[CentOS] NFSv4: Using fsid=0 but *not* exporting the root filesystem [solved]

Wed Jun 12 18:45:11 UTC 2019
Frank Thommen <list.centos at drosera.ch>

On 3/29/19 12:56 PM, James Pearson wrote:
> Frank Thommen wrote:
>> I would like to use the NFSv4 ability to create a "root" filesystem with
>> fsid=0, so that I don't have to refer to the whole path of the exported
>> filesystem when I mount it.  However I do *not* want this root
>> filesystem to be mountable by any host.  Is that possible and how?
>> E.g
>> Filesystem:
>>     /exports/data1
>>     /exports/data2
>>     /exports/data3
>> /etc/exports:
>>     /exports         *(ro,no_subtree_check,fsid=0)
>>     /exports/data1   host1(rw)
>>     /exports/data2   host1(rw)
>>     /exports/data3   host2(rw)
>> host1 and host2 can mount fileserver:/ and access any of the dataN
>> directories at least read-only.  That is unwanted.  I'd like
>> /exports/data1 and /exports/data2 to be exclusively accessible by host1
>> and /exports/data3 by host2.  But I'd still like to be able to mount
>> e.f. as fileserver:/data1 instead of fileserver:/exports/data1.
>> I've search around a lot and I have found the question several times,
>> but no solution yet.
> It appears to work for me ... host1 will still see data3 under the mount
> point - but its contents will be empty - similarly, host2 will see data1
> and data2 under the mount point, but their contents will be empty
> Or have I missed something ?
> James Pearson

[better late then never...]

You haven't missed anything and /we/ made a mistake:  We hadn't 
realized, that "fsid" relates to "real" filesystems and not just 
directories.  We had this

    /storage  /exports  none  bind  0  0

in /etc/fstab, which made all individual shares (subdirectories of 
/storage) members of the same fsid and hence they had the same export 
settings applied.  After changing the bind mounts to

    /storage/data1  /exports/data1  none  bind  0  0
    /storage/data2  /exports/data2  none  bind  0  0

all exports now work as expected.