I’m running a few Leap and Tumbleweed machines in a FreeIPA domain with
kerberized NFSv4. My problem is that I cannot mount NFSv4.1/4.2 shares that
are exported by Tumbleweed machines unless I declare the export as the NFSv4
root via fsid=0, which is not necessary on Leap.
tumbleweed # cat /proc/fs/nfsd/versions
-2 -3 +4 +4.1 +4.2
tumbleweed # zypper if nfs-kernel-server
...
Version : 2.1.1-3.1
tumbleweed # cat /etc/sysconfig/nfs
...
NFS3_SERVER_SUPPORT="no"
...
NFS4_SUPPORT="yes"
...
NFS_SECURITY_GSS="yes"
tumbleweed # cat /etc/nfs.conf
...
vers4.1=yes
vers4.2=yes
...
tumbleweed # cat /etc/exports
# cat /etc/exports
/export/test *.mydomain.com(rw,root_squash,sync,no_subtree_check,sec=krb5p)
/export/test 127.0.0.1(rw,root_squash,sync,no_subtree_check,sec=krb5p)
tumbleweed # exportfs -v
/export/test 127.0.0.1(rw,sync,wdelay,hide,no_subtree_check,sec=krb5p,secure,root_squash,no_all_squash)
/export/test *.mydomain.com(rw,sync,wdelay,hide,no_subtree_check,sec=krb5p,secure,root_squash,no_all_squash)
tumbleweed # mount -v -t nfs4 -o minorversion=2 127.0.0.2:/export/test /mnt
mount.nfs4: timeout set for Tue Oct 10 16:12:55 2017
mount.nfs4: trying text-based options 'minorversion=2,proto=tcp,vers=4,addr=127.0.0.2,clientaddr=127.0.0.1'
mount.nfs4: mount(2): Operation not permitted
tumbleweed # mount -v -t nfs4 127.0.0.2:/export/test /mnt
mount.nfs4: timeout set for Tue Oct 10 16:14:29 2017
mount.nfs4: trying text-based options 'proto=tcp,vers=4,addr=127.0.0.2,clientaddr=127.0.0.1'
tumbleweed # mount | grep nfs
nfsd on /proc/fs/nfsd type nfsd (rw,relatime)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
127.0.0.2:/export/test on /mnt type nfs4 (rw,relatime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=127.0.0.1,local_lock=none,addr=127.0.0.2)
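Enabling NFS client debug output and looking up the failed minorversion=2
mount attempt in journalctl gave me a hint that it is related to the file
system root: the getcaps/getattr calls on the root fail with error 1
(presumably EPERM, which would match the “Operation not permitted” that
mount reports).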
tumbleweed # rpcdebug -m nfs all
NFS: nfs mount opts='minorversion=2,proto=tcp,vers=4,addr=127.0.0.2,clientaddr=127.0.0.1'
NFS: parsing nfs mount option 'minorversion=2'
NFS: parsing nfs mount option 'proto=tcp'
NFS: parsing nfs mount option 'vers=4'
NFS: parsing nfs mount option 'addr=127.0.0.2'
NFS: parsing nfs mount option 'clientaddr=127.0.0.1'
NFS: MNTPATH: '/export/test'
...
nfs4_get_root: getcaps error = 1
nfs_get_root: getattr error = 1
<-- nfs_xdev_mount() = -1
NFS: dentry_delete(/test, 32008c)
NFS: dentry_delete(/export, 32008c)
<-- nfs4_try_mount() = -1 [error]
...
I also looked into the nfsd debug output, but there was only one line that
looked suspicious.
tumbleweed # rpcdebug -m nfsd all
...
NFSD: warning: no callback path to client Linux NFSv4.2 tumbleweed: error -22
...
So I changed the export options to
tumbleweed # cat /etc/exports
/export/test -rw,root_squash,sync,no_subtree_check,sec=krb5p,fsid=0 127.0.0.1 *.mydomain.com
tumbleweed # exportfs -v
/export/test 127.0.0.1(rw,sync,wdelay,hide,no_subtree_check,fsid=0,sec=krb5p,secure,root_squash,no_all_squash)
/export/test *.mydomain.com(rw,sync,wdelay,hide,no_subtree_check,fsid=0,sec=krb5p,secure,root_squash,no_all_squash)
and it works when mounting “/”
tumbleweed # mount -v -t nfs4 -o minorversion=2 127.0.0.2:/ /mnt
mount.nfs4: timeout set for Wed Oct 11 13:15:15 2017
mount.nfs4: trying text-based options 'minorversion=2,proto=tcp,vers=4,addr=127.0.0.2,clientaddr=127.0.0.1'
tumbleweed # mount | grep nfs
nfsd on /proc/fs/nfsd type nfsd (rw,relatime)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
127.0.0.2:/ on /mnt type nfs4 (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=127.0.0.1,local_lock=none,addr=127.0.0.2)
On a Leap 42.3 machine, “it just works”.
leap # cat /proc/fs/nfsd/versions
-2 -3 +4 +4.1 +4.2
leap # zypper if nfs-kernel-server
...
Version : 1.3.0-28.1
...
leap # cat /etc/sysconfig/nfs
...
NFS_SECURITY_GSS="yes"
...
NFS3_SERVER_SUPPORT="no"
...
NFS4_SUPPORT="yes"
...
NFS4_SERVER_MINOR_VERSION="2"
...
leap # cat /etc/exports
/export/shared *.mydomain.com(ro,root_squash,sync,no_subtree_check,sec=krb5p)
leap # exportfs -v
/export/shared *.mydomain.com(rw,wdelay,root_squash,no_subtree_check,sec=krb5p,rw,secure,root_squash,no_all_squash)
Mounting the Leap share on Tumbleweed works with minorversion=2 and without fsid=0 on the export:
tumbleweed # mount -t nfs4 -o minorversion=2 leap.mydomain.com:/export/shared /mnt
mount.nfs4: timeout set for Tue Oct 10 16:21:54 2017
mount.nfs4: trying text-based options 'minorversion=2,proto=tcp,vers=4,addr=xxx.xxx.xxx.xxx,clientaddr=xxx.xxx.xxx.xxx'
tumbleweed # mount | grep nfs
nfsd on /proc/fs/nfsd type nfsd (rw,relatime)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
leap.mydomain.com:/export/shared on /mnt type nfs4 (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=xxx.xxx.xxx.xxx,local_lock=none,addr=xxx.xxx.xxx.xxx)
(The rw in the mount output only reflects the client-side mount options; the share is exported ro in /etc/exports, so it’s actually not possible to write.)
Why is the need for fsid=0 so inconsistent? On Leap it’s not needed at all;
on Tumbleweed it’s required for NFSv4.1 and 4.2, while a mount without
minorversion succeeds but ends up at vers=4.0. Is there some option in the
newer nfs-kernel-server version that I’m missing?