[gpfsug-discuss] Limiting CES SMB shares to specific subnets

Helge Hauglin helge.hauglin at usit.uio.no
Tue Feb 9 15:46:39 GMT 2021


Hi.

We have an ESS 5.0.4.3 cluster with a CES cluster serving files with
NFSv4 ACLs to NFS and SMB clients.  This system is used for
sensitive research data, and will in the coming years house thousands of
research projects, which will have to be strictly separated.  Each
project has its own subnet for the project Linux and Windows hosts.

Project directories are independent filesets in file systems; each
project directory has NFSv4 ACLs giving access to only the project group.
Project NFS shares are limited to each project's subnet.

Project SMB shares have export ACLs (as in "mmsmb exportacl ..")
limiting share access to the project's member group, in addition to the
NFSv4 ACLs.

We also want to limit access to SMB shares to project subnets.
There is no way to specify that with "mmsmb", but we have found

  /usr/lpp/mmfs/bin/net conf setparm <share> "hosts allow" <subnet>

to be working, at least with some limited testing: share access is
actually limited to the specified subnets.  The additional settings
seem to be stored in CTDB under /var/lib/ctdb/persistent.

We assume that the "net conf setparm" method is not officially supported
by IBM.  Although it seems to be working, we wonder if it is a good idea
to implement it.   For instance, we are wondering if the additional
settings will survive later ESS code upgrades, and if it will scale to
thousands of SMB shares.

We are considering doing the SMB subnet limiting outside CES, but that would
add complexity and overhead, so we are not very keen on that.

What do other IBM ESS customers do, do you have any advice for us?
Yea or nay?


Regards,

Helge Hauglin

----------------------------------------------------------------
Mr. Helge Hauglin, Senior Engineer
System administrator
Center for Information Technology, University of Oslo, Norway
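As an added illustration (not part of Helge's post, and not IBM or Samba code), the script below shows what the "hosts allow" restriction from the post does on the matching side and how an administrator could audit a CES/Samba registry configuration for shares that lack it. It assumes that the registry dump has the INI-like layout that `net conf list` prints, that "hosts allow" is written in the CIDR, address/netmask or trailing-dot prefix forms documented in smb.conf(5) (the EXCEPT keyword and hostname entries are not handled), and that the share names, paths and subnets in the embedded sample are constructed.

```python
"""Audit helpers for per-share 'hosts allow' restrictions on a Samba/CES registry config.

Added example; the share names, paths and subnets below are constructed, and the
text mimics the INI-style layout of 'net conf list' output (assumed, not captured).
"""
import ipaddress
import re

SAMPLE_NET_CONF_LIST = """\
[global]
\tworkgroup = EXAMPLE

[proj-alpha]
\tpath = /gpfs/fs1/proj-alpha
\thosts allow = 10.10.1.0/24

[proj-beta]
\tpath = /gpfs/fs1/proj-beta
\thosts allow = 10.10.2. 10.10.3.0/255.255.255.0

[proj-gamma]
\tpath = /gpfs/fs1/proj-gamma
"""


def parse_net_conf(text):
    """Parse '[share]' sections and 'key = value' lines into {share: {key: value}}."""
    shares = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', ';')):
            continue
        header = re.match(r'^\[(.+)\]$', line)
        if header:
            current = header.group(1)
            shares[current] = {}
            continue
        if current is not None and '=' in line:
            key, _, value = line.partition('=')
            shares[current][key.strip().lower()] = value.strip()
    return shares


def hosts_allow_to_networks(value):
    """Translate smb.conf 'hosts allow' entries into ipaddress networks.

    Handles CIDR (10.1.0.0/16), address/netmask (10.1.0.0/255.255.0.0) and the
    trailing-dot prefix form (10.1. == 10.1.0.0/16). EXCEPT and hostnames are
    out of scope for this example.
    """
    nets = []
    for token in value.replace(',', ' ').split():
        if token.endswith('.'):
            octets = token.rstrip('.').split('.')
            padded = '.'.join(octets + ['0'] * (4 - len(octets)))
            nets.append(ipaddress.ip_network(f'{padded}/{8 * len(octets)}'))
        else:
            nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def client_allowed(client_ip, hosts_allow):
    """True if client_ip falls inside any network listed in hosts_allow."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in hosts_allow_to_networks(hosts_allow))


def audit_shares(conf_text):
    """Return share names (excluding [global]) with no 'hosts allow', i.e. reachable from any subnet."""
    shares = parse_net_conf(conf_text)
    return sorted(name for name, params in shares.items()
                  if name != 'global' and 'hosts allow' not in params)


def setparm_commands(share_subnets):
    """Render the 'net conf setparm' invocation from the post for each share -> subnet pair."""
    return [f'/usr/lpp/mmfs/bin/net conf setparm "{share}" "hosts allow" "{subnet}"'
            for share, subnet in sorted(share_subnets.items())]


if __name__ == '__main__':
    print('shares without hosts allow:', audit_shares(SAMPLE_NET_CONF_LIST))
    for cmd in setparm_commands({'proj-gamma': '10.10.4.0/24'}):
        print(cmd)
```

Feeding real `net conf list` output into audit_shares gives a quick check that every project share carries a subnet restriction, which is the kind of drift an upgrade could silently introduce if the settings in CTDB were not preserved.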



