Solved simple NFS server

Hi,

I'll try to keep the scenario as simple as possible, just what I need, and leave out all the other things that didn't work while experimenting with nfs.

I have the following working:

Code:
# /etc/exports
V4: /
/exports/pub
/exports/priv

This "works" - I can mount (from a Linux machine) with mount [-t nfs4] server:/exports/pub dir
or mount server:/exports/priv dir
... and also with mount server:/exports dir, even though I have no -alldirs ?!

exports(5)
NFSv4 does not use the mount
protocol and does permit clients to cross server mount point boundaries,
although not all clients are capable of crossing the mount points.

Thank you very much. So...? :)

Now, as the directory names suggest, I tried this:

Code:
# /etc/exports
V4: /
/exports/pub
/exports/priv 192.168.1.123

Nothing changed, I can still mount everything from any machine (IP).

exports(5)
[...] Because NFSv4 does not use the mount
protocol, the “administrative controls” are not applied and all
directories within this server file system are mountable via NFSv4 even
if the -alldirs flag has not been specified. The third form has the
string ``V4:'' followed [...]
So I'm in "third form" and "administrative controls" should be applied... or not?

Main question: how can I restrict priv?
Side question 1: why can I mount exports?
Side question 2: why doesn't this work (just that line changed from above):
Code:
V4: /exports
/ is on zfs... (does it matter? I read exports(5)... several times... can't say I understood half of it.), pub and priv are just 2 directories and I exported both. (question 17: why does the filesystem matter to a network service?)
 
Code:
# /etc/exports
V4: /
/exports/pub
/exports/priv 192.168.1.123
Nothing changed, I can still mount everything from any machine (IP).
exports(5)
So I'm in "third form" and "administrative controls" should be applied... or not?
Only to NFS version < 4. If the clients use NFSv4, the root / is unrestricted.
Main question: how can I restrict priv?
Side question 1: why can I mount exports?
Side question 2: why doesn't this work (just that line changed from above):
Code:
V4: /exports
/ is on zfs... (does it matter?
Yes. You can either use the standalone nfsd(8) NFS server (running in so-called userland) which uses the exports(5) file, or use the zfs share & zfs unshare commands, which use the sharenfs dataset property & the in-kernel NFS server. RTFM zfs(8) tells that you can set this property to the options that otherwise would be in the exports(5) file.
I read exports(5)... several times... can't say I understood half of it.), pub and priv are just 2 directories and I exported both.
For one, be patient, the process of learning takes its time. After all it's a chemical process... 2nd, most man pages are written by the developers & they tend to silently assume the reader to have a lot of knowledge, to say it politely. The exports(5) & zfs(5) belong to the better half. At least they contain examples; others do not... You'll have a lot of fun & many déjà vus when reading The UNIX Haters Handbook. Quote (page iii): “Two of the most famous products of Berkeley are LSD and Unix. I don’t think that is a coincidence.”
(question 17: why does the filesystem matter to a network service?)
Because ZFS was designed & written to fulfill the requirements of network servers. Since these often export filesystems via NFS, that was built in right from the start. BTW it's hard to imagine the sense of a server machine when it's not networked.

Imagine you have to do some administrative tasks (e.g. recompute some data) on a filesystem and need to temporarily deny client access. Traditionally, you would have to edit the exports file (comment out that FS or path), restart the NFS server (or let it reread the configuration), do your stuff, and revert that after you're finished. With NFS built into ZFS, it's simply zfs unshare pool/dataset, do your stuff, zfs share pool/dataset, which is slightly more comfortable, and foremost, much less error-prone, since a typo cannot affect other exported datasets (the options stay untouched).
 
or use the zfs share & zfs unshare commands, which use the sharenfs dataset property & the in-kernel NFS server.
Only on Solaris/Illumos. On FreeBSD it just kicks off a script that stores all the sharenfs options in /etc/zfs/exports. FreeBSD's nfsd(8)/mountd(8) reads both /etc/exports and /etc/zfs/exports.

Side question 2: why doesn't this work (just that line changed from above):
Code:
V4: /exports
Your exports will then be relative to /exports. So instead of mount server:/exports/pub /some/dir you need to use mount server:/pub /some/dir.
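
An added example (not part of the original posts, and not FreeBSD's own code): a small audit of the two points made in this thread, that NFSv4 client paths are relative to the V4: root and that a per-host restriction does not hold when the directory shares a file system with an unrestricted export. The parser is a simplification of exports(5), and the mount point list is a constructed input standing in for the server's real datasets.

```python
import posixpath

# Constructed sample: the /etc/exports from the thread, with the V4 root at /exports.
SAMPLE = """\
V4: /exports
/exports/pub
/exports/priv 192.168.1.123
"""

def parse_exports(text):
    """Simplified exports(5) reader (assumption: one directory per line,
    tokens starting with '-' are options, everything else is a host)."""
    v4_root, exports = None, []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] == "V4:":
            v4_root = tokens[1]
        else:
            hosts = [t for t in tokens[1:] if not t.startswith("-")]
            exports.append((tokens[0], hosts))
    return v4_root, exports

def owning_fs(path, mountpoints):
    """Longest mount point containing path; '/' if none matches."""
    hits = [m for m in mountpoints
            if path == m or path.startswith(m.rstrip("/") + "/")]
    return max(hits, key=len, default="/")

def audit(text, mountpoints):
    """Per export: the path an NFSv4 client mounts, and whether a host
    restriction is undone by an unrestricted export on the same file system."""
    v4_root, exports = parse_exports(text)
    open_fs = {owning_fs(p, mountpoints) for p, hosts in exports if not hosts}
    report = []
    for path, hosts in exports:
        rel = posixpath.relpath(path, v4_root) if v4_root else None
        inside = rel is not None and rel != ".." and not rel.startswith("../")
        report.append({
            "server_path": path,
            "v4_mount": posixpath.normpath("/" + rel) if inside else None,
            "hosts": hosts or ["(everyone)"],
            "restriction_bypassed": bool(hosts)
                and owning_fs(path, mountpoints) in open_fs,
        })
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE, ["/", "/exports/pub", "/exports/priv"]):
        print(row)
```

With pub and priv as separate datasets the restriction on priv is reported as holding; passing `["/"]` as the only mount point reproduces the original poster's situation, where priv is flagged.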
 
Thank you Mjölnir and SirDice!

The key was exporting (either in /etc/exports or using zfs set sharenfs=... pool/dataset) a zfs dataset and not just some directory. I still have to find the purpose/advantage of using multiple datasets on the same pool; for now, I just see the disadvantage of stuff being copied/deleted with mv. I understand why this happens, I just don't see the point of having datasets... compression and encryption... right...

SirDice said:
So instead of mount server:/exports/pub /some/dir you need to use mount server:/pub /some/dir.
You are right. I was misled by this:

Code:
# --- on server ---

$ cat /etc/exports

V4: /exports
/exports/pub

# --- on client ---

$ showmount -e server

Export list for server:
server:/exports/pub (everyone)

How does the client find out he has to mount server:/pub and not what showmount shows him?
 