Re: Problems Migrating from NFSv3 to NFSv4

["J. Bruce Fields" <bfields@fieldses.org>]

On Thu, Nov 19, 2009 at 02:58:16PM +0100, Christopher Metter wrote:
> J. Bruce Fields schrieb:
>> On Mon, Nov 16, 2009 at 07:57:57PM +0100, Christopher Metter wrote:
>>   
>>> Hi there folks!
>>>
>>> Im trying to migrate from NFSv3 to NFSv4. I've read diverse Articles 
>>> and  Howtos, but i cant find a solution to my problem.
>>>
>>> For better understanding: My NFSv4 Root is /srv/data/, a Folder that  
>>> existed before and has diverse Subfolders in it. These Folders are   
>>> really there and are not mounted by "mount --bind".
>>>
>>> The Servers IP: 192.168.0.10
>>> Client1: 192.168.0.1
>>> Client2: 192.168.0.2
>>>
>>> Setup with NFSv3:
>>> 2 Folders (scratch and software) were shared for 2 Clients. In 
>>> Scratch  both clients had full RW-access and on software only Client2 
>>> had rw,  Client1 had RO.
>>> Config:
>>> /srv/data/scratch-all    *(rw,async,no_root_squash,nohide,no_subtree_check)
>>> /srv/data/software      
>>> 10.0.12.4(ro,sync,no_root_squash,nohide,no_subtree_check)   
>>> 10.0.12.5(rw,sync,no_root_squash,nohide,no_subtree_check)
>>>
>>> My NFSv4 Config (from Server/etc/exports)
>>> |/srv/data/   
>>> 192.168.0.2(rw,sync,fsid=0,insecure,no_root_squash,no_subtree_check)  
>>> 192.168.0.1(rw,sync,fsid=0,insecure,no_root_squash,no_subtree_check)
>>> /srv/data/scratch *(rw,async,no_root_squash,no_subtree_check)
>>> /srv/data/software 
>>> 192.168.0.1(ro,sync,no_root_squash,no_subtree_check)   
>>> 192.168.0.2(rw,sync,no_root_squash,no_subtree_check)
>>> |
>>> After that i mounted from Client1 and Client2  the Sharefolders   
>>> directrly (e.g. software: mount -t nfs4 -o intr,hard,rw   
>>> 192.168.0.10:/software  /targetfolder), everything works perfect, 
>>> every  Client has its specific rights and so on.
>>>
>>> But if im mounting Servers Root (mount -t nfs4 -o intr,hard,rw   
>>> 192.168.0.10:/ /targetfolder)  from Client1 I do have complete RW 
>>> Access  to the full "Data" folder, even with RW for Software (which i 
>>> set for  RO).
>>>     
>>
>> Exports don't operate on "folders", only on filesystems: if you export
>> /srv/data/ read-write, and if /srv/data/software is on the same
>> filesystem as /srv/data, then /srv/data will also be exported, and also
>> writeable.
>>
>> --b
> Is there a workaround to this behavior? Or a trick to get an NFSv4 Setup  
> corresponding to the NFSv3 Setup?

If you add a trivial mountpoint there with:

	"mount --bind /srv/data/software /srv/data/software"

I think that will do the job.

Note this isn't really secure--this will prevent users on 192.168.0.1
from accidentally modifying software/, but won't do anything against
someone malicious with access to the network.

--b.