2 .TH NFS 5 "2 November 2007"
4 nfs \- fstab format and options for the
10 NFS is an Internet Standard protocol
11 created by Sun Microsystems in 1984. NFS was developed
12 to allow file sharing between systems residing
13 on a local area network.
14 The Linux NFS client supports three versions
16 NFS version 2 [RFC1094],
17 NFS version 3 [RFC1813],
18 and NFS version 4 [RFC3530].
22 command attaches a file system to the system's
23 name space hierarchy at a given mount point.
28 should assemble a system's file name hierarchy
29 from various independent file systems
30 (including file systems exported by NFS servers).
33 file describes a single file system, its mount point,
34 and a set of default mount options for that mount point.
36 For NFS file system mounts, a line in the
38 file specifies the server name,
39 the path name of the exported server directory to mount,
40 the local directory that is the mount point,
41 the type of file system that is being mounted,
42 and a list of mount options that control
43 the way the filesystem is mounted and
44 how the NFS client behaves when accessing
45 files on this mount point.
46 The fifth and sixth fields on each line are not used
47 by NFS, thus conventionally each contain the digit zero. For example:
50 .ta 8n +14n +14n +9n +20n
51 server:path /mountpoint fstype option,option,... 0 0
54 The server's hostname and export pathname
55 are separated by a colon, while
56 the mount options are separated by commas. The remaining fields
57 are separated by blanks or tabs.
59 The server's hostname can be an unqualified hostname,
60 a fully qualified domain name,
61 a dotted quad IPv4 address, or
62 an IPv6 address enclosed in square brackets.
63 Link-local and site-local IPv6 addresses must be accompanied by an
67 for details on specifying raw IPv6 addresses.
71 field contains "nfs". Use of the "nfs4" fstype in
77 for a description of generic mount options
78 available for all file systems. If you do not need to
79 specify any mount options, use the generic option
84 .SS "Options supported by all versions"
85 These options are valid to use with any NFS version.
88 Determines the recovery behavior of the NFS client
89 after an NFS request times out.
90 If neither option is specified (or if the
92 option is specified), NFS requests are retried indefinitely.
95 option is specified, then the NFS client fails an NFS request
98 retransmissions have been sent,
99 causing the NFS client to return an error
100 to the calling application.
103 A so-called "soft" timeout can cause
104 silent data corruption in certain cases. As such, use the
106 option only when client responsiveness
107 is more important than data integrity.
108 Using NFS over TCP or increasing the value of the
110 option may mitigate some of the risks of using the
115 The time in deciseconds (tenths of a second) the NFS client waits for a
116 response before it retries an NFS request.
118 For NFS over TCP the default
120 value is 600 (60 seconds).
121 The NFS client performs linear backoff: After each retransmission the
122 timeout is increased by
124 up to the maximum of 600 seconds.
126 However, for NFS over UDP, the client uses an adaptive
127 algorithm to estimate an appropriate timeout value for frequently used
128 request types (such as READ and WRITE requests), but uses the
130 setting for infrequently used request types (such as FSINFO requests).
133 option is not specified,
134 infrequently used request types are retried after 1.1 seconds.
135 After each retransmission, the NFS client doubles the timeout for
137 up to a maximum timeout length of 60 seconds.
140 The number of times the NFS client retries a request before
141 it attempts further recovery action. If the
143 option is not specified, the NFS client tries each request
146 The NFS client generates a "server not responding" message
149 retries, then attempts further recovery (depending on whether the
151 mount option is in effect).
154 The maximum number of bytes in each network READ request
155 that the NFS client can receive when reading data from a file
157 The actual data payload size of each NFS READ request is equal to
160 setting. The largest read payload supported by the Linux NFS client
161 is 1,048,576 bytes (one megabyte).
165 value is a positive integral multiple of 1024.
168 values lower than 1024 are replaced with 4096; values larger than
169 1048576 are replaced with 1048576. If a specified value is within the supported
170 range but not a multiple of 1024, it is rounded down to the nearest
175 value is not specified, or if the specified
177 value is larger than the maximum that either client or server can support,
178 the client and server negotiate the largest
180 value that they can both support.
184 mount option as specified on the
186 command line appears in the
188 file. However, the effective
190 value negotiated by the client and server is reported in the
195 The maximum number of bytes per network WRITE request
196 that the NFS client can send when writing data to a file
197 on an NFS server. The actual data payload size of each
198 NFS WRITE request is equal to
201 setting. The largest write payload supported by the Linux NFS client
202 is 1,048,576 bytes (one megabyte).
208 value is a positive integral multiple of 1024.
211 values lower than 1024 are replaced with 4096; values larger than
212 1048576 are replaced with 1048576. If a specified value is within the supported
213 range but not a multiple of 1024, it is rounded down to the nearest
218 value is not specified, or if the specified
220 value is larger than the maximum that either client or server can support,
221 the client and server negotiate the largest
223 value that they can both support.
227 mount option as specified on the
229 command line appears in the
231 file. However, the effective
233 value negotiated by the client and server is reported in the
238 Selects whether the client may cache file attributes. If neither
239 option is specified (or if
241 is specified), the client caches file
244 To improve performance, NFS clients cache file
245 attributes. Every few seconds, an NFS client checks the server's version of each
246 file's attributes for updates. Changes that occur on the server in
247 those small intervals remain undetected until the client checks the
250 option prevents clients from caching file
251 attributes so that applications can more quickly detect file changes
254 In addition to preventing the client from caching file attributes,
257 option forces application writes to become synchronous so
258 that local changes to a file become visible on the server
259 immediately. That way, other clients can quickly detect recent
260 writes when they check the file's attributes.
264 option provides greater cache coherence among NFS clients
265 accessing the same files,
266 but it extracts a significant performance penalty.
267 As such, judicious use of file locking is encouraged instead.
268 The DATA AND METADATA COHERENCE section contains a detailed discussion
272 The minimum time (in seconds) that the NFS client caches
273 attributes of a regular file before it requests
274 fresh attribute information from a server.
