X-Git-Url: https://git.decadent.org.uk/gitweb/?p=nfs-utils.git;a=blobdiff_plain;f=utils%2Fexportfs%2Fexports.man;h=ab63b03cfd6be56bdd56f8fda5ae5b1b53a55f39;hp=7ab7640da1350b8f8b6733c007135fb13d639abe;hb=5fe51292e188a4a78dea81c2c13f2dbe614a2536;hpb=617f2d4dad0525eb63ddb44b2f33d041f45578cb

diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man
index 7ab7640..ab63b03 100644
--- a/utils/exportfs/exports.man
+++ b/utils/exportfs/exports.man
@@ -1,5 +1,4 @@
-.TH EXPORTS 5 "28 October 1999"
-.UC 5
+.TH EXPORTS 5 "4 March 2005" "Linux" "Linux File Formats Manual"
 .SH NAME
 exports \- NFS file systems being exported (for Kernel based NFS)
 .SH SYNOPSIS
@@ -23,6 +22,11 @@ client may be immediately followed by a parenthesized, comma-separated
 list of export options for that client. No whitespace is permitted
 between a client and its option list.
 .PP
+Also, each line may have one or more specifications for default options
+after the path name, in the form of a dash ("\-") followed by an option
+list. The option list is used for all subsequent exports on that line
+only.
+.PP
 Blank lines are ignored.  A pound sign ("#") introduces a comment to the
 end of the line. Entries may be continued across newlines using a
 backslash. If an export name contains spaces it should be quoted using
@@ -79,12 +83,17 @@ may work by accident when reverse DNS lookups fail.
 '''.B \-\-public\-root
 '''option. Multiple specifications of a public root will be ignored.
 .PP
+.SS RPCSEC_GSS security
+To restrict access to an export using rpcsec_gss security, use the special
+string "gss/krb5" as the client.  It is not possible to simultaneously require
+rpcsec_gss and to make requirements on the IP address of the client.
+.PP
 .SS General Options
 .IR exportfs
 understands the following export options:
 .TP
 .IR secure "\*d
-This option requires that requests originate on an internet port less
+This option requires that requests originate on an Internet port less
 than IPPORT_RESERVED (1024). This option is on by default. To turn it
 off, specify
 .IR insecure .
@@ -105,13 +114,20 @@ Using this option usually improves performance, but at the cost that
 an unclean server restart (i.e. a crash) can cause data to be lost or
 corrupted.
 
-In releases of nfs-utils upto and including 1.0.0, this option was the
-default.  In this and future releases,
+.TP
+.IR sync
+Reply to requests only after the changes have been committed to stable
+storage (see
+.IR async
+above).
+
+In releases of nfs-utils up to and including 1.0.0, this option was the
+default.  In all subsequence releases,
 .I sync
 is the default, and
 .I async
-must be explicit requested if needed.
-To help make system adminstrators aware of this change, 'exportfs'
+must be explicitly requested if needed.
+To help make system administrators aware of this change, 'exportfs'
 will issue a warning if neither
 .I sync
 nor
@@ -164,9 +180,17 @@ copes with the situation effectively.
 The option can be explicitly disabled with
 .IR hide .
 .TP
+.IR crossmnt
+This option is similar to
+.I nohide
+but it makes it possible for clients to move from the filesystem marked
+with crossmnt to exported filesystems mounted on it.  Thus when a child
+filesystem "B" is mounted on a parent "A", setting crossmnt on "A" has
+the same effect as setting "nohide" on B.
+.TP
 .IR no_subtree_check
 This option disables subtree checking, which has mild security
-implications, but can improve reliability is some circumstances.
+implications, but can improve reliability in some circumstances.
 
 If a subdirectory of a filesystem is exported, but the whole
 filesystem isn't then whenever a NFS request arrives, the server must
@@ -185,7 +209,7 @@ subtree checking is also used to make sure that files inside
 directories to which only root has access can only be accessed if the
 filesystem is exported with
 .I no_root_squash
-(see below), even the file itself allows more general access.
+(see below), even if the file itself allows more general access.
 
 As a general guide, a home directory filesystem, which is normally
 exported at the root and may see lots of file renames, should be
@@ -198,6 +222,16 @@ The default of having subtree checks enabled, can be explicitly
 requested with
 .IR subtree_check .
 
+From release 1.1.0 of nfs-utils onwards, the default will be
+.I no_subtree_check
+as subtree_checking tends to cause more problems than it is worth.
+If you genuinely require subtree checking, you should explicitly put
+that option in the
+.B exports
+file.  If you put neither option,
+.I exportfs
+will warn you that the change is pending.
+
 .TP
 .IR insecure_locks
 .TP
@@ -218,6 +252,21 @@ be explicitly requested with either of the synonymous
 .IR auth_nlm ,
 or
 .IR secure_locks .
+.TP
+.IR no_acl
+On some specially patched kernels, and when exporting filesystems that
+support ACLs, this option tells nfsd not to reveal ACLs to clients, so
+they will see only a subset of actual permissions on the given file
+system.  This option is safe for filesystems used by NFSv2 clients and
+old NFSv3 clients that perform access decisions locally.  Current
+NFSv3 clients use the ACCESS RPC to perform all access decisions on
+the server.  Note that the
+.I no_acl
+option only has effect on kernels specially patched to support it, and
+when exporting filesystems with ACL support.  The default is to export
+with ACL support (i.e. by default,
+.I no_acl
+is off).
 
