20060327 Monday March 27, 2006
[Open]Solaris and sharing subnets and single machines

While working through [Open]Solaris' NFSv4 pseudo-fs, I got very frustrated trying to share an export to a single host by IP address. I was using syntax I had learned on Data ONTAP and Linux, but my take-away is that the tools available did little to help me zero in on the actual problem: share accepted every access list I gave it, showmount echoed it back, and only a mount attempt from the client revealed that nothing matched.

Reading the companion piece will make some of the dialog flow better.

The original set of shares was:

[tdh@wont isos]> share
-               /export/zfs   rw   ""
-               /export/zfs/nfsv2   rw   ""
-               /export/zfs/nfsv3   rw   ""
-               /export/zfs/tdh   rw   ""
-               /zoo/isos/mnt/freebsd/d2   rw   ""
-               /zoo/isos/mnt/Fedora/dvd   ro   ""
-               /export/zfs/nfsv4   rw   ""
-               /export/zfs/spud   rw   ""
-               /export/zfs/haynest   rw   ""
-               /export/zfs/coach   rw   ""
-               /export/zfs/loghyr   rw   ""
-               /export/zfs/mrx   rw   ""
-               /export/zfs/thomas   rw   ""

And I wanted to add a simple share of /zoo/isos restricted to just one machine, starting with its subnet:

[tdh@wont isos]> sudo share -F nfs -o rw=192.168.3.0/24 -d "For kanigix only" /zoo/isos

And try to get back in there:

[tdh@kanigix ~]> sudo umount -f /net/wont/zoo/isos
[tdh@kanigix ~]> cd /net/wont
[tdh@kanigix wont]> ls -la
total 4
dr-xr-xr-x   3 root     root           3 Mar 27 15:14 .
dr-xr-xr-x   2 root     root           2 Mar 27 15:14 ..
dr-xr-xr-x   1 root     root           1 Mar 27 15:14 export
dr-xr-xr-x   2 root     root           2 Mar 27 15:14 zoo
[tdh@kanigix wont]> cd zoo
[tdh@kanigix zoo]> ls -la
total 3
dr-xr-xr-x   2 root     root           2 Mar 27 15:14 .
dr-xr-xr-x   3 root     root           3 Mar 27 15:14 ..
dr-xr-xr-x   1 root     root           1 Mar 27 15:14 isos
[tdh@kanigix zoo]> cd isos/
isos/: I/O error.

Okay, the I/O error is the 10% packet drop I have configured for NFS traffic on my firewall. But an explicit mount succeeds, and it shows only mnt, the path down to the /zoo/isos/mnt/... sub-shares:

[tdh@kanigix zoo]> sudo mount wont:/zoo/isos /mnt
[tdh@kanigix zoo]> ls -la /mnt
total 7
drwxr-xr-x  10 tdh      sys           10 Mar 27 14:52 .
drwxr-xr-x  26 root     root         512 Mar 27 13:27 ..
drwxr-xr-x   4 tdh      staff          4 Mar 22 21:30 mnt

Let's relax the share even further, to rw for every client (purely as a diagnostic step; this is not a setting to leave in place):

[tdh@wont isos]> sudo share -F nfs -o rw -d "For kanigix only" /zoo/isos

And try again:

[tdh@kanigix ~]> sudo umount /mnt
[tdh@kanigix ~]> sudo mount wont:/zoo/isos /mnt
[tdh@kanigix ~]> ls -la /mnt
total 21
drwxr-xr-x  10 tdh      sys           10 Mar 27 14:52 .
drwxr-xr-x  26 root     root         512 Mar 27 13:27 ..
dr-xr-xr-x   3 root     root           3 Mar 27 15:22 .zfs
drwxr-xr-x   3 tdh      staff          3 Mar 22 17:01 Fedora
drwxr-xr-x   2 tdh      staff          4 Mar 21 21:29 FreeBSD
drwxr-xr-x   3 tdh      staff          3 Mar 22 11:35 bfus
drwxr-xr-x   2 root     root           3 Mar 21 16:16 dontcare
drwxr-xr-x   2 tdh      staff          2 Mar 27 14:52 foo
drwxr-xr-x   4 tdh      staff          4 Mar 22 21:30 mnt
drwxr-xr-x   2 root     root           4 Mar 21 16:28 sparc
drwxr-xr-x   2 root     root           6 Mar 21 20:57 x86

What is going on here? Let's take the NFSv4 pseudo-fs out of the picture by forcing NFSv3:

[tdh@kanigix ~]> sudo mount -o vers=3 wont:/zoo/isos /mnt
nfs mount: wont:/zoo/isos: Permission denied
[tdh@kanigix ~]> snoop -i k2m3.snoop
  1   0.00000      kanigix -> wont.internal.excfb.com PORTMAP C GETPORT prog=100005 (MOUNT) vers=3 proto=UDP
  2   0.00054 wont.internal.excfb.com -> kanigix      PORTMAP R GETPORT port=51896
  3   0.00029      kanigix -> wont.internal.excfb.com MOUNT3 C Null
  4   0.00029 wont.internal.excfb.com -> kanigix      MOUNT3 R Null
  5   0.00101      kanigix -> wont.internal.excfb.com MOUNT3 C Mount /zoo/isos
  6   0.00045 wont.internal.excfb.com -> kanigix      MOUNT3 R Mount Permission denied

So the refusal comes from the MOUNT protocol, i.e. from mountd on the server. Let's look at a snoop trace taken on the server:

[tdh@wont ~]> snoop -i k2w3.snoop
  1   0.00000 kanigix.internal.excfb.com -> wont         PORTMAP C GETPORT prog=100005 (MOUNT) vers=3 proto=UDP
  2   0.00032         wont -> kanigix.internal.excfb.com PORTMAP R GETPORT port=51896
  3   0.00050 kanigix.internal.excfb.com -> wont         MOUNT3 C Null
  4   0.00011         wont -> kanigix.internal.excfb.com MOUNT3 R Null
  5   0.00123 kanigix.internal.excfb.com -> wont         MOUNT3 C Mount /zoo/isos
  6   0.00080         wont -> kanigix.internal.excfb.com MOUNT3 R Mount Permission denied
[tdh@wont ~]> host kanigix.internal.excfb.com
kanigix.internal.excfb.com has address 192.168.3.109
[tdh@wont ~]> share | grep isos
-               /zoo/isos/mnt/freebsd/d2   rw   ""
-               /zoo/isos/mnt/Fedora/dvd   ro   ""
-               /zoo/isos   rw=192.168.3.0/24   "For kanigix only"

Let's try the following share, naming the client by its fully qualified hostname instead of by address:

[tdh@wont isos]> sudo share -F nfs -o rw=kanigix.internal.excfb.com -d "For kanigix only" /zoo/isos

And we get:

[tdh@kanigix ~]> sudo mount -o vers=3 wont:/zoo/isos /mnt
[tdh@kanigix ~]> ls -la /mnt
total 21
drwxr-xr-x  10 tdh      sys           10 Mar 27 14:52 .
drwxr-xr-x  26 root     root         512 Mar 27 13:27 ..
dr-xr-xr-x   3 root     root           3 Mar 27 15:31 .zfs
drwxr-xr-x   3 tdh      staff          3 Mar 22 17:01 Fedora
drwxr-xr-x   2 tdh      staff          4 Mar 21 21:29 FreeBSD
drwxr-xr-x   3 tdh      staff          3 Mar 22 11:35 bfus
drwxr-xr-x   2 root     root           3 Mar 21 16:16 dontcare
drwxr-xr-x   2 tdh      staff          2 Mar 27 14:52 foo
drwxr-xr-x   4 tdh      staff          4 Mar 22 21:30 mnt
drwxr-xr-x   2 root     root           4 Mar 21 16:28 sparc
drwxr-xr-x   2 root     root           6 Mar 21 20:57 x86

Okay, so the hostname form works but the dotted forms do not. Reading share_nfs(1M), the man page says this about network entries in an access list:

     network                 The network or subnet component is preceded by an
                             at-sign (@). It can be either a name or a dotted
                             address. If a name, it is converted to a dotted
                             address by getnetbyname(3SOCKET). For example,

                                 =@mynet

                             would be equivalent to:

                                 =@172.16 or =@172.16.0.0

Does the '@' sign work for the subnet?

[tdh@wont isos]> sudo share -F nfs -o rw=@192.168.3.0/24 -d "For kanigix only" /zoo/isos

Yes. How about just the one IP:

[tdh@wont isos]> sudo share -F nfs -o rw=@192.168.3.109 -d "For kanigix only" /zoo/isos

No:

[tdh@kanigix ~]> sudo mount -o vers=3 wont:/zoo/isos /mnt
nfs mount: wont:/zoo/isos: Permission denied

Can we get tricky?

[tdh@wont isos]> sudo share -F nfs -o rw=@192.168.3.109/32 -d "For kanigix only" /zoo/isos

Which works.

And we can go back and show that it also works for NFSv4.

Summary

All of the tools, share and showmount, gave me output which indicated that everything was hunky-dory:

[tdh@wont isos]> sudo share -F nfs -o rw=192.168.3.0/24 -d "For kanigix only" /zoo/isos
[tdh@wont isos]> share | grep kanigix
-               /zoo/isos   rw=192.168.3.0/24   "For kanigix only"
[tdh@wont isos]> sudo share -F nfs -o rw=192.168.3.109 -d "For kanigix only" /zoo/isos
[tdh@wont isos]> share | grep kanigix
-               /zoo/isos   rw=192.168.3.109   "For kanigix only"
[tdh@wont isos]> sudo share -F nfs -o rw=@192.168.3.109 -d "For kanigix only" /zoo/isos
[tdh@wont isos]> share | grep kanigix
-               /zoo/isos   rw=@192.168.3.109   "For kanigix only"
[tdh@wont isos]> sudo share -F nfs -o rw=@192.168.3.109/32 -d "For kanigix only" /zoo/isos
[tdh@wont isos]> share | grep kanigix
-               /zoo/isos   rw=@192.168.3.109/32   "For kanigix only"

And on the client:

[tdh@kanigix isos]> showmount -e wont | grep "/zoo/isos"
/zoo/isos                192.168.3.0/24
[tdh@kanigix isos]> showmount -e wont | grep "/zoo/isos"
/zoo/isos                192.168.3.109
[tdh@kanigix isos]> showmount -e wont | grep "/zoo/isos"
/zoo/isos                @192.168.3.109
[tdh@kanigix isos]> showmount -e wont | grep "/zoo/isos"
/zoo/isos                @192.168.3.109/32

The '@' symbol is not in any published standard; Data ONTAP, for example, uses it to denote netgroups. But even the first two outputs read to me like the machine 192.168.3.109 is allowed access. In reality, it is the host with the name '192.168.3.109', or the netgroup with the name '192.168.3.109', which is allowed access, and since neither exists, nothing matches. Also, having to add '/32' to mean a single machine is not intuitive. One more thing worth keeping in mind: the hostname form worked because mountd resolved the client's address back to kanigix.internal.excfb.com, so a name in an access list is only as trustworthy as the reverse DNS for that client.
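To make the ambiguity concrete, here is an added example (my own code, not from the original post and not Sun's share or mountd code) that lints a share_nfs access list and predicts whether a given client would be granted. It implements the entry types the man page excerpt above describes (host or netgroup name, .domain, @network with an optional mask) and encodes the behaviour observed in this post, namely that a dotted address without '@' is treated as a name and that a full address under '@' needs an explicit /32. The client address, its reverse-DNS name and the five access lists are taken from the post; the first-match-in-list-order rule for negated entries is an assumption of the example.

```python
"""Lint a share_nfs access list and predict whether a client matches it.

Added example, not code from the original post or from Solaris. It models
the entry types as the share_nfs(1M) excerpt above describes them (host or
netgroup name, .domain, @network[/mask]) plus the behaviour the post
observed; it does not run share(1M) or mountd.
"""
import ipaddress
import re

# Constructed sample: the five access lists the post tried, in order.
SAMPLE_LISTS = ["192.168.3.0/24", "kanigix.internal.excfb.com",
                "@192.168.3.0/24", "@192.168.3.109", "@192.168.3.109/32"]

# Dotted address of 1-4 octets with an optional /bits or /dotted mask.
_ADDR_OR_CIDR = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){0,3})(?:/(\d{1,2}|\d{1,3}(?:\.\d{1,3}){3}))?$")


def parse_entry(entry):
    """Classify one entry the way the man page says mountd reads it.

    Returns kind ('host', 'domain', 'network'), negated, value (lower-cased
    name or suffix, or an IPv4Network; None for a full address with no mask,
    which the post found refused) and a list of warnings.
    """
    warnings = []
    negated = entry.startswith("-")
    body = entry[1:] if negated else entry
    if not body:
        raise ValueError("empty access-list entry")
    if body.startswith("."):
        return {"kind": "domain", "negated": negated,
                "value": body.lower(), "warnings": warnings}
    if body.startswith("@"):
        m = _ADDR_OR_CIDR.match(body[1:])
        if not m:
            raise ValueError("malformed network entry: %s" % entry)
        octets = m.group(1).split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
        mask = m.group(2)
        if mask is not None:
            net = ipaddress.IPv4Network("%s/%s" % (addr, mask), strict=False)
        elif len(octets) < 4:
            # Documented: =@172.16 means =@172.16.0.0, an octet-aligned mask.
            net = ipaddress.IPv4Network("%s/%d" % (addr, 8 * len(octets)))
        else:
            # Observed in the post: rw=@192.168.3.109 was refused, /32 worked.
            warnings.append("%s: full address with no mask; use %s/32 for a "
                            "single host" % (entry, body))
            net = None
        return {"kind": "network", "negated": negated,
                "value": net, "warnings": warnings}
    # Anything else is a host or netgroup *name*, even if it looks like an
    # address: 192.168.3.0/24 without '@' is the name "192.168.3.0/24".
    if _ADDR_OR_CIDR.match(body):
        warnings.append("%s: no '@', so this is matched as a host/netgroup "
                        "name, not an address; write @%s" % (entry, body))
    return {"kind": "host", "negated": negated,
            "value": body.lower(), "warnings": warnings}


def lint_access_list(acl):
    """Return all warnings for a colon-separated list such as rw=a:b:c."""
    warnings = []
    for entry in acl.split(":"):
        warnings.extend(parse_entry(entry)["warnings"])
    return warnings


def client_allowed(acl, client_ip, client_name):
    """Predict whether mountd grants the client.

    client_name is what the server gets by reverse lookup of client_ip (the
    post's snoop shows kanigix.internal.excfb.com). Netgroups cannot be
    resolved offline, so a bare name only matches that reverse-DNS name.
    Assumption of this example: entries are tried in list order and the
    first match decides, so a leading "-" entry overrides a later one.
    """
    ip = ipaddress.IPv4Address(client_ip)
    name = client_name.lower()
    for entry in acl.split(":"):
        p = parse_entry(entry)
        if p["kind"] == "network":
            hit = p["value"] is not None and ip in p["value"]
        elif p["kind"] == "domain":
            hit = name.endswith(p["value"])
        else:
            hit = name == p["value"]
        if hit:
            return not p["negated"]
    return False


def reproduce_post():
    """Evaluate each of the post's access lists for the client kanigix."""
    return {acl: client_allowed(acl, "192.168.3.109",
                                "kanigix.internal.excfb.com")
            for acl in SAMPLE_LISTS}
```

Running lint_access_list over "rw=192.168.3.0/24" or "rw=@192.168.3.109" yields the warning that share itself never printed, and reproduce_post() returns False for those two lists and True for the hostname, @192.168.3.0/24 and @192.168.3.109/32 forms, matching the mount results above. The real check is still a mount from the client; the point of the linter is to catch the two look-alike forms before the share goes live.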


Originally posted on Kool Aid Served Daily
Copyright (C) 2006, Kool Aid Served Daily

Trackback URL: http://blogs.sun.com/tdh/entry/open_solaris_and_sharing_subnets