nfs4: unexpected permission denied
When listing non-shared subdirectories via NFS, NFS isn't able to recover from a "permission denied" error when the subdirectories are shared at some later point on the server. We often hit this problem while mounting+sharing thousands of mountpoints and clients start listing directories immediately. One workaround is to ls the parent directory.
```
### umount and unshare on server
ssh nfsserver unshare /mnt/export/mgmt
ssh nfsserver umount /mnt/export/mgmt
### mount but don't share
ssh nfsserver mount -F zfs export/mgmt /mnt/export/mgmt
### ls will return permission denied error
ls -l /mnt/export/mgmt
ls: error reading directory /mnt/export/mgmt: Permission denied
total 0
### now share the subdirectory on server
ssh nfsserver share /mnt/export/mgmt
### still a permission denied -> wrong
ls -l /mnt/export/mgmt
ls: error reading directory /mnt/export/mgmt: Permission denied
total 0
### ls parent dir
ls -l /mnt/export > /dev/null
### the error is gone now
ls -l /mnt/export/mgmt
total 30
drwxr-xr-x 2 root root 2 Nov 27 2013 wrstftr
(...)
```
It looks like the listing result of the first ls is cached somewhere, even though the ls wasn't successful.
Updated by Marcel Telka almost 4 years ago
There are two separate, but tightly related bugs contributing to the issue:
- On the NFSv4 server side we do not notify the NFSv4 client when the NFSv4 namespace changes. According to RFC 7530 we should do that by changing the change attribute for the particular file system object.
- The NFSv4 client completely ignores the change attribute during the attribute cache validity evaluation.
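
The interaction of the two bugs listed above, as an added example that is not part of the original ticket and not illumos code: a simplified model of a client attribute cache showing that the stale "Permission denied" only clears when the server bumps the change attribute and the client compares it. All type and function names are hypothetical, and the model assumes the failed listing outcome is cached with the attributes and that the client sees the server's current change value in a reply.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

/* Simplified model; every name here is hypothetical, none is illumos code. */
struct srv_dir { uint64_t change; bool shared; };   /* server-side object */
struct attr_cache {                                  /* client-side entry */
    bool     filled;
    uint64_t change;   /* change attribute seen when the entry was filled */
    int      result;   /* cached outcome of the listing: 0 or EACCES */
    long     expires;  /* time-based attribute cache timeout */
};

/* Server: share the directory; the fixed server also bumps 'change'. */
static void srv_share(struct srv_dir *d, bool bump_change) {
    d->shared = true;
    if (bump_change)
        d->change++;
}

/* Client: is the cached entry still usable at time 'now'? */
static bool cache_valid(const struct attr_cache *c, long now,
                        uint64_t fresh_change, bool check_change) {
    if (!c->filled || now >= c->expires)
        return false;
    /* The buggy client stops here and never looks at the change attribute. */
    return !check_change || c->change == fresh_change;
}

/* Client: list the directory, using the cache when it is considered valid. */
static int client_ls(struct attr_cache *c, const struct srv_dir *d,
                     long now, bool check_change) {
    if (cache_valid(c, now, d->change, check_change))
        return c->result;
    c->filled = true;
    c->change = d->change;
    c->result = d->shared ? 0 : EACCES;
    c->expires = now + 60;   /* constructed timeout value */
    return c->result;
}

/* ls before share, share, ls again inside the timeout; returns 2nd result. */
static int second_ls_result(bool srv_bumps, bool client_checks) {
    struct srv_dir d = { .change = 1, .shared = false };
    struct attr_cache c = { 0 };
    (void)client_ls(&c, &d, 0, client_checks);   /* EACCES gets cached */
    srv_share(&d, srv_bumps);
    return client_ls(&c, &d, 1, client_checks);
}
```
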
Updated by Electric Monk almost 4 years ago
- Status changed from Pending RTI to Closed
- % Done changed from 0 to 100
```
commit 4a6959565df1e2af817732421764a9da2f446da9
Author: Marcel Telka <email@example.com>
Date: 2016-11-29T16:08:04.000Z

    6911 nfs4: unexpected permission denied
    Reviewed by: Simon Klinkert <firstname.lastname@example.org>
    Reviewed by: Igor Kozhukhov <email@example.com>
    Approved by: Dan McDonald <firstname.lastname@example.org>
```