export NFS share with AND without no_root_squash

Printable View

09-04-2009, 12:49 PM
mcr

export NFS share with AND without no_root_squash

Hi!

We have two DSS 5 servers which have to be backuped to an external storage system (IBM Tivoli):

Model: Data Storage Server
Version: 5.0up62.7102.3518 64bit
Release date: 2009-05-26

The NFS shares have therefore to be exported with the no_root_squash option. The goal is to have the no_root_squash option only set for a specific host (which runs the backup client). The workstations (192.168.1.x subnet) shall use root squashing. To do this I tried the following:

One logical volume "lvdss100" with two NAS shares, "home" and "nrs", which export the same directory "/lvdss100/home/", without and with no_root_squash, respectively.

First share: "home"
Path: /lvdss100/home/
[x] Use NFS
Allow access IP: 192.168.0.16/32;192.168.1.0/27
Allow write IP: 192.168.0.16/32;192.168.1.0/27
[ ] No root squash
Squash User: nobody
Squash Group: nogroup

Second share: "nrs"
Path: /lvdss100/home/
[x] Use NFS
Allow access IP: 192.168.0.16/32 <- The backup host.
Allow write IP: 192.168.0.16/32
[x] No root squash
Squash User: nobody <- irrelevant
Squash Group: nogroup <- irrelevant

This does not work, unfortunately. The "nrs" share is mounted properly:
dss1:/share/nrs on /mnt/dss/nrs1 type nfs (rw,acl,rsize=8192,wsize=8192,addr=192.168.4.1)

But "root" does not have root privileges.

To have "no_root_squash" work properly, I also have to check the "No root squash" option for the first share "home". But then all client "root" users have root access to the NFS directories.

If, e.g., the "nrs" mountpoint is changed to a subdirectory of /lvdss100/home/, everything works fine. But this is useless in this context.

Any hint what I did wrong?

Best regards,
-mcr
09-07-2009, 11:08 AM
mcr

workaround: exporting shares with and without no_root_squash

Hi

Finally, I found a workaround how to export a directory via NFS with two different shares, one with and one with no_root_squash:

First share: "home"
Path: /lvdss100/home/
[x] Use NFS
Allow access IP: 192.168.0.16/32;192.168.1.0/27
Allow write IP: 192.168.0.16/32;192.168.1.0/27
[ ] No root squash
Squash User: nobody
Squash Group: nogroup

Second share: "nrs"
Path: /lvdss100/ <- Here the "home" is missing.
[x] Use NFS
Allow access IP: 192.168.0.16/32 <- The backup host.
Allow write IP: 192.168.0.16/32
[x] No root squash

After mounting both shares,
dss1:/share/home on /dss/home1 type nfs (rw,acl,rsize=8192,wsize=8192,addr=192.168.4.1)
dss1:/share/nrs/home on /dss/nrs1 type nfs (rw,acl,rsize=8192,wsize=8192,addr=192.168.4.1)

everything works as expected:
fkt:/dss # touch /dss/home1/test_rw
touch: cannot touch `/dss/home1/test_rw': Permission denied
fkt:/dss # touch /dss/nrs1/test_rw

The only drawback is that the "nrs" share has to be mounted with the additional path fragment "home/", i.e. "dss1:/share/nrs/home" instead of "dss1:/share/nrs".

If someone has a more elegant solution (or can explain why the original straightforward attempt didn't work), please post. I will be able to check alternative concepts for the next days (before the servers go online again).

Best regards,
-mcr
09-08-2009, 01:21 PM
jmo

Quote:

Originally Posted by mcr

Hi
[...]
If someone has a more elegant solution (or can explain why the original straightforward attempt didn't work), please post. I will be able to check alternative concepts for the next days (before the servers go online again).

Best regards,
-mcr

Hi,

I have a strong suspicion why the first attempt won't work: You're using NFS (DSS acts as a NFS server) and NFS does not have the concept of "shares" but that of "export directories" - you were trying to export the same directory twice but the NFS server daemon can only use one set of parameters.

Obviously, either the NFS server only took the first (or last) set of parameters or DSS didn't put the second set into the NFS config file in the first place. Either way DSS should have given at least a warning, IMO.

With regards

Jens
09-10-2009, 10:07 AM
mcr

Hi Jens!

Thanks for your answer:

Quote:

Originally Posted by jmo

I have a strong suspicion why the first attempt won't work: You're using NFS (DSS acts as a NFS server) and NFS does not have the concept of "shares" but that of "export directories" - you were trying to export the same directory twice but the NFS server daemon can only use one set of parameters.

Obviously, either the NFS server only took the first (or last) set of parameters or DSS didn't put the second set into the NFS config file in the first place. Either way DSS should have given at least a warning, IMO.

This sounds very plausible, and was confirmed by the technical support meanwhile. To have this in the forum, I cite their answer:

Quote:

Originally Posted by Technical Support

If two or more shares are pointed to the same path, all will have the same permissions as the first one in /etc/exports. As a workaround it's possible to point the "no_root_squash" share to the higher folder. In this case it will be Logical volume.

This is actually the workaround I used in my post above. Of course, it would be nice to have a per-host configuration of the root_squashing. But mabybe, this would blow up the configuration interface. Nevertheless, I believe that the scenario I ran into should be fairly generic (for external backups, i.e.).

Best regards,
-mcr