take away nfs write permissions instantly

take away nfs write permissions instantly

[Kapeller Rene PSI]

Can anyone help me on the following problem:

In order to take away nfs write permissions instantly for a previously 
mounted
nfs directory called '/data', I'm changing the export options for '/data'
on the server to 'ro', while keeping the mount on the client.

exportfs -io ro,sync,wdelay,no_root_squash nfsclient:/data

exportfs -v
/data   nfsserver(ro,wdelay,no_root_squash)

Surprisingly the client can still write to /data at this point, unless I do
umount/mount of /data.

Is this the way it's suposed to work?

Changing the nfs export options on a  SunOS 5.6 while clients have mounted
a nfs path, write permissions are instantly taken away from it.

share -F nfs -o ro,root=nfsclient /data

In both cases I used the following nfs mount options:
mount -o rw,sync,nfsvers=3,wsize=32768,rsize=32768

Thanks!
- Rene




-------------------------------------------------------
                   Bringing you mounds of caffeinated joy
                   >>>     http://thinkgeek.com/sf    <<<

_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs

Re: take away nfs write permissions instantly

[Stuart Sheldon]

Did you run exportfs -r after you changed exports?

Stu


Kapeller Rene PSI wrote:
> Can anyone help me on the following problem:
> 
> In order to take away nfs write permissions instantly for a previously 
> mounted
> nfs directory called '/data', I'm changing the export options for '/data'
> on the server to 'ro', while keeping the mount on the client.
> 
> exportfs -io ro,sync,wdelay,no_root_squash nfsclient:/data
> 
> exportfs -v
> /data   nfsserver(ro,wdelay,no_root_squash)
> 
> Surprisingly the client can still write to /data at this point, unless I do
> umount/mount of /data.
> 
> Is this the way it's suposed to work?
> 
> Changing the nfs export options on a  SunOS 5.6 while clients have mounted
> a nfs path, write permissions are instantly taken away from it.
> 
> share -F nfs -o ro,root=nfsclient /data
> 
> In both cases I used the following nfs mount options:
> mount -o rw,sync,nfsvers=3,wsize=32768,rsize=32768
> 
> Thanks!
> - Rene
> 
> 
> 
> 
> -------------------------------------------------------
>                   Bringing you mounds of caffeinated joy
>                   >>>     http://thinkgeek.com/sf    <<<
> 
> _______________________________________________
> NFS maillist  -  NFS@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nfs




-------------------------------------------------------
                   Bringing you mounds of caffeinated joy
                   >>>     http://thinkgeek.com/sf    <<<

_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs

Re: take away nfs write permissions instantly

[Kapeller Rene PSI]

exportfs -r did not help either!
(Since I do not fully understand the difference between exportfs -a and 
exportfs -r, I usually do both.)

Btw, I'm using RedHat-7.3 (nfs-utils-0.3.3) on the Linux side.

Rene


Stuart Sheldon wrote:
> Did you run exportfs -r after you changed exports?
> 
> Stu
> 
> 
> Kapeller Rene PSI wrote:
> 
>> Can anyone help me on the following problem:
>>
>> In order to take away nfs write permissions instantly for a previously 
>> mounted
>> nfs directory called '/data', I'm changing the export options for '/data'
>> on the server to 'ro', while keeping the mount on the client.
>>
>> exportfs -io ro,sync,wdelay,no_root_squash nfsclient:/data
>>
>> exportfs -v
>> /data   nfsserver(ro,wdelay,no_root_squash)
>>
>> Surprisingly the client can still write to /data at this point, unless 
>> I do
>> umount/mount of /data.
>>
>> Is this the way it's suposed to work?
>>
>> Changing the nfs export options on a  SunOS 5.6 while clients have 
>> mounted
>> a nfs path, write permissions are instantly taken away from it.
>>
>> share -F nfs -o ro,root=nfsclient /data
>>
>> In both cases I used the following nfs mount options:
>> mount -o rw,sync,nfsvers=3,wsize=32768,rsize=32768
>>
>> Thanks!
>> - Rene
>>
>>
>>
>>
>> -------------------------------------------------------
>>                   Bringing you mounds of caffeinated joy
>>                   >>>     http://thinkgeek.com/sf    <<<
>>
>> _______________________________________________
>> NFS maillist  -  NFS@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/nfs
> 
> 





-------------------------------------------------------
                   Bringing you mounds of caffeinated joy
                   >>>     http://thinkgeek.com/sf    <<<

_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs

Re: take away nfs write permissions instantly

[Tom McNeal]

Hi -

Since the mount has taken place, I wouldn't expect that
modifying the export would change things, unless you 
also modified the file system on the server in order to
prevent write accesses from taking place at all.  Even then,
it wouldn't necessarily take place instantly due to caches 
on the client, in PV2.  It would probably be much faster
in PV3, since you'd see the attribute change after the
next transaction, but it still wouldn't be instantaneous.   
I don't know if there is a way to do what you want to do. 
(This is my instant reaction, so take it with the standard 
grain of salt...)

