Date: Tue, 01 May 2012 08:15:29 +0300
From: clutton <clutton0@gmail.com>
To: Robert Simmons <rsimmons0@gmail.com>
Cc: freebsd-fs@freebsd.org
Subject: Re: NFSv4 Questions amd
Message-ID: <1335849329.2363.10.camel@localhost>
In-Reply-To: <CA+QLa9BfKkZU8aJ+O7A_eYGgo7GyEq231bFe--YtnBXfYGh1KQ@mail.gmail.com>
References: <CA+QLa9B4Xxc-4pCo8y4pgU1BBoBvC2xG4vA3Kydr-Q2dXWRpNw@mail.gmail.com> <1494135294.103829.1335731763653.JavaMail.root@erie.cs.uoguelph.ca> <CA+QLa9BfKkZU8aJ+O7A_eYGgo7GyEq231bFe--YtnBXfYGh1KQ@mail.gmail.com>
All your thoughts were interesting. I also had all those problems (exports, rpcbind, sysctl). But now I work with the third version, because I need a working amd(8). Does anyone have a suggestion on how to make it work with NFSv4?

On Sun, 2012-04-29 at 17:23 -0400, Robert Simmons wrote:
> On Sun, Apr 29, 2012 at 4:36 PM, Rick Macklem <rmacklem@uoguelph.ca> wrote:
> > Robert Simmons wrote:
> >> On Sun, Apr 29, 2012 at 9:09 AM, Rick Macklem <rmacklem@uoguelph.ca> wrote:
> >> > Robert Simmons wrote:
> >> >> I've been digging and digging to find sources to clarify the
> >> >> exports(5) man page with no luck. What I have read differs from what
> >> >> I see on my server. From the man page examples section:
> >> >>
> >> >> V4: / -sec=krb5:krb5i:krb5p -network 131.104.48 -mask 255.255.255.0
> >> >>
> >> >> Now, here is what I have put as an experiment to try to understand
> >> >> what's happening here (my /etc/exports):
> >> >>
> >> >> V4: / -sec=krb5 -network 192.168.1 -mask 255.255.255.0
> >> >> /
> >> >>
> >> >> In this case, -sec=krb5 is totally ignored. I can mount / using sys.
> >> >>
> >> > The "-sec=krb5" restriction applies to state related operations that
> >> > don't use file handles.
> >> > The FreeBSD mount doesn't do any of those, so it is the options on
> >> > the second line "/" that control whether or not the mount succeeds.
> >> >
> >> > With the above exports, the first Open of a file should fail when
> >> > attempted via auth_sys, at least for the FreeBSD client. (The FreeBSD
> >> > client doesn't try and establish state via SetClientID until the
> >> > first Open. Some other clients do so at mount time.)
> >> >
> >> > I know this is ugly, but I thought it would be confusing to have the
> >> > semantics of the other export lines (like "/") different for NFSv4
> >> > than NFSv2,3. For NFSv2,3 all RPCs involve a file handle, so they can
> >> > be associated with a server volume.
> >> > For NFSv4, this is not the case, since some state related operations
> >> > (SetClientID/SetClientIDConfirm/Renew and maybe a couple of others)
> >> > do not use a file handle and, as such, can't be associated with an
> >> > exported volume. I put the options in the "V4:" for those, since I
> >> > couldn't think of where else to put them.
> >>
> >> I think a rewrite of exports(5) might help out quite a lot.
> >> Especially if the EXAMPLES section was scrapped entirely and replaced
> >> with a set of examples, each one more granular in explaining one
> >> feature or use case, instead of lumping all of it into explaining one
> >> huge export file.
> >>
> >> Since I'm working on setting up a pair of NFS servers with a set of
> >> clients, I volunteer. May I contact you offlist if I have questions?
> >>
> > Sure. However, I'd suggest that you get others to review it as well,
> > since I kinda know how it works and won't spot "missing bits", although
> > I should be able to catch most inaccuracies.
> >
> > Also, be sure to check "man nfsv4" and maybe reference it (it is
> > currently in the See Also list, but that might not be strong enough).
>
> Understood.
>
> >> >> If I use this:
> >> >>
> >> >> V4: /
> >> >> / -sec=krb5
> >> >>
> >> >> It requires proper kerberos authentication.
> >> >>
> >> > Yep, as explained above. If you really want to restrict NFSv4 use to
> >> > kerberos, then you should put the "-sec=krb5" on the V4: line and
> >> > all lines exporting volumes. For example:
> >> > V4: / -sec=krb5
> >> > / -sec=krb5
> >>
> >> Got it.
> >>
> >> >> My next question is: can I reject NFSv3/v2 clients/connections?
> >> >>
> >> > sysctl vfs.nfsd.server_min_nfsvers=4
> >>
> >> Perfect.
> >>
> >> >> Third question is: how can I disable rpcbind? It seems that the
> >> >> following does not work in rc.conf:
> >> >> rpcbind_enable="NO"
> >> >> When I'm running NFSv4 rpcbind is not needed, but it seems that
> >> >> mountd always starts rpcbind no matter what I do:
> >> >> /etc/rc.d/rpcbind stop
> >> >> is the only way to do it, and that is only after boot, or mountd
> >> >> starting.
> >> >>
> >> > Yea, I suppose there should be a -nfsv4-only option on mountd, so it
> >> > knows that it only needs to do exports and doesn't need rpcbind.
> >> > Since you are probably the first person wanting an NFSv4 only
> >> > server, I hadn't thought to do this. I'll put it on my "to do" list.
> >>
> >> If I may, perhaps a switch in /etc/rc.conf:
> >> nfsv4_only="YES"
> >>
> > I might call it nfsv4_server_only, but sounds like a good suggestion.
> >
> >> This would set the -nfsv4-only switch you mention for mountd, and it
> >> would set vfs.nfsd.server_min_nfsvers=4
> >>
> > It could also be used by /etc/rc.d/mountd to indicate "don't force
> > rpcbind".
> >
> > Have fun with it, rick
>
> Another thing to note about the behavior of mountd and the
> instructions in nfsv4(4):
> The three recommended lines to add to rc.conf are:
> nfs_server_enable="YES"
> nfsv4_server_enable="YES"
> nfsuserd_enable="YES"
>
> With only these three, if you change something in /etc/exports and
> want to kick mountd to have it reread the file, you get the following
> error:
> Cannot 'restart' mountd. Set mountd_enable to YES in /etc/rc.conf or
> use 'onerestart' instead of 'restart'.
>
> Would there be a drawback to suggesting setting mountd_enable in the man
> page to avoid this? In other words, is there a reason this is set up
> this way?
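The pitfall Rick describes in the quoted thread (a `-sec=krb5` that sits only on the `V4:` line does not govern the mount or the file operations; the options on the line that exports the volume do) is easy to miss once an exports file has more than two lines. The following checker is an added example for readers of this archive, not code from the thread or from FreeBSD's mountd. It parses the `-sec=` option of each exports(5) line, treats a line without `-sec=` as permitting the `sys` flavor (the exports(5) default), and reports every volume line that still allows a non-Kerberos flavor when the `V4:` line is restricted to `krb5`, `krb5i` or `krb5p`. The two sample exports files are constructed to mirror the experiment and the recommended form from the thread; the function names and the `KERBEROS_FLAVORS` set are this example's own.

```python
"""Lint an exports(5) file for the NFSv4 Kerberos pitfall from the thread.

Added example, not part of the mailing-list thread or of FreeBSD.  Rule
encoded: the -sec= option on the "V4:" line only covers state operations
that carry no file handle, so every line that exports a volume must carry
its own -sec= restriction, or a client can still mount and open files with
AUTH_SYS.  Per exports(5), a line without -sec= defaults to "sys".
"""
from typing import Dict, List, Set, Tuple

# Constructed samples (not taken from a real server).
# EXPORTS_WEAK mirrors Robert's experiment: krb5 on V4: only, "/" unrestricted.
EXPORTS_WEAK = """\
V4: / -sec=krb5 -network 192.168.1 -mask 255.255.255.0
/
"""

# EXPORTS_OK mirrors Rick's recommendation: krb5 on V4: and on every volume line.
EXPORTS_OK = """\
V4: / -sec=krb5
/ -sec=krb5
/usr/home -sec=krb5:krb5i:krb5p -network 192.168.1 -mask 255.255.255.0
"""

# Flavors that require a Kerberos ticket; anything else (notably "sys") does not.
KERBEROS_FLAVORS: Set[str] = {"krb5", "krb5i", "krb5p"}


def parse_exports(text: str) -> List[Dict]:
    """Return one record per non-empty, non-comment exports(5) line.

    Each record carries the line number, whether it is the "V4:" line, and
    the set of security flavors it permits ({"sys"} when -sec= is absent).
    """
    records: List[Dict] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # exports(5) allows '#' comments
        if not line:
            continue
        tokens = line.split()
        is_v4 = tokens[0] == "V4:"
        flavors: Set[str] = {"sys"}              # exports(5) default when -sec= is absent
        for tok in tokens:
            if tok.startswith("-sec="):          # last -sec= on the line wins
                flavors = set(tok[len("-sec="):].split(":"))
        records.append({"lineno": lineno, "v4": is_v4, "flavors": flavors, "text": line})
    return records


def check_nfsv4_exports(text: str) -> List[Tuple[int, str]]:
    """Report volume lines that undercut a Kerberos-only "V4:" line.

    Returns (line number, permitted flavors) for each offending line; an
    empty list means the V4: policy is also enforced by the volume lines.
    """
    records = parse_exports(text)
    v4_lines = [r for r in records if r["v4"]]
    if not v4_lines:
        return []                                # no NFSv4 root exported, nothing to check
    if not v4_lines[0]["flavors"] <= KERBEROS_FLAVORS:
        return []                                # V4: itself permits sys; nothing stricter to enforce
    findings: List[Tuple[int, str]] = []
    for r in records:
        if r["v4"]:
            continue
        if not r["flavors"] <= KERBEROS_FLAVORS:
            findings.append((r["lineno"], ":".join(sorted(r["flavors"]))))
    return findings


if __name__ == "__main__":
    for name, sample in (("weak", EXPORTS_WEAK), ("ok", EXPORTS_OK)):
        problems = check_nfsv4_exports(sample)
        print(f"{name}: {'OK' if not problems else problems}")
```

Run against a real `/etc/exports` by passing its contents to `check_nfsv4_exports`; a non-empty result lists exactly the lines a `sys`-authenticated client could still use to mount and open files, which is the behaviour Robert observed with the first experiment.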