[gpfsug-discuss] Limiting CES SMB shares to specific subnets

Helge Hauglin helge.hauglin at usit.uio.no
Wed Feb 10 09:09:01 GMT 2021


Hi Christof, thanks for your answer.

I have added our vote for the RFE, and put us on the watchlist.

Is it possible to say anything about when the RFE might be implemented?

>
> Project SMB shares have export ACLs (as in "mmsmb exportacl ..")
> limiting share access to the project's member group, in addition to the
> NFSv4 ACLs.
>
> We also want to limit access to SMB shares to project subnets.
> There is no way to specify that with "mmsmb", but we have found
>
>   /usr/lpp/mmfs/bin/net conf setparm <share> "hosts allow" <subnet>
>
> to be working, at least with some limited testing: share access is
> actually limited to the specified subnets.   The additional settings
> seem to be stored in CTDB under /var/lib/ctdb/persistent.
>
> We assume that the "net conf setparm" method is not officially supported
> by IBM.  Although it seems to be working, we wonder if it is a good idea
> to implement it.   For instance, we are wondering if the additional
> settings will survive later ESS code upgrades, and if it will scale to
> thousands of SMB shares.
>  
> Officially Scale only supports Samba options that can be set through
> the GUI or the mmsmb CLI. Everything else set through 'net conf' has
> not been tested and is not supported. In this specific case, this is
> likely to work, and it should also be preserved across code upgrades,
> but again, this is not an official support statement.
>  
> This is also not a new request, there is also a pending RFE to make
> this an official Scale feature:
> https://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=141534
>  
> Regards,
>  
> Christof Schmitt
> Software Engineer
> IBM Systems, Spectrum Scale Development
> +1 520 799 2469
> christof.schmitt at us.ibm.com
> @chsc Twitter
>
> IBM
>  
>  
> ----- Original message -----
> From: Helge Hauglin <helge.hauglin at usit.uio.no>
> Sent by: gpfsug-discuss-bounces at spectrumscale.org
> To: gpfsug-discuss at spectrumscale.org
> Cc:
> Subject: [EXTERNAL] [gpfsug-discuss] Limiting CES SMB shares to specific subnets
> Date: Tue, Feb 9, 2021 9:10 AM
>
> Hi.
>
> We have an ESS 5.0.4.3 cluster with a CES cluster serving files with
> NFSv4 ACLs to NFS and SMB clients.      This system is used for
> sensitive research data, and will in the next years house thousands of
> research projects, which will have to be strictly separated.   Each
> project has its own subnet for the project linux and windows hosts.
>
> Project directories are independent filesets in file systems, each
> project directory has NFSv4 ACLs giving access to only the project group.
>
> Project NFS shares are limited to each project's subnet.
>
> Project SMB shares have export ACLs (as in "mmsmb exportacl ..")
> limiting share access to the project's member group, in addition to the
> NFSv4 ACLs.
>
> We also want to limit access to SMB shares to project subnets.
> There is no way to specify that with "mmsmb", but we have found
>
>   /usr/lpp/mmfs/bin/net conf setparm <share> "hosts allow" <subnet>
>
> to be working, at least with some limited testing: share access is
> actually limited to the specified subnets.   The additional settings
> seem to be stored in CTDB under /var/lib/ctdb/persistent.
>
> We assume that the "net conf setparm" method is not officially supported
> by IBM.  Although it seems to be working, we wonder if it is a good idea
> to implement it.   For instance, we are wondering if the additional
> settings will survive later ESS code upgrades, and if it will scale to
> thousands of SMB shares.
>
> We are considering doing the SMB subnet limiting outside CES, but that would
> add complexity and overhead, so we are not very keen on that.
>
> What do other IBM ESS customers do, do you have any advice for us?
> Yea or nay?
>
> Regards,
>
> Helge Hauglin
>
> ----------------------------------------------------------------
> Mr. Helge Hauglin, Senior Engineer
> System administrator
> Center for Information Technology, University of Oslo, Norway
> _______________________________________________
> gpfsug-discuss mailing list
> gpfsug-discuss at spectrumscale.org
> http://gpfsug.org/mailman/listinfo/gpfsug-discuss

-- 
Regards,

Helge Hauglin

----------------------------------------------------------------
Mr. Helge Hauglin, Senior Engineer
System administrator
Center for Information Technology, University of Oslo, Norway
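The "hosts allow" precedence that the thread relies on, as an added example (this is not code from the original post, from IBM or from Samba): a small Python model of Samba's per-share host check, following the rules documented in smb.conf(5). An allow list on its own admits only the listed hosts, a deny list on its own rejects only the listed hosts, and when both are set a match on the allow list wins; 127.0.0.1 is admitted unless it is explicitly denied. Pattern coverage is deliberately limited to IPv4 addresses, CIDR or address/netmask networks, trailing-dot prefixes such as "10.42.0." and the keyword ALL; hostnames and the EXCEPT keyword are not modelled, and the exact behaviour of a given Samba build should be confirmed against that build. The share name, subnet and client addresses are constructed for the example.

```python
"""Model of Samba's "hosts allow" / "hosts deny" decision for one share.

Assumptions (not taken from the thread): the precedence rules are those
described in smb.conf(5); patterns are IPv4 only; hostnames and EXCEPT
are not supported.
"""
import ipaddress


def _matches(pattern, addr):
    """Return True if one Samba-style host pattern matches an IPv4 address."""
    pat = pattern.strip()
    if not pat:
        return False
    if pat.upper() == "ALL":
        return True
    if pat.endswith("."):                       # "10.42.0." => prefix match
        return str(addr).startswith(pat)
    if "/" in pat:                              # CIDR or net/netmask form
        return addr in ipaddress.ip_network(pat, strict=False)
    return addr == ipaddress.ip_address(pat)   # single host


def _list_match(patterns, addr):
    return any(_matches(p, addr) for p in patterns)


def _split(param):
    """Samba accepts comma, space or tab separated pattern lists."""
    return [p for p in param.replace(",", " ").split() if p]


def allow_access(hosts_allow, hosts_deny, client_ip):
    """Decide whether client_ip may connect to a share.

    hosts_allow / hosts_deny are the raw parameter strings as you would
    pass to 'net conf setparm'; an empty string means the parameter is unset.
    """
    addr = ipaddress.ip_address(client_ip)
    allow = _split(hosts_allow)
    deny = _split(hosts_deny)

    # Loopback is admitted unless it is denied and not explicitly allowed.
    if str(addr) == "127.0.0.1":
        return not (_list_match(deny, addr) and not _list_match(allow, addr))

    if not allow and not deny:                  # neither set: open share
        return True
    if allow and not deny:                      # allow only: listed hosts only
        return _list_match(allow, addr)
    if deny and not allow:                      # deny only: everyone but listed
        return not _list_match(deny, addr)
    if _list_match(allow, addr):                # both set: allow list wins
        return True
    return not _list_match(deny, addr)


def check_share(hosts_allow, hosts_deny, clients):
    """Dry-run a share's host restriction against a list of client IPs."""
    return {ip: allow_access(hosts_allow, hosts_deny, ip) for ip in clients}


if __name__ == "__main__":
    # Constructed example: project share restricted to one project subnet.
    verdicts = check_share("10.42.0.0/24", "",
                           ["10.42.0.17", "10.43.0.17", "127.0.0.1"])
    for ip, ok in verdicts.items():
        print(f"{ip:>12}  {'allow' if ok else 'deny'}")
```

The allow-only case is the one the thread describes: once "hosts allow" is set on a share, any client outside the listed subnets is refused even though no "hosts deny" exists, which is why the limited testing showed access restricted to the given subnets. Two caveats a practitioner would want: this is a source-address filter evaluated by smbd, not authentication, so it complements rather than replaces the export ACLs and NFSv4 ACLs already in place; and on a CES node the value actually in effect for a share can be read back with `net conf getparm <share> "hosts allow"`, which is the natural check to script across a large number of shares and to re-run after a code upgrade.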
