4 Replies Latest reply on Apr 14, 2012 4:26 PM by Joe Piotrowski

    Recommended agent config for using NFS as a file server

    David Crim

      I am testing the "NFS as a file server" best practice by exporting an NFS share from a file server and mounting it on the application server.  "Localhost" is designated as the BladeLogic file server.  What is the recommended users.local and exports configuration when using NFS as a file server?

        • 1. Recommended agent config for using NFS as a file server
          Vinnie Lima

          Make sure that the users.local has the following entries:

           

          BLAdmins:BLAdmin rw,map=<local admin user>

          RBACAdmins:RBACAdmin rw,map=<local admin user>

          System:System rw,map=<local admin user>

           

          And make sure <local admin user> has full read/write/execute rights recursively to the NFS directory/share.

          • 2. Re: Recommended agent config for using NFS as a file server
            Bill Robinson

            Doesn’t matter if it’s NFS or not.  The file server should map all connections from the appserver to a non-root account that owns the ‘storage’ directory.  The file server agent should not be used to manage that system.

            • 3. Recommended agent config for using NFS as a file server
              David Crim

              Regarding "the file server agent should not be used to manage that system," I understand.  That's why I want to be careful on how I configure the exports/users.local files.  In our "traditional" setup (non-NFS), this is how the agent files are configured on the file server (blfsuser being a non-root account):

               

              exports

              -----------

              <application server IP> rw,user=blfsuser

               

              users.local

              ----------------

              System:System rw,user=blfsuser

               

               

              In our "best practice" setup (using NFS), I was considering the following for the agent files on the application server (again, blfsuser being a non-root account):

               

              exports

              -----------

              <application server IP> rw,user=blfsuser  #maybe this isn't needed

              127.0.0.1 rw,user=blfsuser

               

              users.local

              ----------------

              System:System rw,user=blfsuser

               

               

              Is this ideal?  Am I missing anything?

              • 4. Re: Recommended agent config for using NFS as a file server
                Joe Piotrowski

                The File Server secure files are configured differently than targets. Here are the best practices I've been given for each.

                 

                File Server

                During BBSA installation, including installing Application servers and blcontent, set:

                exports = * rw,user=root (or Administrator) (users.local should be blank)

                 

                After installation and configuration is complete, lock down your secure files. Create a non-privileged user and group (typically blfs:blfs). Change the ownership of the File Server /storage folder to blfs:blfs. Edit the following files:

                 

                Option 1

                exports =

                <appservername1> rw,user=blfs

                <appservername2> rw,user=blfs

                etc

                 

                users.local = <blank>

                 

                Option 2

                exports =

                <appservername1> rw

                <appservername2> rw

                etc

                 

                users.local = System:System rw,map=blfs

                 

                In Option 1, there is no need to have an entry in the users.local file because we are mapping hosts directly to the local administrator account. In Option 2, we are using the exports file to lock down connections from certain hosts, then using the users.local file to map to the blfs user. Either option is valid.

                 

                -----

                 

                Targets

                Best practice

                exports =

                <appservername1> rw

                <appservername2> rw

                etc

                 

                users.local = BLAdmins:* rw,map=root (or Administrator)

                 

                users = (pushed by ACL job)

                 

                Exports is used to lock down connections from application servers only. users.local contains BLAdmins:* (or BLAdmins:BLAdmin) in case ACLs are pushed incorrectly and users cannot access the systems. This ensures that someone belonging to the BLAdmins group can still contact the agents and isn't locked out. RBAC users and permission policies are created in BladeLogic and those rules (ACLs) are pushed to the users file on the targets.
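
The file server lock-down described in reply 4 can be checked mechanically. The following is an added example, not part of the thread and not BMC tooling: a Python audit that assumes only the entry syntax shown in the posts above (`<host> rw,user=<account>`, `Role:User rw,map=<account>`, `#` comments). The host names, sample file contents and function names are constructed for illustration.

```python
PRIVILEGED = {"root", "administrator"}

def parse(text):
    """Return (subject, options) per entry; '#' starts a comment, as in the thread."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        opts = {}
        for item in (parts[1] if len(parts) > 1 else "").replace(" ", "").split(","):
            if item:
                key, _, value = item.partition("=")
                opts[key.lower()] = value
        entries.append((parts[0], opts))
    return entries

def mapped_user(opts):
    # The posts use both user= and map= to name the local account.
    return opts.get("user") or opts.get("map")

def audit_file_server(exports_text, users_local_text):
    """Return findings against the post-install lock-down (Option 1 or Option 2)."""
    findings = []
    exports, users_local = parse(exports_text), parse(users_local_text)
    system_mapped = any(s.lower() == "system:system" and mapped_user(o)
                        for s, o in users_local)
    for host, opts in exports:
        user = mapped_user(opts)
        if host == "*":
            findings.append("exports: '*' accepts connections from any host")
        if user and user.lower() in PRIVILEGED:
            findings.append(f"exports: {host} maps to privileged account {user}")
        if not user and not system_mapped:
            findings.append(f"exports: {host} matches neither Option 1 nor Option 2")
    for subject, opts in users_local:
        user = mapped_user(opts)
        if user and user.lower() in PRIVILEGED:
            findings.append(f"users.local: {subject} maps to privileged account {user}")
    return findings

# Constructed sample inputs (host names are placeholders, not real systems).
INSTALL_TIME = ("* rw,user=root\n", "")
OPTION_1 = ("appserver1 rw,user=blfs\nappserver2 rw,user=blfs  # second appserver\n", "")
OPTION_2 = ("appserver1 rw\nappserver2 rw\n", "System:System rw,map=blfs\n")
UNMAPPED = ("appserver1 rw\n", "")

if __name__ == "__main__":
    for name, cfg in [("install-time", INSTALL_TIME), ("option 1", OPTION_1),
                      ("option 2", OPTION_2), ("unmapped", UNMAPPED)]:
        print(name, audit_file_server(*cfg) or "OK")
```

Run it against the file server's secure files after installation; the install-time settings are expected to be flagged until the lock-down is applied.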