.SS Machine Name Formats
NFS clients may be specified in a number of ways:
.IP "single host
-This is the most common format. You may specify a host either by an
+You may specify a host either by an
abbreviated name recognized be the resolver, the fully qualified domain
-name, or an IP address.
-.IP "netgroups
-NIS netgroups may be given as
-.IR @group .
-Only the host part of each
-netgroup members is consider in checking for membership. Empty host
-parts or those containing a single dash (\-) are ignored.
-.IP "wildcards
-Machine names may contain the wildcard characters \fI*\fR and \fI?\fR.
-This can be used to make the \fIexports\fR file more compact; for instance,
-\fI*.cs.foo.edu\fR matches all hosts in the domain
-\fIcs.foo.edu\fR. As these characters also match the dots in a domain
-name, the given pattern will also match all hosts within any subdomain
-of \fIcs.foo.edu\fR.
+name, an IPv4 address, or an IPv6 address. IPv6 addresses must not be
+inside square brackets in /etc/exports lest they be confused with
+character-class wildcard matches.
.IP "IP networks
You can also export directories to all hosts on an IP (sub-) network
simultaneously. This is done by specifying an IP address and netmask pair
where the netmask can be specified in dotted-decimal format, or as a
contiguous mask length.
For example, either `/255.255.252.0' or `/22' appended
-to the network base IPv4 address results in identical subnetworks with 10 bits of
-host. Wildcard characters generally do not work on IP addresses, though they
+to the network base IPv4 address results in identical subnetworks with 10 bits
+of host. IPv6 addresses must use a contiguous mask length and must not be inside square brackets to avoid confusion with character-class wildcards. Wildcard characters generally do not work on IP addresses, though they
may work by accident when reverse DNS lookups fail.
-'''.TP
-'''.B =public
-'''This is a special ``hostname'' that identifies the given directory name
-'''as the public root directory (see the section on WebNFS in
-'''.BR nfsd (8)
-'''for a discussion of WebNFS and the public root handle). When using this
-'''convention,
-'''.B =public
-'''must be the only entry on this line, and must have no export options
-'''associated with it. Note that this does
-'''.I not
-'''actually export the named directory; you still have to set the exports
-'''options in a separate entry.
-'''.PP
-'''The public root path can also be specified by invoking
-'''.I nfsd
-'''with the
-'''.B \-\-public\-root
-'''option. Multiple specifications of a public root will be ignored.
+.IP "wildcards
+Machine names may contain the wildcard characters \fI*\fR and \fI?\fR, or may contain character class lists within [square brackets].
+This can be used to make the \fIexports\fR file more compact; for instance,
+\fI*.cs.foo.edu\fR matches all hosts in the domain
+\fIcs.foo.edu\fR. As these characters also match the dots in a domain
+name, the given pattern will also match all hosts within any subdomain
+of \fIcs.foo.edu\fR.
+.IP "netgroups
+NIS netgroups may be given as
+.IR @group .
+Only the host part of each
+netgroup members is consider in checking for membership. Empty host
+parts or those containing a single dash (\-) are ignored.
+.IP "anonymous
+This is specified by a single
+.I *
+character (not to be confused with the
+.I wildcard
+entry above) and will match all clients.
+.\".TP
+.\".B =public
+.\"This is a special ``hostname'' that identifies the given directory name
+.\"as the public root directory (see the section on WebNFS in
+.\".BR nfsd (8)
+.\"for a discussion of WebNFS and the public root handle). When using this
+.\"convention,
+.\".B =public
+.\"must be the only entry on this line, and must have no export options
+.\"associated with it. Note that this does
+.\".I not
+.\"actually export the named directory; you still have to set the exports
+.\"options in a separate entry.
+.\".PP
+.\"The public root path can also be specified by invoking
+.\".I nfsd
+.\"with the
+.\".B \-\-public\-root
+.\"option. Multiple specifications of a public root will be ignored.
.PP
+If a client matches more than one of the specifications above, then
+the first match from the above list order takes precedence - regardless of
+the order they appear on the export line. However, if a client matches
+more than one of the same type of specification (e.g. two netgroups),
+then the first match from the order they appear on the export line takes
+precedence.
