Date: Mon, 24 Oct 2016 07:58:57 -0700 From: Ben Whaley <bwhaley@gmail.com> To: Rick Macklem <rmacklem@uoguelph.ca> Cc: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org> Subject: Re: NFSv4 exports confusion Message-ID: <CAOfR73jet5vB4XgyE%2B8qUDjGxD5-nQiA=icWeSU96hLkLFLFUQ@mail.gmail.com> In-Reply-To: <YTXPR01MB0189DB96028EFB59128F6C03DDD60@YTXPR01MB0189.CANPRD01.PROD.OUTLOOK.COM> References: <CAOfR73h=cqd5L_=We5yABoiDx7zbmu=guSQJRa8aF3L_-YW%2BfQ@mail.gmail.com> <YTXPR01MB0189DB96028EFB59128F6C03DDD60@YTXPR01MB0189.CANPRD01.PROD.OUTLOOK.COM>
next in thread | previous in thread | raw e-mail | index | archive | help
Thank you, Rick, for taking the time to reply. In an NFSv4 server, is it possible to have multiple exports on the same filesystem but not under the same tree without exposing the top level directory? E.g. if you wanted to export the following without also exporting / /path/to/export1 /anotherpath/to/export2 Assuming export1 and export2 are both on the same server filesystem, could they both be exported without exporting / as the NFSv4 root? Also, exports(5) says: > The third form has the string ``V4:=E2=80=99=E2=80=99 followed by a singl= e absolute path name, to specify the NFSv4 tree root. > This line does not export any file system, but simply marks where the root of the server=E2=80=99s directory t= ree is for > NFSv4 clients. Yet the V4 root seems to behave like a =E2=80=9Cnormal=E2=80=9D export with= the -alldirs option. A V4 client can mount the V4 root and any subdirectory under it, whether the subdir was exported or not. Am I misunderstanding what the man page says? Thanks again, Ben On Sun, Oct 23, 2016 at 3:01 PM, Rick Macklem <rmacklem@uoguelph.ca> wrote: > Ben Whaley wrote: > > > Hi all, > > > > I=E2=80=99m probably just misunderstanding something pretty basic here = so > apologies > > if that=E2=80=99s the case. > > > > The NFSv4 pseudo-filesystem root is not behaving the way I=E2=80=99d ex= pect. > > Consider the following extremely simple /etc/exports (just for example > > purposes): > FreeBSD does not implement a pseudo-filesystem (which was just a suggeste= d > mechanism in the RFC that only Solaris did, as far as I know. > The "V4:" line simply specifies where in the real server file system tree > the NFSv4 root > is. > > > V4: /exports > > /exports/export1 /exports/export2 -network 172.28.0.0/16 > Since these paths are both on the same line, it suggests that they are th= e > same > server file system. Exports are handled by the FreeBSD kernel on a > per-server-filesystem > basis. > --> As such this line exports the file system /export to 172.28.0.0 and > anywhere in > that file system is exported. > If you only want /export/export1 and /export/export2 to be exported, they > need to > be separate server file systems and need to be exported by separate lines > in > /etc/exports. > (The two directories /export/export1 and /export/export2 on the above lin= e > are > referred to as "administrative control". In practice that means that the > NFSv3 mount > protocol implemented by mountd(8) will only accept those paths. The rest > of the > file system is actually exported, but a typical NFSv3 client won't be > able to mount them. > A hacked or malicious one could access the rest of /export, since the > kernel doesn't > know anything about subtrees of a server fiule system.) > > Since NFSv4 doesn't use the Mount protocol (and never talks to mountd(8))= , > it knows > nothing about these "administrative controls". (And, yes, /etc/exports is > complicated > including the man page that tries to explain it.) > --> The behaviour you describe is what is expected to happen, given > /export/export1 > and /export/export2 are on the same server file system. > > > And this directory structure: > > > > # tree /exports/ > > /exports/ > > |-- export1 > > | `-- file1 > > |-- export2 > > | `-- file2 > > `-- notanexport > > `=E2=80=94 file > > > > Now when I mount / as the NFSv4 pseudo-fs root (from an Ubuntu Xenial > > client): > > > > mount -t nfs4 server:/ /mnt > > > > I would expect to see only export1 and export2. But in fact I see > If you want the client to just see export1 and export2, you can mount the= m > individually. For example: > mount -t nfs4 server:/export1 /mnt/export1 > mount -t nfs4 server:/export2 /mnt/export2 > > > # ls /mnt > > export1 export2 notanexport > > > > And the contents of /exports/notanexport/file are available to the > client. > > > > Why is this? The language in RFC7530 seems explicit to me: > > > > Portions of the server namespace that are not exported are bridged via = a > >=E2=80=9Cpseudo-file system=E2=80=9D that provides a view of exported di= rectories only. > > > > E.g. per the spec, only exported filesystems should be visible, and the > > path to get to them. The pseudo-fs only exposes directories that must b= e > > traversed to reach all exports. > I am not aware of exactly what the Linux server does these days. At one > time, > you specified a single file system as the root and the "root of the tree > is there". > (I once did a pseudo-file system, but the code was complicated and no one > seemed > to care, so I tossed it. As I noted above, only Solaris ever did a real > pseudo-fs as far > as I am aware and everyone assumed the RFC described it just to > demonstrate it was a possible solution, not a required one.) > > > > The man page also states: > > > > The nfsd(8) allows a limited subset of operations to be performed on > non-exported >subtrees > > Subtrees are segmented on file system mount points in the server. In this > case, > it refers to one or more file systems that need to be traversed on the wa= y > to the > file systems that are actually exported. > > rick
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAOfR73jet5vB4XgyE%2B8qUDjGxD5-nQiA=icWeSU96hLkLFLFUQ>