On Thu, Feb 10, 2011 at 02:47:00AM +0100, Asdo wrote:
> Hello,
> it's not clear to me how I can allow different access to different
> machines in NFSv4.
> Because nfsv4 needs a root export with fsid=0, and all other mounts
> should be below that.
>
> However, if the line with fsid=0 is not mountable to all nodes, also the
> mounts below it will fail.
> And if the line with fsid=0 is mountable to all nodes, all further lines
> can provide no additional security!
>
> Example; this is my current export:
>
> /virtual_machines/kvm/export
> 10.48.0.0/24(rw,no_root_squash,async,subtree_check,fsid=0)
> /virtual_machines/kvm/export/hwnode1
> 10.48.0.10(rw,no_root_squash,async,subtree_check)
> /virtual_machines/kvm/export/hwnode2
> 10.48.0.11(rw,no_root_squash,async,subtree_check)
>
> I have two hardware nodes for virtual machines. Ideally each one of them
> should be able to mount only its subdirectory, but the export shown
> above is the only working one I could create.
> However with the above export file the root user on hwnode1 can directly
> mount /virtual_machines/kvm/export and see everything, even the files
> that were for hwnode2 only.
> OTOH if I set my fsid=0 line so that it's not mountable (e.g. changing
> the IP or netmask), all lines below it stop working.

Recent distros allow you to specify NFSv4 exports as you do NFSv2/v3
exports, without the need for the explicit fsid=0 export. I think that
will eliminate the problem you're seeing.

However, I'd strongly recommend against use of subtree_check, which can
cause unnecessary ESTALE's when files are renamed.

It would be better to put hwnode1 and hwnode2 on different filesystems.

--b.

>
> How should I do?
>
> Thanks for your help
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
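As an added example (not part of this thread), a small Python checker over a constructed copy of the exports file quoted above: it lists which paths each client may mount and flags an fsid=0 root whose client list is wider than the per-host exports beneath it, which is the exposure Asdo describes; the fsid=0-free, per-host-only variant that newer servers accept (with subtree_check dropped, as the reply recommends) yields no finding. Function and constant names are mine.

```python
import ipaddress

# Constructed copy of the exports file quoted in the thread.
EXPORTS = """\
/virtual_machines/kvm/export 10.48.0.0/24(rw,no_root_squash,async,subtree_check,fsid=0)
/virtual_machines/kvm/export/hwnode1 10.48.0.10(rw,no_root_squash,async,subtree_check)
/virtual_machines/kvm/export/hwnode2 10.48.0.11(rw,no_root_squash,async,subtree_check)
"""

# Constructed per-host-only variant for a server that no longer needs fsid=0
# (subtree_check dropped as well, as the reply recommends).
EXPORTS_FIXED = """\
/virtual_machines/kvm/export/hwnode1 10.48.0.10(rw,no_root_squash,async)
/virtual_machines/kvm/export/hwnode2 10.48.0.11(rw,no_root_squash,async)
"""

def parse_exports(text):
    """Parse exports lines into (path, client_network, option_set) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:  # one path may list several host(options)
            host, _, opts = client.partition("(")
            options = set(filter(None, opts.rstrip(")").split(",")))
            net = ipaddress.ip_network(host, strict=False)  # bare host -> /32
            entries.append((path, net, options))
    return entries

def mountable_by(entries, client_ip):
    """Export paths the given client address is allowed to mount."""
    ip = ipaddress.ip_address(client_ip)
    return sorted({path for path, net, _ in entries if ip in net})

def overexposed_roots(entries):
    """fsid=0 roots whose client list is wider than an export beneath them.
    A client the root admits but the child does not can still reach the
    child's files through the root mount, so the child's ACL adds nothing."""
    findings = []
    for path, net, options in entries:
        if "fsid=0" not in options:
            continue
        for child, child_net, _ in entries:
            if (child.startswith(path + "/") and child_net != net
                    and child_net.subnet_of(net)):
                findings.append((path, str(net), child, str(child_net)))
    return findings
```

Run it against your real /etc/exports to see, per client address, which paths the server will hand out; an empty result from overexposed_roots means every per-host line actually restricts something.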