Access controls in NFS
There are some things you need to be aware of before creating and accessing an NFS datastore:
- At least one VMkernel port for NFS traffic must be created.
- The network-attached storage device should be listed on the VMware Hardware Certification List (HCL)
- NFS version 3 over TCP must be used.
- A file system must be created on the NAS device and exported.
- ESXi hosts must be able to access the NFS server in read-write mode.
- Read-write access must be allowed for the root account.
Sometimes, to protect NFS volumes from unauthorized access, the NFS volumes are exported with the root_squash option enabled. When root_squash is on, root users are downgraded to unprivileged file system access and the NFS server might refuse the ESXi host access to virtual machine files on the NFS volume. The no_root_squash option must be used instead of root_squash to export an NFS volume. This option allows root on the client (the ESXi host) to be recognized as root on the NFS server.