NFSv4 exports confusion

[Ben Whaley]

Thank you, Rick, for taking the time to reply.

In an NFSv4 server, is it possible to have multiple exports on the same
filesystem but not under the same tree without exposing the top level
directory?

E.g. if you wanted to export the following without also exporting /

/path/to/export1
/anotherpath/to/export2

Assuming export1 and export2 are both on the same server filesystem, could
they both be exported without exporting / as the NFSv4 root?

Also, exports(5) says:

> The third form has the string ``V4:’’ followed by a single absolute path
name, to specify the NFSv4 tree root.  > This line does not export any file
system, but simply marks where the root of the server’s directory tree is
for > NFSv4 clients.

Yet the V4 root seems to behave like a “normal” export with the -alldirs
option. A V4 client can mount the V4 root and any subdirectory under it,
whether the subdir was exported or not. Am I misunderstanding what the man
page says?

Thanks again,
Ben




On Sun, Oct 23, 2016 at 3:01 PM, Rick Macklem <rmacklem at uoguelph.ca> wrote:

> Ben Whaley wrote:
>
> > Hi all,
> >
> > I’m probably just misunderstanding something pretty basic here so
> apologies
> > if that’s the case.
> >
> > The NFSv4 pseudo-filesystem root is not behaving the way I’d expect.
> > Consider the following extremely simple /etc/exports (just for example
> > purposes):
> FreeBSD does not implement a pseudo-filesystem (which was just a suggested
> mechanism in the RFC that only Solaris did, as far as I know.
> The "V4:" line simply specifies where in the real server file system tree
> the NFSv4 root
> is.
>
> > V4: /exports
> > /exports/export1 /exports/export2 -network 172.28.0.0/16
> Since these paths are both on the same line, it suggests that they are the
> same
> server file system. Exports are handled by the FreeBSD kernel on a
> per-server-filesystem
> basis.
> --> As such this line exports the file system /export to 172.28.0.0 and
> anywhere in
>       that file system is exported.
> If you only want /export/export1 and /export/export2 to be exported, they
> need to
> be separate server file systems and need to be exported by separate lines
> in
> /etc/exports.
> (The two directories /export/export1 and /export/export2 on the above line
> are
>  referred to as "administrative control". In practice that means that the
> NFSv3 mount
>  protocol implemented by mountd(8) will only accept those paths. The rest
> of the
>  file system is actually exported, but a typical NFSv3 client won't be
> able to mount them.
>  A hacked or malicious one could access the rest of /export, since the
> kernel doesn't
>  know anything about subtrees of a server fiule system.)
>
> Since NFSv4 doesn't use the Mount protocol (and never talks to mountd(8)),
> it knows
> nothing about these "administrative controls". (And, yes, /etc/exports is
> complicated
> including the man page that tries to explain it.)
> --> The behaviour you describe is what is expected to happen, given
> /export/export1
>       and /export/export2 are on the same server file system.
>
> > And this directory structure:
> >
> > # tree /exports/
> > /exports/
> > |-- export1
> > |   `-- file1
> > |-- export2
> > |   `-- file2
> > `-- notanexport
> >     `— file
> >
> > Now when I mount / as the NFSv4 pseudo-fs root (from an Ubuntu Xenial
> > client):
> >
> > mount -t nfs4 server:/ /mnt
> >
> > I would expect to see only export1 and export2. But in fact I see
> If you want the client to just see export1 and export2, you can mount them
> individually. For example:
> mount -t nfs4 server:/export1 /mnt/export1
> mount -t nfs4 server:/export2 /mnt/export2
>
> > # ls /mnt
> > export1 export2 notanexport
> >
> > And the contents of /exports/notanexport/file are available to the
> client.
> >
> > Why is this? The language in RFC7530 seems explicit to me:
> >
> > Portions of the server namespace that are not exported are bridged via a
> >“pseudo-file system” that provides a view of exported directories only.
> >
> > E.g. per the spec, only exported filesystems should be visible, and the
> > path to get to them. The pseudo-fs only exposes directories that must be
> > traversed to reach all exports.
> I am not aware of exactly what the Linux server does these days. At one
> time,
> you specified a single file system as the root and the "root of the tree
> is there".
> (I once did a pseudo-file system, but the code was complicated and no one
> seemed
>  to care, so I tossed it. As I noted above, only Solaris ever did a real
> pseudo-fs as far
>  as I am aware and everyone assumed the RFC described it just to
> demonstrate it was a possible solution, not a required one.)
>
>
> > The man page also states:
> >
> > The nfsd(8) allows a limited subset of operations to be performed on
> non-exported >subtrees
>
> Subtrees are segmented on file system mount points in the server. In this
> case,
> it refers to one or more file systems that need to be traversed on the way
> to the
> file systems that are actually exported.
>
> rick