ostree.sync + composefs failed

[HuijingHei]

See #1735 (comment)

Seems client can not mount nfs server shared directories when composefs is enabled.

 --- FAIL: ostree.sync (161.55s)
        cluster.go:151: mount.nfs4: mounting 10.0.2.2:/var/nfs1/share failed, reason given by server: No such file or directory
        cluster.go:151: mount.nfs4: mounting 10.0.2.2:/var/nfs2/share failed, reason given by server: No such file or directory
        cluster.go:151: mount.nfs4: mounting 10.0.2.2:/var/nfs3/share failed, reason given by server: No such file or directory
        cluster.go:151: mount.nfs4: mounting 10.0.2.2:/var/nfs4/share failed, reason given by server: No such file or directory
        cluster.go:151: mount.nfs4: mounting 10.0.2.2:/var/nfs5/share failed, reason given by server: No such file or directory
        cluster.go:151: mount.nfs4: mounting 10.0.2.2:/var/nfs6/share failed, reason given by server: No such file or directory
        cluster.go:173: "for i in $(seq 6); do\n\t\t\tsudo mount -t nfs4 10.0.2.2:/var/nfs$i/share /var/tmp/data$i\n\t\t\tdone" failed: output , status Process exited with status 32 

[HuijingHei]

I tried to start 2 VMs with libvirtd, and add kernel argument ostree.prepare-root.composefs=1 in butane config when booting VM, after booted, check mounted composefs, and can mount nfs shared directories successfully.

nfs server:

# cat /etc/exports
/var/tmp1/data  *(rw,insecure,no_root_squash,fsid=101)
/var/tmp2/data  *(rw,insecure,no_root_squash,fsid=102)

# df -Th
Filesystem     Type      Size  Used Avail Use% Mounted on
composefs      overlay   5.6M  5.6M     0 100% /

# journalctl | tail -n 100 | cat
Feb 13 11:16:46 localhost.localdomain rpc.mountd[1859]: v4.2 client attached: 0x7292146e67add09f from "192.168.122.181:832"
Feb 13 11:16:46 localhost.localdomain rpc.mountd[1859]: Cannot export /, possibly unsupported filesystem or fsid= required
Feb 13 11:16:46 localhost.localdomain rpc.mountd[1859]: v4.2 client detached: 0x7292146e67add09f from "192.168.122.181:832"
Feb 13 11:16:46 localhost.localdomain rpc.mountd[1859]: authenticated mount request from 192.168.122.181:671 for /var/tmp1/data (/var/tmp1/data)
Feb 13 11:16:54 localhost.localdomain rpc.mountd[1859]: authenticated mount request from 192.168.122.181:949 for /var/tmp2/data (/var/tmp2/data)

nfs client:

[root@localhost core]# df -Th
Filesystem                    Type      Size  Used Avail Use% Mounted on
composefs                     overlay   5.6M  5.6M     0 100% /
192.168.122.21:/var/tmp1/data nfs        16G  2.0G   14G  13% /var/tmp/data1
192.168.122.21:/var/tmp2/data nfs        16G  2.0G   14G  13% /var/tmp/data2

[root@localhost core]# touch /var/tmp/data1/test
[root@localhost core]# touch /var/tmp/data2/test

[jbtrystram]

is the error happenning when composefs is on for the server or the client ? or both ?

[jlebon]

For now I just denylisted it in #1735.

[HuijingHei]

Based on the above result, I thought composefs should work with ostree.sync, but I tried to update the nfs_server_butane using the same nfs config, it does not help.

[root@qemu1 core]# mount -t nfs4 10.0.2.2:/var/nfs1/share /var/tmp/data1
mount.nfs4: mounting 10.0.2.2:/var/nfs1/share failed, reason given by server: No such file or directory

[HuijingHei]

is the error happenning when composefs is on for the server or the client ? or both ?

Hit the error only when composefs is on for the server. Any idea about this? Thanks!

[cgwalters]

Feb 13 11:16:46 localhost.localdomain rpc.mountd[1859]: Cannot export /, possibly unsupported filesystem or fsid= required

It looks like this test case is trying to reuse the host root filesystem as a filesystem to export. This is a thing real world use cases aren't going to do in my opinion.

But it should work (with and without composefs) to change the exported filesystem to be /sysroot if we wanted to just test it that way.

