NFS exports to different subnetworks: ports and networks

[Moviuro]

Hi all!

I have a FreeBSD 9.1 server up and running as an NFS server. Its name is "frigg". I don't care if it has to be switched to NFSv4. It has an address in our 10.3.14 subnetwork (10.3.14.2), but will have to export some directories to 10.3.16 subnetwork. 10.3.14 is a network of known and trusted machines, which names are known in our DHCP server, and don't change often. 10.3.16 is a network of some middly trusted machines, which names are unresolved and our firewall prevents networking between 10.3.14 and 10.3.16 (OpenBSD's pf; its firewall rules can be changed if necessary).

Here is what I'd like to have:

What?           | Who with?| opt?|
----------------+----------+-----+
/srv/nfs/pacman | 10.3.14  | rw  |
----------------+----------+-----+
/srv/nfs/pacman | 10.3.16  | ro  |
----------------+----------+-----+
/srv/nfs/shared | 10.3.14  | rw  |
----------------+----------+-----+
/srv/tftp/boot  | 10.3.14  | ro  |
and all subdirs | 10.3.16  |     |
----------------+----------+-----+

Right now, I have this exports file:

/srv/nfs/pacman /srv/nfs/shared -mapall=0:0 freyr geror nanna baldr fjolnir thor
/srv/tftp/boot  -alldirs -ro -network=10.3.14.0 -mask=255.255.255.0
/srv/tftp/boot  -alldirs -ro -network=10.3.16.0 -mask=255.255.255.0

So, it does not do what I'd like it to do:

root@frigg:/root # showmount -e
Exports list on localhost:
/srv/tftp/boot                     10.3.14.0 10.3.16.0 
/srv/nfs/shared                    freyr.ginfo geror.ginfo nanna.ginfo baldr.ginfo fjolnir.ginfo thor.ginfo 
/srv/nfs/pacman                    freyr.ginfo geror.ginfo nanna.ginfo baldr.ginfo fjolnir.ginfo thor.ginfo

In the best case, I'd like not to have a single name inside the exports file (because in case that list gets bigger, it's going to become a real mess)

I also understood from what I read on IRC that NFS uses some random ports; it'll be great to have a way to force it to use only some known and fixed ports (for pf's sake).

I already went on IRC and got help from @xxzz and @nowak, who were both unable to help me work this out.

Also, if ever a such topic has been answered in the forums, I didn't see it with the search tool (in the Web & Network Service).

Best Regards,
Moviuro
"Our life is the immortals' death"

 

[ShelLuser]

I read through this two times and I still have a hard time understanding your actual problem. Also because your examples show some inconsistencies.

You mention that you wish to make /srv/nfs/pacman available for two different networks. Yet in the exports file you resorted to using single hostnames, why is that? It makes little sense to me because in another example (/srv/tftp/boot) you did use a full network mask.

Why not simply add two entries for /srv/nfs/pacman and define both network masks? Even the exports(5) manual page shows you this possibility.

As to a list of ports you could use, you might want to read up on this thread.

 

[Moviuro]

Well, the problem is: I can't get the correct syntax for what I want. The man is great but does not help for my configuration (no help about exporting a same folder to two different networks).

All other syntax I ever tried failed; eg:
/etc/exports

/srv/nfs/pacman -mapall=0:0 -network=10.3.14.0 -mask=255.255.255.0
/srv/nfs/pacman -ro -network=10.3.16.0 -mask=255.255.255.0
/srv/nfs/shared -mapall=0:0 -network=10.3.14.0 -mask=255.255.255.0
/srv/tftp/boot  -alldirs -ro -network=10.3.14.0 -mask=255.255.255.0
/srv/tftp/boot  -alldirs -ro -network=10.3.16.0 -mask=255.255.255.0

Gives:

Jun 18 22:49:05 frigg mountd[65865]: can't change attributes for /srv/nfs/shared
Jun 18 22:49:05 frigg mountd[65865]: bad exports list line /srv/nfs/shared -mapall
Jun 18 22:49:05 frigg mountd[65865]: can't change attributes for /srv/tftp/boot
Jun 18 22:49:05 frigg mountd[65865]: bad exports list line /srv/tftp/boot  -alldirs -ro -network
Jun 18 22:49:05 frigg mountd[65865]: can't change attributes for /srv/tftp/boot
Jun 18 22:49:05 frigg mountd[65865]: bad exports list line /srv/tftp/boot  -alldirs -ro -network

Shall I change it a little:
/etc/exports

/srv/tftp/boot -alldirs -ro -network=10.3.14.0 -mask=255.255.255.0
/srv/tftp/boot -alldirs -ro -network=10.3.16.0 -mask=255.255.255.0
/srv/nfs/pacman /srv/nfs/shared -mapall=0:0 -network=10.3.14.0 -mask=255.255.255.0
/srv/nfs/pacman -ro -network=10.3.16.0 -mask=255.255.255.0

Jun 18 22:57:39 frigg mountd[65865]: can't change attributes for /srv/nfs/shared
Jun 18 22:57:39 frigg mountd[65865]: bad exports list line /srv/nfs/pacman /srv/nfs/shared -mapall
Jun 18 22:57:39 frigg mountd[65865]: can't change attributes for /srv/nfs/pacman
Jun 18 22:57:39 frigg mountd[65865]: bad exports list line /srv/nfs/pacman -ro -network

showmount -e

Exports list on localhost:
/srv/tftp/boot                     10.3.14.0 10.3.16.0