275 If this option is not specified, the NFS client uses
279 The maximum time (in seconds) that the NFS client caches
280 attributes of a regular file before it requests
281 fresh attribute information from a server.
282 If this option is not specified, the NFS client uses
286 The minimum time (in seconds) that the NFS client caches
287 attributes of a directory before it requests
288 fresh attribute information from a server.
289 If this option is not specified, the NFS client uses
293 The maximum time (in seconds) that the NFS client caches
294 attributes of a directory before it requests
295 fresh attribute information from a server.
296 If this option is not specified, the NFS client uses
309 If this option is not specified, the NFS client uses
310 the defaults for each of these options listed above.
315 command behaves if an attempt to mount an export fails.
320 to exit with an error status if any part of the mount request
321 times out or fails outright.
322 This is called a "foreground" mount,
323 and is the default behavior if neither the
327 mount option is specified.
331 option is specified, a timeout or failure causes the
333 command to fork a child which continues to attempt
335 The parent immediately returns with a zero exit code.
336 This is known as a "background" mount.
338 If the local mount point directory is missing, the
340 command acts as if the mount request timed out.
341 This permits nested NFS mounts specified in
343 to proceed in any order during system initialization,
344 even if some NFS servers are not yet available.
345 Alternatively these issues can be addressed
346 using an automounter (refer to
351 The number of minutes that the
353 command retries an NFS mount operation
354 in the foreground or background before giving up.
355 If this option is not specified, the default value for foreground mounts
356 is 2 minutes, and the default value for background mounts is 10000 minutes
357 (80 minutes shy of one week).
358 If a value of zero is specified, the
360 command exits immediately after the first failure.
363 The RPCGSS security flavor to use for accessing files on this mount point.
366 option is not specified, or if
368 is specified, the NFS client uses the AUTH_SYS security flavor
369 for all NFS requests on this mount point.
370 Valid security flavors are
377 Refer to the SECURITY CONSIDERATIONS section for details.
379 .BR sharecache " / " nosharecache
380 Determines how the client's data cache and attribute cache are shared
381 when mounting the same export more than once concurrently. Using the
382 same cache reduces memory requirements on the client and presents
383 identical file contents to applications when the same remote file is
384 accessed via different mount points.
386 If neither option is specified, or if the
389 specified, then a single cache is used for all mount points that
390 access the same export. If the
393 then that mount point gets a unique cache. Note that when data and
394 attribute caches are shared, the mount options from the first mount
395 point take effect for subsequent concurrent mounts of the same export.
397 As of kernel 2.6.18, the behavior specified by
399 is legacy caching behavior. This
400 is considered a data risk since multiple cached copies
401 of the same file on the same client can become out of sync
402 following a local update of one of the copies.
404 .BR resvport " / " noresvport
405 Specifies whether the NFS client should use a privileged source port
406 when communicating with an NFS server for this mount point.
407 If this option is not specified, or the
409 option is specified, the NFS client uses a privileged source port.
412 option is specified, the NFS client uses a non-privileged source port.
413 This option is supported in kernels 2.6.28 and later.
415 Using non-privileged source ports helps increase the maximum number of
416 NFS mount points allowed on a client, but NFS servers must be configured
417 to allow clients to connect via non-privileged source ports.
419 Refer to the SECURITY CONSIDERATIONS section for important details.
421 .BI lookupcache= mode
422 Specifies how the kernel manages its cache of directory entries
423 for a given mount point.
431 This option is supported in kernels 2.6.28 and later.
433 The Linux NFS client caches the result of all NFS LOOKUP requests.
434 If the requested directory entry exists on the server,
435 the result is referred to as
437 If the requested directory entry does not exist on the server,
438 the result is referred to as
441 If this option is not specified, or if
443 is specified, the client assumes both types of directory cache entries
444 are valid until their parent directory's cached attributes expire.
447 .BR pos " or " positive
448 is specified, the client assumes positive entries are valid
449 until their parent directory's cached attributes expire, but
450 always revalidates negative entires before an application
456 the client revalidates both types of directory cache entries
457 before an application can use them.
458 This permits quick detection of files that were created or removed
459 by other clients, but can impact application and server performance.
461 The DATA AND METADATA COHERENCE section contains a
462 detailed discussion of these trade-offs.
463 .SS "Options for NFS versions 2 and 3 only"
464 Use these options, along with the options in the above subsection,
465 for NFS versions 2 and 3 only.
468 The transport protocol name and protocol family the NFS client uses
469 to transmit requests to the NFS server for this mount point.
470 If an NFS server has both an IPv4 and an IPv6 address, using a specific
471 netid will force the use of IPv4 or IPv6 networking to communicate
474 If support for TI-RPC is built into the
478 is a valid netid listed in
480 The value "rdma" may also be specified.
483 command does not have TI-RPC support, then
485 is one of "tcp," "udp," or "rdma," and only IPv4 may be used.
487 Each transport protocol uses different default
492 Refer to the description of these two mount options for details.
494 In addition to controlling how the NFS client transmits requests to
495 the server, this mount option also controls how the
497 command communicates with the server's rpcbind and mountd services.
498 Specifying a netid that uses TCP forces all traffic from the
500 command and the NFS client to use TCP.
501 Specifying a netid that uses UDP forces all traffic types to use UDP.
503 .B Before using NFS over UDP, refer to the TRANSPORT METHODS section.
507 mount option is not specified, the
509 command discovers which protocols the server supports
510 and chooses an appropriate transport for each service.
511 Refer to the TRANSPORT METHODS section for more details.
516 option is an alternative to specifying
518 It is included for compatibility with other operating systems.
520 .B Before using NFS over UDP, refer to the TRANSPORT METHODS section.
525 option is an alternative to specifying
527 It is included for compatibility with other operating systems.
532 option is an alternative to specifying
536 The numeric value of the server's NFS service port.
537 If the server's NFS service is not available on the specified port,
538 the mount request fails.