.SS RPCSEC_GSS security
You may use the special strings "gss/krb5", "gss/krb5i", or "gss/krb5p"
to restrict access to clients using rpcsec_gss security. However, this
.BR exportfs
understands the following export options:
.TP
-.IR secure "\*d
+.IR secure
This option requires that requests originate on an Internet port less
than IPPORT_RESERVED (1024). This option is on by default. To turn it
off, specify
.IR async
above).
-In releases of nfs-utils up to and including 1.0.0, this option was the
+In releases of nfs-utils up to and including 1.0.0, the
+.I async
+option was the
default. In all releases after 1.0.0,
.I sync
is the default, and
.I no_acl
is off).
-'''.TP
-'''.I noaccess
-'''This makes everything below the directory inaccessible for the named
-'''client. This is useful when you want to export a directory hierarchy to
-'''a client, but exclude certain subdirectories. The client's view of a
-'''directory flagged with noaccess is very limited; it is allowed to read
-'''its attributes, and lookup `.' and `..'. These are also the only entries
-'''returned by a readdir.
-'''.TP
-'''.IR link_relative
-'''Convert absolute symbolic links (where the link contents start with a
-'''slash) into relative links by prepending the necessary number of ../'s
-'''to get from the directory containing the link to the root on the
-'''server. This has subtle, perhaps questionable, semantics when the file
-'''hierarchy is not mounted at its root.
-'''.TP
-'''.IR link_absolute
-'''Leave all symbolic link as they are. This is the default operation.
+.\".TP
+.\".I noaccess
+.\"This makes everything below the directory inaccessible for the named
+.\"client. This is useful when you want to export a directory hierarchy to
+.\"a client, but exclude certain subdirectories. The client's view of a
+.\"directory flagged with noaccess is very limited; it is allowed to read
+.\"its attributes, and lookup `.' and `..'. These are also the only entries
+.\"returned by a readdir.
+.\".TP
+.\".IR link_relative
+.\"Convert absolute symbolic links (where the link contents start with a
+.\"slash) into relative links by prepending the necessary number of ../'s
+.\"to get from the directory containing the link to the root on the
+.\"server. This has subtle, perhaps questionable, semantics when the file
+.\"hierarchy is not mounted at its root.
+.\".TP
+.\".IR link_absolute
+.\"Leave all symbolic link as they are. This is the default operation.
.TP
.IR mountpoint= path
will be given this list of alternatives. (Note that actual replication
of the filesystem must be handled elsewhere.)
-.TP
-.IR refer= path@host[+host][:path@host[+host]]
-A client referencing the export point will be directed to choose from
-the given list an alternative location for the filesystem.
-(Note that the server must have a mountpoint here, though a different
-filesystem is not required; so, for example,
-.IR "mount --bind" " /path /path"
-is sufficient.)
-.TP
-.IR replicas= path@host[+host][:path@host[+host]]
-If the client asks for alternative locations for the export point, it
-will be given this list of alternatives. (Note that actual replication
-of the filesystem must be handled elsewhere.)
-
.SS User ID Mapping
.PP
.B nfsd
.IR no_root_squash .
.PP
By default,
-'''.B nfsd
-'''tries to obtain the anonymous uid and gid by looking up user
-'''.I nobody
-'''in the password file at startup time. If it isn't found, a uid and gid
+.\".B nfsd
+.\"tries to obtain the anonymous uid and gid by looking up user
+.\".I nobody
+.\"in the password file at startup time. If it isn't found, a uid and gid
.B exportfs
chooses a uid and gid
of 65534 for squashed access. These values can also be overridden by
the
.IR anonuid " and " anongid
options.
-'''.PP
-'''In addition to this,
-'''.B nfsd
-'''lets you specify arbitrary uids and gids that should be mapped to user
-'''nobody as well.
+.\".PP
+.\"In addition to this,
+.\".B nfsd
+.\"lets you specify arbitrary uids and gids that should be mapped to user
+.\"nobody as well.
Finally, you can map all user requests to the
anonymous uid by specifying the
.IR all_squash " option.
.B /home/joe
in the example section below, which maps all requests to uid 150 (which
is supposedly that of user joe).
+.SS Extra Export Tables
+After reading
+.I /etc/exports
+.B exportfs
+reads files under
+.I /etc/exports.d.
+directory as extra export tables.
+.B exportfs
+regards only a file which name is ended with
+.I .exports
+and
+not started with
+.I .
+as an extra export file. A file which name
+is not met this condition is just ignored.
+The format for extra export tables is the same as
+.I /etc/exports
+.
.IP
.SH EXAMPLE
.PP
/home/joe pc001(rw,all_squash,anonuid=150,anongid=100)
/pub *(ro,insecure,all_squash)
/srv/www \-sync,rw server @trusted @external(ro)
-'''/pub/private (noaccess)
+/foo 2001:db8:9:e54::/64(rw) 192.0.2.0/24(rw)
+/build buildhost[0-9].local.domain(rw)
+.\"/pub/private (noaccess)
.fi
.PP
The first line exports the entire filesystem to machines master and trusty.
don't use a reserved port for NFS.
The sixth line exports a directory read-write to the machine 'server'
as well as the `@trusted' netgroup, and read-only to netgroup `@external',
-all three mounts with the `sync' option enabled.
-''' The last line denies all NFS clients
-'''access to the private directory.
-'''.SH CAVEATS
-'''Unlike other NFS server implementations, this
-'''.B nfsd
-'''allows you to export both a directory and a subdirectory thereof to
-'''the same host, for instance
-'''.IR /usr " and " /usr/X11R6 .
-'''In this case, the mount options of the most specific entry apply. For
-'''instance, when a user on the client host accesses a file in
-'''.IR /usr/X11R6 ,
-'''the mount options given in the
-'''.I /usr/X11R6
-'''entry apply. This is also true when the latter is a wildcard or netgroup
-'''entry.
+all three mounts with the `sync' option enabled. The seventh line exports
+a directory to both an IPv6 and an IPv4 subnet. The eighth line demonstrates
+a character class wildcard match.
+.\" The last line denies all NFS clients
+.\"access to the private directory.
+.\".SH CAVEATS
+.\"Unlike other NFS server implementations, this
+.\".B nfsd
+.\"allows you to export both a directory and a subdirectory thereof to
+.\"the same host, for instance
+.\".IR /usr " and " /usr/X11R6 .
+.\"In this case, the mount options of the most specific entry apply. For
+.\"instance, when a user on the client host accesses a file in
+.\".IR /usr/X11R6 ,
+.\"the mount options given in the
+.\".I /usr/X11R6
+.\"entry apply. This is also true when the latter is a wildcard or netgroup
+.\"entry.
.SH FILES
/etc/exports
+/etc/exports.d
.SH SEE ALSO
.BR exportfs (8),
.BR netgroup (5),
.BR mountd (8),
.BR nfsd (8),
.BR showmount (8).
-'''.SH DIAGNOSTICS
-'''An error parsing the file is reported using syslogd(8) as level NOTICE from
-'''a DAEMON whenever
-'''.BR nfsd (8)
-'''or
-'''.BR mountd (8)
-'''is started up. Any unknown
-'''host is reported at that time, but often not all hosts are not yet known
-'''to
-'''.BR named (8)
-'''at boot time, thus as hosts are found they are reported
-'''with the same
-'''.BR syslogd (8)
-'''parameters.
+.\".SH DIAGNOSTICS
+.\"An error parsing the file is reported using syslogd(8) as level NOTICE from
+.\"a DAEMON whenever
+.\".BR nfsd (8)
+.\"or
+.\".BR mountd (8)
+.\"is started up. Any unknown
+.\"host is reported at that time, but often not all hosts are not yet known
+.\"to
+.\".BR named (8)
+.\"at boot time, thus as hosts are found they are reported
+.\"with the same
+.\".BR syslogd (8)
+.\"parameters.
projects / nfs-utils.git / blobdiff