Problems Migrating from NFSv3 to NFSv4

Problems Migrating from NFSv3 to NFSv4

[Christopher Metter]

Hi there folks!

Im trying to migrate from NFSv3 to NFSv4. I've read diverse Articles and 
Howtos, but i cant find a solution to my problem.

For better understanding: My NFSv4 Root is /srv/data/, a Folder that 
existed before and has diverse Subfolders in it. These Folders are 
really there and are not mounted by "mount --bind".

The Servers IP: 192.168.0.10
Client1: 192.168.0.1
Client2: 192.168.0.2

Setup with NFSv3:
2 Folders (scratch and software) were shared for 2 Clients. In Scratch 
both clients had full RW-access and on software only Client2 had rw, 
Client1 had RO.
Config:
/srv/data/scratch-all    *(rw,async,no_root_squash,nohide,no_subtree_check)
/srv/data/software    
10.0.12.4(ro,sync,no_root_squash,nohide,no_subtree_check) 
10.0.12.5(rw,sync,no_root_squash,nohide,no_subtree_check)

My NFSv4 Config (from Server/etc/exports)
|/srv/data/ 
192.168.0.2(rw,sync,fsid=0,insecure,no_root_squash,no_subtree_check) 
192.168.0.1(rw,sync,fsid=0,insecure,no_root_squash,no_subtree_check)
/srv/data/scratch *(rw,async,no_root_squash,no_subtree_check)
/srv/data/software 192.168.0.1(ro,sync,no_root_squash,no_subtree_check) 
192.168.0.2(rw,sync,no_root_squash,no_subtree_check)
|
After that i mounted from Client1 and Client2  the Sharefolders 
directrly (e.g. software: mount -t nfs4 -o intr,hard,rw 
192.168.0.10:/software  /targetfolder), everything works perfect, every 
Client has its specific rights and so on.

But if im mounting Servers Root (mount -t nfs4 -o intr,hard,rw 
192.168.0.10:/ /targetfolder)  from Client1 I do have complete RW Access 
to the full "Data" folder, even with RW for Software (which i set for 
RO). I also do see folders I didnot specificly share (e.g. there is a 
folder 'lost+found' in /srv/data which should not be shared).

My Question is:
What do i have to do, that even if im mounting Servers root, I only can 
see and access the specificly for this client configurated exports? 
(Also with correct access, of course)
Is it possible that way or do i have to make a complete new folder, set 
it as new root, mount --bind the needed folders in there and then share 
them?

I tried setting Roots Parameters for Client1 to RO, but after that i 
even didnt have RW to /scratch per direct mount.

What am I doing wrong? Im looking forward to any feedback.


Greetings,
Christopher

Re: Problems Migrating from NFSv3 to NFSv4

[Steve Dickson]