540 If this option is not specified, or if the specified port value is 0,
541 then the NFS client uses the NFS service port number
542 advertised by the server's rpcbind service.
543 The mount request fails if the server's rpcbind service is not available,
544 the server's NFS service is not registered with its rpcbind service,
545 or the server's NFS service is not available on the advertised port.
548 The numeric value of the server's mountd port.
549 If the server's mountd service is not available on the specified port,
550 the mount request fails.
552 If this option is not specified,
553 or if the specified port value is 0, then the
555 command uses the mountd service port number
556 advertised by the server's rpcbind service.
557 The mount request fails if the server's rpcbind service is not available,
558 the server's mountd service is not registered with its rpcbind service,
559 or the server's mountd service is not available on the advertised port.
561 This option can be used when mounting an NFS server
562 through a firewall that blocks the rpcbind protocol.
564 .BI mountproto= netid
565 The transport protocol name and protocol family the NFS client uses
566 to transmit requests to the NFS server's mountd service when performing
567 this mount request, and when later unmounting this mount point.
569 If support for TI-RPC is built into the
573 is a valid netid listed in
577 is one of "tcp" or "udp," and only IPv4 may be used.
579 This option can be used when mounting an NFS server
580 through a firewall that blocks a particular transport.
581 When used in combination with the
583 option, different transports for mountd requests and NFS requests
585 If the server's mountd service is not available via the specified
586 transport, the mount request fails.
588 Refer to the TRANSPORT METHODS section for more on how the
590 mount option interacts with the
595 The hostname of the host running mountd.
596 If this option is not specified, the
598 command assumes that the mountd service runs
599 on the same host as the NFS service.
602 The RPC version number used to contact the server's mountd.
603 If this option is not specified, the client uses a version number
604 appropriate to the requested NFS version.
605 This option is useful when multiple NFS services
606 are running on the same remote server host.
609 The maximum length of a pathname component on this mount.
610 If this option is not specified, the maximum length is negotiated
611 with the server. In most cases, this maximum length is 255 characters.
613 Some early versions of NFS did not support this negotiation.
614 Using this option ensures that
616 reports the proper maximum component length to applications
620 The NFS protocol version number used to contact the server's NFS service.
621 If the server does not support the requested version, the mount request fails.
622 If this option is not specified, the client negotiates a suitable version with
623 the server, trying version 4 first, version 3 second, and version 2 last.
626 This option is an alternative to the
629 It is included for compatibility with other operating systems.
631 .BR lock " / " nolock
632 Selects whether to use the NLM sideband protocol to lock files on the server.
633 If neither option is specified (or if
635 is specified), NLM locking is used for this mount point.
638 option, applications can lock files,
639 but such locks provide exclusion only against other applications
640 running on the same client.
641 Remote applications are not affected by these locks.
643 NLM locking must be disabled with the
645 option when using NFS to mount
649 contains files used by the NLM implementation on Linux.
652 option is also required when mounting exports on NFS servers
653 that do not support the NLM protocol.
655 .BR intr " / " nointr
656 Selects whether to allow signals to interrupt file operations
657 on this mount point. If neither option
661 signals do not interrupt NFS file operations. If
663 is specified, system calls return EINTR if an in-progress NFS operation is interrupted by
668 option is preferred to using the
670 option because it is significantly less likely to result in data corruption.
673 .BR intr " / " nointr
674 mount option is deprecated after kernel 2.6.25.
675 Only SIGKILL can interrupt a pending NFS operation on these kernels,
676 and if specified, this mount option is ignored to provide backwards
677 compatibility with older kernels.
680 Selects whether to use close-to-open cache coherence semantics.
681 If neither option is specified (or if
683 is specified), the client uses close-to-open
684 cache coherence semantics. If the
686 option is specified, the client uses a non-standard heuristic to determine when
687 files on the server have changed.
691 option may improve performance for read-only mounts,
692 but should be used only if the data on the server changes only occasionally.
693 The DATA AND METADATA COHERENCE section discusses the behavior
694 of this option in more detail.
697 Selects whether to use the NFSACL sideband protocol on this mount point.
698 The NFSACL sideband protocol is a proprietary protocol
699 implemented in Solaris that manages Access Control Lists. NFSACL was never
700 made a standard part of the NFS protocol specification.
707 the NFS client negotiates with the server
708 to see if the NFSACL protocol is supported,
709 and uses it if the server supports it.
710 Disabling the NFSACL sideband protocol may be necessary
711 if the negotiation causes problems on the client or server.
712 Refer to the SECURITY CONSIDERATIONS section for more details.
714 .BR rdirplus " / " nordirplus
715 Selects whether to use NFS version 3 READDIRPLUS requests.
716 If this option is not specified, the NFS client uses READDIRPLUS requests
717 on NFS version 3 mounts to read small directories.
718 Some applications perform better if the client uses only READDIR requests
721 .BR local_lock= mechanism
722 Specifies whether to use local locking for any or both of the flock and the
723 POSIX locking mechanisms.
731 This option is supported in kernels 2.6.37 and later.
733 The Linux NFS client provides a way to make locks local. This means, the
734 applications can lock files, but such locks provide exclusion only against
735 other applications running on the same client. Remote applications are not
736 affected by these locks.
738 If this option is not specified, or if
740 is specified, the client assumes that the locks are not local.
744 is specified, the client assumes that both flock and POSIX locks are local.
748 is specified, the client assumes that only flock locks are local and uses
749 NLM sideband protocol to lock files when POSIX locks are used.
753 is specified, the client assumes that POSIX locks are local and uses NLM
754 sideband protocol to lock files when flock locks are used.
756 To support legacy flock behavior similar to that of NFS clients < 2.6.12,
757 use 'local_lock=flock'. This option is required when exporting NFS mounts via
758 Samba as Samba maps Windows share mode locks as flock. Since NFS clients >
759 2.6.12 implement flock by emulating POSIX locks, this will result in
762 NOTE: When used together, the 'local_lock' mount option will be overridden
763 by 'nolock'/'lock' mount option.
