Date: Sun, 23 Oct 2016 22:01:59 +0000 From: Rick Macklem <rmacklem@uoguelph.ca> To: Ben Whaley <bwhaley@gmail.com>, "freebsd-net@freebsd.org" <freebsd-net@freebsd.org> Subject: Re: NFSv4 exports confusion Message-ID: <YTXPR01MB0189DB96028EFB59128F6C03DDD60@YTXPR01MB0189.CANPRD01.PROD.OUTLOOK.COM> In-Reply-To: <CAOfR73h=cqd5L_=We5yABoiDx7zbmu=guSQJRa8aF3L_-YW%2BfQ@mail.gmail.com> References: <CAOfR73h=cqd5L_=We5yABoiDx7zbmu=guSQJRa8aF3L_-YW%2BfQ@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Ben Whaley wrote: > Hi all, > > I=92m probably just misunderstanding something pretty basic here so apolo= gies > if that=92s the case. > > The NFSv4 pseudo-filesystem root is not behaving the way I=92d expect. > Consider the following extremely simple /etc/exports (just for example > purposes): FreeBSD does not implement a pseudo-filesystem (which was just a suggested mechanism in the RFC that only Solaris did, as far as I know. The "V4:" line simply specifies where in the real server file system tree t= he NFSv4 root is. > V4: /exports > /exports/export1 /exports/export2 -network 172.28.0.0/16 Since these paths are both on the same line, it suggests that they are the = same server file system. Exports are handled by the FreeBSD kernel on a per-serv= er-filesystem basis. --> As such this line exports the file system /export to 172.28.0.0 and any= where in that file system is exported. If you only want /export/export1 and /export/export2 to be exported, they n= eed to be separate server file systems and need to be exported by separate lines i= n /etc/exports. (The two directories /export/export1 and /export/export2 on the above line = are referred to as "administrative control". In practice that means that the N= FSv3 mount protocol implemented by mountd(8) will only accept those paths. The rest o= f the file system is actually exported, but a typical NFSv3 client won't be able= to mount them. A hacked or malicious one could access the rest of /export, since the kern= el doesn't know anything about subtrees of a server fiule system.) Since NFSv4 doesn't use the Mount protocol (and never talks to mountd(8)), = it knows nothing about these "administrative controls". (And, yes, /etc/exports is c= omplicated including the man page that tries to explain it.) --> The behaviour you describe is what is expected to happen, given /export= /export1 and /export/export2 are on the same server file system. > And this directory structure: > > # tree /exports/ > /exports/ > |-- export1 > | `-- file1 > |-- export2 > | `-- file2 > `-- notanexport > `=97 file > > Now when I mount / as the NFSv4 pseudo-fs root (from an Ubuntu Xenial > client): > > mount -t nfs4 server:/ /mnt > > I would expect to see only export1 and export2. But in fact I see If you want the client to just see export1 and export2, you can mount them individually. For example: mount -t nfs4 server:/export1 /mnt/export1 mount -t nfs4 server:/export2 /mnt/export2 > # ls /mnt > export1 export2 notanexport > > And the contents of /exports/notanexport/file are available to the client= . >=20 > Why is this? The language in RFC7530 seems explicit to me: > > Portions of the server namespace that are not exported are bridged via a >=93pseudo-file system=94 that provides a view of exported directories only= . > > E.g. per the spec, only exported filesystems should be visible, and the > path to get to them. The pseudo-fs only exposes directories that must be > traversed to reach all exports. I am not aware of exactly what the Linux server does these days. At one tim= e, you specified a single file system as the root and the "root of the tree is= there". (I once did a pseudo-file system, but the code was complicated and no one s= eemed to care, so I tossed it. As I noted above, only Solaris ever did a real ps= eudo-fs as far as I am aware and everyone assumed the RFC described it just to demonstrat= e it was a possible solution, not a required one.) > The man page also states: > > The nfsd(8) allows a limited subset of operations to be performed on non-= exported >subtrees=20 Subtrees are segmented on file system mount points in the server. In this c= ase, it refers to one or more file systems that need to be traversed on the way = to the file systems that are actually exported. rick=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?YTXPR01MB0189DB96028EFB59128F6C03DDD60>