On 11/16/2009 01:57 PM, Christopher Metter wrote:
> Hi there folks!
> 
> Im trying to migrate from NFSv3 to NFSv4. I've read diverse Articles and
> Howtos, but i cant find a solution to my problem.
> 
> For better understanding: My NFSv4 Root is /srv/data/, a Folder that
> existed before and has diverse Subfolders in it. These Folders are
> really there and are not mounted by "mount --bind".
> 
> The Servers IP: 192.168.0.10
> Client1: 192.168.0.1
> Client2: 192.168.0.2
> 
> Setup with NFSv3:
> 2 Folders (scratch and software) were shared for 2 Clients. In Scratch
> both clients had full RW-access and on software only Client2 had rw,
> Client1 had RO.
> Config:
> /srv/data/scratch-all    *(rw,async,no_root_squash,nohide,no_subtree_check)
> /srv/data/software   
> 10.0.12.4(ro,sync,no_root_squash,nohide,no_subtree_check)
> 10.0.12.5(rw,sync,no_root_squash,nohide,no_subtree_check)
> 
> My NFSv4 Config (from Server/etc/exports)
> |/srv/data/
> 192.168.0.2(rw,sync,fsid=0,insecure,no_root_squash,no_subtree_check)
> 192.168.0.1(rw,sync,fsid=0,insecure,no_root_squash,no_subtree_check)
> /srv/data/scratch *(rw,async,no_root_squash,no_subtree_check)
> /srv/data/software 192.168.0.1(ro,sync,no_root_squash,no_subtree_check)
> 192.168.0.2(rw,sync,no_root_squash,no_subtree_check)
> |
> After that i mounted from Client1 and Client2  the Sharefolders
> directrly (e.g. software: mount -t nfs4 -o intr,hard,rw
> 192.168.0.10:/software  /targetfolder), everything works perfect, every
> Client has its specific rights and so on.
> 
> But if im mounting Servers Root (mount -t nfs4 -o intr,hard,rw
> 192.168.0.10:/ /targetfolder)  from Client1 I do have complete RW Access
> to the full "Data" folder, even with RW for Software (which i set for
> RO). I also do see folders I didnot specificly share (e.g. there is a
> folder 'lost+found' in /srv/data which should not be shared).
> 
> My Question is:
> What do i have to do, that even if im mounting Servers root, I only can
> see and access the specificly for this client configurated exports?
> (Also with correct access, of course)
I'm not sure I understand your question... Are you asking is there a 
way for clients to only see particular directories on a the server's root?

steved.

> Is it possible that way or do i have to make a complete new folder, set
> it as new root, mount --bind the needed folders in there and then share
> them?
> 
> I tried setting Roots Parameters for Client1 to RO, but after that i
> even didnt have RW to /scratch per direct mount.
> 
> What am I doing wrong? Im looking forward to any feedback.
> 
> 
> Greetings,
> Christopher
> -- 
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Problems Migrating from NFSv3 to NFSv4

[Christopher Metter]

Steve Dickson schrieb:
>> My Question is:
>> What do i have to do, that even if im mounting Servers root, I only can
>> see and access the specificly for this client configurated exports?
>> (Also with correct access, of course)
>>     
> I'm not sure I understand your question... Are you asking is there a 
> way for clients to only see particular directories on a the server's root?
>
> steved.
>
>   
Hi Steve,

thats what im talking about. 
Clients should only see(+write) particular directories on the server, 
after I've set the permission for this.

Example:

/srv/data  is NFSv4Root and includes:
/srv/data/folder1
/srv/data/folder2
/srv/data/folder3

Now I set permission for Client1 to readonly folder1 and readwrite 
folder2 and no permissions for folder3.

After mounting servers root, I only see folder1 and only can write in 
folder2. And the Client doesnt know anything about folder3

Re: Problems Migrating from NFSv3 to NFSv4

[J. Bruce Fields]

On Mon, Nov 16, 2009 at 07:57:57PM +0100, Christopher Metter wrote:
> Hi there folks!
>
> Im trying to migrate from NFSv3 to NFSv4. I've read diverse Articles and  
> Howtos, but i cant find a solution to my problem.
>
> For better understanding: My NFSv4 Root is /srv/data/, a Folder that  
> existed before and has diverse Subfolders in it. These Folders are  
> really there and are not mounted by "mount --bind".
>
> The Servers IP: 192.168.0.10
> Client1: 192.168.0.1
> Client2: 192.168.0.2
>
> Setup with NFSv3:
> 2 Folders (scratch and software) were shared for 2 Clients. In Scratch  
> both clients had full RW-access and on software only Client2 had rw,  
> Client1 had RO.
> Config:
> /srv/data/scratch-all    *(rw,async,no_root_squash,nohide,no_subtree_check)
> /srv/data/software     
> 10.0.12.4(ro,sync,no_root_squash,nohide,no_subtree_check)  
> 10.0.12.5(rw,sync,no_root_squash,nohide,no_subtree_check)
>
> My NFSv4 Config (from Server/etc/exports)
> |/srv/data/  
> 192.168.0.2(rw,sync,fsid=0,insecure,no_root_squash,no_subtree_check)  
> 192.168.0.1(rw,sync,fsid=0,insecure,no_root_squash,no_subtree_check)
> /srv/data/scratch *(rw,async,no_root_squash,no_subtree_check)
> /srv/data/software 192.168.0.1(ro,sync,no_root_squash,no_subtree_check)  
> 192.168.0.2(rw,sync,no_root_squash,no_subtree_check)
> |
> After that i mounted from Client1 and Client2  the Sharefolders  
> directrly (e.g. software: mount -t nfs4 -o intr,hard,rw  
> 192.168.0.10:/software  /targetfolder), everything works perfect, every  
> Client has its specific rights and so on.
>
> But if im mounting Servers Root (mount -t nfs4 -o intr,hard,rw  
> 192.168.0.10:/ /targetfolder)  from Client1 I do have complete RW Access  
> to the full "Data" folder, even with RW for Software (which i set for  
> RO).