Alternatively, I think it'd be better to export a temporary tree, something like:

mkdir /var/lib/test-exported-fs
echo sometestdata > /var/lib/test-exported-fs/somedata

and then have the client validate that, etc.

[cgwalters]

Although reading the code I don't see it trying to export /? And it's not in your quoted /etc/exports.

The relevant nfs code looks to be this...I wonder if we need some debugging prints in here or so.

[HuijingHei]

Feb 13 11:16:46 localhost.localdomain rpc.mountd[1859]: Cannot export /, possibly unsupported filesystem or fsid= required

It looks like this test case is trying to reuse the host root filesystem as a filesystem to export. This is a thing real world use cases aren't going to do in my opinion.

Maybe use container like coreos/coreos-assembler#3922? Just think this could get more logs if failed, but no lucky.

But it should work (with and without composefs) to change the exported filesystem to be /sysroot if we wanted to just test it that way.

Tried again, and check that can only mount (with composefs enabled) 10.0.2.2:/ when using fsid=0 in nfs config like:

/var/tmp1/share  *(rw,no_root_squash,insecure,fsid=0)
/var/tmp2/share  *(rw,no_root_squash,insecure,fsid=12)

But can not mount different dirs except 10.0.2.2:/.

# mount -t nfs4 10.0.2.2:/ /var/tmp/data1
# df -Th
Filesystem     Type      Size  Used Avail Use% Mounted on
composefs      overlay   5.6M  5.6M     0 100% /
10.0.2.2:/     nfs4       16G  2.0G   14G  13% /var/tmp/data1
# mount -t nfs4 10.0.2.2:/var/tmp2/share /var/tmp/data2
mount.nfs4: mounting 10.0.2.2:/var/tmp2/share failed, reason given by server: No such file or directory

[HuijingHei]

If add kernel argument ostree.prepare-root.composefs=0 in nfs_server_config and update fsid=0 to fsid=11, can mount successfully. Seems composefs prevents to mount the share directory when fsid != 0.

And this is the exportfs -v on nfs server:

/var/tmp1/share
		<world>(sync,wdelay,hide,no_subtree_check,fsid=11,sec=sys,rw,insecure,no_root_squash,no_all_squash)
/var/tmp2/share
		<world>(sync,wdelay,hide,no_subtree_check,fsid=12,sec=sys,rw,insecure,no_root_squash,no_all_squash)

Run kola command (using the latest scos as it includes the enablefs patch):
./bin/kola run -p qemu --arch x86_64 -b rhcos --qemu-image scos-9.0.20250214-0-qemu.x86_64.qcow2 ostree.sync --debug --ssh-on-test-failure

[cgwalters]

But can not mount different dirs except 10.0.2.2:/.

Hum wait, so it's the opposite of what I was thinking, NFS is broken except mounting the rootfs? That's really strange.

Ah I think I see...looking at man exports there's discussion of mount crossing. I bet what's happening here is the NFS export is only looking at the composefs and isn't traversing the mount points as they appear in userspace.

Does it work if you set crossmnt in the config?

[cgwalters]

Offhand, how I would expect this to work nowadays is that the nfs server uses the equivalent of openat2(/path/to/export, RESOLVE_IN_ROOT) or so. But I bet the in-kernel NFS server predates all that logic.

[scottmayhew]

For NFSv4 you need to have something exported as fsid=0/fsid=root. This represents the root of the exported tree, so everything else needs to hang off of that.

On a non-image mode (package mode?) setup, you don't have to explicitly specify it (and you haven't for years) - in which case rpc.mountd will construct a "pseudo root" and a "pseudo fs", where it will use the actual / as the root and it will fill in any path components necessary to be able to walk to the actual export (the root and intermediate path components are all read-only). But that only works if the root filesystem is exportable - hence the "Cannot export /, possibly unsupported filesystem or fsid= required" error message from rpc.mountd.

