nfs share missing important functionality

[peterh]

I just discovered that NFS exports is far to simple for corporate use.
In the "sharing/nfs" menu a single field is used to describe
"Authorized network or IP addresses".
There is two problems with this :
1/ not all hosts that may mount a nfs volume might be allowed -maproot=
2/ there is often a need to enter several networks/hosts each with it's own netmask

According to the documentation a "comma separated list" is allowed here, but i don't
even succeed with this. The only possibility to export a filesystem to several nets
is to leave the "Authorized network or IP address" empty, which gives away everyting to everyone.

My wish is :
1/ allow one net/mask per line ( mung to correct /etc/exports behind the curtains)
2/ make a separate box for -maproot where the user to map root may be expressed per filesystem

[peterh]

A very quick "fix" could be :
allow one to create a filesystem /mnt/pool/etc where one could store "extended configs" outside of the memory stick,
then create, on a case by case, links so normal commands would access these files.

For the export problem one could create a normal exports file with all the (endless possibilities) and have
/etc/zfs/exports ( yes it's there, it's not used and empty) be a softlink to said file.
All the gui would need to do is create said softlink and i and my fellow un*x admins could edit out familiar
exports file as we always has.

This could be repeated for other subsystems where extensions of the gui is wanted.
( thinking of swap definitions, another subject i have been questioning)

[jpaetzel]

The FreeBSD mountd will only accept one network per filesystem, as well as one maproot per filesystem. You can enter multiple IPs for a share, but only one network.

In addition you cannot have different restrictions in a filesystem path. For instance you cannot do:

/mnt/a -network 10.0.0.0/24 -maproot=0:0
/mnt/a -network 192.168.0.0/24 -maproot=1000:1000

[gcooper]

I think he was referring to what I stumbled across in ticket 634 -- in part.

[peterh]

freebsd mountd will happily export a filesystem to many networks :
/arkiv3 -network 192.168.99.0/24
/arkiv3 -network 131.97.50.0/23
/arkiv3 -network 172.28.0.0/16 -maproot=root
will be seen with showmount as:
bore# showmount -e bore
Exports list on bore:
/var/spool/sfs/root localhost
/home Everyone
/arkiv3 192.168.99.0 131.97.50.0 172.28.0.0

man 5 exports for details..

[jpaetzel]

Ah, I see what you are saying. Just create three separate shares with the different restrictions you need.

[peterh]

Don't ask me to do silly workarounds please. Why should i in a changing environmet
ask my admins to create n* copies of a share ( and create even more whenever a new
host/network accesses this share ) when one copy is all i need ?

Creating multiple shares for the same filesystems is a disaster for managemet nightmare !

The gui does'nt even works as documented, when fixing that one could take the
opportunity to create a real useful one. Such as defining export list and export
with maproot as separate items.

[jpaetzel]

I'm not asking anyone to do anything. The current GUI treats each UNIX "share" as a line in /etc/exports. You can exploit that to do what you need or not. As far as I am aware the GUI does indeed work as documented.

The main issue with redoing the GUI (which needs to be done, but probably won't happen until Q2 2012) is the rules are slightly different between filesystems and subdirectories, the former are handled by mountd, the latter by nfsd. Also the man page for exports is a couple versions of mountd out of date, and it will be another generation out of date once the new NFS v4 code trickles in, so figuring out what can or can't be done is not quite as simple as reading the man page.

[peterh]

ok, thanks for the answer.
This will prevent use of freenas at one corporate site, i'll try to introduce freebsd instead.

[PFudd]

I'm bumping against nfs multiple subnet limitations also. In particular, when I enter this:

10.10.10.0/24 = works

10.10.10.0/24 192.168.1.0/24 = The IP '10.10.10.0/24' is not valid

10.10.10.0/24
192.168.1.0/24 = The IP '10.10.10.0/24' is not valid

10.10.10.0/24,192.168.1.0/24 = The field is a not a valid IP address or network

10.10.10.2 192.168.1.14 = it works!

So, the data validation for this field isn't working correctly; netmasks don't parse correctly when there are more than one.

[PFudd]

Unfortunately, 10.10.10.0 != 10.10.10.0/24, so that's not a workaround.

[gcooper]

@PFudd: I have another bug opened for the validation issues: http://support.freenas.org/ticket/634 . Please add the items you find there.