764 .SS "Options for NFS version 4 only"
765 Use these options, along with the options in the first subsection above,
766 for NFS version 4 and newer.
769 The transport protocol name and protocol family the NFS client uses
770 to transmit requests to the NFS server for this mount point.
771 If an NFS server has both an IPv4 and an IPv6 address, using a specific
772 netid will force the use of IPv4 or IPv6 networking to communicate
775 If support for TI-RPC is built into the
779 is a valid netid listed in
783 is one of "tcp" or "udp," and only IPv4 may be used.
785 All NFS version 4 servers are required to support TCP,
786 so if this mount option is not specified, the NFS version 4 client
787 uses the TCP protocol.
788 Refer to the TRANSPORT METHODS section for more details.
791 The numeric value of the server's NFS service port.
792 If the server's NFS service is not available on the specified port,
793 the mount request fails.
795 If this mount option is not specified,
796 the NFS client uses the standard NFS port number of 2049
797 without first checking the server's rpcbind service.
798 This allows an NFS version 4 client to contact an NFS version 4
799 server through a firewall that may block rpcbind requests.
801 If the specified port value is 0,
802 then the NFS client uses the NFS service port number
803 advertised by the server's rpcbind service.
804 The mount request fails if the server's rpcbind service is not available,
805 the server's NFS service is not registered with its rpcbind service,
806 or the server's NFS service is not available on the advertised port.
808 .BR intr " / " nointr
809 Selects whether to allow signals to interrupt file operations
810 on this mount point. If neither option is specified (or if
812 is specified), system calls return EINTR if an in-progress NFS operation
813 is interrupted by a signal. If
815 is specified, signals do not
816 interrupt NFS operations.
820 option is preferred to using the
822 option because it is significantly less likely to result in data corruption.
825 .BR intr " / " nointr
826 mount option is deprecated after kernel 2.6.25.
827 Only SIGKILL can interrupt a pending NFS operation on these kernels,
828 and if specified, this mount option is ignored to provide backwards
829 compatibility with older kernels.
832 Selects whether to use close-to-open cache coherence semantics
833 for NFS directories on this mount point.
839 the default is to use close-to-open cache coherence
840 semantics for directories.
842 File data caching behavior is not affected by this option.
843 The DATA AND METADATA COHERENCE section discusses
844 the behavior of this option in more detail.
846 .BI clientaddr= n.n.n.n
847 Specifies a single IPv4 address (in dotted-quad form),
848 or a non-link-local IPv6 address,
849 that the NFS client advertises to allow servers
850 to perform NFS version 4 callback requests against
851 files on this mount point. If the server is unable to
852 establish callback connections to clients, performance
853 may degrade, or accesses to files may temporarily hang.
855 If this option is not specified, the
857 command attempts to discover an appropriate callback address automatically.
858 The automatic discovery process is not perfect, however.
859 In the presence of multiple client network interfaces,
860 special routing policies,
861 or atypical network topologies,
862 the exact address to use for callbacks may be nontrivial to determine.
863 .SH nfs4 FILE SYSTEM TYPE
866 file system type is an old syntax for specifying NFSv4 usage. It can still
867 be used with all NFSv4-specific and common options, excepted the
870 .SH MOUNT CONFIGURATION FILE
871 If the mount command is configured to do so, all of the mount options
872 described in the previous section can also be configured in the
873 .I /etc/nfsmount.conf
878 To mount an export using NFS version 2,
881 file system type and specify the
884 To mount using NFS version 3,
887 file system type and specify the
890 To mount using NFS version 4,
893 file system type, with the
899 The following example from an
901 file causes the mount command to negotiate
902 reasonable defaults for NFS behavior.
905 .ta 8n +16n +6n +6n +30n
906 server:/export /mnt nfs defaults 0 0
909 Here is an example from an /etc/fstab file for an NFS version 2 mount over UDP.
912 .ta 8n +16n +6n +6n +30n
913 server:/export /mnt nfs nfsvers=2,proto=udp 0 0
916 Try this example to mount using NFS version 4 over TCP
917 with Kerberos 5 mutual authentication.
920 .ta 8n +16n +6n +6n +30n
921 server:/export /mnt nfs4 sec=krb5 0 0
924 This example can be used to mount /usr over NFS.
927 .ta 8n +16n +6n +6n +30n
928 server:/export /usr nfs ro,nolock,nocto,actimeo=3600 0 0
931 This example shows how to mount an NFS server
932 using a raw IPv6 link-local address.
935 .ta 8n +40n +5n +4n +9n
936 [fe80::215:c5ff:fb3e:e2b1%eth0]:/export /mnt nfs defaults 0 0
938 .SH "TRANSPORT METHODS"
939 NFS clients send requests to NFS servers via
940 Remote Procedure Calls, or
942 The RPC client discovers remote service endpoints automatically,
943 handles per-request authentication,
944 adjusts request parameters for different byte endianness on client and server,
945 and retransmits requests that may have been lost by the network or server.
946 RPC requests and replies flow over a network transport.
950 command, NFS client, and NFS server
951 can automatically negotiate proper transport
952 and data transfer size settings for a mount point.
953 In some cases, however, it pays to specify
954 these settings explicitly using mount options.
956 Traditionally, NFS clients used the UDP transport exclusively for
957 transmitting requests to servers. Though its implementation is
958 simple, NFS over UDP has many limitations that prevent smooth
959 operation and good performance in some common deployment
960 environments. Even an insignificant packet loss rate results in the
961 loss of whole NFS requests; as such, retransmit timeouts are usually
962 in the subsecond range to allow clients to recover quickly from
963 dropped requests, but this can result in extraneous network traffic
966 However, UDP can be quite effective in specialized settings where
967 the networks MTU is large relative to NFSs data transfer size (such
968 as network environments that enable jumbo Ethernet frames). In such
969 environments, trimming the
973 settings so that each
974 NFS read or write request fits in just a few network frames (or even
975 in a single frame) is advised. This reduces the probability that
976 the loss of a single MTU-sized network frame results in the loss of
977 an entire large read or write request.
