list of export options for that client. No whitespace is permitted
between a client and its option list.
.PP
+Also, each line may have one or more specifications for default options
+after the path name, in the form of a dash ("\-") followed by an option
+list. The option list is used for all subsequent exports on that line
+only.
+.PP
Blank lines are ignored. A pound sign ("#") introduces a comment to the
end of the line. Entries may be continued across newlines using a
backslash. If an export name contains spaces it should be quoted using
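Review bot: the added paragraph ending "The option list is used for all subsequent exports on that line only" does not say how a default list combines with a client's own parenthesised options, or whether a second "\-" list later on the same line replaces or adds to the first. The effective option set decides which clients get rw or insecure access, so state the precedence explicitly. The /srv/www example later in this patch implies that a client's own list overrides the defaults, but the rule itself is never written down.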
understands the following export options:
.TP
.IR secure "\*d
-This option requires that requests originate on an internet port less
+This option requires that requests originate on an Internet port less
than IPPORT_RESERVED (1024). This option is on by default. To turn it
off, specify
.IR insecure .
an unclean server restart (i.e. a crash) can cause data to be lost or
corrupted.
-In releases of nfs-utils upto and including 1.0.0, this option was the
-default. In this and future releases,
+.TP
+.IR sync
+Reply to requests only after the changes have been committed to stable
+storage (see
+.IR async
+above).
+
+In releases of nfs-utils up to and including 1.0.0, this option was the
+default. In all subsequence releases,
.I sync
is the default, and
.I async
-must be explicit requested if needed.
-To help make system adminstrators aware of this change, 'exportfs'
+must be explicitly requested if needed.
+To help make system administrators aware of this change, 'exportfs'
will issue a warning if neither
.I sync
nor
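Review bot: with the new sync entry inserted ahead of it, "this option was the default" now reads as referring to sync, yet the same sentence goes on to say that sync became the default later, so it must mean async. Name the option explicitly, for example "async was the default". The same added line has "subsequence releases", which should be "subsequent releases".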
The option can be explicitly disabled with
.IR hide .
.TP
+.IR crossmnt
+This option is similar to
+.I nohide
+but it makes it possible for clients to move from the filesystem marked
+with crossmnt to exported filesystems mounted on it. Thus when a child
+filesystem "B" is mounted on a parent "A", setting crossmnt on "A" has
+the same effect as setting "nohide" on B.
+.TP
.IR no_subtree_check
This option disables subtree checking, which has mild security
implications, but can improve reliability in some circumstances.
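Review bot: the crossmnt entry leaves its scope open: "exported filesystems mounted on it" followed by the single A/B example does not say whether every filesystem mounted under A becomes reachable, or whether each child still needs its own export entry. An administrator needs that to judge what one crossmnt flag exposes, so spell it out. The option names are also marked inconsistently: crossmnt is plain text in the body, while nohide appears once as .I nohide and once as "nohide", and B is quoted in one place and bare in the next.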
requested with
.IR subtree_check .
+From release 1.1.0 of nfs-utils onwards, the default will be
+.I no_subtree_check
+as subtree_checking tends to cause more problems than it is worth.
+If you genuinely require subtree checking, you should explicitly put
+that option in the
+.B exports
+file. If you put neither option,
+.I exportfs
+will warn you that the change is pending.
+
.TP
.IR insecure_locks
.TP
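Review bot: the added paragraph announces a default of no_subtree_check, the setting this entry describes as having "mild security implications", and justifies it only with "more problems than it is worth". Add a sentence on what protection is given up and when subtree_check is still warranted, so readers can decide whether to set it explicitly. Also, "subtree_checking" is not an option name; write "subtree checking" or use .I subtree_check.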
.IR auth_nlm ,
or
.IR secure_locks .
+.TP
+.IR no_acl
+On some specially patched kernels, and when exporting filesystems that
+support ACLs, this option tells nfsd not to reveal ACLs to clients, so
+they will see only a subset of actual permissions on the given file
+system. This option is safe for filesystems used by NFSv2 clients and
+old NFSv3 clients that perform access decisions locally. Current
+NFSv3 clients use the ACCESS RPC to perform all access decisions on
+the server. Note that the
+.I no_acl
+option only has effect on kernels specially patched to support it, and
+when exporting filesystems with ACL support. The default is to export
+with ACL support (i.e. by default,
+.I no_acl
+is off).
'''.TP
'''.I noaccess
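Review bot: "This option is safe for filesystems used by NFSv2 clients and old NFSv3 clients" does not say what "safe" means, nor what happens with the current NFSv3 clients mentioned in the next sentence. Say whether no_acl changes the server's access decisions or only what clients are shown. The restriction to specially patched kernels and ACL-capable filesystems is stated twice, once at the start and again after "Note that the", and one of the two can go.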
If a path is given (e.g.
.IR mountpoint= "/path or " mp= /path)
-then the nominted path must be a mountpoint for the exportpoint to be
+then the nominated path must be a mountpoint for the exportpoint to be
exported.
.TP
-.IR fsid= num
-This option forces the filesystem identification portion of the file
-handle and file attributes used on the wire to be
-.I num
-instead of a number derived from the major and minor number of the
-block device on which the filesystem is mounted. Any 32 bit number
-can be used, but it must be unique amongst all the exported filesystems.
+.IR fsid= num|root|uuid
+NFS needs to be able to identify each filesystem that it exports.
+Normally it will use a UUID for the filesystem (if the filesystem has
+such a thing) or the device number of the device holding the
+filesystem (if the filesystem is stored on the device).
-This can be useful for NFS failover, to ensure that both servers of
-the failover pair use the same NFS file handles for the shared filesystem
-thus avoiding stale file handles after failover.
+As not all filesystems are stored on devices, and not all filesystems
+have UUIDs, it is sometimes necessary to explicitly tell NFS how to
+identify a filesystem. This is done with the
+.I fsid=
+option.
+
+For NFSv4, there is a distinguished filesystem which is the root of
+all exported filesystem. This is specified with
+.I fsid=root
+or
+.I fsid=0
+both of which mean exactly the same thing.
-Some Linux filesystems are not mounted on a block device; exporting
-these via NFS requires the use of the
-.I fsid
-option (although that may still not be enough).
+Other filesystems can be identified with a small integer, or a UUID
+which should contain 32 hex digits and arbitrary punctuation.
-The value 0 has a special meaning when use with NFSv4. NFSv4 has a
-concept of a root of the overall exported filesystem. The export point
-exported with fsid=0 will be used as this root.
+Linux kernels version 2.6.20 and earlier do not understand the UUID
+setting so a small integer must be used if an fsid option needs to be
+set for such kernels. Setting both a small number and a UUID is
+supported so the same configuration can be made to work on old and new
+kernels alike.
.SS User ID Mapping
.PP
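Review bot: the rewritten fsid text drops the removed requirement that the value "must be unique amongst all the exported filesystems" along with the NFS failover use case, and replaces "Any 32 bit number" with an undefined "small integer". If uniqueness still applies, keep that sentence, and give the accepted range for the integer form. Minor: "the root of all exported filesystem" should be plural.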
'''in the password file at startup time. If it isn't found, a uid and gid
.I exportfs
chooses a uid and gid
-of -2 (i.e. 65534) for squashed access. These values can also be overridden by
+of 65534 for squashed access. These values can also be overridden by
the
.IR anonuid " and " anongid
options.
.TP
.IR root_squash
Map requests from uid/gid 0 to the anonymous uid/gid. Note that this does
-not apply to any other uids that might be equally sensitive, such as user
-.IR bin .
+not apply to any other uids or gids that might be equally sensitive, such as
+user
+.IR bin
+or group
+.IR staff .
.TP
.IR no_root_squash
Turn off root squashing. This option is mainly useful for diskless clients.
/usr *.local.domain(ro) @trusted(rw)
/home/joe pc001(rw,all_squash,anonuid=150,anongid=100)
/pub (ro,insecure,all_squash)
+/srv/www \-sync,rw server @trusted @external(ro)
'''/pub/private (noaccess)
.fi
.PP
.I insecure
option in this entry also allows clients with NFS implementations that
don't use a reserved port for NFS.
+The sixth line exports a directory read-write to the machine 'server'
+as well as the `@trusted' netgroup, and read-only to netgroup `@external',
+all three mounts with the `sync' option enabled.
''' The last line denies all NFS clients
'''access to the private directory.
'''.SH CAVEATS
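Review bot: the added explanation of the /srv/www line never states the rule the example is there to show, namely that @external(ro) overrides the rw from the \-sync,rw default list while sync still applies to it. Say that in so many words, and replace "all three mounts" with "all three exports", since the line describes exports rather than client mounts. The quoting is also mixed within the sentence: 'server' uses straight quotes while `@trusted' and `@external' use the backtick form.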