 '''.TP
 '''.I noaccess
@@ -237,6 +286,82 @@ or
 '''.TP
 '''.IR link_absolute
 '''Leave all symbolic link as they are. This is the default operation.
+
+.TP
+.IR mountpoint= path
+.TP
+.I mp
+This option makes it possible to only export a directory if it has
+successfully been mounted.
+If no path is given (e.g.
+.IR mountpoint " or " mp )
+then the export point must also be a mount point.  If it isn't then
+the export point is not exported.  This allows you to be sure that the
+directory underneath a mountpoint will never be exported by accident
+if, for example, the filesystem failed to mount due to a disc error.
+
+If a path is given (e.g.
+.IR mountpoint= "/path or " mp= /path)
+then the nominated path must be a mountpoint for the exportpoint to be
+exported.
+
+.TP
+.IR fsid= num|root|uuid
+NFS needs to be able to identify each filesystem that it exports.
+Normally it will use a UUID for the filesystem (if the filesystem has
+such a thing) or the device number of the device holding the
+filesystem (if the filesystem is stored on the device).
+
+As not all filesystems are stored on devices, and not all filesystems
+have UUIDs, it is sometimes necessary to explicitly tell NFS how to
+identify a filesystem.  This is done with the
+.I fsid=
+option.
+
+For NFSv4, there is a distinguished filesystem which is the root of
+all exported filesystem.  This is specified with
+.I fsid=root
+or
+.I fsid=0
+both of which mean exactly the same thing.
+
+Other filesystems can be identified with a small integer, or a UUID
+which should contain 32 hex digits and arbitrary punctuation.
+
+Linux kernels version 2.6.20 and earlier do not understand the UUID
+setting so a small integer must be used if an fsid option needs to be
+set for such kernels.  Setting both a small number and a UUID is
+supported so the same configuration can be made to work on old and new
+kernels alike.
+
+.TP
+.IR refer= path@host[+host][:path@host[+host]]
+A client referencing the export point will be directed to choose from
+the given list an alternative location for the filesystem.
+(Note that the server must have a mountpoint here, though a different
+filesystem is not required; so, for example,
+.IR "mount --bind" " /path /path"
+is sufficient.)
+.TP
+.IR replicas= path@host[+host][:path@host[+host]]
+If the client asks for alternative locations for the export point, it
+will be given this list of alternatives. (Note that actual replication
+of the filesystem must be handled elsewhere.)
+
+.TP
+.IR refer= path@host[+host][:path@host[+host]]
+A client referencing the export point will be directed to choose from
+the given list an alternative location for the filesystem.
+(Note that the server must have a mountpoint here, though a different
+filesystem is not required; so, for example,
+.IR "mount --bind" " /path /path"
+is sufficient.)
+.TP
+.IR replicas= path@host[+host][:path@host[+host]]
+If the client asks for alternative locations for the export point, it
+will be given this list of alternatives. (Note that actual replication
+of the filesystem must be handled elsewhere.)
+
 .SS User ID Mapping
 .PP
 .I nfsd
@@ -263,7 +388,7 @@ By default,
 '''in the password file at startup time. If it isn't found, a uid and gid
 .I exportfs
 chooses a uid and gid
-of -2 (i.e. 65534) for squashed access. These values can also be overridden by
+of 65534 for squashed access. These values can also be overridden by
 the
 .IR anonuid " and " anongid
 options.
@@ -317,8 +442,11 @@ Here's the complete list of mapping options:
 .TP
 .IR root_squash
 Map requests from uid/gid 0 to the anonymous uid/gid. Note that this does
-not apply to any other uids that might be equally sensitive, such as user
-.IR bin .
+not apply to any other uids or gids that might be equally sensitive, such as
+user
+.IR bin 
+or group
+.IR staff .
 .TP
 .IR no_root_squash
 Turn off root squashing. This option is mainly useful for diskless clients.
@@ -411,6 +539,7 @@ is supposedly that of user joe).
 /usr            *.local.domain(ro) @trusted(rw)
 /home/joe       pc001(rw,all_squash,anonuid=150,anongid=100)
 /pub            (ro,insecure,all_squash)
+/srv/www        \-sync,rw server @trusted @external(ro)
 '''/pub/private    (noaccess)
 .fi
 .PP
@@ -424,6 +553,9 @@ under the nobody account. The
 .I insecure 
 option in this entry also allows clients with NFS implementations that
 don't use a reserved port for NFS.
+The sixth line exports a directory read-write to the machine 'server'
+as well as the `@trusted' netgroup, and read-only to netgroup `@external',
+all three mounts with the `sync' option enabled.
 ''' The last line denies all NFS clients
 '''access to the private directory.
 '''.SH CAVEATS
@@ -441,6 +573,12 @@ don't use a reserved port for NFS.
 '''entry.
 .SH FILES
 /etc/exports
+.SH SEE ALSO
+.BR exportfs (8),
+.BR netgroup (5),
+.BR mountd (8),
+.BR nfsd (8),
+.BR showmount (8).
 '''.SH DIAGNOSTICS
 '''An error parsing the file is reported using syslogd(8) as level NOTICE from
 '''a DAEMON whenever nfsd(8) or mountd(8) is started up.  Any unknown