Understanding NFS4 (Linux server)
Great questions; this highlights a bigger point with the documentation, IMO. Here is an attempt at a complete answer:
What does "subsequent exports on that line only" mean?
An example's probably easiest here:
/export/stuff -rw 10.0.0.54 10.0.0.55
is equivalent to:
/export/stuff 10.0.0.54(rw) 10.0.0.55(rw)
Is fsid=0 not required anymore?
This depends on your use case. From the rest of your query it looks like you are exporting regular disk-based filesystems; in that case you are best to drop fsid=0 (which in nfsv4 changes the behavior to reference the root filesystem of the export).
To change this behaviour, remove the no_subtree_check option.
rmtab-related stuff
- Is the handling of rmtab a security risk?
I guess it depends on your use case to answer that; on my network it doesn't present a credible information leak, but I can see cases where it could potentially.
- Won't rmtab be full of stale entries?
Potentially yes, again depending on your deployment scenario / use case.
- Is this why some clients running mount -v erroneously see "nothing was mounted"?
I've not come across this yet.
drumfire
Updated on September 18, 2022
Comments
-
drumfire almost 2 years
I've been a bit bothered by NFS4 on Linux. Some information 'out there' seems to conflict with other information, and other information appears hard to find. So here are a couple of things that caught my attention, hopefully someone out there can shed some light on this.
This question focuses exclusively on NFS4 without Kerberos etc.
1. Exports
There is ambiguous information in the exports manpage on the structure of /etc/exports. To quote from exports(5):
Also, each line may have one or more specifications for default options after the path name, in the form of a dash ("-") followed by an option list. The option list is used for all subsequent exports on that line only.
What does "subsequent exports on that line only" mean?
1.2 fsid=0 not required anymore?
I was searching for fsid when I found a comment on the linux-nfs list stating fsid=0 is not required anymore. Now I'm just confused, do I need it with nfs4 or not?!
2. Non-exported directory still mountable
Say I have the following tree:
/exp
/exp/users
/exp/distr
/exp/distr/archlinux
/exp/distr/debian
And I have the following fstab entries:
/dev/disk/by-label/users /mnt/users ext4 defaults 0 0
/dev/disk/by-label/distr /mnt/distr ext4 defaults 0 0
/mnt/users /exp/users none bind 0 0
/mnt/distr /exp/distr none bind 0 0
And my exports is exactly this:
/exp 192.168.1.0/24(fsid=0,rw,async,no_subtree_check,no_root_squash)
/exp/distr 192.168.1.0/24(rw,async,no_subtree_check,no_root_squash)
And exportfs -arv shows:
exporting 192.168.1.0/24:/exp/distr
exporting 192.168.1.0/24:/exp
Then why am I able to do this and get no error on a client:
mount -t nfs4 server:/exp/users /tmp/test
Even though /exp/users is not exported? I didn't export this directory, and while I don't see the contents of /dev/disk/by-label/users unless I specify crossmnt, I am still able to write to the directory. Everything I write there goes to the underlying directory of /exp/users, which can be seen when I umount /exp/users; ls /exp/users..
3. The odd case of showmount -d server
As stated by rpc.mountd(8), this command should display directories that are either currently mounted by clients, or stale entries in /var/lib/nfs/rmtab, as can be read:
The rpc.mountd daemon registers every successful MNT request by adding an entry to the /var/lib/nfs/rmtab file. When receiving a UMNT request from an NFS client, rpc.mountd simply removes the matching entry from /var/lib/nfs/rmtab, as long as the access control list for that export allows that sender to access the export.
(...)
Note, however, that there is little to guarantee that the contents of /var/lib/nfs/rmtab are accurate. A client may continue accessing an export even after invoking UMNT. If the client reboots without sending a UMNT request, stale entries remain for that client in /var/lib/nfs/rmtab.
After reading this I surely wonder:
- Isn't it terribly insecure to just expose this type of client information;
- Aren't unaware server admins bound to have an rmtab with a lot of stale clients;
- Is this the reason that clients that mount nfs4 directories with mount -v get to see output like "nothing was mounted" even though something was mounted?
I have a lot of other questions regarding nfs4, but I'll keep it at this for the moment.. :)
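As an added example (not code from the question, the answer or nfs-utils), the following Python expands the answer's rule that a "-opts" token applies to all subsequent exports on that line only, and then audits the resulting per-client option maps for the settings a defender would look at first: no_root_squash and no_subtree_check, both present in the exports quoted above. It assumes that options in parentheses are layered over the line's defaults, and its sample exports are constructed from the lines on this page.

```python
# Spellings that toggle one boolean key: value True or False for that key.
PAIRS = {"rw": ("rw", True), "ro": ("rw", False),
         "async": ("async", True), "sync": ("async", False),
         "insecure": ("insecure", True), "secure": ("insecure", False)}
# (key, value) combinations a defender wants flagged, with the reason.
RISKY = {("root_squash", False): "remote root keeps uid 0 on the export",
         ("subtree_check", False): "subdirectories mountable without their own entry",
         ("insecure", True): "requests from unprivileged source ports accepted"}

def normalize(option):
    """Map one option string to (key, value) so later options can override."""
    if option in PAIRS:
        return PAIRS[option]
    if "=" in option:                      # fsid=0 -> ("fsid", "0")
        return tuple(option.split("=", 1))
    if option.startswith("no_"):           # no_root_squash -> ("root_squash", False)
        return option[3:], False
    return option, True

def parse_exports(text):
    """Return {(path, client): {key: value}} for every export in text."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *tokens = line.split()
        defaults = {}
        for tok in tokens:
            if tok.startswith("-"):        # defaults for the rest of this line only
                defaults.update(map(normalize, tok[1:].split(",")))
                continue
            client, _, opts = tok.partition("(")
            merged = dict(defaults)        # line defaults first ...
            if opts:                       # ... then the client's own options win (assumption)
                merged.update(map(normalize, opts.rstrip(")").split(",")))
            table[(path, client or "*")] = merged
    return table

def audit(table):
    """Return (path, client, reason) for every export matching a RISKY setting."""
    return [(path, client, reason)
            for (path, client), opts in sorted(table.items())
            for (key, value), reason in RISKY.items() if opts.get(key) == value]

# Constructed sample: the answer's example line plus the question's two exports.
SAMPLE = """\
/export/stuff -rw 10.0.0.54 10.0.0.55(ro)
/exp 192.168.1.0/24(fsid=0,rw,async,no_subtree_check,no_root_squash)
/exp/distr 192.168.1.0/24(rw,async,no_subtree_check,no_root_squash)
"""
```

Running `audit(parse_exports(SAMPLE))` reports both /exp entries twice (root_squash and subtree_check) and nothing for /export/stuff, whose second client ends up read-only because its own (ro) overrides the line default.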
-
jirib about 12 years
Maybe export list doesn't like your strange bind mounted filesystems. Try first with /mnt/users...
-
drumfire about 12 years
This is about nfs4, which requires a "pseudo file system" i.e. a one tree file system hierarchy. Can you clarify what you mean, please?
-
SystemParadox almost 12 years
This wiki page also claims that fsid=0 is not required anymore: wiki.linux-nfs.org/wiki/index.php/…, but 'man exports' still implies it is required
-
Cyclone almost 12 years
I'd like to say I support this question. Like you I have observed many of the same things, and have the same question and more. It seems like an f*ing mess.
-
Victor Yarema over 6 years
Too many questions in one post. @drumfire, could you please break it down into separate, simpler question posts?
-
drumfire over 6 years
The question was asked in 2012. You are the first to criticize my post in over 5 years, so yeah, I'm just gonna pass. This isn't Twitter. Thanks though!
-
pgoetz over 6 years
I also have several unanswered questions about NFS4, and can't believe people have been asking about this for over 5 years with still no clear answers. Regarding your ability to mount /exp/users even though it isn't exported; that's completely inexplicable. I wonder if this is version dependent; i.e. a bug in an earlier version of NFS4; I certainly can't duplicate this behavior.