979 TCP is the default transport protocol used for all modern NFS
980 implementations. It performs well in almost every conceivable
981 network environment and provides excellent guarantees against data
982 corruption caused by network unreliability. TCP is often a
983 requirement for mounting a server through a network firewall.
985 Under normal circumstances, networks drop packets much more
986 frequently than NFS servers drop requests. As such, an aggressive
987 retransmit timeout setting for NFS over TCP is unnecessary. Typical
988 timeout settings for NFS over TCP are between one and ten minutes.
989 After the client exhausts its retransmits (the value of the
991 mount option), it assumes a network partition has occurred,
992 and attempts to reconnect to the server on a fresh socket. Since
993 TCP itself makes network data transfer reliable,
997 can safely be allowed to default to the largest values supported by
998 both client and server, independent of the network's MTU size.
999 .SS "Using the mountproto mount option"
1000 This section applies only to NFS version 2 and version 3 mounts
1001 since NFS version 4 does not use a separate protocol for mount
1004 The Linux NFS client can use a different transport for
1005 contacting an NFS server's rpcbind service, its mountd service,
1006 its Network Lock Manager (NLM) service, and its NFS service.
1007 The exact transports employed by the Linux NFS client for
1008 each mount point depends on the settings of the transport
1009 mount options, which include
1012 .BR udp ", and " tcp .
1014 The client sends Network Status Manager (NSM) notifications
1015 via UDP no matter what transport options are specified, but
1016 listens for server NSM notifications on both UDP and TCP.
1017 The NFS Access Control List (NFSACL) protocol shares the same
1018 transport as the main NFS service.
1020 If no transport options are specified, the Linux NFS client
1021 uses UDP to contact the server's mountd service, and TCP to
1022 contact its NLM and NFS services by default.
1024 If the server does not support these transports for these services, the
1026 command attempts to discover what the server supports, and then retries
1027 the mount request once using the discovered transports.
1028 If the server does not advertise any transport supported by the client
1029 or is misconfigured, the mount request fails.
1032 option is in effect, the mount command backgrounds itself and continues
1033 to attempt the specified mount request.
1041 option is specified but the
1043 option is not, the specified transport is used to contact
1044 both the server's mountd service and for the NLM and NFS services.
1048 option is specified but none of the
1049 .BR proto ", " udp " or " tcp
1050 options are specified, then the specified transport is used for the
1051 initial mountd request, but the mount command attempts to discover
1052 what the server supports for the NFS protocol, preferring TCP if
1053 both transports are supported.
1056 .BR mountproto " and " proto
1058 .BR udp " or " tcp )
1059 options are specified, then the transport specified by the
1061 option is used for the initial mountd request, and the transport
1065 .BR udp " or " tcp " options)"
1066 is used for NFS, no matter what order these options appear.
1067 No automatic service discovery is performed if these options are
1071 .BR proto ", " udp ", " tcp ", "
1074 options are specified more than once on the same mount command line,
1075 then the value of the rightmost instance of each of these options
1077 .SS "Using NFS over UDP on high-speed links"
1078 Using NFS over UDP on high-speed links such as Gigabit
1079 .BR "can cause silent data corruption" .
1081 The problem can be triggered at high loads, and is caused by problems in
1082 IP fragment reassembly. NFS read and writes typically transmit UDP packets
1083 of 4 Kilobytes or more, which have to be broken up into several fragments
1084 in order to be sent over the Ethernet link, which limits packets to 1500
1085 bytes by default. This process happens at the IP network layer and is
1086 called fragmentation.
1088 In order to identify fragments that belong together, IP assigns a 16bit
1090 value to each packet; fragments generated from the same UDP packet
1091 will have the same IP ID. The receiving system will collect these
1092 fragments and combine them to form the original UDP packet. This process
1093 is called reassembly. The default timeout for packet reassembly is
1094 30 seconds; if the network stack does not receive all fragments of
1095 a given packet within this interval, it assumes the missing fragment(s)
1096 got lost and discards those it already received.
1098 The problem this creates over high-speed links is that it is possible
1099 to send more than 65536 packets within 30 seconds. In fact, with
1100 heavy NFS traffic one can observe that the IP IDs repeat after about
1103 This has serious effects on reassembly: if one fragment gets lost,
1105 .I from a different packet
1108 will arrive within the 30 second timeout, and the network stack will
1109 combine these fragments to form a new packet. Most of the time, network
1110 layers above IP will detect this mismatched reassembly - in the case
1111 of UDP, the UDP checksum, which is a 16 bit checksum over the entire
1112 packet payload, will usually not match, and UDP will discard the
1115 However, the UDP checksum is 16 bit only, so there is a chance of 1 in
1116 65536 that it will match even if the packet payload is completely
1117 random (which very often isn't the case). If that is the case,
1118 silent data corruption will occur.
1120 This potential should be taken seriously, at least on Gigabit
1122 Network speeds of 100Mbit/s should be considered less
1123 problematic, because with most traffic patterns IP ID wrap around
1124 will take much longer than 30 seconds.
1126 It is therefore strongly recommended to use
1127 .BR "NFS over TCP where possible" ,
1128 since TCP does not perform fragmentation.
1130 If you absolutely have to use NFS over UDP over Gigabit Ethernet,
1131 some steps can be taken to mitigate the problem and reduce the
1132 probability of corruption:
1135 Many Gigabit network cards are capable of transmitting
1136 frames bigger than the 1500 byte limit of traditional Ethernet, typically
1137 9000 bytes. Using jumbo frames of 9000 bytes will allow you to run NFS over
1138 UDP at a page size of 8K without fragmentation. Of course, this is
1139 only feasible if all involved stations support jumbo frames.
