Make sure that the users.local has the following entries:
BLAdmins:BLAdmin rw,map=<local admin user>
RBACAdmins:RBACAdmin rw,map=<local admin user>
System:System rw,map=<local admin user>
And make sure <local admin user> has full read/write/execute rights recursively to the NFS directory/share.
Doesn't matter if it's NFS or not. The file server should map all connections from the appserver to a non-root account that owns the 'storage' directory. The file server agent should not be used to manage that system.
Regarding "the file server agent should not be used to manage that system," I understand. That's why I want to be careful about how I configure the exports/users.local files. In our "traditional" setup (non-NFS), this is how the agent files are configured on the file server (blfsuser being a non-root account):
<application server IP> rw,user=blfsuser
In our "best practice" setup (using NFS), I was considering the following for the agent files on the application server (again, blfsuser being a non-root account):
<application server IP> rw,user=blfsuser #maybe this isn't needed
Is this ideal? Am I missing anything?
The File Server secure files are configured differently than targets. Here are the best practices I've been given for each.
During BBSA installation, including installing Application servers and blcontent, set:
exports = * rw,user=root (or Administrator) (users.local should be blank)
After installation and configuration is complete, lock down your secure files. Create a non-privileged user and group (typically blfs:blfs). Change the ownership of the File Server /storage folder to blfs:blfs. Edit the following files:
Option 1: users.local = <blank>
Option 2: users.local = System:System rw,map=blfs
In Option 1, there is no need to have an entry in the users.local file because we are mapping hosts directly to the local administrator account. In Option 2, we are using the exports file to lock down connections from certain hosts, then using the users.local file to map to the blfs user. Either option is valid.
On targets:
users.local = BLAdmins:* rw,map=root (or Administrator)
users = (pushed by ACL job)
Exports is used to lock down connections from application servers only. users.local contains BLAdmins:* (or BLAdmins:BLAdmin) in case ACLs are pushed incorrectly and users cannot access the systems. This ensures that someone belonging to the BLAdmins group can still contact the agents and isn't locked out. RBAC users and permission policies are created in BladeLogic and those rules (ACLs) are pushed to the users file on the targets.
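As an added example (not from this thread or from BladeLogic itself), here is a small checker that parses the two line shapes quoted above, exports "<host> <perms>,user=<local>" and users.local "<Role>:<User> <perms>,map=<local>", and flags the install-time settings the answer says must not survive on a locked-down file server: a wildcard host and any mapping to root/Administrator. The sample files and the 192.0.2.x application server addresses are constructed for the example.

```python
import re

# Line shapes used in the thread; a trailing "# comment" is stripped first.
EXPORTS_RE = re.compile(r"^(\S+)\s+([a-z]+)(?:,user=(\S+))?$")
USERS_LOCAL_RE = re.compile(r"^([^:\s]+):(\S+)\s+([a-z]+)(?:,map=(\S+))?$")
PRIVILEGED = {"root", "Administrator"}


def _lines(text):
    """Yield non-empty lines with '#' comments removed."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_exports(text):
    """Return [(host, perms, user_or_None)] for an exports file."""
    out = []
    for line in _lines(text):
        m = EXPORTS_RE.match(line)
        if not m:
            raise ValueError("bad exports line: %r" % line)
        out.append(m.groups())
    return out


def parse_users_local(text):
    """Return [(role, user, perms, map_or_None)] for a users.local file."""
    out = []
    for line in _lines(text):
        m = USERS_LOCAL_RE.match(line)
        if not m:
            raise ValueError("bad users.local line: %r" % line)
        out.append(m.groups())
    return out


def audit_file_server(exports_text, users_local_text):
    """List the settings that should only exist during installation."""
    findings = []
    for host, _perms, user in parse_exports(exports_text):
        if host == "*":
            findings.append("exports: wildcard host '*' accepts any caller")
        if user in PRIVILEGED:
            findings.append("exports: %s mapped to privileged %s" % (host, user))
    for role, user, _perms, local in parse_users_local(users_local_text):
        if local in PRIVILEGED:
            findings.append("users.local: %s:%s mapped to %s" % (role, user, local))
    return findings


# Constructed samples: the install-time setting, then an Option 2 lockdown.
INSTALL_EXPORTS, INSTALL_USERS_LOCAL = "* rw,user=root\n", ""
LOCKED_EXPORTS = "192.0.2.10 rw\n192.0.2.11 rw\n"
LOCKED_USERS_LOCAL = "System:System rw,map=blfs\n"
```

Running audit_file_server on the install-time pair reports both the wildcard host and the root mapping; the locked-down pair reports nothing.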