NFS Read Only sharing?

norbert.hanke

I'm trying to set up NFS shares in a way that all systems in my networks get read-only access to a certain directory, while only a few systems get write access. At the same time some other systems get write access to yet another directory.
All directories are on the same filesystem.
All configuration is done via the GUI, and the result is reflected in the /etc/exports file:
# cat /etc/exports
/mnt/mypool/fs1/tools -maproot="backupuser" adminws1.ad.mydomain.ch adminws2.ad.mydomain.ch
/mnt/mypool/fs1/backups -maproot="backupuser" dc1.ad.mydomain.ch dc2.ad.mydomain.ch
/mnt/mypool/fs1/tools -ro -maproot="backupuser" -network 192.168.77.0/24
/mnt/mypool/fs1/tools -ro -maproot="backupuser" -network 192.168.78.0/24


Much to my surprise, the systems that have write access to /mnt/mypool/fs1/backups also have write access to /mnt/mypool/fs1/tools which they should not have.

Is this a bug? Or a limitation of how NFS exporting works?
 

Samuel Tai

Without knowing which subnets dc1 and dc2 occupy, I would guess you'd need to add a line like

/mnt/mypool/fs1/tools -ro -maproot="backupuser" dc1.ad.mydomain.ch dc2.ad.mydomain.ch

to get the behavior you want.
 

norbert.hanke

dc1 and dc2 are in those subnets, so they should be covered by the existing -ro export.
Trying to add one more ro export for exactly these two systems results in two messages on the GUI:
Another NFS share already exports this dataset for this host
Another NFS share already exports this dataset for this host

The two exported directories are in the same dataset and this sounds like the export is on the dataset level. That means the two existing exports are already in conflict with each other?

Expressed differently: giving write-access to one part of an exported dataset gives write-access to anywhere.

I solved it by making /mnt/mypool/fs1/backups a separate dataset and now it works as expected.
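
A check for the situation described in this thread, as an added example that is not part of the original posts or of TrueNAS: it parses export lines in the format shown above and reports every client that is granted write access to one directory and read-only access to another directory on the same filesystem. The mount-point list and the host addresses are assumptions made for the example; the export lines are copied from the first post.

```python
import ipaddress
import shlex
from collections import defaultdict

# Constructed input: the four export lines quoted in the first post.
EXPORTS = '''\
/mnt/mypool/fs1/tools -maproot="backupuser" adminws1.ad.mydomain.ch adminws2.ad.mydomain.ch
/mnt/mypool/fs1/backups -maproot="backupuser" dc1.ad.mydomain.ch dc2.ad.mydomain.ch
/mnt/mypool/fs1/tools -ro -maproot="backupuser" -network 192.168.77.0/24
/mnt/mypool/fs1/tools -ro -maproot="backupuser" -network 192.168.78.0/24
'''
# Assumptions: fs1 is the only dataset mount point; host addresses are made up.
MOUNTPOINTS = ["/mnt/mypool/fs1"]
HOSTS = {"adminws1.ad.mydomain.ch": "192.168.78.21", "adminws2.ad.mydomain.ch": "192.168.78.22",
         "dc1.ad.mydomain.ch": "192.168.77.10", "dc2.ad.mydomain.ch": "192.168.77.11"}

def parse(text):
    """Yield (path, read_only, clients); a client is a host name or an ip_network."""
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if not tok:
            continue
        ro, clients, i = "-ro" in tok, [], 1
        while i < len(tok):
            if tok[i] == "-network":
                clients.append(ipaddress.ip_network(tok[i + 1]))
                i += 1                      # skip the network argument
            elif not tok[i].startswith("-"):
                clients.append(tok[i])
            i += 1
        yield tok[0], ro, clients

def filesystem_of(path, mountpoints):
    """Longest mount point that contains the exported path."""
    hits = [m for m in mountpoints if path == m or path.startswith(m.rstrip("/") + "/")]
    return max(hits, key=len, default="/")

def mixed_access(text, mountpoints, hosts):
    """Map (filesystem, host) -> (rw_paths, ro_only_paths) where both lists are non-empty."""
    grants = defaultdict(lambda: defaultdict(set))
    for path, ro, clients in parse(text):
        fs = filesystem_of(path, mountpoints)
        for name, addr in hosts.items():
            ip = ipaddress.ip_address(addr)
            if any(c == name or (not isinstance(c, str) and ip in c) for c in clients):
                grants[(fs, name)][path].add("ro" if ro else "rw")
    split = {k: (sorted(p for p, a in v.items() if "rw" in a),
                 sorted(p for p, a in v.items() if "rw" not in a)) for k, v in grants.items()}
    return {k: v for k, v in split.items() if v[0] and v[1]}
```

With `/mnt/mypool/fs1/backups` added to the mount-point list, which models the separate dataset from the last post, the same input produces no findings.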
 