Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
This project is now read‑only. Starting Monday, February 2, please use https://ibm-ceph.atlassian.net/ for all bug tracking management.

Bug 2376756

Summary: [9.0][NFS-Ganesha][BYOK] BYOK export allows enabling encryption on non-empty directory; junk entries shown on NFS mount for existing files and dirs
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Manisha Saini <msaini>
Component: NFS-GaneshaAssignee: Sachin Punadikar <spunadik>
NFS-Ganesha sub component: Ceph QA Contact: Manisha Saini <msaini>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: unspecified CC: cephqe-warriors, kkeithle, tserlin
Version: 8.1Keywords: Tracking
Target Milestone: ---   
Target Release: 9.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: nfs-ganesha-7.0-0.6.3.el9cp Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2376757 (view as bug list) Environment:
Last Closed: 2026-01-29 06:50:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2376757    

Description Manisha Saini 2025-07-07 09:45:09 UTC 
Description of problem:
======================

A CephFS subvolume was created with an encryption tag and used via a Ceph-Fuse mount to create a few files and dirs.
The same subvolume path was then exported via NFS using a BYOK-enabled export.
Mount via NFS worked successfully. I was able to create new files from the NFS client, which were encrypted as expected.
However, when listing files via NFS, the entries created via the Fuse mount show as junk output (e.g., '???'), while files created from the NFS mount appear encrypted:

# ls
'???'   file_from_nfs

Expected behavior is that BYOK encryption should not be enabled on non-empty directories (as confirmed in internal discussions). If attempted, it should fail. Instead, in this case, it allows mounting and results in junk file listings.



Version-Release number of selected component (if applicable):
==============

# rpm -qa | grep nfs
libnfsidmap-2.5.4-34.el9.x86_64
nfs-utils-2.5.4-34.el9.x86_64
nfs-ganesha-selinux-6.5-23.el9cp.noarch
nfs-ganesha-6.5-23.el9cp.x86_64
nfs-ganesha-rgw-6.5-23.el9cp.x86_64
nfs-ganesha-ceph-6.5-23.el9cp.x86_64
nfs-ganesha-rados-grace-6.5-23.el9cp.x86_64
nfs-ganesha-rados-urls-6.5-23.el9cp.x86_64
nfs-ganesha-utils-6.5-23.el9cp.x86_64

# ceph --version


How reproducible:
===========
Always


Steps to Reproduce:
=================
Mentioned above

Actual results:
=============
Export creation succeeds even when the subvolume is not empty.
Mount also succeeds.
Listing directory contents via NFS shows junk characters for files written via Fuse.


Expected results:
===============
Export creation using BYOK should fail if the target directory/subvolume is not empty.
Alternatively, NFS mount should fail if the underlying directory contains content incompatible with encryption.
No junk characters should be seen on ls if the mount succeeds.


Additional info:
Comment 6 errata-xmlrpc 2026-01-29 06:50:41 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Red Hat Ceph Storage 9.0 Security and Enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2026:1536