[william]

@PFudd

It is not correct to say the validation doesnt work... it just follow /etc/exports limitation

Or you use ONE subnet or a list o IPs, you cannot mix them...

[gcooper]

@PFudd: The issue that peterh described and the one you're describing are in the same ballpark, but not the same issue.

[PFudd]

It's baffling that a program (nfsd) can understand netmasks, and can understand multiple ip addresses, but can't understand multiple netmasks.

Is the Freenas team allowed to modify nfsd, or does that open a ton of maintenance issues that you can't afford to have?

[peterh]

nfsd has nothing to do with /etc/exports - it mountd that is reading this.
And mountd has no problems with netmasks just read the manpage.

My view is that allowing a hierarkial "exports" tab where the first part
is simular to the current ( describing which filesystem to export) the followed
by 0 to many descriptions of hosts / nets that are allowed to mount the filesystem.

( note that the notation "share" is a misnomer, it's a filesystem that is exported. The
combination might be called "share" if you are inclined that way :-)

[william]

@peterh, yes, mountd has problems with netmasks... (note the plural)

Check: ​http://www.freebsd.org/cgi/man.cgi?query=exports&sektion=5&apropos=0
Or you specify one netmask or a list of IP addresses, one or another, not both...

[peterh]

Well, reading manpages and understanding them is two different things.

The following two lines in /etc/exports:
/arkiv4 -network 192.160.1.0/24
/arkiv4 -network 128.16.0.0/16

will be exported as shown by showmount -e :
bore# showmount -e
Exports list on localhost:
/var/spool/sfs/root localhost
/home Everyone
/arkiv4 Everyone
/arkiv3 192.168.99.0 131.97.50.0 172.28.0.0

mountd has no problems with netmasks. Just don't put them on the same line!

[peterh]

sorry ( how do i edit this ?))
exports reads :
/arkiv3 -network 192.168.99.0/24
/arkiv3 -network 131.97.50.0/23
/arkiv3 -network 172.28.0.0/16 -maproot=root

showmount -e shows :
/arkiv3 192.168.99.0 131.97.50.0 172.28.0.0

[william]

In any moment whatsoever I've stated you cannot have two lines in /etc/exports that is worth for the same filesystem...

I just stated the one line at /etc/exports is equivalent to one "nfs share" in the GUI, which for me seems the right behavior compared to what the OS gives us...

Patches are very welcome as you claim this is a super big missing feature and will prevent freenas at corporative use, otherwise i think it is ok to leave it as a low priority ticket...

[peterh]

You can have several lines in /etc/exports . Look in the example in exports(5) there
is several !
And my example above is a real living ( and working ) filesystem with a real live and
working exports with real and live clients. Come to sweden and i'll show you in real life!

I do not know where you have got the idea that only one line per filesystem is allowed in /etc/exports, but its wrong. Sorry.

[william]

Can you read english at all? Thats not what I'm saying, for god sake, take a time to read carefully!! Google translator is not as good as you think!

[peterh]

mountd happlily accepts several lines in /etc/exports in the above ( and manpage examples), the
effect will be several "exports"in nfs parleance.
The freenas GUI will not allow this - thats the problem.

Your comment "In any moment whatsoever I've stated you cannot have two lines in /etc/exports that is worth for the same filesystem..." makes me belive that you don't know the syntax of /etc/exports. Contrary to this comments can you have two lines in /etc/exports reffering to the save filesystem ( and with different nets )
Are we mis-understanding each other ? In that case i'm sorry( english is not my native language)

[william]

Yes we are definitely misunderstanding each other.
I've _never_ said /etc/exports does _NOT_ accept several lines in /etc/exports for the same path/filesystem.

Either way, I'm leaving this thread, my point was not argue with you, just explain how/why it is like it is.

[gcooper]

Just to be clear:

The way things were done originally in 8.0.x were done for the sake of simplicity, but as several folks have pointed out here (including William) there is a gap where the simplistic assumption that there's a 1:1 mapping between filesystem and all applicable shares. That is the first part that can and should be enhanced (and william agrees in comment # 22).

There are other things to watch out for though because there's a limit on how many filesystems can be mounted in FreeBSD via mountd (I can't find the limiting factor right now, but I vaguely remember there being one somewhere in sys/nfs*, etc).

[peterh]

Ok, we agree on this, mountd accepts several nets and masks. freenas GUI does not. And i reiterate THIS IS THE PROBLEM.
My humble request is "fix the GUI".

[william]

r12243