From: "J. Bruce Fields" <bfields@fieldses.org>
To: Wangminlan <wangminlan@huawei.com>
Cc: "linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>
Subject: Re: Different sequence of "exportfs" produce different effects on nfs client mounts
Date: Tue, 15 Oct 2013 11:49:18 -0400 [thread overview]
Message-ID: <20131015154918.GA6117@fieldses.org> (raw)
In-Reply-To: <3962238FD7EA0F41B1810E7ABEAFBC314CEF9E97@szxema505-mbs.china.huawei.com>
Looking at the mountd code....
Looks like utils/mountd/cache.c makes no special effort to prioritize
exports except in the v4root and crossmnt cases, neither an issue in
your case.
So yes it depends on ordering. From man exports:
If a client matches more than one of the specifications above,
then the first match from the above list order takes precedence
- regardless of the order they appear on the export line.
However, if a client matches more than one of the same type of
specification (e.g. two netgroups), then the first match
from the order they appear on the export line takes
precedence.
The order given is: single host, IP networks, wildcards, negroups,
anonymous.
So the single host exports should have taken precedence.
The code here does look like it corectly implements the above ordering.
What version of nfs-utils are you using?
--b.
On Tue, Oct 15, 2013 at 06:39:59AM +0000, Wangminlan wrote:
> On Mon, Oct 14, 2013 at 16:46 +0000, Bruce Fields wrote:
> > On Mon, Oct 14, 2013 at 02:16:58AM +0000, Wangminlan wrote:
> > > Hi,
> > > I’ve got a problem on the nfs exportfs command. I’m not
> > sure if this is the right place to ask this, if not, can you please tell me where?
> > >
> > > Here’s what I need:
> > > 1. I have a folder named /mnt/fs1 to be exported.
> > > 2. All the host in subnetwork 192.168.0.0/16 should be able access this
> > folder, but their root should be squashed.
> > > 3. Some specified host in the same subnetwork can gain the root
> > permission on the folder, for example: 192.168.0.21, 192.168.0.22.
> > >
> > > I’ve got a SLES11SP1 box as the nfs server, the nfs clients are SLES11SP1,
> > too, and the protocol used between clients and server are NFSv3.
> > > Here are the commands I used to do the export:
> > > #exportfs –o rw,root_squash 192.168.0.0/16:/mnt/fs1
> > > #exportfs –o rw,no_root_squash 192.168.0.21:/mnt/fs1
> > > #exportfs –o rw,no_root_squash 192.168.0.22:/mnt/fs1
> > > After this, everything works as expected.
> After this, the contents of /proc/net/rpc/auth.unix.ip/content and /proc/net/rpc/nfsd.export/content are:
> NV200_01:/proc/net/rpc # cat auth.unix.ip/content
> #class IP domain
> nfsd 192.168.0.21 192.168.0.0/16,192.168.0.21
> nfsd 0.0.0.0 -test-client-
> # nfsd 100.43.189.1 -no-domain-
>
> NV200_01:/proc/net/rpc # cat nfsd.export/content
> #path domain(flags)
> /mnt/fs1 -test-client-(rw,no_root_squash,sync,no_wdelay,fsid=0,anonuid=4294967295,anongid=4294967295)
> /mnt/fs1 192.168.0.0/16,192.168.0.21(rw,no_root_squash,sync,wdelay,no_subtree_check,uuid=13266f0d:1fbd40d5:b0b5c4fe:cfe104eb)
> # /mnt/fs1 192.168.0.0/16,192.168.0.21(rw,no_root_squash,sync,wdelay,no_subtree_check,uuid=13266f0d:1fbd40d5:b0b5c4fe:cfe104eb)
> Besides, the content of /var/lib/nfs/etab is:
> NV200_01:/proc/net/rpc # cat /var/lib/nfs/etab
> /mnt/fs1 192.168.0.22(rw,sync,wdelay,hide,nocrossmnt,secure,no_root_squash,no_all_squash,no_subtree_check,secure_locks,acl,anonuid=65534,anongid=65534)
> /mnt/fs1 192.168.0.21(rw,sync,wdelay,hide,nocrossmnt,secure,no_root_squash,no_all_squash,no_subtree_check,secure_locks,acl,anonuid=65534,anongid=65534)
> /mnt/fs1 192.168.0.0/16(rw,sync,wdelay,hide,nocrossmnt,secure,root_squash,no_all_squash,no_subtree_check,secure_locks,acl,anonuid=65534,anongid=65534)
> > >
> > > But, after the following operations:
> > > #exportfs –u 192.168.0.0/16:/mnt/fs1 /* Delete this
> > export */
> > > # exportfs –o rw,root_squash 192.168.0.0/16:/mnt/fs1 /*
> > And add it again */
> > > Hosts on 192.168.0.21 and 192.168.0.22 doesn’t get root permission
> > any more. when I tried to write a file, it complains about “Permission denied”.
