X-Git-Url: https://git.decadent.org.uk/gitweb/?p=nfs-utils.git;a=blobdiff_plain;f=utils%2Fexportfs%2Fexports.man;h=bc1de731ddf3c5e9325a140a90315bc90ec0e742;hp=8e6f880ec02f034439faa168f5467d48cdddcbad;hb=HEAD;hpb=7d71ff8e3825a7f8c2d5c9b5b9344e95e7aa1392 diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man index 8e6f880..bc1de73 100644 --- a/utils/exportfs/exports.man +++ b/utils/exportfs/exports.man @@ -45,9 +45,11 @@ or restart the NFS server. .SS Machine Name Formats NFS clients may be specified in a number of ways: .IP "single host -This is the most common format. You may specify a host either by an +You may specify a host either by an abbreviated name recognized be the resolver, the fully qualified domain -name, an IPv4 address, or an IPv6 address. +name, an IPv4 address, or an IPv6 address. IPv6 addresses must not be +inside square brackets in /etc/exports lest they be confused with +character-class wildcard matches. .IP "IP networks You can also export directories to all hosts on an IP (sub-) network simultaneously. This is done by specifying an IP address and netmask pair 
@@ -57,11 +59,10 @@ where the netmask can be specified in dotted-decimal format, or as a contiguous mask length. For example, either `/255.255.252.0' or `/22' appended to the network base IPv4 address results in identical subnetworks with 10 bits -of host. IPv6 addresses must use a contiguous mask length. Wildcard characters -generally do not work on IP addresses, though they +of host. IPv6 addresses must use a contiguous mask length and must not be inside square brackets to avoid confusion with character-class wildcards. Wildcard characters generally do not work on IP addresses, though they may work by accident when reverse DNS lookups fail. .IP "wildcards -Machine names may contain the wildcard characters \fI*\fR and \fI?\fR. +Machine names may contain the wildcard characters \fI*\fR and \fI?\fR, or may contain character class lists within [square brackets]. This can be used to make the \fIexports\fR file more compact; for instance, \fI*.cs.foo.edu\fR matches all hosts in the domain \fIcs.foo.edu\fR. As these characters also match the dots in a domain 
@@ -79,25 +80,25 @@ This is specified by a single character (not to be confused with the .I wildcard entry above) and will match all clients. -'''.TP -'''.B =public -'''This is a special ``hostname'' that identifies the given directory name -'''as the public root directory (see the section on WebNFS in -'''.BR nfsd (8) -'''for a discussion of WebNFS and the public root handle). When using this -'''convention, -'''.B =public -'''must be the only entry on this line, and must have no export options -'''associated with it. Note that this does -'''.I not -'''actually export the named directory; you still have to set the exports -'''options in a separate entry. -'''.PP -'''The public root path can also be specified by invoking -'''.I nfsd -'''with the -'''.B \-\-public\-root -'''option. Multiple specifications of a public root will be ignored. +.\".TP +.\".B =public +.\"This is a special ``hostname'' that identifies the given directory name +.\"as the public root directory (see the section on WebNFS in +.\".BR nfsd (8) +.\"for a discussion of WebNFS and the public root handle). When using this +.\"convention, +.\".B =public +.\"must be the only entry on this line, and must have no export options +.\"associated with it. Note that this does +.\".I not +.\"actually export the named directory; you still have to set the exports +.\"options in a separate entry. +.\".PP +.\"The public root path can also be specified by invoking +.\".I nfsd +.\"with the +.\".B \-\-public\-root +.\"option. Multiple specifications of a public root will be ignored. .PP If a client matches more than one of the specifications above, then the first match from the above list order takes precedence - regardless of 
@@ -129,7 +130,7 @@ this way are ro, rw, no_root_squash, root_squash, and all_squash. .BR exportfs understands the following export options: .TP -.IR secure "\*d +.IR secure This option requires that requests originate on an Internet port less than IPPORT_RESERVED (1024). This option is on by default. To turn it off, specify 
@@ -292,42 +293,24 @@ be explicitly requested with either of the synonymous .IR auth_nlm , or .IR secure_locks . -.TP -.IR no_acl -On some specially patched kernels, and when exporting filesystems that -support ACLs, this option tells -.B nfsd -not to reveal ACLs to clients, so -they will see only a subset of actual permissions on the given file -system. This option is safe for filesystems used by NFSv2 clients and -old NFSv3 clients that perform access decisions locally. Current -NFSv3 clients use the ACCESS RPC to perform all access decisions on -the server. Note that the -.I no_acl -option only has effect on kernels specially patched to support it, and -when exporting filesystems with ACL support. The default is to export -with ACL support (i.e. by default, -.I no_acl -is off). - -'''.TP -'''.I noaccess -'''This makes everything below the directory inaccessible for the named -'''client. This is useful when you want to export a directory hierarchy to -'''a client, but exclude certain subdirectories. The client's view of a -'''directory flagged with noaccess is very limited; it is allowed to read -'''its attributes, and lookup `.' and `..'. These are also the only entries -'''returned by a readdir. -'''.TP -'''.IR link_relative -'''Convert absolute symbolic links (where the link contents start with a -'''slash) into relative links by prepending the necessary number of ../'s -'''to get from the directory containing the link to the root on the -'''server. This has subtle, perhaps questionable, semantics when the file -'''hierarchy is not mounted at its root. -'''.TP -'''.IR link_absolute -'''Leave all symbolic link as they are. This is the default operation. +.\".TP +.\".I noaccess +.\"This makes everything below the directory inaccessible for the named +.\"client. This is useful when you want to export a directory hierarchy to +.\"a client, but exclude certain subdirectories. 
The client's view of a +.\"directory flagged with noaccess is very limited; it is allowed to read +.\"its attributes, and lookup `.' and `..'. These are also the only entries +.\"returned by a readdir. +.\".TP +.\".IR link_relative +.\"Convert absolute symbolic links (where the link contents start with a +.\"slash) into relative links by prepending the necessary number of ../'s +.\"to get from the directory containing the link to the root on the +.\"server. This has subtle, perhaps questionable, semantics when the file +.\"hierarchy is not mounted at its root. +.\".TP +.\".IR link_absolute +.\"Leave all symbolic link as they are. This is the default operation. .TP .IR mountpoint= path @@ -410,21 +393,21 @@ and can be turned off with .IR no_root_squash . .PP By default, -'''.B nfsd -'''tries to obtain the anonymous uid and gid by looking up user -'''.I nobody -'''in the password file at startup time. If it isn't found, a uid and gid +.\".B nfsd +.\"tries to obtain the anonymous uid and gid by looking up user +.\".I nobody +.\"in the password file at startup time. If it isn't found, a uid and gid .B exportfs chooses a uid and gid of 65534 for squashed access. These values can also be overridden by the .IR anonuid " and " anongid options. -'''.PP -'''In addition to this, -'''.B nfsd -'''lets you specify arbitrary uids and gids that should be mapped to user -'''nobody as well. +.\".PP +.\"In addition to this, +.\".B nfsd +.\"lets you specify arbitrary uids and gids that should be mapped to user +.\"nobody as well. Finally, you can map all user requests to the anonymous uid by specifying the .IR all_squash " option. 
@@ -488,7 +471,8 @@ The format for extra export tables is the same as /pub *(ro,insecure,all_squash) /srv/www \-sync,rw server @trusted @external(ro) /foo 2001:db8:9:e54::/64(rw) 192.0.2.0/24(rw) -'''/pub/private (noaccess) +/build buildhost[0-9].local.domain(rw) +.\"/pub/private (noaccess) .fi .PP The first line exports the entire filesystem to machines master and trusty. 
@@ -504,22 +488,23 @@ don't use a reserved port for NFS. The sixth line exports a directory read-write to the machine 'server' as well as the `@trusted' netgroup, and read-only to netgroup `@external', all three mounts with the `sync' option enabled. The seventh line exports -a directory to both an IPv6 and an IPv4 subnet. -''' The last line denies all NFS clients -'''access to the private directory. -'''.SH CAVEATS -'''Unlike other NFS server implementations, this -'''.B nfsd -'''allows you to export both a directory and a subdirectory thereof to -'''the same host, for instance -'''.IR /usr " and " /usr/X11R6 . -'''In this case, the mount options of the most specific entry apply. For -'''instance, when a user on the client host accesses a file in -'''.IR /usr/X11R6 , -'''the mount options given in the -'''.I /usr/X11R6 -'''entry apply. This is also true when the latter is a wildcard or netgroup -'''entry. +a directory to both an IPv6 and an IPv4 subnet. The eighth line demonstrates +a character class wildcard match. +.\" The last line denies all NFS clients +.\"access to the private directory. +.\".SH CAVEATS +.\"Unlike other NFS server implementations, this +.\".B nfsd +.\"allows you to export both a directory and a subdirectory thereof to +.\"the same host, for instance +.\".IR /usr " and " /usr/X11R6 . +.\"In this case, the mount options of the most specific entry apply. For +.\"instance, when a user on the client host accesses a file in +.\".IR /usr/X11R6 , +.\"the mount options given in the +.\".I /usr/X11R6 +.\"entry apply. This is also true when the latter is a wildcard or netgroup +.\"entry. .SH FILES /etc/exports /etc/exports.d 
@@ -529,17 +514,17 @@ a directory to both an IPv6 and an IPv4 subnet. .BR mountd (8), .BR nfsd (8), .BR showmount (8). -'''.SH DIAGNOSTICS -'''An error parsing the file is reported using syslogd(8) as level NOTICE from -'''a DAEMON whenever -'''.BR nfsd (8) -'''or -'''.BR mountd (8) -'''is started up. Any unknown -'''host is reported at that time, but often not all hosts are not yet known -'''to -'''.BR named (8) -'''at boot time, thus as hosts are found they are reported -'''with the same -'''.BR syslogd (8) -'''parameters. +.\".SH DIAGNOSTICS +.\"An error parsing the file is reported using syslogd(8) as level NOTICE from +.\"a DAEMON whenever +.\".BR nfsd (8) +.\"or +.\".BR mountd (8) +.\"is started up. Any unknown +.\"host is reported at that time, but often not all hosts are not yet known +.\"to +.\".BR named (8) +.\"at boot time, thus as hosts are found they are reported +.\"with the same +.\".BR syslogd (8) +.\"parameters.
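Review bot: the new "must not be inside square brackets" sentence under "single host" in the @@ -45,9 +45,11 @@ hunk says what not to write but never shows the accepted form. Point at the bare-address style already used in EXAMPLES ("2001:db8:9:e54::/64") so readers coming from URL-style "[addr]" notation know what to type. The unchanged context line above it still reads "recognized be the resolver"; since this paragraph is being rewritten anyway, correct it to "recognized by the resolver".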
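Review bot: in the @@ -57,11 +59,10 @@ hunk, once the wildcards paragraph gains "or may contain character class lists within [square brackets]", the unchanged sentence that follows ("As these characters also match the dots in a domain") no longer has a clear referent. State explicitly whether a bracketed class can match a dot or whether that warning applies only to * and ?, because the answer decides how broadly a pattern matches. The replacement line starting "of host. IPv6 addresses must use a contiguous mask length and must not be inside square brackets" is also a single unwrapped source line, unlike the rest of the file, and repeats the bracket rule already added under "single host"; rewrap it and consider stating the rule once.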
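Review bot: the conversion of ''' prefixes to .\" comments that begins in the @@ -79,25 +80,25 @@ hunk (the "=public" block) and repeats in the later hunks is a mechanical change unrelated to the square-bracket documentation. Moving it into its own commit would leave the content changes (bracket rules, the new example, the removed option text) small enough to review on their own. If these blocks describe behaviour that is no longer supported, deleting them rather than re-commenting them would also be worth considering.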
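Review bot: the @@ -292,42 +293,24 @@ hunk deletes the whole "no_acl" entry outright, while the neighbouring "noaccess", "link_relative" and "link_absolute" entries are only re-commented, and nothing visible in the patch explains the difference. Because the removed text describes an option that changes what permissions clients see, the commit message should say whether "no_acl" is still accepted by exportfs; if it is still parsed, keep a short entry marking it as obsolete or ignored rather than dropping the documentation silently.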
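Review bot: the added example "/build buildhost[0-9].local.domain(rw)" in the @@ -488,7 +471,8 @@ hunk grants read-write access on the strength of a machine-name pattern, and the page's own wildcard section describes these patterns as applying to machine names rather than addresses. Readers copy EXAMPLES lines verbatim, so either add a sentence noting that the match depends on how the client's name resolves, or show the pattern with "ro" and leave "rw" to the address-based lines above it.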
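Review bot: the added sentence "The eighth line demonstrates a character class wildcard match." in the @@ -504,22 +488,23 @@ hunk is the only line description that does not say what is exported or to whom. Match the style of the preceding descriptions, for example by stating that it exports /build read-write to the hosts buildhost0 through buildhost9 in local.domain, so the reader can see exactly which names the class "[0-9]" covers.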