#NFS export-policies
If you're doing it for vmware, our tools in the past have specified individual hosts
in reality, for ESX your datacenter L2 should be secure, so subnets should be fine. If you're doing it for client access, you can't trust clients, so hopefully you're doing kerberos too, so again, subnets are ok
export policy with policy rule for each accessing client, vlan tagging, broadcast-domain
for vmware, a default export-policy including the entire subnet.
again, vlan-tagged lif
Depends on the client requirements. Many rules are subnet-wide since we have thousands of compute servers. netgroup syntax limitations are too archaic to manage these (eg, 192.168.0.0/16 is syntactically invalid in a netgroup file). For trusted servers that require root access, we have them identified in our configuration database and then generate netgroups from there and push out to the SVMs. For other clients that need to write to specific volumes as root, they're identified by hostname in specific export policies. So it's a combination of hostnames, subnets, and netgroups.
What do you host the netgroups in if using? Or is this on the cluster netgroups?
I personally wish I could just use Active Directory Groups. They have a ton of flexibility and they are naturally replicated. Computer Accounts in said group and group applied to export rule as ro, rw, root.