But if I ever change order:
/etc/exports

/srv/nfs/pacman /srv/nfs/shared -mapall=0:0 -network=10.3.14.0 -mask=255.255.255.0
/srv/nfs/pacman -ro -network=10.3.16.0 -mask=255.255.255.0
/srv/tftp/boot -alldirs -ro -network=10.3.14.0 -mask=255.255.255.0
/srv/tftp/boot -alldirs -ro -network=10.3.16.0 -mask=255.255.255.0

Jun 18 23:00:16 frigg mountd[65865]: can't change attributes for /srv/tftp/boot
Jun 18 23:00:16 frigg mountd[65865]: bad exports list line /srv/tftp/boot -alldirs -ro -network
Jun 18 23:00:16 frigg mountd[65865]: can't change attributes for /srv/tftp/boot
Jun 18 23:00:16 frigg mountd[65865]: bad exports list line /srv/tftp/boot -alldirs -ro -network

showmount -e

Exports list on localhost:
/srv/nfs/shared                    10.3.14.0 
/srv/nfs/pacman                    10.3.14.0 10.3.16.0

So eventually, nothing works and I am seeking a way to get this to work as I want it to.

And yes, I posted an inconsistent file, telling

So, it does not do what I'd like it to do

I tried really many things and none of them worked. So I stick with something not perfect but still suitable for some of our usage.

 

[Moviuro]

I managed to have it working: since same folders with different options doesn't work, I mount those folders as nullfs and exported them instead.

% mount
/srv/nfs/pacman on /srv/nfs/314/pacman (nullfs, NFS exported, local)
/srv/nfs/pacman on /srv/nfs/316/pacman (nullfs, NFS exported, local)

and the working /etc/exports

/srv/nfs/shared -mapall=0:0 -network=10.3.14.0 -mask=255.255.255.0
/srv/nfs/314/pacman -mapall=0:0 -network=10.3.14.0 -mask=255.255.255.0
/srv/tftp/boot  -alldirs -ro -network=10.3.14.0 -mask=255.255.255.0
/srv/nfs/316/pacman -ro -network=10.3.16.0 -mask=255.255.255.0
/srv/tftp/boot  -alldirs -ro -network=10.3.16.0 -mask=255.255.255.0

And eventually,

% showmount -e
Exports list on localhost:
/srv/nfs/316/pacman                10.3.16.0 
/srv/nfs/shared                    10.3.14.0 
/srv/nfs/314/pacman                10.3.14.0 
/srv/tftp/boot                     10.3.14.0 10.3.16.0

 

[ShelLuser]

Well, the problem is: I can't get the correct syntax for what I want. The man is great but does not help for my configuration (no help about exporting a same folder to two different networks).

From the exports(5) manualpage (I'm skipping non-relevant parts):

[B]FILES[/B]
     /etc/exports  the default remote mount-point file

[B]EXAMPLES[/B]
           /usr /usr/local -maproot=0:10 friends
           /usr -maproot=daemon grumpy.cis.uoguelph.ca 131.104.48.16
           /usr -ro -mapall=nobody

---<SKIP

Given that /usr, /u, /a and /u2 are local file system mount points, the
above example specifies the following:

The file system rooted at /usr is exported to hosts friends where friends
is specified in the netgroup file with users mapped to their remote cre-
dentials and root mapped to UID 0 and group 10.  It is exported read-
write and the hosts in ``friends'' can mount either /usr or /usr/local.
It is exported to 131.104.48.16 and grumpy.cis.uoguelph.ca with users
mapped to their remote credentials and root mapped to the user and groups
associated with ``daemon''; it is exported to the rest of the world as
read-only with all users mapped to the user and groups associated with
``nobody''.

How is that not showing you both the syntax as well as how to make this work?

Better yet, you even got the syntax right when it comes to the third share option (in which you specify the network and optional mask).

All other syntax I ever tried failed; eg:
/etc/exports

/srv/nfs/pacman -mapall=0:0 -network=10.3.14.0 -mask=255.255.255.0
/srv/nfs/pacman -ro -network=10.3.16.0 -mask=255.255.255.0
/srv/nfs/shared -mapall=0:0 -network=10.3.14.0 -mask=255.255.255.0
/srv/tftp/boot  -alldirs -ro -network=10.3.14.0 -mask=255.255.255.0
/srv/tftp/boot  -alldirs -ro -network=10.3.16.0 -mask=255.255.255.0

Gives:

Jun 18 22:49:05 frigg mountd[65865]: can't change attributes for /srv/nfs/shared
Jun 18 22:49:05 frigg mountd[65865]: bad exports list line /srv/nfs/shared -mapall
Jun 18 22:49:05 frigg mountd[65865]: can't change attributes for /srv/tftp/boot
Jun 18 22:49:05 frigg mountd[65865]: bad exports list line /srv/tftp/boot  -alldirs -ro -network
Jun 18 22:49:05 frigg mountd[65865]: can't change attributes for /srv/tftp/boot
Jun 18 22:49:05 frigg mountd[65865]: bad exports list line /srv/tftp/boot  -alldirs -ro -network

Which then raises the question: are these local file systems? I get the impression they're not since your last post suddenly mentioned things like nullfs (which is where you completely lost me ).

Because if I copy your first two export lines and apply them to /usr or any other local file system on my server then it works without any problems. Obviously there is a difference if you're trying to export non-local file systems, but your posts never mentioned anything about that.

Alas, good to hear you got it working though I still don't quite understand what you did exactly