you are using Kerberos, you should enable Kerberos on multiple LIFs.
Field | Description | Your value |
---|---|---|
| A name you supply for the new LIF. | |
| Use the data LIF role in this workflow. | |
| Use only the NFS protocol in this workflow. | |
| The node to which the LIF returns when the | |
| The port or interface group to which the LIF returns when the | |
| The IPv4 or IPv6 address on the cluster that will be used for data access by the new LIF. | |
| The network mask and gateway for the LIF. | |
| A pool of IP addresses. Used instead of | |
| Use the default data firewall policy in this workflow. | |
Parameters for DNS host name resolution
You supply these values with the vserver services name-service dns create command when you are configuring DNS.
Field | Description | Your value |
---|---|---|
| Up to five DNS domain names. | |
| Up to three IP addresses for each DNS name server. | |
Name service information
Parameters for creating local users
You supply these values if you are creating local users by using the vserver services name-service unix-user create command. If you are configuring local users by loading a file containing UNIX users from a uniform resource identifier (URI), you do not need to specify these values manually.
| User name | User ID | Group ID | Full name |
---|---|---|---|---|
Example | johnm | 123 | 100 | John Miller |
1 | | | | |
2 | | | | |
3 | | | | |
… | | | | |
n | | | | |
Parameters for creating local groups
You supply these values if you are creating local groups by using the vserver services name-service unix-group create command. If you are configuring local groups by loading a file containing UNIX groups from a URI, you do not need to specify these values manually.
| Group name | Group ID |
---|---|---|
Example | Engineering | 100 |
1 | | |
2 | | |
3 | | |
… | | |
n | | |
Parameters for NIS
You supply these values with the vserver services name-service nis-domain create command.
Beginning with ONTAP 9.2, the field
Field | Description | Your value |
---|---|---|
| The NIS domain that the SVM will use for name lookups. | |
| The active NIS domain server. | |
| ONTAP 9.0, 9.1: One or more IP addresses of NIS servers used by the NIS domain configuration. | |
| ONTAP 9.2: A comma-separated list of IP addresses and hostnames for the NIS servers used by the domain configuration. | |
Parameters for LDAP
You supply these values with the vserver services name-service ldap client create command.
You will also need a self-signed root CA certificate .pem file.
Beginning with ONTAP 9.2, the field
Field | Description | Your value |
---|---|---|
| The name of the SVM for which you want to create an LDAP client configuration. | |
| The name you assign for the new LDAP client configuration. | |
| ONTAP 9.0, 9.1: One or more LDAP servers by IP address in a comma-separated list. | |
| ONTAP 9.2: A comma-separated list of IP addresses and hostnames for the LDAP servers. | |
| Use the default | |
| The minimum bind authentication level. The default is | |
| One or more preferred Active Directory servers by IP address in a comma-delimited list. | |
| The Active Directory domain. | |
| The schema template to use. You can use a default or custom schema. | |
| Use the default LDAP server port | |
| The Bind user distinguished name. | |
| The base distinguished name. The default is | |
| Use the default base search scope | |
| Enables LDAP signing or signing and sealing. The default is | |
| Enables LDAP over TLS. The default is | |
Parameters for Kerberos authentication
You supply these values with the vserver nfs kerberos realm create command. Some of the values will differ depending on whether you use Microsoft Active Directory as a Key Distribution Center (KDC) server, or MIT or other UNIX KDC server.
Field | Description | Your value |
---|---|---|
| The SVM that will communicate with the KDC. | |
| The Kerberos realm. | |
| Permitted clock skew between clients and servers. | |
| KDC IP address. | |
| KDC port number. | |
| Microsoft KDC only: AD server name. | |
| Microsoft KDC only: AD server IP address. | |
| UNIX KDC only: Admin server IP address. | |
| UNIX KDC only: Admin server port number. | |
| UNIX KDC only: Password server IP address. | |
| UNIX KDC only: Password server port. | |
| KDC vendor. | |
| Any desired comments. | |
You supply these values with the vserver nfs kerberos interface enable command.
Field | Description | Your value |
---|---|---|
| The name of the SVM for which you want to create a Kerberos configuration. | |
| The data LIF on which you will enable Kerberos. You can enable Kerberos on multiple LIFs. | |
| The Service Principal Name (SPN) | |
| The permitted encryption types for Kerberos over NFS; | |
| The KDC administrator credentials to retrieve the SPN secret key directly from the KDC. A password is required | |
| The keytab file from the KDC containing the SPN key if you do not have KDC administrator credentials. | |
| The organizational unit (OU) under which the Microsoft Active Directory server account will be created when you enable Kerberos using a realm for Microsoft KDC. | |
Adding storage capacity to an NFS-enabled SVM
Parameters for creating export policies and rules
You supply these values with the vserver export-policy create command.
Field | Description | Your value |
---|---|---|
| The name of the SVM that will host the new volume. | |
| A name you supply for a new export policy. | |
You supply these values for each rule with the vserver export-policy rule create command.
Field | Description | Your value |
---|---|---|
| Client match specification. | |
| Position of export rule in the list of rules. | |
| Use NFS in this workflow. | |
| Authentication method for read-only access. | |
| Authentication method for read-write access. | |
| Authentication method for superuser access. | |
| User ID to which anonymous users are mapped. | |
You must create one or more rules for each export policy.
| | | | | |
---|---|---|---|---|---|
Examples | 0.0.0.0/0,@rootaccess_netgroup | any | krb5 | sys | 65534 |
1 | | | | | |
2 | | | | | |
3 | | | | | |
… | | | | | |
n | | | | | |
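The export-rule fields above (client match, read-only, read-write and superuser authentication methods, anonymous UID) decide who can reach a share and with what identity, so they are worth a quick review before the rows are turned into commands. The following is an added example, not NetApp's code: it models a worksheet row, flags the combinations a defender would question (a world-open client match paired with AUTH_SYS, anon mapped to UID 0, the `none` flavor), and renders the row as the `vserver export-policy rule create` command it will become. The class and sample rows are constructed for illustration.

```python
# Added example (not from the NetApp page): pre-flight review of export-policy
# rule rows from the worksheet; field names and sample rows are constructed.
from dataclasses import dataclass

WORLD = {"0.0.0.0/0", "0.0.0.0/0.0.0.0", "::/0"}   # client matches that admit every host

@dataclass
class ExportRule:
    clientmatch: str   # comma-separated hosts, subnets, domains or @netgroups
    protocol: str      # e.g. "nfs", "nfs3", "nfs4", "any"
    rorule: str        # auth methods: sys, krb5, krb5i, krb5p, none, never
    rwrule: str
    superuser: str
    anon: int          # UID that anonymous/unmapped users are mapped to

def _methods(field):
    return {m.strip() for m in field.split(",") if m.strip()}

def is_world_open(clientmatch):
    """True if any clientmatch entry admits every IPv4 or IPv6 client."""
    return any(m.strip() in WORLD for m in clientmatch.split(","))

def review_export_rule(rule):
    """Return the list of findings for one rule; an empty list means nothing flagged."""
    findings = []
    world = is_world_open(rule.clientmatch)
    ro, rw, su = _methods(rule.rorule), _methods(rule.rwrule), _methods(rule.superuser)
    if world and "sys" in rw:
        findings.append("world-open clientmatch with AUTH_SYS read-write: "
                        "any host may present any UID")
    if world and "sys" in su:
        findings.append("world-open clientmatch with AUTH_SYS superuser: "
                        "root on any host is root on the export")
    if rule.anon == 0:
        findings.append("anon=0 maps unauthenticated users to root; use 65534")
    if "none" in ro | rw | su:
        findings.append("'none' admits any security flavor as the anon user")
    return findings

def to_create_command(vserver, policy, index, rule):
    """Render the worksheet row as the ONTAP CLI command it will become."""
    return (f"vserver export-policy rule create -vserver {vserver} "
            f"-policyname {policy} -ruleindex {index} -protocol {rule.protocol} "
            f"-clientmatch {rule.clientmatch} -rorule {rule.rorule} "
            f"-rwrule {rule.rwrule} -superuser {rule.superuser} -anon {rule.anon}")

# Constructed sample rows: a weak rule next to a hardened one.
WEAK = ExportRule("0.0.0.0/0", "any", "none", "sys", "sys", 0)
HARDENED = ExportRule("10.20.0.0/16,@eng_hosts", "nfs4", "krb5p", "krb5p", "krb5p", 65534)
```

Run `review_export_rule(WEAK)` and `review_export_rule(HARDENED)` to compare the two rows; the hardened row produces no findings.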
Parameters for creating a volume
You supply these values with the volume create command if you are creating a volume instead of a qtree.
Field | Description | Your value |
---|---|---|
| The name of a new or existing SVM that will host the new volume. | |
| A unique descriptive name you supply for the new volume. | |
| The name of an aggregate in the cluster with sufficient space for the new NFS volume. | |
| An integer you supply for the size of the new volume. | |
| Name or ID of the user that is set as the owner of the volume's root. | |
| Name or ID of the group that is set as the owner of the volume's root. | |
| Use the UNIX security style for this workflow. | |
| Location under root (/) where the new volume is to be mounted. | |
| If you are planning to use an existing export policy, you can enter its name when you create the volume. | |
Parameters for creating a qtree
You supply these values with the volume qtree create command if you are creating a qtree instead of a volume.
Field | Description | Your value |
---|---|---|
| The name of the SVM on which the volume containing the qtree resides. | |
| The name of the volume that will contain the new qtree. | |
| A unique descriptive name you supply for the new qtree, 64 characters or less. | |
| The qtree path argument in the format | |
| Optional: The UNIX permissions for the qtree. | |
| If you are planning to use an existing export policy, you can enter its name when you create the qtree. | |