NFSv4 exports confusion

Rick Macklem rmacklem at uoguelph.ca
Sun Oct 23 22:02:09 UTC 2016 

Ben Whaley wrote:

> Hi all,
>
> I’m probably just misunderstanding something pretty basic here so apologies
> if that’s the case.
>
> The NFSv4 pseudo-filesystem root is not behaving the way I’d expect.
> Consider the following extremely simple /etc/exports (just for example
> purposes):
FreeBSD does not implement a pseudo-filesystem (which was just a suggested
mechanism in the RFC that only Solaris did, as far as I know.
The "V4:" line simply specifies where in the real server file system tree the NFSv4 root
is.

> V4: /exports
> /exports/export1 /exports/export2 -network 172.28.0.0/16
Since these paths are both on the same line, it suggests that they are the same
server file system. Exports are handled by the FreeBSD kernel on a per-server-filesystem
basis.
--> As such this line exports the file system /export to 172.28.0.0 and anywhere in
      that file system is exported.
If you only want /export/export1 and /export/export2 to be exported, they need to
be separate server file systems and need to be exported by separate lines in
/etc/exports.
(The two directories /export/export1 and /export/export2 on the above line are
 referred to as "administrative control". In practice that means that the NFSv3 mount
 protocol implemented by mountd(8) will only accept those paths. The rest of the
 file system is actually exported, but a typical NFSv3 client won't be able to mount them.
 A hacked or malicious one could access the rest of /export, since the kernel doesn't
 know anything about subtrees of a server fiule system.)

Since NFSv4 doesn't use the Mount protocol (and never talks to mountd(8)), it knows
nothing about these "administrative controls". (And, yes, /etc/exports is complicated
including the man page that tries to explain it.)
--> The behaviour you describe is what is expected to happen, given /export/export1
      and /export/export2 are on the same server file system.

> And this directory structure:
>
> # tree /exports/
> /exports/
> |-- export1
> |   `-- file1
> |-- export2
> |   `-- file2
> `-- notanexport
>     `— file
>
> Now when I mount / as the NFSv4 pseudo-fs root (from an Ubuntu Xenial
> client):
>
> mount -t nfs4 server:/ /mnt
>
> I would expect to see only export1 and export2. But in fact I see
If you want the client to just see export1 and export2, you can mount them
individually. For example:
mount -t nfs4 server:/export1 /mnt/export1
mount -t nfs4 server:/export2 /mnt/export2

> # ls /mnt
> export1 export2 notanexport
>
> And the contents of /exports/notanexport/file are available to the client.
> 
> Why is this? The language in RFC7530 seems explicit to me:
>
> Portions of the server namespace that are not exported are bridged via a
>“pseudo-file system” that provides a view of exported directories only.
>
> E.g. per the spec, only exported filesystems should be visible, and the
> path to get to them. The pseudo-fs only exposes directories that must be
> traversed to reach all exports.
I am not aware of exactly what the Linux server does these days. At one time,
you specified a single file system as the root and the "root of the tree is there".
(I once did a pseudo-file system, but the code was complicated and no one seemed
 to care, so I tossed it. As I noted above, only Solaris ever did a real pseudo-fs as far
 as I am aware and everyone assumed the RFC described it just to demonstrate it was a possible solution, not a required one.)


> The man page also states:
>
> The nfsd(8) allows a limited subset of operations to be performed on non-exported >subtrees 

Subtrees are segmented on file system mount points in the server. In this case,
it refers to one or more file systems that need to be traversed on the way to the
file systems that are actually exported.

rick

More information about the freebsd-net mailing list