From: Ben Whaley
Date: Sun, 23 Oct 2016 13:25:24 -0700
Subject: NFSv4 exports confusion
To: freebsd-net@freebsd.org

Hi all,

I’m probably just misunderstanding something pretty basic here so apologies if that’s the case.

The NFSv4 pseudo-filesystem root is not behaving the way I’d expect. Consider the following extremely simple /etc/exports (just for example purposes):

    V4: /exports
    /exports/export1 /exports/export2 -network 172.28.0.0/16

And this directory structure:

    # tree /exports/
    /exports/
    |-- export1
    |   `-- file1
    |-- export2
    |   `-- file2
    `-- notanexport
        `-- file

Now when I mount / as the NFSv4 pseudo-fs root (from an Ubuntu Xenial client):

    mount -t nfs4 server:/ /mnt

I would expect to see only export1 and export2. But in fact I see

    # ls /mnt
    export1 export2 notanexport

And the contents of /exports/notanexport/file are available to the client.

Why is this? The language in RFC7530 seems explicit to me:

> Portions of the server namespace that are not exported are bridged via a “pseudo-file system” that provides a view of exported directories only.

E.g. per the spec, only exported filesystems should be visible, and the path to get to them. The pseudo-fs only exposes directories that must be traversed to reach all exports.


The FreeBSD exports(5) language is somewhat confusing/ambiguous. I won’t quote it here because it’s too long, but see the third paragraph under the description section. I can see from a few past threads (for example, this one: https://lists.freebsd.org/pipermail/freebsd-net/2014-July/039407.html) that some work has been done to clarify this. I’m not sure the clarification ever made it in to the man page though. The man page also states:

> The nfsd(8) allows a limited subset of operations to be performed on non-exported subtrees of the local file system, so that traversal of the tree to the exported subtrees is possible.

So this all supports my understanding of how it works. But why is “notanexport” in my example above visible, and why can I read the file in that directory if it isn’t exported?

The situation on Linux is not 100% clear either. If you specify fsid=0 for a mount as instructed in the Linux man pages, you’ll have the same behavior as in FreeBSD. OTOH, if you ONLY specify the exports and do NOT have an fsid option, e.g. /etc/exports looks like:

    /exports/export1
    /exports/export2

Then it works as described by the RFC.

Can anyone help me to understand?

Thanks,
Ben
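
An audit check for the exposure described in the message above, added here as an example and not part of the original post: it walks the directory chosen as the NFSv4 root and lists every entry that is neither an export, inside an export, nor a directory that must be traversed to reach one, which is what the quoted RFC 7530 wording says a client should not see. The function names are hypothetical, the sample tree is a constructed copy of the layout in the post, and the comparison uses path names only, without considering file system boundaries.

```python
import tempfile
from pathlib import Path


def build_sample_tree(base):
    """Create a constructed copy of the directory layout from the post under base."""
    root = Path(base) / "exports"
    for rel in ("export1/file1", "export2/file2", "notanexport/file"):
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text("sample\n")
    return root


def classify(path, exports):
    """Place one path relative to the export list."""
    if any(path == e or e in path.parents for e in exports):
        return "exported"      # an export, or something inside one
    if any(path in e.parents for e in exports):
        return "traversal"     # must be crossed to reach an export
    return "unexported"        # the RFC 7530 pseudo-fs view would hide this


def unexported_entries(v4_root, exports):
    """List entries under v4_root that the spec's pseudo-fs view would not show."""
    root = Path(v4_root)
    exports = [Path(e) for e in exports]
    found, pending = [], [root]
    while pending:
        directory = pending.pop()
        for child in directory.iterdir():
            kind = classify(child, exports)
            if kind == "unexported":
                # Report the top of the subtree once; do not descend into it.
                found.append(child.relative_to(root).as_posix())
            elif kind == "traversal" and child.is_dir():
                pending.append(child)
    return sorted(found)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        exports = [root / "export1", root / "export2"]
        for name in unexported_entries(root, exports):
            print("reachable from the V4 root but not exported:", name)
```

Run on a server against the real root and export paths, an empty result means nothing sits beside the exports for a client to reach by name.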