Skip to main content

NFS Security and the Delphix Engine (KBA1654)



NOTE: This article has been archived as it is no longer valid for current supported versions of the Delphix Continuous Data platform.  


The /public NFS Share

The Delphix Engine provides one NFS share, /public, which is accessible to any server with connectivity to the Delphix Engine via NFS.

This may be raised as an issue by automated vulnerability scanning software, but poses little security risk. In versions prior to 4.1 the share runs with a very small quota (100k), and therefore it should not be possible for an NFS client to run the Delphix Engine out of space and deny service to legitimate activity on the Delphix Engine. In versions 4.1 and later the share was made read-only and removed from the list of exported filesystems.

The /public share is used by the "hostchecker" tool, which is run on new target systems before they are added to Delphix. This tool attempts to mount /public and transfer a test file to it, to validate network connectivity. Because this check is performed before the Delphix Engine has any information about the new target, it would not be possible to modify an ACL with information about the new target. In 

IP restrictions on NFS exports

By default, when a VDB is provisioned, all NFS shares exported from the Delphix Engine to support that VDB are restricted to the IP address of the target host(s).

Removing IP restrictions on NFS exports 

When a target server has multiple IP addresses or interfaces on the same network as the Delphix Engine, the target's network stack is likely to send traffic via multiple interfaces in an attempt to spread the load.

Due to the IP restrictions on NFS exports mentioned above, the Delphix Engine will only accept requests coming from the IP address configured in Delphix for that target. This may result in unexpected failures of NFS operations, including failure to mount NFS shares during VDB provisioning.

Wherever feasible, Delphix recommends configuring static host routes on the target server, ensuring that all traffic to the Delphix Engine is sent via the IP address configured for that target. 

As a last resort in cases where this is not possible, Delphix may offer to make a configuration change which removes the IP restrictions on NFS exports. This setting is global, affecting all NFS mounts presented by that engine.

This configuration change has implications for data security, and should not be taken lightly.

When IP restrictions on NFS exports are removed:

  • Any server with connectivity to the Delphix Engine via NFS will be able to mount any volume exported by the Delphix Engine, if the appropriate IP address and mount name are known
  • In versions of the Delphix Engine prior to, devices with NFS access to the Delphix Engine may be able to list accessible NFS mounts
  • The Delphix Engine does not perform any validation on which NFS shared are mounted by which target environments

If IP restrictions are removed, implementing restrictions at the network level (via firewalls or ACLs) is essential to maintaining data security on the Delphix Engine. Even with appropriate controls in place at the network level, these changes should be carefully considered.