Bug 237108 - [RHEL4 U4][NFSv4] Exporting mounts across filesystems fails
[RHEL4 U4][NFSv4] Exporting mounts across filesystems fails
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel (Show other bugs)
All Linux
high Severity high
: ---
: 4.9
Assigned To: Steve Dickson
Martin Jenner
Depends On: 247759
  Show dependency treegraph
Reported: 2007-04-19 09:43 EDT by Jeff Burke
Modified: 2011-04-26 09:39 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2011-04-26 09:39:23 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jeff Burke 2007-04-19 09:43:09 EDT
Description of problem:
 When exporting mounts across files systems. nfsv4 does not work properly.

Version-Release number of selected component (if applicable):

How reproducible:
 Always (in my test setup)

Steps to Reproduce:
Build a REHL4-U4 server, create several partitions,enable nfs

Disk confguration:
 /dev/hda1  /boot
 /dev/hda2  /
 /dev/hda3  /export

In the local mounted filesystem /export create directory /export/home

 /              *(rw,fsid=0,sync,nohide,no_root_squash)
 /export/home   *(rw,fsid=1,sync,nohide,no_root_squash)
Actual results:
 From a client you will not be able to mount the server via nfsv4.
You will get an error.

Expected results:
 This should work fine

Additional info:
 Basically what it looks like is NFSv4 can't export off of the root filesystem.
 Spoke with SteveD about this already.  He can reproduce the error case.
Comment 1 Steve Dickson 2007-04-19 15:24:20 EDT
I believe I know what the problem is..

There are to exports '/' and '/export/home'
with '/' being the pseudo root. Both have
nohide set and both have different fsids
which is needed.

Now reason 'mount -tnfs 4 server:/export/home' fails 
with permission denied is because even though '/' 
and '/export/home' are exported the middle 
directory '/export' is not. So when the server
try to access /export on its why to /export/home
the access is denied. 

Now the reason 'mount -tnfs3 server:/export'
succeeds but the directory is empty is because
the server is seeing the export directory on '/'
but not the mount point. 

So by exporting middle directory 'export' should
take care of this problem:

 /              *(rw,fsid=0,sync,nohide,no_root_squash)
 /export/       *(rw,fsid=1,sync,nohide,no_root_squash)
 /export/home   *(rw,fsid=2,sync,nohide,no_root_squash)
Comment 2 Jeff Burke 2007-04-27 08:50:01 EDT
Exporting the middle directory did work.
Comment 3 Jeff Layton 2007-06-22 12:06:30 EDT
Looks like an upstream and RHEL5 issue as well...
Comment 4 Jeff Layton 2007-06-22 15:30:48 EDT
Yikes, this is a sticky problem. 4.6 seems doubtful -- setting to 4.7.

RFC 3530 has quite a bit to say about this issue (around chapter 7). The server
is expected to create a 'pseudo' export when there are gaps in the namespace
like this, but it seems like no version of Linux so far actually does.

I can see why -- you need to detect when a mountpoint might have exports that
are below it and treat that differently than the case when one doesn't. I don't
see how to do that without some fairly complex logic. Perhaps we can fix this up
by making implicit exports for mountpoints that lie in between the namespace
root and the actual export.

We'd have to flag them so they'd be invisible to users, but the lookups could
then cross them...
Comment 5 Jeff Layton 2007-06-25 10:14:56 EDT
Actually, it looks like Bruce Fields posted a status update to the NFS4 list and
mentioned this problem specifically:

	- export paths consistent with nfsv2/v3:  No really promising
	  progress, though (thanks mainly to Bryce Harrington), we do
	  now have some prototype code at:

	  git://linux-nfs.org/~bfields/nfs-tuils.git pseudo-export

	  which attempts to solve the whole problem in userspace by
	  automatically loopback-mounting a file to serve as the NFSv4
	  root, bind-mounting under it everything listed in the exports,
	  and faking up corresponding exports in mountd.  The code
	  more or less works, but I'm not sure it's the right approach.

This is a really important problem, and not one I've had a lot of time
to work on lately, so we could definitely still use help here.

I need to have a closer look, but this looks like it's really still in the
design phase. I'm going to see if I can get involved with it, but I don't have a
good idea so far of the right approach for solving this. I don't really like
this userspace hackery either, but we might can use that as a model of how to
fix this in kernel space.
Comment 6 Jeff Layton 2007-07-10 10:53:06 EDT
I figure we're going to have to do something similar to the approach
that Bryce has done here. When exports are done, we need to fill in the gaps
with a pseudo filesystem of some sort.

Some possible approaches:

1) use Bryce's approach whole-hog. Do it all in userspace with
a /dev/loop ext2 fs as the base.

2) use Bryce's basic approach, but use tmpfs as the underlying
filesystem (may require kernel work to make sure that tmpfs is up to
the job). I'd prefer this rather than dealing with losetup.

3) move all of it into the kernel, perhaps with a new filesystem type
as the underlying pseudo-rootfs. We could maintain a separate pseudofs root
directory with appropriate bind mounts that's disconnected from the
actual root dir.

4) don't do any sort of pseudo-rootfs. When a directory is exported, check to
see if it's "disconnected". If it is, backtrack dentries until we get to
something that is exported. Tag those dentries with a flag that indicates that
they are only to be used for LOOKUP calls and fix up LOOKUP to recognize a dir
that has been tagged this way. Only do lookups in it for entries that are valid
exports or similarly tagged entries.

This is still all very much in the blue-sky stage. While doing this in kernel
somehow feels cleaner to me, I don't know of a good reason to *not* do it in
userspace. Perhaps #2 is the best thing to do?

Comment 7 Jeff Layton 2007-07-10 11:08:15 EDT
#4 might be really tough when mixed in with subtree-check.

Note You need to log in before you can comment on or make changes to this bug.