[illumos-Developer] RFE 604: Proposal to allow CIFS server to traverse mount points

Garrett D'Amore garrett at nexenta.com
Fri Jan 14 14:47:44 PST 2011 

This affects CIFS.  I'd like to have a reasonable timer on this... say 1 
week unless someone asks for more time.  If you care about CIFS and 
think this is not enough decision, please let us know!

In the absence of feedback otherwise, I propose to wait one week.    I 
also think this is an interface change and deserves wider distribution, 
so I'm posting to discuss@ as well.

If you use CIFS or care about CIFS on illumos, please read this message 
and give feedback, and if you need more than a week to do that, let us know!

Timer expires on Jan 21, 2011 unless someone asks for it to be extended.

    - Garrett

On 01/14/11 02:29 PM, Aram Hăvărneanu wrote:
> 0.  Problem: CIFS shares do not export everything under the root of the
> share, which is what CIFS users expect.
>
> Background: CIFS servers and NFS servers implement somewhat different
> ideas about what is a "share" and what it means to "share" something.
>
> In NFS, shares (exports) are essentially a property of some directory,
> and the server's path name to that directory is the share name.  In most
> NFS servers, a directory can only be exported by its pathname, and
> exporting directories below an already exported directory is either not
> allowed or requires some special handling.  In CIFS, shares have names
> independent of the directory exported (or "resource", i.e. printer,
> device). Multiple shares may export the same directory, possibly with
> different features (access, etc.).  Shares may export multiple levels of
> the directory hierarchy (and often do), i.e. both the root of the
> filesystem and subdirectories may be shared.
>
> The OpenSolaris CIFS implementation was designed to closely match NFS
> sharing semantics, and to present a consistent administrative model
> between NFS and CIFS.  Those are good goals, but the degree to which
> CIFS was made to work "just like NFS" has left CIFS users confused and
> disappointed. Probably the most common complaint goes something like:
> "It's great how I can use ZFS to create lots of filesystems, each with
> its own snapshots and quotas, etc. but when I share my filesystems for
> CIFS, none of the "child" ZFS filesystems can be seen by my clients.
> Why not?"
>
> This memo proposes modifying the behavior of ZFS "child" filesystems
> that exist below some CIFS share.  There are some options in how this
> might be done, and some of those are presented for discussion, along
> with recommendations.
>
> 1.  In the current implementation, the in-kernel CIFS server
> has the following behavior:
>
>      1.  There is a 1:1 relation between the share and exported
>      filesystems. When connecting, a client sees a separate share for
>      each exported filesystem, irrespective of the server side namespace
>      relation between exported filesystems thus creating a flat namespace
>      on the client side.
>
>      2.  While ZFS encourages a nested filesystem model, these
>      nested filesystems are allowed to have properties different from
>      their parents.  This presents problems for exporting everything
>      under some directory to CIFS clients because CIFS clients expect
>      properties like "case insensitive search" to be uniform throughout
>      the share.  Clients request these properties for shares they connect
>      to, and the server's answer constitutes a "promise" to the client
>      about what semantics can be expected.  The server could cause
>      client-side applications to break if it were to break that promise.
>
>      3.  Server side objects that are not exported to clients,
>      such as mount point directories act as invisible files. Clients
>      can't see them, but if they try to create files with that names, the
>      create will fail mysteriously.
>
> 2.  With this design, we would allow the CIFS server to
> traverse from the share's root filesystem to a child filesystem provided
> the child filesystem supports the features we guarantee to the client that
> the share supports. It does this by checking that the target filesystem
> has the same set of relevant features as the share's root filesystem.
> This set of features would be:
>
>      1.  case-(in)sensitivity: the child file system should be in
>      the same name lookup mode (from a case sensitive point of view)
>      as the share's root filesystem.
>
>      2.  ACL support: the child file system should support the same
>      type of ACLs as the share's root fileystem (if any).
>
> With this design we would also implicitly solve 1.3.  There are no more
> invisible and inaccessible files.  Server side symlinks are followed as
> long as they are expressed relative to the share's root and they point
> to a compatible filesystem. Absolute symlinks or symlinks that point
> outside of the tree continue not to work and maintain their status of
> inaccessible files.
>
> With this proposal, there will not be any case where data was previously
> shared and now it is not.  This change would causes the server to share
> a strict superset of what was previously shared, so administrators
> should not worry about some files not being shared anymore.
>
> 3.  With this proposal we do not look whether the target filesystem is
> shared explicitly or not.  For example is previously you had the
> following filesystem hierarchy:
>      /a
>      /a/1
>      /a/2
>      /a/not-shared
>      /a/not-shared/1
>
> where /a, /a/1, /a/2 have the sharesmb property set and /a/not-shared
> and /a/not-shared/1 do not.  Previously, a share for /a, /a/1 and /a/2
> will have been created and /a/not-shared and /a/not-shared/1 would be
> inaccessible on the client side.  With the proposed change, only a share
> for /a, /a/1, and /a/2 will be created, just like it was the case
> before, however you will be able to access /a/not-shared* (provided file
> permissions allow this) from the client side by connecting to /a and
> traversing the filesystem from there.  This is consistent with what both
> the Microsoft SMB server and Samba do.  However, because the smbsrv
> property is inheritable and because a child filesystem has that property
> unset, it means that an administrator explicitly reset that property, so
> it might be interpreted that he wanted that filesystem NOT to be shared
> in any way.
>
> In Windows, with the Microsoft SMB server, shares are just convenient
> names for export points.  After connecting to an SMB share, the
> Microsoft SMB server does not restrict access to the subset of files
> that reside within the share's root filesystem on the server side.
>
> This memo proposes changing the meaning of the sharesmb property in
> order to align to what Microsoft SMB server does.  At the moment it is a
> switch to enable or disable exporting namespaces over wire.  With this
> change it would only mean that an explicit share is created for that
> filesystem and nothing more.  Setting sharesmb=no underneath another
> shared directory would no longer prevent access below that point.  It
> would only cause the system to not create _another_ share at that
> directory.
>
> 4.  It is open to debate whether this change in meaning is acceptable or
> not.  Is it important that we check whether a child file system is
> explicitly shared (as with the current behavior) or can we just share
> everything underneath (as Microsoft SMB server does)?
>
> 5.  Assuming people are OK with the changed semantics of the sharesmb
> property, it might be appropriate to also consider chaning the
> inheritance rules for this property.  Rather than inherit from it's
> parent dataset, perhaps a default of sharesmb=no would be better?
>
> Signed by: Aram Hăvărneanu, Gordon Ross, Garrett D'Amore
>
>

More information about the Developer mailing list