X-Git-Url: https://git.decadent.org.uk/gitweb/?p=nfs-utils.git;a=blobdiff_plain;f=utils%2Fexportfs%2Fexports.man;h=54adfeb555f837f5ba1fd81cf0e2244579674724;hp=bfc4d42d314c404cc7a4337db8acc0a7658959f2;hb=014e00dfaea0efc92150e2aedc5ca43aa337545e;hpb=6f228ea26be06572de245aed5496aaa122cca5a8 diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man index bfc4d42..54adfeb 100644 --- a/utils/exportfs/exports.man +++ b/utils/exportfs/exports.man @@ -45,22 +45,11 @@ or restart the NFS server. .SS Machine Name Formats NFS clients may be specified in a number of ways: .IP "single host -This is the most common format. You may specify a host either by an +You may specify a host either by an abbreviated name recognized be the resolver, the fully qualified domain -name, or an IP address. -.IP "netgroups -NIS netgroups may be given as -.IR @group . -Only the host part of each -netgroup members is consider in checking for membership. Empty host -parts or those containing a single dash (\-) are ignored. -.IP "wildcards -Machine names may contain the wildcard characters \fI*\fR and \fI?\fR. -This can be used to make the \fIexports\fR file more compact; for instance, -\fI*.cs.foo.edu\fR matches all hosts in the domain -\fIcs.foo.edu\fR. As these characters also match the dots in a domain -name, the given pattern will also match all hosts within any subdomain -of \fIcs.foo.edu\fR. +name, an IPv4 address, or an IPv6 address. IPv6 addresses must not be +inside square brackets in /etc/exports lest they be confused with +character-class wildcard matches. .IP "IP networks You can also export directories to all hosts on an IP (sub-) network simultaneously. This is done by specifying an IP address and netmask pair 
@@ -69,29 +58,54 @@ as where the netmask can be specified in dotted-decimal format, or as a contiguous mask length. For example, either `/255.255.252.0' or `/22' appended -to the network base IPv4 address results in identical subnetworks with 10 bits of -host. Wildcard characters generally do not work on IP addresses, though they +to the network base IPv4 address results in identical subnetworks with 10 bits +of host. IPv6 addresses must use a contiguous mask length and must not be inside square brackets to avoid confusion with character-class wildcards. Wildcard characters generally do not work on IP addresses, though they may work by accident when reverse DNS lookups fail. -'''.TP -'''.B =public -'''This is a special ``hostname'' that identifies the given directory name -'''as the public root directory (see the section on WebNFS in -'''.BR nfsd (8) -'''for a discussion of WebNFS and the public root handle). When using this -'''convention, -'''.B =public -'''must be the only entry on this line, and must have no export options -'''associated with it. Note that this does -'''.I not -'''actually export the named directory; you still have to set the exports -'''options in a separate entry. -'''.PP -'''The public root path can also be specified by invoking -'''.I nfsd -'''with the -'''.B \-\-public\-root -'''option. Multiple specifications of a public root will be ignored. +.IP "wildcards +Machine names may contain the wildcard characters \fI*\fR and \fI?\fR, or may contain character class lists within [square brackets]. +This can be used to make the \fIexports\fR file more compact; for instance, +\fI*.cs.foo.edu\fR matches all hosts in the domain +\fIcs.foo.edu\fR. As these characters also match the dots in a domain +name, the given pattern will also match all hosts within any subdomain +of \fIcs.foo.edu\fR. +.IP "netgroups +NIS netgroups may be given as +.IR @group . +Only the host part of each +netgroup members is consider in checking for membership. 
Empty host +parts or those containing a single dash (\-) are ignored. +.IP "anonymous +This is specified by a single +.I * +character (not to be confused with the +.I wildcard +entry above) and will match all clients. +.\".TP +.\".B =public +.\"This is a special ``hostname'' that identifies the given directory name +.\"as the public root directory (see the section on WebNFS in +.\".BR nfsd (8) +.\"for a discussion of WebNFS and the public root handle). When using this +.\"convention, +.\".B =public +.\"must be the only entry on this line, and must have no export options +.\"associated with it. Note that this does +.\".I not +.\"actually export the named directory; you still have to set the exports +.\"options in a separate entry. +.\".PP +.\"The public root path can also be specified by invoking +.\".I nfsd +.\"with the +.\".B \-\-public\-root +.\"option. Multiple specifications of a public root will be ignored. .PP +If a client matches more than one of the specifications above, then +the first match from the above list order takes precedence - regardless of +the order they appear on the export line. However, if a client matches +more than one of the same type of specification (e.g. two netgroups), +then the first match from the order they appear on the export line takes +precedence. .SS RPCSEC_GSS security You may use the special strings "gss/krb5", "gss/krb5i", or "gss/krb5p" to restrict access to clients using rpcsec_gss security. However, this @@ -116,7 +130,7 @@ this way are ro, rw, no_root_squash, root_squash, and all_squash. .BR exportfs understands the following export options: .TP -.IR secure "\*d +.IR secure This option requires that requests originate on an Internet port less than IPPORT_RESERVED (1024). This option is on by default. To turn it off, specify 
@@ -145,7 +159,9 @@ storage (see .IR async above). -In releases of nfs-utils up to and including 1.0.0, this option was the +In releases of nfs-utils up to and including 1.0.0, the +.I async +option was the default. In all releases after 1.0.0, .I sync is the default, and 
@@ -295,24 +311,24 @@ with ACL support (i.e. by default, .I no_acl is off). -'''.TP -'''.I noaccess -'''This makes everything below the directory inaccessible for the named -'''client. This is useful when you want to export a directory hierarchy to -'''a client, but exclude certain subdirectories. The client's view of a -'''directory flagged with noaccess is very limited; it is allowed to read -'''its attributes, and lookup `.' and `..'. These are also the only entries -'''returned by a readdir. -'''.TP -'''.IR link_relative -'''Convert absolute symbolic links (where the link contents start with a -'''slash) into relative links by prepending the necessary number of ../'s -'''to get from the directory containing the link to the root on the -'''server. This has subtle, perhaps questionable, semantics when the file -'''hierarchy is not mounted at its root. -'''.TP -'''.IR link_absolute -'''Leave all symbolic link as they are. This is the default operation. +.\".TP +.\".I noaccess +.\"This makes everything below the directory inaccessible for the named +.\"client. This is useful when you want to export a directory hierarchy to +.\"a client, but exclude certain subdirectories. The client's view of a +.\"directory flagged with noaccess is very limited; it is allowed to read +.\"its attributes, and lookup `.' and `..'. These are also the only entries +.\"returned by a readdir. +.\".TP +.\".IR link_relative +.\"Convert absolute symbolic links (where the link contents start with a +.\"slash) into relative links by prepending the necessary number of ../'s +.\"to get from the directory containing the link to the root on the +.\"server. This has subtle, perhaps questionable, semantics when the file +.\"hierarchy is not mounted at its root. +.\".TP +.\".IR link_absolute +.\"Leave all symbolic link as they are. This is the default operation. .TP .IR mountpoint= path 
@@ -395,21 +411,21 @@ and can be turned off with .IR no_root_squash . .PP By default, -'''.B nfsd -'''tries to obtain the anonymous uid and gid by looking up user -'''.I nobody -'''in the password file at startup time. If it isn't found, a uid and gid +.\".B nfsd +.\"tries to obtain the anonymous uid and gid by looking up user +.\".I nobody +.\"in the password file at startup time. If it isn't found, a uid and gid .B exportfs chooses a uid and gid of 65534 for squashed access. These values can also be overridden by the .IR anonuid " and " anongid options. -'''.PP -'''In addition to this, -'''.B nfsd -'''lets you specify arbitrary uids and gids that should be mapped to user -'''nobody as well. +.\".PP +.\"In addition to this, +.\".B nfsd +.\"lets you specify arbitrary uids and gids that should be mapped to user +.\"nobody as well. Finally, you can map all user requests to the anonymous uid by specifying the .IR all_squash " option. @@ -442,6 +458,24 @@ export entry for .B /home/joe in the example section below, which maps all requests to uid 150 (which is supposedly that of user joe). +.SS Extra Export Tables +After reading +.I /etc/exports +.B exportfs +reads files under +.I /etc/exports.d. +directory as extra export tables. +.B exportfs +regards only a file which name is ended with +.I .exports +and +not started with +.I . +as an extra export file. A file which name +is not met this condition is just ignored. +The format for extra export tables is the same as +.I /etc/exports +. .IP .SH EXAMPLE .PP @@ -454,7 +488,9 @@ is supposedly that of user joe). /home/joe pc001(rw,all_squash,anonuid=150,anongid=100) /pub *(ro,insecure,all_squash) /srv/www \-sync,rw server @trusted @external(ro) -'''/pub/private (noaccess) +/foo 2001:db8:9:e54::/64(rw) 192.0.2.0/24(rw) +/build buildhost[0-9].local.domain(rw) +.\"/pub/private (noaccess) .fi .PP The first line exports the entire filesystem to machines master and trusty. 
@@ -469,41 +505,44 @@ option in this entry also allows clients with NFS implementations that don't use a reserved port for NFS. The sixth line exports a directory read-write to the machine 'server' as well as the `@trusted' netgroup, and read-only to netgroup `@external', -all three mounts with the `sync' option enabled. -''' The last line denies all NFS clients -'''access to the private directory. -'''.SH CAVEATS -'''Unlike other NFS server implementations, this -'''.B nfsd -'''allows you to export both a directory and a subdirectory thereof to -'''the same host, for instance -'''.IR /usr " and " /usr/X11R6 . -'''In this case, the mount options of the most specific entry apply. For -'''instance, when a user on the client host accesses a file in -'''.IR /usr/X11R6 , -'''the mount options given in the -'''.I /usr/X11R6 -'''entry apply. This is also true when the latter is a wildcard or netgroup -'''entry. +all three mounts with the `sync' option enabled. The seventh line exports +a directory to both an IPv6 and an IPv4 subnet. The eighth line demonstrates +a character class wildcard match. +.\" The last line denies all NFS clients +.\"access to the private directory. +.\".SH CAVEATS +.\"Unlike other NFS server implementations, this +.\".B nfsd +.\"allows you to export both a directory and a subdirectory thereof to +.\"the same host, for instance +.\".IR /usr " and " /usr/X11R6 . +.\"In this case, the mount options of the most specific entry apply. For +.\"instance, when a user on the client host accesses a file in +.\".IR /usr/X11R6 , +.\"the mount options given in the +.\".I /usr/X11R6 +.\"entry apply. This is also true when the latter is a wildcard or netgroup +.\"entry. .SH FILES /etc/exports +/etc/exports.d .SH SEE ALSO .BR exportfs (8), .BR netgroup (5), .BR mountd (8), .BR nfsd (8), .BR showmount (8). 
-'''.SH DIAGNOSTICS -'''An error parsing the file is reported using syslogd(8) as level NOTICE from -'''a DAEMON whenever -'''.BR nfsd (8) -'''or -'''.BR mountd (8) -'''is started up. Any unknown -'''host is reported at that time, but often not all hosts are not yet known -'''to -'''.BR named (8) -'''at boot time, thus as hosts are found they are reported -'''with the same -'''.BR syslogd (8) -'''parameters. +.\".SH DIAGNOSTICS +.\"An error parsing the file is reported using syslogd(8) as level NOTICE from +.\"a DAEMON whenever +.\".BR nfsd (8) +.\"or +.\".BR mountd (8) +.\"is started up. Any unknown +.\"host is reported at that time, but often not all hosts are not yet known +.\"to +.\".BR named (8) +.\"at boot time, thus as hosts are found they are reported +.\"with the same +.\".BR syslogd (8) +.\"parameters.
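
Review bot: in the "single host" entry of the hunk at @@ -45,22 +45,11 @@, the new sentence says bracketed IPv6 addresses would "be confused with character-class wildcard matches" but does not say what exportfs then does with such an entry. State the outcome (rejected when the file is parsed, or silently treated as a hostname pattern) so an administrator who pastes a bracketed literal knows how the mistake shows up. While this paragraph is being touched, the context line "abbreviated name recognized be the resolver" should read "recognized by the resolver".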
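
Review bot: the precedence paragraph added at the end of the hunk at @@ -69,29 +58,54 @@ refers to "the above list order" without naming it, so the reader has to reconstruct the order from the .IP entries to know which option set a client receives. Spell the order out in the sentence itself (single host, IP networks, wildcards, netgroups, anonymous), since it decides the outcome when a client is covered by, say, both a wildcard and a netgroup with different options. The same hunk adds one very long source line beginning "of host. IPv6 addresses must use a contiguous mask length"; wrap it like the surrounding text. The moved netgroups text still reads "netgroup members is consider", which could be corrected to "member is considered" in the same pass.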
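
Review bot: the hunk at @@ -295,24 +311,24 @@ only changes the comment prefix from ''' to .\" on the noaccess, link_relative and link_absolute entries, so the source keeps documentation for options that is never rendered. If these options are not supported, delete the text and rely on the repository history; if they are supported, uncomment them. The same applies to the commented-out =public, CAVEATS and DIAGNOSTICS blocks converted elsewhere in this patch.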
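
Review bot: the new "Extra Export Tables" section (hunk at @@ -442,6 +458,24 @@) does not say in what order the files under /etc/exports.d are read, or what happens when one of them repeats a path already exported in /etc/exports; since every matching file in that directory can widen what the server exports, both should be documented. On the markup: the section ends with a line containing only ".", which roff treats as an empty request and drops, so write ".IR /etc/exports ." instead; ".I /etc/exports.d." puts the stray full stop inside the italic path in mid-sentence. The wording "a file which name is ended with" and "A file which name is not met this condition" should become "a file whose name ends with" and "A file whose name does not meet this condition".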
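
Review bot: in the example block (hunk at @@ -454,7 +488,9 @@) the added line "/build buildhost[0-9].local.domain(rw)" uses an unescaped "-", while the neighbouring "/srv/www \-sync,rw" line escapes it. Write the range as "[0\-9]" so that formatters which render a bare "-" as a typographic hyphen still produce text that can be copied into /etc/exports unchanged.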
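
Review bot: under .SH FILES in the hunk at @@ -469,41 +505,44 @@, "/etc/exports.d" is added on the line after "/etc/exports" with no break request between them, so in fill mode the two paths are joined on one output line. Put a .br between them, or list each path with .TP and a one-line description that says the second is a directory of extra export tables.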