1141 To enable a machine to send jumbo frames on cards that support it,
1142 it is sufficient to configure the interface for a MTU value of 9000.
1144 .I Lower reassembly timeout:
1145 By lowering this timeout below the time it takes the IP ID counter
1146 to wrap around, incorrect reassembly of fragments can be prevented
1147 as well. To do so, simply write the new timeout value (in seconds)
1149 .BR /proc/sys/net/ipv4/ipfrag_time .
1151 A value of 2 seconds will greatly reduce the probability of IPID clashes on
1152 a single Gigabit link, while still allowing for a reasonable timeout
1153 when receiving fragmented traffic from distant peers.
1154 .SH "DATA AND METADATA COHERENCE"
1155 Some modern cluster file systems provide
1156 perfect cache coherence among their clients.
1157 Perfect cache coherence among disparate NFS clients
1158 is expensive to achieve, especially on wide area networks.
1159 As such, NFS settles for weaker cache coherence that
1160 satisfies the requirements of most file sharing types. Normally,
1161 file sharing is completely sequential:
1162 first client A opens a file, writes something to it, then closes it;
1163 then client B opens the same file, and reads the changes.
1165 .SS "Close-to-open cache consistency"
1166 When an application opens a file stored on an NFS server,
1167 the NFS client checks that it still exists on the server
1168 and is permitted to the opener by sending a GETATTR or ACCESS request.
1169 When the application closes the file,
1170 the NFS client writes back any pending changes
1171 to the file so that the next opener can view the changes.
1172 This also gives the NFS client an opportunity to report
1173 any server write errors to the application
1174 via the return code from
1176 The behavior of checking at open time and flushing at close time
1177 is referred to as close-to-open cache consistency.
1178 .SS "Weak cache consistency"
1179 There are still opportunities for a client's data cache
1180 to contain stale data.
1181 The NFS version 3 protocol introduced "weak cache consistency"
1182 (also known as WCC) which provides a way of efficiently checking
1183 a file's attributes before and after a single request.
1184 This allows a client to help identify changes
1185 that could have been made by other clients.
1187 When a client is using many concurrent operations
1188 that update the same file at the same time
1189 (for example, during asynchronous write behind),
1190 it is still difficult to tell whether it was
1191 that client's updates or some other client's updates
1192 that altered the file.
1193 .SS "Attribute caching"
1196 mount option to achieve attribute cache coherence
1197 among multiple clients.
1198 Almost every file system operation checks
1199 file attribute information.
1200 The client keeps this information cached
1201 for a period of time to reduce network and server load.
1204 is in effect, a client's file attribute cache is disabled,
1205 so each operation that needs to check a file's attributes
1206 is forced to go back to the server.
1207 This permits a client to see changes to a file very quickly,
1208 at the cost of many extra network operations.
1210 Be careful not to confuse the
1212 option with "no data caching."
1215 mount option prevents the client from caching file metadata,
1216 but there are still races that may result in data cache incoherence
1217 between client and server.
1219 The NFS protocol is not designed to support
1220 true cluster file system cache coherence
1221 without some type of application serialization.
1222 If absolute cache coherence among clients is required,
1223 applications should use file locking. Alternatively, applications
1224 can also open their files with the O_DIRECT flag
1225 to disable data caching entirely.
1226 .SS "Directory entry caching"
1227 The Linux NFS client caches the result of all NFS LOOKUP requests.
1228 If the requested directory entry exists on the server,
1229 the result is referred to as a
1230 .IR positive " lookup result.
1231 If the requested directory entry does not exist on the server
1232 (that is, the server returned ENOENT),
1233 the result is referred to as
1234 .IR negative " lookup result.
1236 To detect when directory entries have been added or removed
1238 the Linux NFS client watches a directory's mtime.
1239 If the client detects a change in a directory's mtime,
1240 the client drops all cached LOOKUP results for that directory.
1241 Since the directory's mtime is a cached attribute, it may
1242 take some time before a client notices it has changed.
1243 See the descriptions of the
1244 .BR acdirmin ", " acdirmax ", and " noac
1245 mount options for more information about
1246 how long a directory's mtime is cached.
1248 Caching directory entries improves the performance of applications that
1249 do not share files with applications on other clients.
1250 Using cached information about directories can interfere
1251 with applications that run concurrently on multiple clients and
1252 need to detect the creation or removal of files quickly, however.
1255 mount option allows some tuning of directory entry caching behavior.
1257 Before kernel release 2.6.28,
1258 the Linux NFS client tracked only positive lookup results.
1259 This permitted applications to detect new directory entries
1260 created by other clients quickly while still providing some of the
1261 performance benefits of caching.
1262 If an application depends on the previous lookup caching behavior
1263 of the Linux NFS client, you can use
1264 .BR lookupcache=positive .
1266 If the client ignores its cache and validates every application
1267 lookup request with the server,
1268 that client can immediately detect when a new directory
1269 entry has been either created or removed by another client.
1270 You can specify this behavior using
1271 .BR lookupcache=none .
1272 The extra NFS requests needed if the client does not
1273 cache directory entries can exact a performance penalty.
1274 Disabling lookup caching
1275 should result in less of a performance penalty than using
1277 and has no effect on how the NFS client caches the attributes of files.
1279 .SS "The sync mount option"
1280 The NFS client treats the
1282 mount option differently than some other file systems
1285 for a description of the generic
1294 is specified (or if the
1296 option is specified),
1297 the NFS client delays sending application
1298 writes to the server
1299 until any of these events occur:
1301 Memory pressure forces reclamation of system memory resources.
1303 An application flushes file data explicitly with
1309 An application closes a file with
1312 The file is locked/unlocked via
1315 In other words, under normal circumstances,
1316 data written by an application may not immediately appear
1317 on the server that hosts the file.