So here's what I have on my NFS server that I'm using for testing on image mode. I have two filesystems I want to export:
[root@nfsd ~]# grep export /proc/mounts
/dev/vdc /var/srv/export/scratch xfs rw,seclabel,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota 0 0
/dev/vdb /var/srv/export/test xfs rw,seclabel,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota 0 0

And here's my /etc/exports:
[root@nfsd ~]# cat /etc/exports
/srv/export *(ro,insecure,no_root_squash,fsid=0,security_label,sec=sys:krb5:krb5i:krb5p,xprtsec=none:tls:mtls)
/srv/export/test *(rw,insecure,no_root_squash,security_label,sec=sys:krb5:krb5i:krb5p,xprtsec=none:tls:mtls)
/srv/export/scratch *(rw,insecure,no_root_squash,security_label,sec=sys:krb5:krb5i:krb5p,xprtsec=none:tls:mtls)

/srv/export is my "root". Note that means that NFSv4 clients see that as "/" and need to use that when mounting, not "/srv/export"... i.e. this fails:

[root@nfs ~]# mount -o v4.2 nfsd.bootc.test:/srv/export /mnt/t
mount.nfs: mounting nfsd.bootc.test:/srv/export failed, reason given by server: No such file or directory

and this works:
[root@nfs ~]# mount -o v4.2 nfsd.bootc.test:/ /mnt/t
[root@nfs ~]# ls /mnt/t
scratch test
[root@nfs ~]# ls /mnt/t/scratch >/dev/null
[root@nfs ~]# ls /mnt/t/test >/dev/null
[root@nfs ~]# grep nfs4 /proc/mounts
nfsd.bootc.test:/ /var/mnt/t nfs4 rw,seclabel,relatime,vers=4.2,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.6.54.224,local_lock=none,addr=10.6.54.208 0 0
nfsd.bootc.test:/scratch /var/mnt/t/scratch nfs4 rw,seclabel,relatime,vers=4.2,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.6.54.224,local_lock=none,addr=10.6.54.208 0 0
nfsd.bootc.test:/test /var/mnt/t/test nfs4 rw,seclabel,relatime,vers=4.2,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.6.54.224,local_lock=none,addr=10.6.54.208 0 0

One wrinkle when you explicitly specify an fsid=0 is that NFSv3 clients have have a concept of a single root of the exported tree, so they see the exports differently:

[root@nfs ~]# mount -o v3 nfsd.bootc.test:/ /mnt/t
mount.nfs: access denied by server while mounting nfsd.bootc.test:/
[root@nfs ~]# mount -o v3 nfsd.bootc.test:/srv/export /mnt/t
[root@nfs ~]# grep vers=3 /proc/mounts
nfsd.bootc.test:/srv/export /var/mnt/t nfs rw,relatime,vers=3,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=10.6.54.208,mountvers=3,mountport=20048,mountproto=udp,local_lock=none,addr=10.6.54.208 0 0

I see that overlayfs has an "nfs_export" mount option, which controls whether the fh_to_dentry export operation is enabled. Would it be possible for the image mode root fs to be mounted with "nfs_export=on"? That should make it unnecessary to do these fsid=0 shenanigans.

[cgwalters]

Would it be possible for the image mode root fs to be mounted with "nfs_export=on"?

I think so. But...here's the thing, we aren't actually trying to export that filesystem right? It's just being traversed (AIUI) in order to access the real exported directories which are ultimately held somewhere else (typically the default is the real "physical root" of e.g. xfs or whatever is backing /var, which is a bind mount to a subdirectory).

I guess my question in a nutshell is: why do any intermediate filesystems in the exported paths defined in /etc/exports matter at all? I had a comment above about how I expected this to work.

Again though I think we could enable nfs_export unconditionally given that per the docs it only conflicts with metacopy=on which we aren't using by default today because actually the overlayfs is read-only anyways by default. (Although, we do support a transient root and I guess it'd make sense to have use metacopy=on, except it also probably doesn't really matter since most operations here are going to be non-metadata).

[scottmayhew]

Would it be possible for the image mode root fs to be mounted with "nfs_export=on"?

I think so. But...here's the thing, we aren't actually trying to export that filesystem right? It's just being traversed (AIUI) in order to access the real exported directories which are ultimately held somewhere else (typically the default is the real "physical root" of e.g. xfs or whatever is backing /var, which is a bind mount to a subdirectory).

Correct - it's strictly for traversing to the "real" export. IOW it's only to make it unnecessary for an admin to have to explicitly specify an fsid=0 export (in fact I wouldn't expect anyone to explicitly export part of the overlayfs at all). At the risk of over-explaining I'll post a somewhat lengthy example below showing how this works on a non-image mode setup.

