Hi Christof, thanks for your answer. I have added our vote for the RFE, and put us on the watchlist.
Is it possible to say anything about when the RFE might be implemented?

>> Project SMB shares have export ACLs (as in "mmsmb exportacl ..") limiting
>> share access to the project's member group, in addition to the NFSv4 ACLs.
>> We also want to limit access to SMB shares to project subnets.
>> There is no way to specify that with "mmsmb", but we have found
>>
>> /usr/lpp/mmfs/bin/net conf setparm <share> "hosts allow" <subnet>
>>
>> to be working, at least with some limited testing: share access is actually
>> limited to the specified subnets. The additional settings seem to be
>> stored in CTDB under /var/lib/ctdb/persistent.
>> We assume that the "net conf setparm" method is not officially supported
>> by IBM. Although it seems to be working, we wonder if it is a good idea
>> to implement it. For instance, we are wondering if the additional
>> settings will survive later ESS code upgrades, and if it will scale to
>> thousands of SMB shares.
>
> Officially Scale only supports Samba options that can be set through the GUI
> or the mmsmb CLI. Everything else set through 'net conf' has not been tested
> and is not supported. In this specific case, this is likely to work, and it
> should also be preserved across code upgrades, but again, this is not an
> official support statement.
>
> This is also not a new request, there is also a pending RFE to make this an
> official Scale feature:
> https://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=141534
>
> Regards,
>
> Christof Schmitt
> Software Engineer
> IBM Systems, Spectrum Scale Development
> +1 520 799 2469
> [email protected]
> @chsc Twitter
>
> IBM
>
> ----- Original message -----
> From: Helge Hauglin <[email protected]>
> Sent by: [email protected]
> To: [email protected]
> Cc:
> Subject: [EXTERNAL] [gpfsug-discuss] Limiting CES SMB shares to specific subnets
> Date: Tue, Feb 9, 2021 9:10 AM
>
> Hi.
>
> We have an ESS 5.0.4.3 cluster with a CES cluster serving files with NFSv4
> ACLs to NFS and SMB clients. This system is used for sensitive research
> data, and will the next years house thousands of research projects, which
> will have to be strictly separated. Each project has its own subnet for the
> project linux and windows hosts.
>
> Project directories are independent filesets in file systems, each
> project directory has NFSv4 ACLs giving access to only the project group.
> Project NFS shares are limited to each project's subnet.
>
> Project SMB shares have export ACLs (as in "mmsmb exportacl ..")
> limiting share access to the project's member group, in addition to the
> NFSv4 ACLs.
>
> We also want to limit access to SMB shares to project subnets.
> There is no way to specify that with "mmsmb", but we have found
>
> /usr/lpp/mmfs/bin/net conf setparm <share> "hosts allow" <subnet>
>
> to be working, at least with some limited testing: share access is
> actually limited to the specified subnets. The additional settings
> seem to be stored in CTDB under /var/lib/ctdb/persistent.
>
> We assume that the "net conf setparm" method is not officially supported
> by IBM. Although it seems to be working, we wonder if it is a good idea
> to implement it. For instance, we are wondering if the additional
> settings will survive later ESS code upgrades, and if it will scale to
> thousands of SMB shares.
>
> We are considering doing the SMB subnet limiting outside CES, but that would
> add complexity and overhead, so we are not very keen on that.
>
> What do other IBM ESS customers do, do you have any advice for us?
> Yea or nay?
>
> Regards,
>
> Helge Hauglin
>
> ----------------------------------------------------------------
> Mr. Helge Hauglin, Senior Engineer
> System administrator
> Center for Information Technology, University of Oslo, Norway
> _______________________________________________
> gpfsug-discuss mailing list
> gpfsug-discuss at spectrumscale.org
> http://gpfsug.org/mailman/listinfo/gpfsug-discuss

--
Regards,

Helge Hauglin

----------------------------------------------------------------
Mr. Helge Hauglin, Senior Engineer
System administrator
Center for Information Technology, University of Oslo, Norway
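
Since the thread leaves open whether the "hosts allow" settings survive upgrades across thousands of shares, a drift audit is one way to check. The following is an added example, not part of the original messages and not IBM or Samba code: it assumes the registry configuration has been dumped as smb.conf-style text (as Samba's `net conf list` prints it), and the share names, subnets and the EXPECTED mapping are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the smb.conf-style format printed by `net conf list`;
# share names, paths and subnets are made up for this example.
SAMPLE = """\
[proj1001]
    hosts allow = 10.20.1.0/24
[proj1002]
    path = /gpfs/fs1/proj1002
[proj1003]
    hosts allow = 10.20.3.0/24, 10.20.0.0/16
"""
# Hypothetical source of truth: project share -> project subnet.
EXPECTED = {"proj1001": "10.20.1.0/24", "proj1002": "10.20.2.0/24",
            "proj1003": "10.20.3.0/24", "proj1004": "10.20.4.0/24"}

def parse_shares(text):
    """Parse smb.conf-style text into {section: {param: value}}."""
    shares, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return shares

def classify(params, subnet):
    """Status of one share's 'hosts allow' against its expected subnet."""
    if params is None:
        return "no-such-share"
    entries = [e for e in re.split(r"[,\s]+", params.get("hosts allow", "")) if e]
    if not entries:
        return "unrestricted"
    try:
        nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    except ValueError:
        return "unparsed"  # hostnames, EXCEPT clauses etc. need manual review
    want = ipaddress.ip_network(subnet)
    return "ok" if all(n.subnet_of(want) for n in nets) else "too-broad"

def audit(shares, expected):
    return {s: classify(shares.get(s), net) for s, net in expected.items()}

def fix_commands(status, expected):
    # Re-apply the command quoted in the thread to shares that drifted.
    return [f'/usr/lpp/mmfs/bin/net conf setparm {s} "hosts allow" {expected[s]}'
            for s, st in status.items() if st in ("unrestricted", "too-broad")]
```

Running the audit after each code upgrade and reviewing the output of `fix_commands` before applying it shows which shares lost or widened their subnet restriction.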