Tom 


Kapeller Rene PSI wrote:
> 
> exportfs -r did not help either!
> (Since I do not fully understand the difference between exportfs -a and
> exportfs -r, I usually do both.)
> 
> Btw, I'm using RedHat-7.3 (nfs-utils-0.3.3) on the Linux side.
> 
> Rene
> 
> Stuart Sheldon wrote:
> > Did you run exportfs -r after you changed exports?
> >
> > Stu
> >
> >
> > Kapeller Rene PSI wrote:
> >
> >> Can anyone help me on the following problem:
> >>
> >> In order to take away nfs write permissions instantly for a previously
> >> mounted
> >> nfs directory called '/data', I'm changing the export options for '/data'
> >> on the server to 'ro', while keeping the mount on the client.
> >>
> >> exportfs -io ro,sync,wdelay,no_root_squash nfsclient:/data
> >>
> >> exportfs -v
> >> /data   nfsserver(ro,wdelay,no_root_squash)
> >>
> >> Surprisingly the client can still write to /data at this point, unless
> >> I do
> >> umount/mount of /data.
> >>
> >> Is this the way it's suposed to work?
> >>
> >> Changing the nfs export options on a  SunOS 5.6 while clients have
> >> mounted
> >> a nfs path, write permissions are instantly taken away from it.
> >>
> >> share -F nfs -o ro,root=nfsclient /data
> >>
> >> In both cases I used the following nfs mount options:
> >> mount -o rw,sync,nfsvers=3,wsize=32768,rsize=32768
> >>
> >> Thanks!
> >> - Rene

--
------------------------------------------------------------
Tom McNeal       trmcneal@attbi.com     (650)906-0761 (cell) 
------------------------------------------------------------


-------------------------------------------------------
                   Bringing you mounds of caffeinated joy
                   >>>     http://thinkgeek.com/sf    <<<

_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs

Re: take away nfs write permissions instantly

[Neil Brown]

On Thursday June 20, rene.kapeller@psi.ch wrote:
> Can anyone help me on the following problem:
> 
> In order to take away nfs write permissions instantly for a previously 
> mounted
> nfs directory called '/data', I'm changing the export options for '/data'
> on the server to 'ro', while keeping the mount on the client.
> 
> exportfs -io ro,sync,wdelay,no_root_squash nfsclient:/data
                                             ^^^^^^^^^
> 
> exportfs -v
> /data   nfsserver(ro,wdelay,no_root_squash)
          ^^^^^^^^^

Presumably both should read "nfsclient" - yes?

This should work.

What version of nfs-utils are you using?? (showmount -v)

What does /proc/fs/nfs/exports say for nfsclient after you try to
re-export it?

Can you give more details?  What is in /etc/exports that relates to
the client (is it a wildcard export, a netgroup export...)..

NeilBrown


-------------------------------------------------------
Sponsored by:
ThinkGeek at http://www.ThinkGeek.com/
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs

Re: take away nfs write permissions instantly

[Kapeller Rene PSI]

Neil Brown wrote:
> On Thursday June 20, rene.kapeller@psi.ch wrote:
> 
>>Can anyone help me on the following problem:
>>
>>In order to take away nfs write permissions instantly for a previously 
>>mounted
>>nfs directory called '/data', I'm changing the export options for '/data'
>>on the server to 'ro', while keeping the mount on the client.
>>
>>exportfs -io ro,sync,wdelay,no_root_squash nfsclient:/data
> 
>                                              ^^^^^^^^^
> 
>>exportfs -v
>>/data   nfsserver(ro,wdelay,no_root_squash)
> 
>           ^^^^^^^^^
> 
> Presumably both should read "nfsclient" - yes?
> 
> This should work.
> 
> What version of nfs-utils are you using?? (showmount -v)
> 
> What does /proc/fs/nfs/exports say for nfsclient after you try to
> re-export it?
> 
> Can you give more details?  What is in /etc/exports that relates to
> the client (is it a wildcard export, a netgroup export...)..
> 
> NeilBrown


To be precise, the entry in the /etc/exports looks like this:
/data2  172.19.0.0/255.255.0.0(ro,sync,no_root_squash)

exportfs -v
/data2        	172.19.0.0/255.255.0.0(ro,wdelay,no_root_squash)

cat /proc/fs/nfs/exports
/data2 
pc3691.slspn.psi.ch(rw,no_root_squash,sync,wdelay) # 172.19.84.51

Ooops ...!