> > >
> > > So, does the order of exportfs command has something to do the final
> > result? Or am I doing something wrong?
> After this, the contents of /proc/net/rpc/auth.unix.ip/content and /proc/net/rpc/nfsd.export/content are:
> NV200_01:/proc/net/rpc # cat auth.unix.ip/content
> #class IP domain
> nfsd 192.168.0.21 192.168.0.0/16,192.168.0.21
> nfsd 0.0.0.0 -test-client-
> # nfsd 100.43.189.1 -no-domain-
>
> NV200_01:/proc/net/rpc # cat nfsd
> nfsd nfsd.export/ nfsd.fh/
> NV200_01:/proc/net/rpc # cat nfsd
> nfsd nfsd.export/ nfsd.fh/
> NV200_01:/proc/net/rpc # cat nfsd.export/content
> #path domain(flags)
> /mnt/fs1 -test-client-(rw,no_root_squash,sync,no_wdelay,fsid=0,anonuid=4294967295,anongid=4294967295)
> /mnt/fs1 192.168.0.0/16,192.168.0.21(rw,root_squash,sync,wdelay,no_subtree_check,uuid=13266f0d:1fbd40d5:b0b5c4fe:cfe104eb)
> And the content of /var/lib/nfs/etab is:
> NV200_01:/proc/net/rpc # cat /var/lib/nfs/etab
> /mnt/fs1 192.168.0.0/16(rw,sync,wdelay,hide,nocrossmnt,secure,root_squash,no_all_squash,no_subtree_check,secure_locks,acl,anonuid=65534,anongid=65534)
> /mnt/fs1 192.168.0.22(rw,sync,wdelay,hide,nocrossmnt,secure,no_root_squash,no_all_squash,no_subtree_check,secure_locks,acl,anonuid=65534,anongid=65534)
> /mnt/fs1 192.168.0.21(rw,sync,wdelay,hide,nocrossmnt,secure,no_root_squash,no_all_squash,no_subtree_check,secure_locks,acl,anonuid=65534,anongid=65534)
> >
> > That sounds like a bug. The contents of
> > /proc/net/rpc/auth.unix.ip/content and /proc/net/rpc/nfsd.export/content
> > after getting the above "permission denied" might be interesting.
next prev parent reply other threads:[~2013-10-15 15:49 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-10-14 2:16 Different sequence of "exportfs" produce different effects on nfs client mounts Wangminlan
2013-10-14 17:45 ` J. Bruce Fields
2013-10-15 6:39 ` Wangminlan
2013-10-15 15:49 ` J. Bruce Fields [this message]
2013-10-16 1:22 ` Wangminlan
2013-10-17 7:16 ` Wangminlan
2013-10-17 13:14 ` Chuck Lever
2013-10-17 13:18 ` J. Bruce Fields
2013-10-17 21:32 ` NeilBrown
2013-10-20 22:49 ` NeilBrown
2013-10-21 9:47 ` Wangminlan
2013-10-17 13:16 ` J. Bruce Fields
-- strict thread matches above, loose matches on Subject: below --
2013-10-11 20:15 [PATCH] nfs: Remove useless 'error' assignment Geyslan G. Bem
2013-10-14 1:20 ` Different sequence of "exportfs" produce different effects on nfs client mounts Wangminlan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131015154918.GA6117@fieldses.org \
--to=bfields@fieldses.org \
--cc=linux-nfs@vger.kernel.org \
--cc=wangminlan@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).