NFSv4 has been around for a long time but it still seems a bit foreign to me. The following is a quick rundown of things I recent learned related to NFSv4 from limited experience in implementing it.
Is it possible to setup NFSv4 along side NFSv3 on the same server, serving the same volumes? Of course. However, it might not always work exactly as expected with legacy clients.
/etc/exports for NFSv3/v4 interoperability might look like so:
/export 10.0.0.0/8(rw,no_subtree_check,fsid=0) /export/namespace 10.0.0.0/8(rw,no_subtree_check) /export/namespace/share1 10.0.0.0/8(rw,no_subtree_check) /export/namespace/share2 10.0.0.0/8(rw,no_subtree_check)
With this configuration, we have the “virtual root” export (
fsid=0), the namespace export (for mounting the whole namespace with one mount) and the individual “share” exports (for mounting individual shares, most likely with automount). The NFSv4 clients can perform mounts using the
servername:/namepace syntax and the NFSv3 clients can mount the whole root, namepace or individual “shares” with
All is well in the NFS world… or so it seems at first. It turns out that an older SunOS does not entirely like how this RHEL 6 NFS server is exporting the file systems:
hostname% cd /namespace
share1 Â Â share2 Â Â share3 Â Â share4
ubcpetnxi% cd share1
Notice the final line. I was just in
/namespace then I changed into
pwd tells me the path is only
/share1. I was expecting
/namespace/share1. It looks to me like the SunOS NFS client is not behaving well with how the NFS server exporting the file systems and/or how the bind mounts are setup locally on the server to map the storage into the NFSv4 “virtual root”.
Please leave a comment to if you know of a different
/etc/exports and/or mount configuration that would alleviate the SunOS NFS client issues noted here!
Access Control Lists
NFSv4 defines a model for Access Control Lists (ACLs) that has similarities to that of Microsoft’s NTFS. But don’t worry about interoperability: NFSv4 translates your existing “POSIX” ACLs on ext3,ext4,xfs,etc. to NFSv4 ACLs automatically.
The main gotcha with exporting a filesystem with “POSIX” ACLs with the NFSv4 server is that the normal
setfacl tools don’t seem to work on the NFS client side! Because the NFSv4 server only presents the translated NFSv4 ACLs to the clients, the
nfs4-progs package must be installed and the
nfs4_setfacl commands used instead to view and manipulate the ACLs on NFSv4 clients.
Also, the little
+ at the end of the
rwxrwxrwx permissions listing you can see with some variant of
ls -l, the symbol that normally indicates the presence of an ACL, it simply doesn’t appear on a (Linux?) NFSv4 mount where ACLs exist. Sadness.
Automount on RHEL 6 (and clones) appears to have a bug related to bind mounts. NFSv4 exports cannot (trivially?) be mounted locally on the NFSv4 server on itself with bind mounts as is possible with NFSv3 (or lower) exports. I have read that this inability is due to the “virtual root” abstraction that NFSv4 employs. Instead, automount should be performing true NFSv4 mounts when operating locally on the server… but it doesn’t do that on CentOS 6 (and in my experience RHEL 6):
The workaround is to specify
port=2049 in the NFS mount options of the automount map in use (where 2049 is the port the NFS server is listening on). This appears to cause automount to immediately attempt an NFS mount, bypassing the (failing) attempt at a bind mount.