Exports don't operate on "folders", only on filesystems: if you export
/srv/data/ read-write, and if /srv/data/software is on the same
filesystem as /srv/data, then /srv/data will also be exported, and also
writeable.

--b.

> I also do see folders I didnot specificly share (e.g. there is a  
> folder 'lost+found' in /srv/data which should not be shared).
>
> My Question is:
> What do i have to do, that even if im mounting Servers root, I only can  
> see and access the specificly for this client configurated exports?  
> (Also with correct access, of course)
> Is it possible that way or do i have to make a complete new folder, set  
> it as new root, mount --bind the needed folders in there and then share  
> them?
>
> I tried setting Roots Parameters for Client1 to RO, but after that i  
> even didnt have RW to /scratch per direct mount.
>
> What am I doing wrong? Im looking forward to any feedback.
>
>
> Greetings,
> Christopher
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Problems Migrating from NFSv3 to NFSv4

[Christopher Metter]

J. Bruce Fields schrieb:
> On Mon, Nov 16, 2009 at 07:57:57PM +0100, Christopher Metter wrote:
>   
>> Hi there folks!
>>
>> Im trying to migrate from NFSv3 to NFSv4. I've read diverse Articles and  
>> Howtos, but i cant find a solution to my problem.
>>
>> For better understanding: My NFSv4 Root is /srv/data/, a Folder that  
>> existed before and has diverse Subfolders in it. These Folders are  
>> really there and are not mounted by "mount --bind".
>>
>> The Servers IP: 192.168.0.10
>> Client1: 192.168.0.1
>> Client2: 192.168.0.2
>>
>> Setup with NFSv3:
>> 2 Folders (scratch and software) were shared for 2 Clients. In Scratch  
>> both clients had full RW-access and on software only Client2 had rw,  
>> Client1 had RO.
>> Config:
>> /srv/data/scratch-all    *(rw,async,no_root_squash,nohide,no_subtree_check)
>> /srv/data/software     
>> 10.0.12.4(ro,sync,no_root_squash,nohide,no_subtree_check)  
>> 10.0.12.5(rw,sync,no_root_squash,nohide,no_subtree_check)
>>
>> My NFSv4 Config (from Server/etc/exports)
>> |/srv/data/  
>> 192.168.0.2(rw,sync,fsid=0,insecure,no_root_squash,no_subtree_check)  
>> 192.168.0.1(rw,sync,fsid=0,insecure,no_root_squash,no_subtree_check)
>> /srv/data/scratch *(rw,async,no_root_squash,no_subtree_check)
>> /srv/data/software 192.168.0.1(ro,sync,no_root_squash,no_subtree_check)  
>> 192.168.0.2(rw,sync,no_root_squash,no_subtree_check)
>> |
>> After that i mounted from Client1 and Client2  the Sharefolders  
>> directrly (e.g. software: mount -t nfs4 -o intr,hard,rw  
>> 192.168.0.10:/software  /targetfolder), everything works perfect, every  
>> Client has its specific rights and so on.
>>
>> But if im mounting Servers Root (mount -t nfs4 -o intr,hard,rw  
>> 192.168.0.10:/ /targetfolder)  from Client1 I do have complete RW Access  
>> to the full "Data" folder, even with RW for Software (which i set for  
>> RO).
>>     
>
> Exports don't operate on "folders", only on filesystems: if you export
> /srv/data/ read-write, and if /srv/data/software is on the same
> filesystem as /srv/data, then /srv/data will also be exported, and also
> writeable.
>
> --b
Is there a workaround to this behavior? Or a trick to get an NFSv4 Setup 
corresponding to the NFSv3 Setup?

