Hi. We have an ESS 5.0.4.3 cluster with a CES cluster serving files with NFSv4 ACLs to NFS and SMB clients. This system is used for sensitive research data, and will over the next years house thousands of research projects, which will have to be strictly separated. Each project has its own subnet for the project Linux and Windows hosts.

Project directories are independent filesets in file systems; each project directory has NFSv4 ACLs giving access to only the project group. Project NFS shares are limited to each project's subnet. Project SMB shares have export ACLs (as in "mmsmb exportacl ..") limiting share access to the project's member group, in addition to the NFSv4 ACLs.

We also want to limit access to SMB shares to project subnets. There is no way to specify that with "mmsmb", but we have found /usr/lpp/mmfs/bin/net conf setparm <share> "hosts allow" <subnet> to be working, at least with some limited testing: share access is actually limited to the specified subnets. The additional settings seem to be stored in CTDB under /var/lib/ctdb/persistent.

We assume that the "net conf setparm" method is not officially supported by IBM. Although it seems to be working, we wonder if it is a good idea to implement it. For instance, we are wondering if the additional settings will survive later ESS code upgrades, and if it will scale to thousands of SMB shares. We are considering doing the SMB subnet limiting outside CES, but that would add complexity and overhead, so we are not very keen on that.

What do other IBM ESS customers do, do you have any advice for us? Yea or nay?

Regards,
Helge Hauglin

----------------------------------------------------------------
Mr. Helge Hauglin, Senior Engineer
System administrator
Center for Information Technology, University of Oslo, Norway

_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
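The post's open question is whether per-share "hosts allow" settings written with "net conf setparm" will still be there after an upgrade and whether they can be kept consistent across thousands of shares. One way to make that verifiable is an audit that parses the smb.conf-style text that `net conf list` prints and compares each project share's "hosts allow" against the subnet it is supposed to be restricted to. The script below is an added example, not code from the original post or from IBM; the share names, paths and subnets are constructed sample data, and the mapping of share to expected subnet is assumed to come from your own project inventory. It understands CIDR and address/netmask forms only and flags anything else.

```python
"""Audit per-share 'hosts allow' restrictions from a `net conf list` dump.

Added example (not from the original post or from IBM). Runs offline on the
constructed sample below; on a CES node you would pipe in the real output of
/usr/lpp/mmfs/bin/net conf list instead.
"""
import configparser
import ipaddress
import sys

# Constructed sample of what `net conf list` prints (smb.conf INI syntax).
# proj-0001 is correct, proj-0002 allows an extra subnet, proj-0003 has no
# 'hosts allow' at all and is therefore reachable from any client subnet.
SAMPLE_NET_CONF_LIST = """\
[global]
\tworkgroup = EXAMPLE

[proj-0001]
\tpath = /gpfs/fs1/proj-0001
\thosts allow = 10.10.1.0/24

[proj-0002]
\tpath = /gpfs/fs1/proj-0002
\thosts allow = 10.10.2.0/24, 10.10.99.0/24

[proj-0003]
\tpath = /gpfs/fs1/proj-0003
"""

# Constructed mapping (assumed to come from a project inventory): the one
# subnet each project share must be limited to.
EXPECTED_SUBNETS = {
    "proj-0001": "10.10.1.0/24",
    "proj-0002": "10.10.2.0/24",
    "proj-0003": "10.10.3.0/24",
}


def parse_net_conf(text):
    """Parse `net conf list` output. Leading whitespace is stripped per line so
    configparser does not mistake indented options for continuation lines;
    interpolation is off because Samba values may contain '%' macros."""
    flat = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(flat)
    return cp


def _parse_allow_list(value):
    """Turn a 'hosts allow' value into a set of networks. Only CIDR and
    address/netmask forms are accepted; Samba's '10.10.1.' prefix form and
    EXCEPT clauses raise ValueError and are reported by the caller."""
    return {ipaddress.ip_network(e, strict=False)
            for e in value.replace(",", " ").split()}


def audit_hosts_allow(conf_text, expected):
    """Return {share: problem} for each share whose 'hosts allow' is missing,
    unparsable, or differs from the expected subnet. Empty dict means clean."""
    cp = parse_net_conf(conf_text)
    problems = {}
    for share, subnet in expected.items():
        if not cp.has_section(share):
            problems[share] = "share not defined"
            continue
        allow = cp.get(share, "hosts allow", fallback=None)
        if allow is None:
            problems[share] = "no 'hosts allow' set (share reachable from any subnet)"
            continue
        try:
            allowed = _parse_allow_list(allow)
        except ValueError:
            problems[share] = f"unparsable hosts allow value: {allow!r}"
            continue
        if allowed != {ipaddress.ip_network(subnet)}:
            problems[share] = (f"hosts allow is {sorted(map(str, allowed))}, "
                               f"expected {subnet}")
    return problems


def remediation_commands(problems, expected):
    """Build the `net conf setparm` commands (the syntax from the post) that
    would restore the expected subnet for each flagged, existing share."""
    return [f'/usr/lpp/mmfs/bin/net conf setparm "{s}" "hosts allow" "{expected[s]}"'
            for s in sorted(problems) if problems[s] != "share not defined"]


if __name__ == "__main__":
    # Use piped-in `net conf list` output if present, else the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NET_CONF_LIST
    found = audit_hosts_allow(text, EXPECTED_SUBNETS)
    for share, problem in sorted(found.items()):
        print(f"{share}: {problem}")
    for cmd in remediation_commands(found, EXPECTED_SUBNETS):
        print("fix:", cmd)
    sys.exit(1 if found else 0)
```

Run it before and after an ESS upgrade (`/usr/lpp/mmfs/bin/net conf list | python3 audit_hosts_allow.py`) and a non-zero exit tells you the registry settings drifted or were lost; the printed commands only restore the inventory's value, so review them before applying.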
