>> /gpfs/filesystem1/directory1/sub-directory1 is exported to client2 as read-write.
>> client2 is not included in the export for /gpfs/filesystem1/directory1.
>> Mounting /gpfs/filesystem1/directory1/sub-directory1 on client2 does not work and results in a permission denied
Any NFSv4 implementation needs to traverse the pseudo path for being able to mount an export. One would expect "client2" to traverse over /gpfs/filesystem1/directory1/ but not list its content/other files. I strongly think this is a bug in Ganesha implementation, it is probably looking at the real-export object than the pseudo-object for permission checking.
One option is to change the Pseudo file system layout. For example, "/gpfs/client2" as "Pseudo" option for export with path " /gpfs/filesystem1/directory1/sub-directory1". This is directly not possible with Spectrum CLI command mmnfs unless you are using the latest and greatest ("mmnfs export add" usage would show if it supports Pseudo option). Of course, you can manually do it (using CCR) as Ganesha itself allows it.
Yes, NFSv3 has no pseudo traversal, it should work.
Regards, Malahal.
----- Original message -----
From: "Dietrich, Stefan" <[email protected]>
Sent by: [email protected]
To: [email protected]
Cc:
Subject: [gpfsug-discuss] Nested NFSv4 Exports
Date: Thu, Oct 25, 2018 5:52 PM
Hi,
I am currently fiddling around with some nested NFSv4 exports and the differing behaviour to NFSv3.
The environment is a GPFS 5.0.1 with enabled CES, so Ganesha is used as the NFS server.
Given the following (pseudo) directory structure:
/gpfs/filesystem1/directory1
/gpfs/filesystem1/directory1/sub-directory1
/gpfs/filesystem1/directory1/sub-directory2
Now to the exports:
/gpfs/filesystem1/directory1 is exported to client1 as read-only.
/gpfs/filesystem1/directory1/sub-directory1 is exported to client2 as read-write.
client2 is not included in the export for /gpfs/filesystem1/directory1.
Mounting /gpfs/filesystem1/directory1 on client1 works as expected.
Mounting /gpfs/filesystem1/directory1/sub-directory1 on client2 does not work and results in a permission denied.
If I change the protocol from NFSv4 to NFSv3, it works.
There is a section about nested NFS exports in the mmnfs doc:
Creating nested exports (such as /path/to/folder and /path/to/folder/subfolder) is strongly discouraged since this might lead to serious issues in data consistency. Be very cautious when creating and using nested exports.
If there is a need to have nested exports (such as /path/to/folder and /path/to/folder/inside/subfolder), NFSv4 client that mounts the parent (/path/to/folder) export will not be able to see the child export subtree (/path/to/folder/inside/subfolder) unless the same client is explicitly allowed to access the child export as well. This is okay as long as the client uses only NFSv4 mounts.
The Linux kernel NFS server and other NFSv4 servers do not show this behaviour.
Is there a way to bypass this with CES/Ganesha? Or is the only solution to add client2 to /gpfs/filesystem1/directory1?
Regards,
Stefan
--
------------------------------------------------------------------------
Stefan Dietrich Deutsches Elektronen-Synchrotron (IT-Systems)
Ein Forschungszentrum der Helmholtz-Gemeinschaft
Notkestr. 85
phone: +49-40-8998-4696 22607 Hamburg
e-mail: [email protected] Germany
------------------------------------------------------------------------
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
_______________________________________________ gpfsug-discuss mailing list gpfsug-discuss at spectrumscale.org http://gpfsug.org/mailman/listinfo/gpfsug-discuss
