Date: Sun, 23 Oct 2016 22:01:59 +0000 From: Rick Macklem <rmacklem@uoguelph.ca> To: Ben Whaley <bwhaley@gmail.com>, "freebsd-net@freebsd.org" <freebsd-net@freebsd.org> Subject: Re: NFSv4 exports confusion Message-ID: <YTXPR01MB0189DB96028EFB59128F6C03DDD60@YTXPR01MB0189.CANPRD01.PROD.OUTLOOK.COM> In-Reply-To: <CAOfR73h=cqd5L_=We5yABoiDx7zbmu=guSQJRa8aF3L_-YW%2BfQ@mail.gmail.com> References: <CAOfR73h=cqd5L_=We5yABoiDx7zbmu=guSQJRa8aF3L_-YW%2BfQ@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Ben Whaley wrote:
> Hi all,
>
> I=92m probably just misunderstanding something pretty basic here so apolo=
gies
> if that=92s the case.
>
> The NFSv4 pseudo-filesystem root is not behaving the way I=92d expect.
> Consider the following extremely simple /etc/exports (just for example
> purposes):
FreeBSD does not implement a pseudo-filesystem (which was just a suggested
mechanism in the RFC that only Solaris did, as far as I know.
The "V4:" line simply specifies where in the real server file system tree t=
he NFSv4 root
is.
> V4: /exports
> /exports/export1 /exports/export2 -network 172.28.0.0/16
Since these paths are both on the same line, it suggests that they are the =
same
server file system. Exports are handled by the FreeBSD kernel on a per-serv=
er-filesystem
basis.
--> As such this line exports the file system /export to 172.28.0.0 and any=
where in
that file system is exported.
If you only want /export/export1 and /export/export2 to be exported, they n=
eed to
be separate server file systems and need to be exported by separate lines i=
n
/etc/exports.
(The two directories /export/export1 and /export/export2 on the above line =
are
referred to as "administrative control". In practice that means that the N=
FSv3 mount
protocol implemented by mountd(8) will only accept those paths. The rest o=
f the
file system is actually exported, but a typical NFSv3 client won't be able=
to mount them.
A hacked or malicious one could access the rest of /export, since the kern=
el doesn't
know anything about subtrees of a server fiule system.)
Since NFSv4 doesn't use the Mount protocol (and never talks to mountd(8)), =
it knows
nothing about these "administrative controls". (And, yes, /etc/exports is c=
omplicated
including the man page that tries to explain it.)
--> The behaviour you describe is what is expected to happen, given /export=
/export1
and /export/export2 are on the same server file system.
> And this directory structure:
>
> # tree /exports/
> /exports/
> |-- export1
> | `-- file1
> |-- export2
> | `-- file2
> `-- notanexport
> `=97 file
>
> Now when I mount / as the NFSv4 pseudo-fs root (from an Ubuntu Xenial
> client):
>
> mount -t nfs4 server:/ /mnt
>
> I would expect to see only export1 and export2. But in fact I see
If you want the client to just see export1 and export2, you can mount them
individually. For example:
mount -t nfs4 server:/export1 /mnt/export1
mount -t nfs4 server:/export2 /mnt/export2
> # ls /mnt
> export1 export2 notanexport
>
> And the contents of /exports/notanexport/file are available to the client=
.
>=20
> Why is this? The language in RFC7530 seems explicit to me:
>
> Portions of the server namespace that are not exported are bridged via a
>=93pseudo-file system=94 that provides a view of exported directories only=
.
>
> E.g. per the spec, only exported filesystems should be visible, and the
> path to get to them. The pseudo-fs only exposes directories that must be
> traversed to reach all exports.
I am not aware of exactly what the Linux server does these days. At one tim=
e,
you specified a single file system as the root and the "root of the tree is=
there".
(I once did a pseudo-file system, but the code was complicated and no one s=
eemed
to care, so I tossed it. As I noted above, only Solaris ever did a real ps=
eudo-fs as far
as I am aware and everyone assumed the RFC described it just to demonstrat=
e it was a possible solution, not a required one.)
> The man page also states:
>
> The nfsd(8) allows a limited subset of operations to be performed on non-=
exported >subtrees=20
Subtrees are segmented on file system mount points in the server. In this c=
ase,
it refers to one or more file systems that need to be traversed on the way =
to the
file systems that are actually exported.
rick=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?YTXPR01MB0189DB96028EFB59128F6C03DDD60>