
NFS mount fails if the export hostname matches the client and the DNS entry is cached

Applies to

  • ONTAP 9
  • NFS

Issue

  • When the NFS client (10.216.41.24) attempts to mount an NFS export (security style: UNIX), the mount fails with "Access denied"

[root@centos_client_1 ~]#  mount -v 10.216.41.211:/voltest_cdot -o sec=sys,nfsvers=3 /test
mount.nfs: timeout set for Wed Jan  4 05:01:05 2023
mount.nfs: trying text-based options 'sec=sys,nfsvers=3,addr=10.216.41.211'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 10.216.41.211 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 10.216.41.211 prog 100005 vers 3 prot UDP port 635
mount.nfs: mount(2): Permission denied
mount.nfs: access denied by server while mounting 10.216.41.211:/voltest_cdot   

  • The export policy rule contains a hostname/FQDN rather than an IP address

cdot_vsim97::> export-policy rul show -vserver svm01 -policyname new
       Policy      Rule   Access   Client         RO
Vserver    Name       Index   Protocol Match          Rule
------------ --------------- ------  -------- --------------------- ---------
svm01        new        1     any    centos_client_1.   any
                       naslab.local

  • The client hostname resolves to IP 10.216.41.24

Warning

cdot_vsim97::> set advanced

Warning: These advanced commands are potentially dangerous; use them only when directed to do so by NetApp personnel.
Do you want to continue? {y|n}: y

cdot_vsim97::*> getxxbyyy gethostbyname -vserver svm01 -hostname centos_client_1.naslab.local -show-source true
Source used for lookup: DNS
Host name: centos_client_1.naslab.local
Canonical name: centos_client_1.naslab.local
IPv4: 10.216.41.24

  • export-policy check-access denies access

cdot_vsim97::*> export-policy check-access -vserver svm01 -volume voltest_cdot -client-ip 10.216.41.24 -authentication-method sys -protocol nfs3 -access-type read-write
                     Policy   Policy     Rule
Path              Policy    Owner    Owner Type  Index Access
----------------------------- ---------- --------- ---------- ------ ----------
/                test     svm01_root   volume    1  read
/voltest_cdot          new     voltest_cdot volume    0  denied

  • For client centos_client_1.naslab.local, the name service (NS) cache shows an incorrect IP

cdot_vsim97::*> vserver services name-service cache hosts forward-lookup show -vserver svm01 -host centos_client_1.naslab.local
          IP     Address IP            Create
Vserver   Host    Protocol Family  Address     Source  Time     TTL(sec)
--------- -------- -------- ------- -------------- ------- ---------- --------
svm01     centos_client_1.naslab.local Any Ipv4  dns    1/4/2023   3600
                  10.216.41.74       15:21:07     
   

  • For client 10.216.41.24, the export policy access cache shows an entry with negative polarity

cdot_vsim97::*> export-policy access-cache show -node cdot_vsim97-01 -vserver svm01 -policy new -address 10.216.41.24

                     Node: cdot_vsim97-01
                   Vserver: svm01
                 Policy Name: new
                  IP Address: 10.216.41.24
           Access Cache Entry Flags: has-usable-data
                 Result Code: 0
         First Unresolved Rule Index: -
            Unresolved Clientmatch: -
        Number of Matched Policy Rules: 0
     List of Matched Policy Rule Indexes: -
                 Age of Entry: 38s
         Access Cache Entry Polarity: negative
Time Elapsed since Last Use for Access Check: 37s
    Time Elapsed since Last Update Attempt: 38s
        Result of Last Update Attempt: 0
         List of Client Match Strings: -   

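Note: export-policy access-cache shows the negative entry only after a mount or access attempt has been made from client 10.216.41.24 and "Access denied" has been returned

Note: The output above is from a lab environment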
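The comparison the steps above perform by eye (live lookup versus cached forward lookup versus the mounting client's IP) can be scripted. This is an added example, not NetApp code: the function names are hypothetical, and the sample input is constructed from the two captures shown on this page.

```python
import ipaddress
import re

# Constructed sample input: the gethostbyname and cache captures from this page.
LIVE_LOOKUP = """\
Source used for lookup: DNS
Host name: centos_client_1.naslab.local
Canonical name: centos_client_1.naslab.local
IPv4: 10.216.41.24
"""

CACHE_OUTPUT = """\
          IP     Address IP            Create
Vserver   Host    Protocol Family  Address     Source  Time     TTL(sec)
--------- -------- -------- ------- -------------- ------- ---------- --------
svm01     centos_client_1.naslab.local Any Ipv4  dns    1/4/2023   3600
                  10.216.41.74       15:21:07
"""
IPV4_TOKEN = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def extract_ipv4(text):
    """Return every valid IPv4 address in free-form (possibly wrapped) CLI output."""
    found = set()
    for token in IPV4_TOKEN.findall(text):
        try:
            found.add(ipaddress.IPv4Address(token))
        except ipaddress.AddressValueError:
            pass  # dotted token that is not an address, e.g. 999.1.1.1
    return found


def live_addresses(lookup_output):
    """Addresses taken only from the 'IPv4:' lines of the live lookup output."""
    lines = [l for l in lookup_output.splitlines() if l.strip().startswith("IPv4:")]
    return extract_ipv4("\n".join(lines))


def stale_cache_report(lookup_output, cache_output, client_ip):
    """Compare live resolution, cached resolution and the mounting client's IP."""
    client = ipaddress.IPv4Address(client_ip)
    live = live_addresses(lookup_output)
    cached = extract_ipv4(cache_output)
    return {
        "client_in_live_dns": client in live,
        "client_in_cache": client in cached,
        "stale_cached_ips": [str(ip) for ip in sorted(cached - live)],
    }
```

For the captures on this page, the report shows the client IP present in the live DNS answer, absent from the cache, and 10.216.41.74 listed as the cached address that the live lookup does not return.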