1321 option is specified on a mount point,
1322 any system call that writes data to files on that mount point
1323 causes that data to be flushed to the server
1324 before the system call returns control to user space.
1325 This provides greater data cache coherence among clients,
1326 but at a significant performance cost.
1328 Applications can use the O_SYNC open flag to force application
1329 writes to individual files to go to the server immediately without
1333 .SS "Using file locks with NFS"
1334 The Network Lock Manager protocol is a separate sideband protocol
1335 used to manage file locks in NFS version 2 and version 3.
1336 To support lock recovery after a client or server reboot,
1337 a second sideband protocol --
1338 known as the Network Status Manager protocol --
1341 file locking is supported directly in the main NFS protocol,
1342 and the NLM and NSM sideband protocols are not used.
1344 In most cases, NLM and NSM services are started automatically,
1345 and no extra configuration is required.
1346 Configure all NFS clients with fully-qualified domain names
1347 to ensure that NFS servers can find clients to notify them of server reboots.
1349 NLM supports advisory file locks only.
1350 To lock NFS files, use
1352 with the F_GETLK and F_SETLK commands.
1353 The NFS client converts file locks obtained via
1357 When mounting servers that do not support the NLM protocol,
1358 or when mounting an NFS server through a firewall
1359 that blocks the NLM service port,
1362 mount option. NLM locking must be disabled with the
1364 option when using NFS to mount
1368 contains files used by the NLM implementation on Linux.
1372 option may also be advised to improve the performance
1373 of a proprietary application which runs on a single client
1374 and uses file locks extensively.
1375 .SS "NFS version 4 caching features"
1376 The data and metadata caching behavior of NFS version 4
1377 clients is similar to that of earlier versions.
1378 However, NFS version 4 adds two features that improve
1380 .I change attributes
1382 .IR "file delegation" .
1386 is a new part of NFS file and directory metadata
1387 which tracks data changes.
1388 It replaces the use of a file's modification
1389 and change time stamps
1390 as a way for clients to validate the content
1392 Change attributes are independent of the time stamp
1393 resolution on either the server or client, however.
1397 is a contract between an NFS version 4 client
1398 and server that allows the client to treat a file temporarily
1399 as if no other client is accessing it.
1400 The server promises to notify the client (via a callback request) if another client
1401 attempts to access that file.
1402 Once a file has been delegated to a client, the client can
1403 cache that file's data and metadata aggressively without
1404 contacting the server.
1406 File delegations come in two flavors:
1412 delegation means that the server notifies the client
1413 about any other clients that want to write to the file.
1416 delegation means that the client gets notified about
1417 either read or write accessors.
1419 Servers grant file delegations when a file is opened,
1420 and can recall delegations at any time when another
1421 client wants access to the file that conflicts with
1422 any delegations already granted.
1423 Delegations on directories are not supported.
1425 In order to support delegation callback, the server
1426 checks the network return path to the client during
1427 the client's initial contact with the server.
1428 If contact with the client cannot be established,
1429 the server simply does not grant any delegations to
1431 .SH "SECURITY CONSIDERATIONS"
1432 NFS servers control access to file data,
1433 but they depend on their RPC implementation
1434 to provide authentication of NFS requests.
1435 Traditional NFS access control mimics
1436 the standard mode bit access control provided in local file systems.
1437 Traditional RPC authentication uses a number
1438 to represent each user
1439 (usually the user's own uid),
1440 a number to represent the user's group (the user's gid),
1441 and a set of up to 16 auxiliary group numbers
1442 to represent other groups of which the user may be a member.
1444 Typically, file data and user ID values appear unencrypted
1445 (i.e. "in the clear") on the network.
1446 Moreover, NFS versions 2 and 3 use
1447 separate sideband protocols for mounting,
1448 locking and unlocking files,
1449 and reporting system status of clients and servers.
1450 These auxiliary protocols use no authentication.
1452 In addition to combining these sideband protocols with the main NFS protocol,
1453 NFS version 4 introduces more advanced forms of access control,
1454 authentication, and in-transit data protection.
1455 The NFS version 4 specification mandates NFSv4 ACLs,
1456 RPCGSS authentication, and RPCGSS security flavors
1457 that provide per-RPC integrity checking and encryption.
1458 Because NFS version 4 combines the
1459 function of the sideband protocols into the main NFS protocol,
1460 the new security features apply to all NFS version 4 operations
1461 including mounting, file locking, and so on.
1462 RPCGSS authentication can also be used with NFS versions 2 and 3,
1463 but does not protect their sideband protocols.
1467 mount option specifies the RPCGSS security mode
1468 that is in effect on a given NFS mount point.
1471 provides cryptographic proof of a user's identity in each RPC request.
1472 This provides strong verification of the identity of users
1473 accessing data on the server.
1474 Note that additional configuration besides adding this mount option
1475 is required in order to enable Kerberos security.
1478 man page for details.
1480 Two additional flavors of Kerberos security are supported:
1486 security flavor provides a cryptographically strong guarantee
1487 that the data in each RPC request has not been tampered with.
1490 security flavor encrypts every RPC request
1491 to prevent data exposure during network transit; however,
1492 expect some performance impact
1493 when using integrity checking or encryption.
1494 Similar support for other forms of cryptographic security
1497 The NFS version 4 protocol allows
1498 clients and servers to negotiate among multiple security flavors
1499 during mount processing.
1500 However, Linux does not yet implement such negotiation.
1501 The Linux client specifies a single security flavor at mount time
1502 which remains in effect for the lifetime of the mount.
1503 If the server does not support this flavor,
1504 the initial mount request is rejected by the server.
1505 .SS "Using non-privileged source ports"
1506 NFS clients usually communicate with NFS servers via network sockets.
1507 Each end of a socket is assigned a port value, which is simply a number
1508 between 1 and 65535 that distinguishes socket endpoints at the same
1510 A socket is uniquely defined by a tuple that includes the transport
1511 protocol (TCP or UDP) and the port values and IP addresses of both
1514 The NFS client can choose any source port value for its sockets,
1515 but usually chooses a
1518 A privileged port is a port value less than 1024.
1519 Only a process with root privileges may create a socket
1520 with a privileged source port.