I guess my question in a nutshell is: why do any intermediate filesystems in the exported paths defined in /etc/exports matter at all? I had a comment above about how I expected this to work.
It matters because path resolution in NFS is basically series of lookupps where the client supplies a filehandle (which is essentially and encoding of a filesystem id and a dentry) along with the name to look for... rinse and repeat until you have the complete path. The server needs to map that filehandle to an actual file/directory - to do that, it uses the fh_to_dentry() export operation.

To expand on that code snippet from rpc.mountd that you pointed at in an earlier comment... when rpc.mountd calls nfsd_export() -> dump_to_cache(), it writes to /proc/net/rpc/nfsd.export/channel, which triggers svc_export_parse() to be called in the kernel. svc_export_parse() calls check_export(), which has this

        if (!exportfs_can_decode_fh(inode->i_sb->s_export_op)) {
                dprintk("exp_export: export of invalid fs type.\n");
                return -EINVAL;
        }

exportfs_can_decode_fh() just checks to see if filesystem in question has an fh_to_dentry() operation (which overlayfs doesn't have if it's mounted with "nfs_export=off"):

static inline bool exportfs_can_decode_fh(const struct export_operations *nop)
{        
        return nop && nop->fh_to_dentry;
}

You can see that dprintk above if you enable some debug logging at the rpc layer (e.g. "rpcdebug -m nfsd -s export"). For example, if I were to remove the fsid=0 entry from my /etc/exports, do an "exportfs -r", and then try to mount again from the client, here's what I would see in the log on the server:

[root@nfsd ~]# journalctl -S -1m
Feb 14 10:59:17 nfsd.bootc.test kernel: found domain *
Feb 14 10:59:17 nfsd.bootc.test kernel: found fsidtype 1
Feb 14 10:59:17 nfsd.bootc.test kernel: found fsid length 4
Feb 14 10:59:17 nfsd.bootc.test kernel: Path seems to be </>
Feb 14 10:59:17 nfsd.bootc.test kernel: Found the path /
Feb 14 10:59:17 nfsd.bootc.test rpc.mountd[1145]: Cannot export /, possibly unsupported filesystem or fsid= required
Feb 14 10:59:17 nfsd.bootc.test kernel: exp_export: export of invalid fs type.
Feb 14 10:59:17 nfsd.bootc.test kernel: found domain gss/krb5i
Feb 14 10:59:17 nfsd.bootc.test kernel: found fsidtype 1
Feb 14 10:59:17 nfsd.bootc.test kernel: found fsid length 4
Feb 14 10:59:17 nfsd.bootc.test kernel: Path seems to be <>

Regarding openat2(how=RESOLVE_IN_ROOT),

• yes, knfsd predates openat2()
• openat2() is a system call, so it's for userspace programs not kernel code. knfsd has its own routines for opening files, but when it gets down to the vfs layer it's basically calling dentry_open().
• during this whole dance that knfsd does w/ rpc.mountd in order handle the export/service the client's mount request, nowhere is it actually opening any of those path components

Finally, a rather lengthy example to hopefully illustrate how the pseudofs works in NFSv4 (if you stop reading here, I don't blame you).

I'm using a standard (non-image mode) NFS server, with two filesystems mounted somewhat deep in the directory tree. Here are the fstab entries:

[root@rhel10 ~]# grep export /etc/fstab
/dev/vdb	/some/arbitrarily/long/path/to/export/ext4	ext4	defaults	0 0
/dev/vdc	/some/arbitrarily/long/path/to/export/xfs	xfs	defaults	0 0

And here are my /etc/exports entries. Note I'm not specifying an fsid anywhere:

[root@rhel10 ~]# cat /etc/exports
/some/arbitrarily/long/path/to/export/ext4    *(rw,insecure,no_root_squash,security_label,sec=sys:krb5:krb5i:krb5p)
/some/arbitrarily/long/path/to/export/xfs     *(rw,insecure,no_root_squash,security_label,sec=sys:krb5:krb5i:krb5p)

Furthermore, at each level in that directory hiearchy I've created a file, just to illustrate that the client see's only the path components that are necessary in order to traverse to the "real" export:

[root@rhel10 ~]# find /some -name you-should-not-see-this-file.txt
/some/arbitrarily/long/path/to/export/you-should-not-see-this-file.txt
/some/arbitrarily/long/path/to/you-should-not-see-this-file.txt
/some/arbitrarily/long/path/you-should-not-see-this-file.txt
/some/arbitrarily/long/you-should-not-see-this-file.txt
/some/arbitrarily/you-should-not-see-this-file.txt
/some/you-should-not-see-this-file.txt

