Exporting NFSv4.1/4.2 shares on Tumbleweed vs Leap and fsid=0

I’m running a few Leap and Tumbleweed machines in a freeIPA domain with
kerberized NFSv4. My problem is that I cannot mount NFSv4.1/4.2 shares that
are exported by Tumbleweed machines unless I specify a root via fsid=0, which
is not necessary on Leap.


tumbleweed # cat /proc/fs/nfsd/versions
-2 -3 +4 +4.1 +4.2

tumbleweed # zypper if nfs-kernel-server
...
Version        : 2.1.1-3.1

tumbleweed # cat /etc/sysconfig/nfs
...
NFS3_SERVER_SUPPORT="no"
...
NFS4_SUPPORT="yes"
...
NFS_SECURITY_GSS="yes"

tumbleweed # cat /etc/nfs.conf
...
vers4.1=yes
vers4.2=yes
...

tumbleweed # cat /etc/exports
# cat /etc/exports
/export/test    *.mydomain.com(rw,root_squash,sync,no_subtree_check,sec=krb5p)
/export/test    127.0.0.1(rw,root_squash,sync,no_subtree_check,sec=krb5p)

tumbleweed # exportfs -v
/export/test    127.0.0.1(rw,sync,wdelay,hide,no_subtree_check,sec=krb5p,secure,root_squash,no_all_squash)
/export/test    *.mydomain.com(rw,sync,wdelay,hide,no_subtree_check,sec=krb5p,secure,root_squash,no_all_squash)

tumbleweed # mount -v -t nfs4 -o minorversion=2 127.0.0.2:/export/test /mnt
mount.nfs4: timeout set for Tue Oct 10 16:12:55 2017
mount.nfs4: trying text-based options 'minorversion=2,proto=tcp,vers=4,addr=127.0.0.2,clientaddr=127.0.0.1'
mount.nfs4: mount(2): Operation not permitted

tumbleweed # mount -v -t nfs4 127.0.0.2:/export/test /mnt
mount.nfs4: timeout set for Tue Oct 10 16:14:29 2017
mount.nfs4: trying text-based options 'proto=tcp,vers=4,addr=127.0.0.2,clientaddr=127.0.0.1'

tumbleweed # mount | grep nfs
nfsd on /proc/fs/nfsd type nfsd (rw,relatime)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
127.0.0.2:/export/test on /mnt type nfs4 (rw,relatime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=127.0.0.1,local_lock=none,addr=127.0.0.2)

Enabling debug output and looking up a mount attempt in journalctl gave me a
hint that it is related to the file system root.


tumbleweed # rpcdebug -m nfs all


NFS: nfs mount opts='minorversion=2,proto=tcp,vers=4,addr=127.0.0.2,clientaddr=127.0.0.1'
NFS:   parsing nfs mount option 'minorversion=2'
NFS:   parsing nfs mount option 'proto=tcp'
NFS:   parsing nfs mount option 'vers=4'
NFS:   parsing nfs mount option 'addr=127.0.0.2'
NFS:   parsing nfs mount option 'clientaddr=127.0.0.1'
NFS: MNTPATH: '/export/test'
...
nfs4_get_root: getcaps error = 1
nfs_get_root: getattr error = 1
<-- nfs_xdev_mount() = -1
NFS: dentry_delete(/test, 32008c)
NFS: dentry_delete(/export, 32008c)
<-- nfs4_try_mount() = -1 [error]
...

I also looked into the nfsd debug output, but there was only one line that
looked suspicious.


tumbleweed # rpcdebug -m nfsd all


...
NFSD: warning: no callback path to client Linux NFSv4.2 tumbleweed: error -22
...

So I changed the export options to


tumbleweed # cat /etc/exports
/export/test -rw,root_squash,sync,no_subtree_check,sec=krb5p,fsid=0 127.0.0.1 *.mydomain.com

tumbleweed # exportfs -v
/export/test    127.0.0.1(rw,sync,wdelay,hide,no_subtree_check,fsid=0,sec=krb5p,secure,root_squash,no_all_squash)
/export/test    *.mydomain.com(rw,sync,wdelay,hide,no_subtree_check,fsid=0,sec=krb5p,secure,root_squash,no_all_squash)

and it works when mounting “/”


tumbleweed # mount -v -t nfs4 -o minorversion=2 127.0.0.2:/ /mnt
mount.nfs4: timeout set for Wed Oct 11 13:15:15 2017
mount.nfs4: trying text-based options 'minorversion=2,proto=tcp,vers=4,addr=127.0.0.2,clientaddr=127.0.0.1'

tumbleweed # mount | grep nfs
nfsd on /proc/fs/nfsd type nfsd (rw,relatime)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
127.0.0.2:/ on /mnt type nfs4 (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=127.0.0.1,local_lock=none,addr=127.0.0.2)

On a Leap 42.3 machine, “it just works”.


leap # cat /proc/fs/nfsd/versions
-2 -3 +4 +4.1 +4.2

leap # zypper if nfs-kernel-server
...
Version        : 1.3.0-28.1
...

leap # cat /etc/sysconfig/nfs
...
NFS_SECURITY_GSS="yes"
...
NFS3_SERVER_SUPPORT="no"
...
NFS4_SUPPORT="yes"
...
NFS4_SERVER_MINOR_VERSION="2"
...

leap # cat /etc/exports
/export/shared  *.mydomain.com(ro,root_squash,sync,no_subtree_check,sec=krb5p)

leap # exportfs -v
/export/shared    *.mydomain.com(rw,wdelay,root_squash,no_subtree_check,sec=krb5p,rw,secure,root_squash,no_all_squash)

Mounting the Leap share on Tumbleweed.


tumbleweed # mount -t nfs4 -o minorversion=2 leap.mydomain.com:/export/shared /mnt
mount.nfs4: timeout set for Tue Oct 10 16:21:54 2017
mount.nfs4: trying text-based options 'minorversion=2,proto=tcp,vers=4,addr=xxx.xxx.xxx.xxx,clientaddr=xxx.xxx.xxx.xxx'

tumbleweed # mount | grep nfs
nfsd on /proc/fs/nfsd type nfsd (rw,relatime)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
leap.mydomain.com:/export/shared on /mnt type nfs4 (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=xxx.xxx.xxx.xxx,local_lock=none,addr=xxx.xxx.xxx.xxx)

(The rw in mount output is wrong, it’s actually not possible to write.)

Why is the necessity of fsid=0 so inconsistent? On Leap it’s not needed at all,
on Tumbleweed it’s required for NFSv4.1 and 4.2. Is there some option in the
newer nfs-kernel-server version that I’m missing?

Late reply.

I’m still not sure why the difference, but I think that the problem
might be related to the export being located on an LVM volume. According
to man exports:

fsid=num|root|uuid
   NFS needs to be able to identify each filesystem that it exports.
   Normally it will use a UUID for the filesystem (if the filesystem has
   such a thing) or the device number of the device holding the
   filesystem (if the filesystem is stored on the device).

   As not all filesystems are stored on devices, and not all filesystems
   have UUIDs, it is sometimes necessary to explicitly tell NFS how to
   identify a filesystem. This is done with the fsid= option.

   Other filesystems can be identified with a small integer, or a UUID
   which should contain 32 hex digits and arbitrary punctuation.

   Linux kernels version 2.6.20 and earlier do not understand the UUID
   setting so a small integer must be used if an fsid option needs to be
   set for such kernels. Setting both a small number and a UUID is
   supported so the same configuration can be made to work on old and new
   kernels alike.

Though the logical volume does have an LV UUID (according to lvdisplay), so
maybe it’s something else entirely.

My solution for now is to use fsid=1 (I didn’t understand properly the use of
non-zero/-root fsid back in October) for the export in question:


/export/test -rw,root_squash,sync,no_subtree_check,sec=krb5p,fsid=1 127.0.0.1 *.mydomain.com

Any other non-zero fsid (e.g. a UUID in 32 hex digits as written in the man
page) would work as well, but I currently don’t see this needed in my use case.

This allows me to mount the export with the full path


tumbleweed # mount -t nfs4 -o minorversion=2 127.0.0.2:/export/test /mnt
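
Added example, not part of the original posts: a small check that parses both /etc/exports syntaxes used in this thread and compares the declared ro/rw, root_squash, sec= and fsid= options with what `exportfs -v` reports as effective. The sample text is constructed from the listings above, the function names are hypothetical, and it assumes one export per line with no conflicting per-client overrides.

```python
import re
# Constructed samples modelled on the listings in the thread (not live output).
EXPORTS = """\
/export/test -rw,root_squash,sync,no_subtree_check,sec=krb5p,fsid=1 127.0.0.1 *.mydomain.com
/export/shared  *.mydomain.com(ro,root_squash,sync,no_subtree_check,sec=krb5p)
"""
EXPORTFS_V = """\
/export/test    127.0.0.1(rw,sync,wdelay,hide,no_subtree_check,fsid=1,sec=krb5p,secure,root_squash,no_all_squash)
/export/test    *.mydomain.com(rw,sync,wdelay,hide,no_subtree_check,fsid=1,sec=krb5p,secure,root_squash,no_all_squash)
/export/shared  *.mydomain.com(rw,wdelay,root_squash,no_subtree_check,sec=krb5p,rw,secure,root_squash,no_all_squash)
"""
CLIENT = re.compile(r"^([^()]+)\((.*)\)$")
FLAGS = {"ro", "rw", "root_squash", "no_root_squash"}

def parse(text):
    """Return {(path, client): set(options)} from exports(5) or `exportfs -v` text."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *fields = line.split()
        defaults = set()
        for field in fields:
            if field.startswith("-"):      # "-opt,opt": defaults for the clients that follow
                defaults = set(field[1:].split(","))
                continue
            m = CLIENT.match(field)
            client, opts = (m.group(1), set(m.group(2).split(","))) if m else (field, set())
            table[(path, client)] = defaults | opts   # conflicting overrides are not resolved
    return table

def watched(opts):
    # Keep only the options this check compares.
    return {o for o in opts if o in FLAGS or o.startswith(("sec=", "fsid="))}

def audit(declared, effective):
    """Return sorted (path, client, finding) tuples."""
    out = []
    for (path, client), want in declared.items():
        have = watched(effective.get((path, client), set()))
        for opt in sorted(watched(want) - have):
            out.append((path, client, f"declared {opt} but not effective"))
        if not any(o.startswith("fsid=") for o in want):
            out.append((path, client, "no explicit fsid="))
        if "sec=krb5p" not in want:
            out.append((path, client, "sec is not krb5p"))
    return sorted(out)

if __name__ == "__main__":
    for finding in audit(parse(EXPORTS), parse(EXPORTFS_V)):
        print(*finding, sep="  ")
```

To run it against a live server, pass the contents of /etc/exports and the captured output of `exportfs -v` to `parse()` instead of the embedded samples.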