Understanding NFS4 (Linux server)
I've been a bit bothered by NFS4 on Linux. Some information 'out there' seems to conflict with other information, and other information appears hard to find. So here are a couple of things that caught my attention, hopefully someone out there can shed some light on this.
This question focuses exclusively on NFS4 without Kerberos etc.
1. Exports
There is ambiguous information in the exports manpage on the structure of /etc/exports.
To quote from exports(5):
Also, each line may have one or more specifications for default options after the path name, in the form of a dash ("-") followed by an option list.
The option list is used for all subsequent exports on that line only.
What does "subsequent exports on that line only" mean?
1.2 fsid=0 not required anymore?
I was searching for fsid when I found a comment on the linux-nfs list stating fsid=0 is not required anymore. Now I'm just confused, do I need it with nfs4 or not?!
2. Non-exported directory still mountable
Say I have the following tree:
/exp
/exp/users
/exp/distr
/exp/distr/archlinux
/exp/distr/debian
And I have the following entries in this fstab entry:
/dev/disk/by-label/users /mnt/users ext4 defaults 0 0
/dev/disk/by-label/distr /mnt/distr ext4 defaults 0 0
/mnt/users /exp/users none bind 0 0
/mnt/distr /exp/distr none bind 0 0
And my exports is exactly this:
/exp 192.168.1.0/24(fsid=0,rw,async,no_subtree_check,no_root_squash)
/exp/distr 192.168.1.0/24(rw,async,no_subtree_check,no_root_squash)
And exportfs -arv shows:
exporting 192.168.1.0/24:/exp/distr
exporting 192.168.1.0/24:/exp
Then why am I able to do this and get no error on a client:
mount -t nfs4 server:/exp/users /tmp/test
Even though /exp/users is not exported? I didn't export this directory, and while I don't see the contents of /dev/disk/by-label/users unless I specify crossmnt, I am still able to write to the directory. Everything I write to there goes to the underlying directory of /exp/users which can be seen when I umount /exp/users; ls /exp/users.
3. The odd case of showmount -d server
As stated by rpc.mountd(8), this command should display directories that are either currently mounted by clients, or stale entries in /var/lib/nfs/rmtab, as can be read:
The rpc.mountd daemon registers every successful MNT request by adding an entry to the /var/lib/nfs/rmtab file. When receiving a UMNT request from an NFS client, rpc.mountd simply removes the matching entry from /var/lib/nfs/rmtab, as long as the access control list for that export allows that sender to access the export.
(...)
Note, however, that there is little to guarantee that the contents of /var/lib/nfs/rmtab are accurate. A client may continue accessing an export even after invoking UMNT. If the client reboots without sending a UMNT request, stale entries remain for that client in /var/lib/nfs/rmtab.
After reading this I surely wonder:
- Isn't it terribly insecure to just expose this type of client information;
- Aren't unaware server admins bound to have an rmtab with a lot of stale clients;
- Is this the reason that clients that mount nfs4 directories with mount -v get to see output like "nothing was mounted" even though something was mounted?
I have a lot of other questions regarding nfs4, but I'll keep it at this for the moment.. :)
Solution 1:
Great questions, highlights a bigger point with the documentation IMO. Here is an attempt at a complete answer:
What does "subsequent exports on that line only" mean?
An example's probably easiest here:
/export/stuff -rw 10.0.0.54 10.0.0.55
is equivalent to:
/export/stuff 10.0.0.54(rw) 10.0.0.55(rw)
Is fsid=0 not required anymore?
This depends on your use case. It looks like you are exporting regular disk based filesystems from the rest of your query, in that case you are best to drop fsid=0 (which in nfsv4 changes the behavior to reference the root filesystem of the export).
To change this behaviour remove the no_subtree_check option
rmtab-related stuff
- Is the handling of rmtab a security risk?
I guess it depends on your use case to answer that, on my network it doesn't present a credible information leak but I can see cases where it could potentially.
- Won't rmtab be full of stale entries?
Potentially yes, again depending on your deployment scenario / use case.
- Is this why some clients running mount -v erroneously see "nothing was mounted"?
I've not come across this yet
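
The default-option rule from exports(5), discussed in the first part of the answer above, written out as a small parser that lists the effective options per client. This is an added example, not code from the original post or from nfs-utils; the name expand_exports, the ANY_HOST label and the sample lines are constructed here, and it assumes default lists accumulate and per-client options are applied after them.

```python
import re
import shlex

ANY_HOST = "<any host>"  # label used here for an option list with no client name

def expand_exports(text):
    """Return [(path, client, [options])] with '-' default lists applied."""
    entries = []
    text = text.replace("\\\n", " ")           # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        path, *specs = shlex.split(line)       # path may be double-quoted
        defaults = []
        for spec in specs:
            if spec.startswith("-"):
                # Default list: applies to the clients after it on this line.
                defaults += [o for o in spec[1:].split(",") if o]
                continue
            m = re.fullmatch(r"([^()]*)(?:\(([^()]*)\))?", spec)
            if m is None:
                raise ValueError(f"cannot parse client spec: {spec!r}")
            client = m.group(1) or ANY_HOST
            own = [o for o in (m.group(2) or "").split(",") if o]
            # Assumption: per-client options are applied after the defaults.
            entries.append((path, client, defaults + own))
    return entries

# Constructed input: the two forms from the answer, plus a mixed line
# where one client appears before the default list.
SHORT = "/export/stuff -rw 10.0.0.54 10.0.0.55\n"
LONG = "/export/stuff 10.0.0.54(rw) 10.0.0.55(rw)\n"
MIXED = "/export/stuff 10.0.0.53 -rw,async 10.0.0.54 10.0.0.55(no_root_squash)\n"

if __name__ == "__main__":
    for sample in (SHORT, LONG, MIXED):
        for path, client, opts in expand_exports(sample):
            print(f"{path}  {client}({','.join(opts)})")
```

In the mixed line, 10.0.0.53 receives none of the defaults because it precedes the dash list, which is what "subsequent exports on that line only" refers to.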