Skip to content

Instantly share code, notes, and snippets.

@jperkin

jperkin/nfs-root-zone.md

Last active December 14, 2016 18:51
Show Gist options
  • Star 1 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save jperkin/0e48e8bcd8d670eaf594a5fbf504a766 to your computer and use it in GitHub Desktop.
Save jperkin/0e48e8bcd8d670eaf594a5fbf504a766 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
nfs-root-zone.md

GZ. "ssd" is my scratch pool, mounted at /nfs/scratch

$ zfs set sharenfs=ro=@192.168.1.0/24 ssd
$ >/nfs/scratch/testfile
$ ls -l /nfs/scratch/testfile
-rw-r--r--   1 root     root           0 Nov  7 14:47 /nfs/scratch/testfile

Create zone and test read-only mount

$ test-image 70e3ae72-96b6-11e6-9056-9737fd4d0764 nfs-test
Successfully created VM 9e1717c2-dd43-ca29-bc26-f5b6612c09ba
$ zlogin 9e1717c2-dd43-ca29-bc26-f5b6612c09ba
[Connected to zone '9e1717c2-dd43-ca29-bc26-f5b6612c09ba' pts/5]
   __        .                   .
 _|  |_      | .-. .  . .-. :--. |-
|_    _|     ;|   ||  |(.-' |  | |
  |__|   `--'  `-' `;-| `-' '  ' `-'
                   /  ; Instance (base-64 16.3.1)
                   `-'  https://docs.joyent.com/images/smartos/base

[root@9e1717c2-dd43-ca29-bc26-f5b6612c09ba ~]# ipadm show-addr
ADDROBJ           TYPE     STATE        ADDR
lo0/v4            static   ok           127.0.0.1/8
net0/?            dhcp     ok           192.168.1.251/24
lo0/v6            static   ok           ::1/128
[root@9e1717c2-dd43-ca29-bc26-f5b6612c09ba ~]# mkdir /var/tmp/nfs
[root@9e1717c2-dd43-ca29-bc26-f5b6612c09ba ~]# mount 192.168.1.10:/nfs/scratch /var/tmp/nfs
[root@9e1717c2-dd43-ca29-bc26-f5b6612c09ba ~]# ls -l /var/tmp/nfs/testfile
-rw-r--r-- 1 nobody nobody 0 Nov  7 14:47 /var/tmp/nfs/testfile
[root@9e1717c2-dd43-ca29-bc26-f5b6612c09ba ~]# echo blah >/var/tmp/nfs/testfile
-bash: /var/tmp/nfs/testfile: Permission denied

Back to GZ, give zone root access

$ zfs set sharenfs=ro=@192.168.1.0/24,rw=@192.168.1.251,root=@192.168.1.251 ssd

Switch back to zone

[root@9e1717c2-dd43-ca29-bc26-f5b6612c09ba ~]# svcs -xv
svc:/network/rpc/bind:default (RPC bindings)
 State: disabled since Mon Nov  7 14:45:28 2016
Reason: Disabled by an administrator.
   See: http://illumos.org/msg/SMF-8000-05
   See: man -M /usr/share/man -s 1M rpcbind
Impact: 4 dependent services are not running:
        svc:/network/nfs/nlockmgr:default
        svc:/network/nfs/status:default
        svc:/network/nfs/cbd:default
        svc:/network/nfs/mapid:default
[root@9e1717c2-dd43-ca29-bc26-f5b6612c09ba ~]# svcadm enable rpc/bind
[root@9e1717c2-dd43-ca29-bc26-f5b6612c09ba ~]# ls -l /var/tmp/nfs/testfile
-rw-r--r-- 1 root root 0 Nov  7 14:47 /var/tmp/nfs/testfile
[root@9e1717c2-dd43-ca29-bc26-f5b6612c09ba ~]# echo blah >/var/tmp/nfs/testfile
-bash: /var/tmp/nfs/testfile: Permission denied

Users now mapped correctly but permissions cached, remount (no doubt there's a cleaner way to do this).

[root@9e1717c2-dd43-ca29-bc26-f5b6612c09ba ~]# umount /var/tmp/nfs
[root@9e1717c2-dd43-ca29-bc26-f5b6612c09ba ~]# mount 192.168.1.10:/nfs/scratch /var/tmp/nfs
[root@9e1717c2-dd43-ca29-bc26-f5b6612c09ba ~]# ls -l /var/tmp/nfs/testfile
-rw-r--r-- 1 root root 0 Nov  7 14:47 /var/tmp/nfs/testfile
[root@9e1717c2-dd43-ca29-bc26-f5b6612c09ba ~]# echo blah >/var/tmp/nfs/testfile
[root@9e1717c2-dd43-ca29-bc26-f5b6612c09ba ~]# cat /var/tmp/nfs/testfile
blah
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment