Using PowerShell to Manage NetApp NFS Export Permissions (ACLs)

Although I have a relatively small number of NFS exports to manage, I still dislike the various methods for modifying Access Control Lists (ACLs) for existing volumes. It’s kinda a pain in the rear to do via GUI. Fortunately, NetApp has a great set of PowerShell cmdlets available for download that allows you to very easily manage ACLs.

In this post, I’ll go over how to look up the existing ACLs, modify the list, and go over some pitfalls that I’ve encountered.

Listing the ACLs for Exports

Let’s start by looking at the code I’ve written to list out ACLs:

[sourcecode language=”powershell”]
$vcenter = "yourserver.local"
$controllerA = "192.168.1.1"
$controllerB = "192.168.2.1"

#region Connection
cls
### Get NetApp credentials if none exist
If ($nacreds -eq $null) {$nacreds = Get-Credential -Credential root}
### Connect to vCenter
Connect-VIServer $vcenter | Out-Null
#endregion

function ConnectController ($controller) {
If ($controller -eq "A") {Connect-NaController $controllerA -Credential $nacreds | Out-Null}
ElseIf ($controller -eq "B") {Connect-NaController $controllerB -Credential $nacreds | Out-Null}
Else {Write-Error -Message "INVALID CONTROLLER SPECIFIED" -ErrorAction:Stop}
Set-Variable -Scope Global -Name Controller -Force:$true -Value "NetApp Controller $($controller)"
}

function NFSList{
### List out the current ACLs
$ControllerList = %{"A","B"}
Foreach ($letter in $ControllerList)
{
ConnectController $letter
Write-Host -ForegroundColor:DarkRed "$($Controller): Current ACL list"
$exportlist = Get-NaNfsExport
Foreach ($export in $exportlist) {Write-Host "$($export.pathname) – $($export.SecurityRules[0].ReadWrite)"}
}
}
[/sourcecode]

This code performs 4 basic functions:

  1. The first segment contains variables for your vCenter server and controller IPs (I’m assuming 2 controllers in HA)
  2. The “Connection” region actually executes the connections to the vCenter server and gathers credentials for the NetApp filer (to avoid saving them in the script).
  3. The ConnectController function is used to connect to the filer, as you can only connect to a single controller at a time. It takes the $controller variable to determine which one you want and is called by other functions.
  4. The final function, NFSList, is a function you would call to actually begin the process of listing ACLs. It loops through any number of controllers in the %ControllerList table.

You should be able to copy and paste this into a PowerShell script, enter in your vCenter and NetApp IPs, and it will work. While it doesn’t contain any “set” type of commands, use at your own risk, etc.

 Setting ACL Values for Exports

Now that you have the framework of a script written, it’s time for the hard (and sometimes scary part) – setting ACLs.

I say scary because a poorly written command can easily cause chaos in your system. Fortunately, it’s pretty straightforward, but I still double check all of my “set” cmdlets just to be safe.

The first task is to create a variable that contains the IPs you are going to assign. The quick and dirty way is:
[sourcecode language=”powershell”]
Set-Variable -Scope Global -Name nfsips -Force:$true
[array]$global:nfsips += "192.168.100.1"
[array]$global:nfsips += "192.168.100.2"
[/sourcecode]
… and so on. Each IP is represented in a line. I tend to avoid fancy loops or adding scripts for this, as I like to “see” every IP that will be added. I’m old school.

Next, connect to the controller and set the ACL for your export:
[sourcecode language=”powershell”]
function NFSACL{
ConnectController A
Set-NaNfsExport -Path "/vol/NAMEOFPATH" -Confirm:$true -ReadWrite $nfsips -Root $nfsips -Persistent
}
[/sourcecode]
Note the “-persistent” argument? Yes, for some reason, commands you give to the filer will not stay unless you add this flag. I found this out the hard way. You can also use the “-whatif” flag if you want to just see what would happen instead of committing it. I’ve set the “-confirm” flag to ensure that I’m always asked before a commit, to avoid job loss during code writing (sometimes the enter key is 40 miles wide). 🙂

Thoughts

NetApp has a surprisingly robust suite of PowerShell cmdlets available for script junkies. When setting the ACLs, there is no feedback to let you know the commit was successful. It just issues a carriage return. If you want to play around with this in a non production environment, NetApp also has a simulated filer of OnTap 8 in 7-mode. It’s handy for taking the stress out of the script writing. The sim is available on the NOW site.