Let's mount it from a client (again on image mode this would fail, assuming that everything leading up to the real export was on overlayfs):

[root@nfs ~]# mount -o v4.2 10.6.54.200:/some/arbitrarily/long/path/to/export/ext4 /mnt/t
[root@nfs ~]# grep nfs4 /proc/mounts
10.6.54.200:/some/arbitrarily/long/path/to/export/ext4 /var/mnt/t nfs4 rw,seclabel,relatime,vers=4.2,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.6.54.224,local_lock=none,addr=10.6.54.200 0 0
[root@nfs ~]# umount /mnt/t

Now let's mount from / and see what we can see:

[root@nfs ~]# mount -o v4.2 10.6.54.200:/ /mnt/t
[root@nfs ~]# grep nfs4 /proc/mounts
10.6.54.200:/ /var/mnt/t nfs4 rw,relatime,vers=4.2,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.6.54.224,local_lock=none,addr=10.6.54.200 0 0
[root@nfs ~]# ls /mnt/t
some
[root@nfs ~]# ls /mnt/t/some
arbitrarily
[root@nfs ~]# ls /mnt/t/some/arbitrarily/
long
[root@nfs ~]# ls /mnt/t/some/arbitrarily/long
path
[root@nfs ~]# ls /mnt/t/some/arbitrarily/long/path
to
[root@nfs ~]# ls /mnt/t/some/arbitrarily/long/path/to
export
[root@nfs ~]# ls /mnt/t/some/arbitrarily/long/path/to/export
ext4  xfs
[root@nfs ~]# ls /mnt/t/some/arbitrarily/long/path/to/export/ext4
lost+found

At each level, my client can only see the path components necessary to get to the actual root. Furthermore, it cannot write to any of those intermediate directories until I get to the actual export:

[root@nfs ~]# date >/mnt/t/file
-bash: /mnt/t/file: Read-only file system
[root@nfs ~]# date >/mnt/t/some/file
-bash: /mnt/t/some/file: Read-only file system
[root@nfs ~]# date >/mnt/t/some/arbitrarily/file
-bash: /mnt/t/some/arbitrarily/file: Read-only file system
[root@nfs ~]# date >/mnt/t/some/arbitrarily/long/file
-bash: /mnt/t/some/arbitrarily/long/file: Read-only file system
[root@nfs ~]# date >/mnt/t/some/arbitrarily/long/path/file
-bash: /mnt/t/some/arbitrarily/long/path/file: Read-only file system
[root@nfs ~]# date >/mnt/t/some/arbitrarily/long/path/to/file
-bash: /mnt/t/some/arbitrarily/long/path/to/file: Read-only file system
[root@nfs ~]# date >/mnt/t/some/arbitrarily/long/path/to/export/file
-bash: /mnt/t/some/arbitrarily/long/path/to/export/file: Read-only file system
[root@nfs ~]# date >/mnt/t/some/arbitrarily/long/path/to/export/ext4/file
(success)
[root@nfs ~]# 

Finally, the client cannot see any of the files that I had previously created (on the server side) within that directory structure leading up to the actual export:

[root@nfs ~]# find /mnt/t -name you-should-not-see-this-file.txt
(nothing)
[root@nfs ~]# 

I can look at /proc/net/rpc/nfsd.export/content to see exactly what's in the export cache in the kernel. For example, if I want to see the pseudofs exports that were constructed by rpc.mountd:

[root@rhel10 ~]# grep v4root /proc/net/rpc/nfsd.export/content | sort
/	*(ro,insecure,no_root_squash,sync,no_wdelay,no_subtree_check,v4root,fsid=0,sec=390003:390004:390005:1)
/some	*(ro,insecure,no_root_squash,sync,no_wdelay,no_subtree_check,v4root,uuid=1196c4b1:12a153dd:94eb28cc:bc9c0dbc,sec=390003:390004:390005:1)
/some/arbitrarily	*(ro,insecure,no_root_squash,sync,no_wdelay,no_subtree_check,v4root,uuid=922cf1fe:edec550a:8d5bef7d:4b4cf85b,sec=390003:390004:390005:1)
/some/arbitrarily/long	*(ro,insecure,no_root_squash,sync,no_wdelay,no_subtree_check,v4root,uuid=97ea3cf6:3b6d52ed:ae649210:4f58780a,sec=390003:390004:390005:1)
/some/arbitrarily/long/path	*(ro,insecure,no_root_squash,sync,no_wdelay,no_subtree_check,v4root,uuid=7ea28d6a:3e60538e:ae1ac6e7:6472f880,sec=390003:390004:390005:1)
/some/arbitrarily/long/path/to	*(ro,insecure,no_root_squash,sync,no_wdelay,no_subtree_check,v4root,uuid=2ae90729:7c4e5a77:b5c4ed93:afcacc7a,sec=390003:390004:390005:1)
/some/arbitrarily/long/path/to/export	*(ro,insecure,no_root_squash,sync,no_wdelay,no_subtree_check,v4root,uuid=2e7cde95:42c653f0:82101b40:c3dc5ad5,sec=390003:390004:390005:1)

Or I can dump the entire cache. Note all the entries with empty export options i.e. "*()". That's basically an indication that that path is not exported to anyone.

[root@rhel10 ~]# cat /proc/net/rpc/nfsd.export/content
#path domain(flags)
# /some/arbitrarily/long/you-should-not-see-this-file.txt	*()
# /sbin	*()
/some/arbitrarily/long/path	*(ro,insecure,no_root_squash,sync,no_wdelay,no_subtree_check,v4root,uuid=7ea28d6a:3e60538e:ae1ac6e7:6472f880,sec=390003:390004:390005:1)
/some/arbitrarily	*(ro,insecure,no_root_squash,sync,no_wdelay,no_subtree_check,v4root,uuid=922cf1fe:edec550a:8d5bef7d:4b4cf85b,sec=390003:390004:390005:1)
# /afs	*()
# /you-should-not-see-this-file.txt	*()
# /root	*()
# /dev	*()
# /proc	*()
# /media	*()
# /opt	*()
/some/arbitrarily/long/path/to	*(ro,insecure,no_root_squash,sync,no_wdelay,no_subtree_check,v4root,uuid=2ae90729:7c4e5a77:b5c4ed93:afcacc7a,sec=390003:390004:390005:1)
# /exp_test	*()
/some/arbitrarily/long/path/to/export/xfs	*(rw,insecure,no_root_squash,sync,wdelay,no_subtree_check,security_label,uuid=a51e351a:c9a24060:8b08d958:2913b7fd,sec=1:390003:390004:390005)
# /var	*()
# /boot	*()
# /mnt	*()
/some/arbitrarily/long	*(ro,insecure,no_root_squash,sync,no_wdelay,no_subtree_check,v4root,uuid=97ea3cf6:3b6d52ed:ae649210:4f58780a,sec=390003:390004:390005:1)
# /mnt_test	*()
# /bin	*()
/some/arbitrarily/long/path/to/export/ext4	*(rw,insecure,no_root_squash,sync,wdelay,no_subtree_check,security_label,uuid=1780be75:975047fb:862f6ecf:e4296e21,sec=1:390003:390004:390005)
# /sys	*()
# /some/you-should-not-see-this-file.txt	*()
# /some/arbitrarily/long/path/to/you-should-not-see-this-file.txt	*()
# /etc	*()
# /lib64	*()
# /run	*()
# /some/arbitrarily/long/path/to/export/you-should-not-see-this-file.txt	*()
# /export	*()
# /lib	*()
# /srv	*()
/	*(ro,insecure,no_root_squash,sync,no_wdelay,no_subtree_check,v4root,fsid=0,sec=390003:390004:390005:1)
/some	*(ro,insecure,no_root_squash,sync,no_wdelay,no_subtree_check,v4root,uuid=1196c4b1:12a153dd:94eb28cc:bc9c0dbc,sec=390003:390004:390005:1)
# /some/arbitrarily/long/path/you-should-not-see-this-file.txt	*()
# /some/arbitrarily/you-should-not-see-this-file.txt	*()
# /home	*()
# /tmp	*()
/some/arbitrarily/long/path/to/export	*(ro,insecure,no_root_squash,sync,no_wdelay,no_subtree_check,v4root,uuid=2e7cde95:42c653f0:82101b40:c3dc5ad5,sec=390003:390004:390005:1)
# /usr	*()