Annoying behavior with Veeam / DirectNFS / Netapp e0M

[orb]

Hi,

We noticed a very annoying behaviour of the NetApp integration into the product.

Here is the situation, we have 2 proxy appliances. One does have a dedicated network for NFS access, the other does have only access to the e0M (MGMT interface) of the NetApp.
We discovered NFS permissions are automatically inserted to the /etc/exports (ro + root) if the proxy doesn’t have required access. Since the second proxy doesn’t have access to the NFS network, it finds itself added and connected to the management interface (e0M). This port is not suited for transfers since it does operate at 100Mbits.

They are 2 options to block traffic on the NetApp: options interface.blocked.nfs or interface.blocked.mgmt_data_traffic. Even if they are enabled to refuse connections, they are still added to the NFS exports.

In the meantime, we can only remove the proxy automatic selection to avoid this situation.

Please consider fixing this behaviour by adding a check if the interface is part of the mgmt, and also an option to disable the automatic insert in the /etc/exports. We are using netgroups and it creates quite a mess in our file.

Thank you,
Oli

[orb]

Case Opened : 01752798

[Vitaliy S.]

Hi Olivier,

Thanks for bringing this to our attention. Currently, the behavior you have described is indeed the expected one, however we are considering having an option that would allow to select which proxy servers can work with the storage. Hope that this should address your concern.

Thanks!

[orb]

Vitaly,

I would welcome such an option, would not it be better to check if the IP is registered to a Management interface ? Reading the option value might be too restrictive since you would denied the usage of some (or all) protocols for administration purposes.

a registry setting to block exports insertion would be lovely too.

Oli

[Vitaliy S.]

Yes, other options might be indeed a better choice, but I'm just thinking on the most reliable and easy/quicker (keep in mind both dev and QA time) to deliver solution for your problem. Thanks for the suggestions though.

[orb]

And hope.it does not break people using the the management port without know it.

[orb]

Vitali,

It strikes to me on Netapp the cli cmd (and not only) exportfs -c IP,[:IP] volume allows to verify the AC against an existing volume. It could be be a way to handle existing netgroups usage and avoid unnecessary inserts.

Oli

[Vitaliy S.]

Oli, thanks for sharing this. I will give a heads up to our dev team.