In doing some digging related to T124991 it seems that exportfs is in an invasive operation. While NFSv4 does not protocol wise require rpc.mountd it still uses it for auth in the sec=sys mode, and in our case with -g for manage groups which allows the server side lookup to overcome the 16 group limitations. This server side lookup has a hardcoded cache of auth in proc:
root@labstore1002:~# cat /proc/net/rpc/auth.unix.gid/content #uid cnt: gids... 0 2: 500 0
This is meant to be kept for 30minutes, and every time we run our export job (every 5m) it wipes out this cache. We could make this better I think using
path-based activation: A unit can be started based on activity on or the availability of certain filesystem paths. This utilizes inotify.
in order to only run this when actual changes are taking place preserving the cache as much as possible.