I'm using RedHat-7.3 on the server and on the client (nfs-utils-0.3.3-5)

Rene




-------------------------------------------------------
Sponsored by:
ThinkGeek at http://www.ThinkGeek.com/
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs

Re: take away nfs write permissions instantly

[Neil Brown]

On Friday June 21, rene.kapeller@psi.ch wrote:
> 
> 
> To be precise, the entry in the /etc/exports looks like this:
> /data2  172.19.0.0/255.255.0.0(ro,sync,no_root_squash)
> 
> exportfs -v
> /data2        	172.19.0.0/255.255.0.0(ro,wdelay,no_root_squash)
> 
> cat /proc/fs/nfs/exports
> /data2 
> pc3691.slspn.psi.ch(rw,no_root_squash,sync,wdelay) # 172.19.84.51
> 
> Ooops ...!
> 
> I'm using RedHat-7.3 on the server and on the client (nfs-utils-0.3.3-5)
> 
> Rene
> 

I've just tried that version of nfs-utils and it seems to do the right
thing.

I can either:
    edit /etc/exports, and run "exportfs -r"
or run
    exportfs -io new,option,list hostname:/directory

and it will set the options properly.


Maybe a little explanation of how it all works will help:

/etc/exports contains information about how file systems should
     normally be exported.  This is only read by exportfs.

/var/lib/nfs/etab contains information about what filesystems should
     be exported to whom at the moment.

/var/lib/nfs/rmtab contains a list of which filesystems actually are
     mounted by certain clients at the moment.

/proc/fs/nfs/exports contains information about what filesystems are
     exported to actual client (individual, not subnet or whatever)
     at the moment.

/var/lib/nfs/xtab is the same information as /proc/fs/nfs/exports but
     is maintained by nfs-utils instead of directly by the kernel.  It
     is only used if /proc isn't mounted.

When a mount request arrives, mountd check .../etab to see if that
host is allowed access.  If it is, an entry is placed in .../rmtab and
the filesystem is exported thus creating an entry in
/proc/fs/nfs/exports.


When you run
    exportfs -io  options host:/dir

then the entry in ../etab is changed, or a new one is added.
If it is a subnet/wildcard/netgroup entry, then every line in ../rmtab
is checked to see if it matches.  When a match is found, a
host-specific entry is given to (or changed in) the kernel.

When you run
    exportfs -a

it makes sure that all entries in /etc/exports are properly reflected
in .../etab.  Any extra entries in etab are left alone.  Once the
correct content of etab has been determined, rmtab is examine to
create a list of specific-host entries for any new entries in etab.
This host-specific entries are given to the kernel.

When you run
    exportfs -r
it ignores the prior contents of .../etab and initialises etab to the
contents of /etc/exportfs.  Then it inspects rmtab and make an changes
to /proc/fs/nfs/export that are necessary.


In general, the safest thing to do is edit /etc/exports and run
   exportfs -r

If this leaves you will /proc/fs/nfs/exports containing something that
you didn't expect, please show me the details (exportfs,etab,rmtab)
and I will look again.

NeilBrown


-------------------------------------------------------
Sponsored by:
ThinkGeek at http://www.ThinkGeek.com/
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs

Re: take away nfs write permissions instantly

[Bernd Schubert]

Hi,

thanks for these detailed information, could you please put this on the faq 
site? 

Thanks,

Bernd



-------------------------------------------------------
Sponsored by:
ThinkGeek at http://www.ThinkGeek.com/
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs

Re: take away nfs write permissions instantly

[Tom McNeal]

Done.  BTW, there was a request a while ago to have the FAQ
pay a little more attention to client vs. server related 
questions; I still mean to address that, but thought I'd
wait until the latest NFS utils package is released.  I'll
need to update things a little bit anyway when that happens.

Tom


Bernd Schubert wrote:
> 
> Hi,
> 
> thanks for these detailed information, could you please put this on the faq
> site?
> 
> Thanks,
> 
> Bernd
> 
> -------------------------------------------------------
> Sponsored by:
> ThinkGeek at http://www.ThinkGeek.com/
> _______________________________________________
> NFS maillist  -  NFS@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nfs

--
------------------------------------------------------------
Tom McNeal       trmcneal@attbi.com     (650)906-0761 (cell) 
------------------------------------------------------------


-------------------------------------------------------
Sponsored by:
ThinkGeek at http://www.ThinkGeek.com/
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs