X-Git-Url: https://git.decadent.org.uk/gitweb/?p=nfs-utils.git;a=blobdiff_plain;f=utils%2Fexportfs%2Fexports.man;h=3aa8de8ab45b6af86d842c6f502929318556c39e;hp=97264cdc6511880f69ed3d00a0c092043b1abffd;hb=e91ff0175602cc56f223f1d92de6511099fa40d1;hpb=de8fd61f8e692d5d8207d7c30e8914da05ca122f diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man index 97264cd..3aa8de8 100644 --- a/utils/exportfs/exports.man +++ b/utils/exportfs/exports.man @@ -1,5 +1,4 @@ -.TH EXPORTS 5 "28 October 1999" -.UC 5 +.TH EXPORTS 5 "4 March 2005" "Linux" "Linux File Formats Manual" .SH NAME exports \- NFS file systems being exported (for Kernel based NFS) .SH SYNOPSIS @@ -23,6 +22,11 @@ client may be immediately followed by a parenthesized, comma-separated list of export options for that client. No whitespace is permitted between a client and its option list. .PP +Also, each line may have one or more specifications for default options +after the path name, in the form of a dash ("\-") followed by an option +list. The option list is used for all subsequent exports on that line +only. +.PP Blank lines are ignored. A pound sign ("#") introduces a comment to the end of the line. Entries may be continued across newlines using a backslash. If an export name contains spaces it should be quoted using @@ -45,9 +49,10 @@ parts or those containing a single dash (\-) are ignored. .IP "wildcards Machine names may contain the wildcard characters \fI*\fR and \fI?\fR. This can be used to make the \fIexports\fR file more compact; for instance, -\fI*.cs.foo.edu\fR matches all hosts in the domain \fIcs.foo.edu\fR. However, -these wildcard characters do not match the dots in a domain name, so the -above pattern does not include hosts such as \fIa.b.cs.foo.edu\fR. +\fI*.cs.foo.edu\fR matches all hosts in the domain +\fIcs.foo.edu\fR. As these characters also match the dots in a domain +name, the given pattern will also match all hosts within any subdomain +of \fIcs.foo.edu\fR. .IP "IP networks You can also export directories to all hosts on an IP (sub-) network simultaneously. This is done by specifying an IP address and netmask pair @@ -78,12 +83,17 @@ may work by accident when reverse DNS lookups fail. '''.B \-\-public\-root '''option. Multiple specifications of a public root will be ignored. .PP +.SS RPCSEC_GSS security +To restrict access to an export using rpcsec_gss security, use the special +string "gss/krb5" as the client. It is not possible to simultaneously require +rpcsec_gss and to make requirements on the IP address of the client. +.PP .SS General Options .IR exportfs understands the following export options: .TP .IR secure "\*d -This option requires that requests originate on an internet port less +This option requires that requests originate on an Internet port less than IPPORT_RESERVED (1024). This option is on by default. To turn it off, specify .IR insecure . @@ -104,13 +114,20 @@ Using this option usually improves performance, but at the cost that an unclean server restart (i.e. a crash) can cause data to be lost or corrupted. -In releases of nfs-utils upto and including 1.0.0, this option was the -default. In this and future releases, +.TP +.IR sync +Reply to requests only after the changes have been committed to stable +storage (see +.IR async +above). + +In releases of nfs-utils up to and including 1.0.0, this option was the +default. In all subsequence releases, .I sync is the default, and .I async -must be explicit requested if needed. -To help make system adminstrators aware of this change, 'exportfs' +must be explicitly requested if needed. +To help make system administrators aware of this change, 'exportfs' will issue a warning if neither .I sync nor @@ -163,9 +180,17 @@ copes with the situation effectively. The option can be explicitly disabled with .IR hide . .TP +.IR crossmnt +This option is similar to +.I nohide +but it makes it possible for clients to move from the filesystem marked +with crossmnt to exported filesystems mounted on it. Thus when a child +filesystem "B" is mounted on a parent "A", setting crossmnt on "A" has +the same effect as setting "nohide" on B. +.TP .IR no_subtree_check This option disables subtree checking, which has mild security -implications, but can improve reliability is some circumstances. +implications, but can improve reliability in some circumstances. If a subdirectory of a filesystem is exported, but the whole filesystem isn't then whenever a NFS request arrives, the server must @@ -184,7 +209,7 @@ subtree checking is also used to make sure that files inside directories to which only root has access can only be accessed if the filesystem is exported with .I no_root_squash -(see below), even the file itself allows more general access. +(see below), even if the file itself allows more general access. As a general guide, a home directory filesystem, which is normally exported at the root and may see lots of file renames, should be @@ -197,6 +222,16 @@ The default of having subtree checks