1522 The exact range of privileged source ports that can be chosen is
1523 set by a pair of sysctls to avoid choosing a well-known port, such as
1524 the port used by ssh.
1525 This means the number of source ports available for the NFS client,
1526 and therefore the number of socket connections that can be used
1528 is practically limited to only a few hundred.
1530 As described above, the traditional default NFS authentication scheme,
1531 known as AUTH_SYS, relies on sending local UID and GID numbers to identify
1532 users making NFS requests.
1533 An NFS server assumes that if a connection comes from a privileged port,
1534 the UID and GID numbers in the NFS requests on this connection have been
1535 verified by the client's kernel or some other local authority.
1536 This is an easy system to spoof, but on a trusted physical network between
1537 trusted hosts, it is entirely adequate.
1539 Roughly speaking, one socket is used for each NFS mount point.
1540 If a client could use non-privileged source ports as well,
1541 the number of sockets allowed,
1542 and thus the maximum number of concurrent mount points,
1543 would be much larger.
1545 Using non-privileged source ports may compromise server security somewhat,
1546 since any user on AUTH_SYS mount points can now pretend to be any other
1547 when making NFS requests.
1548 Thus NFS servers do not support this by default.
1549 They explicitly allow it usually via an export option.
1551 To retain good security while allowing as many mount points as possible,
1552 it is best to allow non-privileged client connections only if the server
1553 and client both require strong authentication, such as Kerberos.
1554 .SS "Mounting through a firewall"
1555 A firewall may reside between an NFS client and server,
1556 or the client or server may block some of its own ports via IP
1558 It is still possible to mount an NFS server through a firewall,
1561 command's automatic service endpoint discovery mechanisms may not work; this
1562 requires you to provide specific endpoint details via NFS mount options.
1564 NFS servers normally run a portmapper or rpcbind daemon to advertise
1565 their service endpoints to clients. Clients use the rpcbind daemon to determine:
1567 What network port each RPC-based service is using
1569 What transport protocols each RPC-based service supports
1571 The rpcbind daemon uses a well-known port number (111) to help clients find a service endpoint.
1572 Although NFS often uses a standard port number (2049),
1573 auxiliary services such as the NLM service can choose
1574 any unused port number at random.
1576 Common firewall configurations block the well-known rpcbind port.
1577 In the absense of an rpcbind service,
1578 the server administrator fixes the port number
1579 of NFS-related services so that the firewall
1580 can allow access to specific NFS service ports.
1581 Client administrators then specify the port number
1582 for the mountd service via the
1587 It may also be necessary to enforce the use of TCP or UDP
1588 if the firewall blocks one of those transports.
1589 .SS "NFS Access Control Lists"
1590 Solaris allows NFS version 3 clients direct access
1591 to POSIX Access Control Lists stored in its local file systems.
1592 This proprietary sideband protocol, known as NFSACL,
1593 provides richer access control than mode bits.
1594 Linux implements this protocol
1595 for compatibility with the Solaris NFS implementation.
1596 The NFSACL protocol never became a standard part
1597 of the NFS version 3 specification, however.
1599 The NFS version 4 specification mandates a new version
1600 of Access Control Lists that are semantically richer than POSIX ACLs.
1601 NFS version 4 ACLs are not fully compatible with POSIX ACLs; as such,
1602 some translation between the two is required
1603 in an environment that mixes POSIX ACLs and NFS version 4.
1604 .SH "THE REMOUNT OPTION"
1605 Generic mount options such as
1607 can be modified on NFS mount points using the
1612 for more information on generic mount options.
1614 With few exceptions, NFS-specific options
1615 are not able to be modified during a remount.
1616 The underlying transport or NFS version
1617 cannot be changed by a remount, for example.
1619 Performing a remount on an NFS file system mounted with the
1621 option may have unintended consequences.
1624 option is a combination of the generic option
1626 and the NFS-specific option
1628 .SS "Unmounting after a remount"
1629 For mount points that use NFS versions 2 or 3, the NFS umount subcommand
1630 depends on knowing the original set of mount options used to perform the
1632 These options are stored on disk by the NFS mount subcommand,
1633 and can be erased by a remount.
1635 To ensure that the saved mount options are not erased during a remount,
1636 specify either the local mount directory, or the server hostname and
1637 export pathname, but not both, during a remount. For example,
1641 mount -o remount,ro /mnt
1644 merges the mount option
1646 with the mount options already saved on disk for the NFS server mounted at /mnt.
1652 Before 2.4.7, the Linux NFS client did not support NFS over TCP.
1654 Before 2.4.20, the Linux NFS client used a heuristic
1655 to determine whether cached file data was still valid
1656 rather than using the standard close-to-open cache coherency method
1659 Starting with 2.4.22, the Linux NFS client employs
1660 a Van Jacobsen-based RTT estimator to determine retransmit
1661 timeout values when using NFS over UDP.
1663 Before 2.6.0, the Linux NFS client did not support NFS version 4.
1665 Before 2.6.8, the Linux NFS client used only synchronous reads and writes
1667 .BR rsize " and " wsize
1668 settings were smaller than the system's page size.
1670 The Linux NFS client does not yet support
1671 certain optional features of the NFS version 4 protocol,
1672 such as security negotiation, server referrals, and named attributes.
1687 .BR rpc.svcgssd (8),
1690 RFC 768 for the UDP specification.
1692 RFC 793 for the TCP specification.
1694 RFC 1094 for the NFS version 2 specification.
1696 RFC 1813 for the NFS version 3 specification.
1698 RFC 1832 for the XDR specification.
1700 RFC 1833 for the RPC bind specification.
1702 RFC 2203 for the RPCSEC GSS API protocol specification.
1704 RFC 3530 for the NFS version 4 specification.