Christopher


__________ Information from ESET Smart Security, version of virus signature database 4539 (20091024) __________

The message was checked by ESET Smart Security.

http://www.eset.com

Re: Problems Migrating from NFSv3 to NFSv4

[J. Bruce Fields]

On Thu, Nov 19, 2009 at 02:58:16PM +0100, Christopher Metter wrote:
> J. Bruce Fields schrieb:
>> On Mon, Nov 16, 2009 at 07:57:57PM +0100, Christopher Metter wrote:
>>   
>>> Hi there folks!
>>>
>>> Im trying to migrate from NFSv3 to NFSv4. I've read diverse Articles 
>>> and  Howtos, but i cant find a solution to my problem.
>>>
>>> For better understanding: My NFSv4 Root is /srv/data/, a Folder that  
>>> existed before and has diverse Subfolders in it. These Folders are   
>>> really there and are not mounted by "mount --bind".
>>>
>>> The Servers IP: 192.168.0.10
>>> Client1: 192.168.0.1
>>> Client2: 192.168.0.2
>>>
>>> Setup with NFSv3:
>>> 2 Folders (scratch and software) were shared for 2 Clients. In 
>>> Scratch  both clients had full RW-access and on software only Client2 
>>> had rw,  Client1 had RO.
>>> Config:
>>> /srv/data/scratch-all    *(rw,async,no_root_squash,nohide,no_subtree_check)
>>> /srv/data/software      
>>> 10.0.12.4(ro,sync,no_root_squash,nohide,no_subtree_check)   
>>> 10.0.12.5(rw,sync,no_root_squash,nohide,no_subtree_check)
>>>
>>> My NFSv4 Config (from Server/etc/exports)
>>> |/srv/data/   
>>> 192.168.0.2(rw,sync,fsid=0,insecure,no_root_squash,no_subtree_check)  
>>> 192.168.0.1(rw,sync,fsid=0,insecure,no_root_squash,no_subtree_check)
>>> /srv/data/scratch *(rw,async,no_root_squash,no_subtree_check)
>>> /srv/data/software 
>>> 192.168.0.1(ro,sync,no_root_squash,no_subtree_check)   
>>> 192.168.0.2(rw,sync,no_root_squash,no_subtree_check)
>>> |
>>> After that i mounted from Client1 and Client2  the Sharefolders   
>>> directrly (e.g. software: mount -t nfs4 -o intr,hard,rw   
>>> 192.168.0.10:/software  /targetfolder), everything works perfect, 
>>> every  Client has its specific rights and so on.
>>>
>>> But if im mounting Servers Root (mount -t nfs4 -o intr,hard,rw   
>>> 192.168.0.10:/ /targetfolder)  from Client1 I do have complete RW 
>>> Access  to the full "Data" folder, even with RW for Software (which i 
>>> set for  RO).
>>>     
>>
>> Exports don't operate on "folders", only on filesystems: if you export
>> /srv/data/ read-write, and if /srv/data/software is on the same
>> filesystem as /srv/data, then /srv/data will also be exported, and also
>> writeable.
>>
>> --b
> Is there a workaround to this behavior? Or a trick to get an NFSv4 Setup  
> corresponding to the NFSv3 Setup?

If you add a trivial mountpoint there with:

	"mount --bind /srv/data/software /srv/data/software"

I think that will do the job.

Note this isn't really secure--this will prevent users on 192.168.0.1
from accidentally modifying software/, but won't do anything against
someone malicious with access to the network.

--b.