enabled, can be explicitly requested with .IR subtree_check . +From release 1.1.0 of nfs-utils onwards, the default will be +.I no_subtree_check +as subtree_checking tends to cause more problems than it is worth. +If you genuinely require subtree checking, you should explicitly put +that option in the +.B exports +file. If you put neither option, +.I exportfs +will warn you that the change is pending. + .TP .IR insecure_locks .TP @@ -217,6 +252,21 @@ be explicitly requested with either of the synonymous .IR auth_nlm , or .IR secure_locks . +.TP +.IR no_acl +On some specially patched kernels, and when exporting filesystems that +support ACLs, this option tells nfsd not to reveal ACLs to clients, so +they will see only a subset of actual permissions on the given file +system. This option is safe for filesystems used by NFSv2 clients and +old NFSv3 clients that perform access decisions locally. Current +NFSv3 clients use the ACCESS RPC to perform all access decisions on +the server. Note that the +.I no_acl +option only has effect on kernels specially patched to support it, and +when exporting filesystems with ACL support. The default is to export +with ACL support (i.e. by default, +.I no_acl +is off). '''.TP '''.I noaccess @@ -236,6 +286,54 @@ or '''.TP '''.IR link_absolute '''Leave all symbolic link as they are. This is the default operation. + +.TP +.IR mountpoint= path +.TP +.I mp +This option makes it possible to only export a directory if it has +successfully been mounted. +If no path is given (e.g. +.IR mountpoint " or " mp ) +then the export point must also be a mount point. If it isn't then +the export point is not exported. This allows you to be sure that the +directory underneath a mountpoint will never be exported by accident +if, for example, the filesystem failed to mount due to a disc error. + +If a path is given (e.g. +.IR mountpoint= "/path or " mp= /path) +then the nominated path must be a mountpoint for the exportpoint to be +exported. + +.TP +.IR fsid= num|root|uuid +NFS needs to be able to identify each filesystem that it exports. +Normally it will use a UUID for the filesystem (if the filesystem has +such a thing) or the device number of the device holding the +filesystem (if the filesystem is stored on the device). + +As not all filesystems are stored on devices, and not all filesystems +have UUIDs, it is sometimes necessary to explicitly tell NFS how to +identify a filesystem. This is done with the +.I fsid= +option. + +For NFSv4, there is a distinguished filesystem which is the root of +all exported filesystem. This is specified with +.I fsid=root +or +.I fsid=0 +both of which mean exactly the same thing. + +Other filesystems can be identified with a small integer, or a UUID +which should contain 32 hex digits and arbitrary punctuation. + +Linux kernels version 2.6.20 and earlier do not understand the UUID +setting so a small integer must be used if an fsid option needs to be +set for such kernels. Setting both a small number and a UUID is +supported so the same configuration can be made to work on old and new +kernels alike. + .SS User ID Mapping .PP .I nfsd @@ -262,7 +360,7 @@ By default, '''in the password file at startup time. If it isn't found, a uid and gid .I exportfs chooses a uid and gid -of -2 (i.e. 65534) for squashed access. These values can also be overridden by +of 65534 for squashed access. These values can also be overridden by the .IR anonuid " and " anongid options. @@ -316,8 +414,11 @@ Here's the complete list of mapping options: .TP .IR root_squash Map requests from uid/gid 0 to the anonymous uid/gid. Note that this does -not apply to any other uids that might be equally sensitive, such as user -.IR bin . +not apply to any other uids or gids that might be equally sensitive, such as +user +.IR bin +or group +.IR staff . .TP .IR no_root_squash Turn off root squashing. This option is mainly useful for diskless clients. @@ -410,6 +511,7 @@ is supposedly that of user joe). /usr *.local.domain(ro) @trusted(rw) /home/joe pc001(rw,all_squash,anonuid=150,anongid=100) /pub (ro,insecure,all_squash) +/srv/www \-sync,rw server @trusted @external(ro) '''/pub/private (noaccess) .fi .PP @@ -423,6 +525,9 @@ under the nobody account. The .I insecure option in this entry also allows clients with NFS implementations that don't use a reserved port for NFS. +The sixth line exports a directory read-write to the machine 'server' +as well as the `@trusted' netgroup, and read-only to netgroup `@external', +all three mounts with the `sync' option enabled. ''' The last line denies all NFS clients '''access to the private directory. '''.SH CAVEATS @@ -440,6 +545,12 @@ don't use a reserved port for NFS. '''entry. .SH FILES /etc/exports +.SH SEE ALSO +.BR exportfs (8), +.BR netgroup (5), +.BR mountd (8), +.BR nfsd (8), +.BR showmount (8). '''.SH DIAGNOSTICS '''An error parsing the file is reported using syslogd(8) as level NOTICE from '''a DAEMON whenever nfsd(8) or mountd(8) is started up. Any unknown