X-Git-Url: https://git.decadent.org.uk/gitweb/?p=nfs-utils.git;a=blobdiff_plain;f=utils%2Fexportfs%2Fexports.man;h=ea28ca883ba9ef28c5f5a2e4eeaec59e20d802fd;hp=892533b5992c78994c394e4a31badfc05c7e8f36;hb=9ccfe0fa5a43dfc4453b09e328565a6c8f999fe4;hpb=fde446dcc8f2e96c13b71a1226fcc944f53485da

diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man
index 892533b..ea28ca8 100644
--- a/utils/exportfs/exports.man
+++ b/utils/exportfs/exports.man
@@ -34,6 +34,8 @@ double quotes. You can also specify spaces or other unusual character in
 the export name using a backslash followed by the character code as three
 octal digits.
 .PP
+To apply changes to this file, run exportfs \-ra or restart the NFS server.
+.PP
 .SS Machine Name Formats
 NFS clients may be specified in a number of ways:
 .IP "single host
@@ -84,9 +86,24 @@ may work by accident when reverse DNS lookups fail.
 '''option. Multiple specifications of a public root will be ignored.
 .PP
 .SS RPCSEC_GSS security
-To restrict access to an export using rpcsec_gss security, use the special
-string "gss/krb5" as the client.  It is not possible to simultaneously require
-rpcsec_gss and to make requirements on the IP address of the client.
+You may use the special strings "gss/krb5", "gss/krb5i", or "gss/krb5p"
+to restrict access to clients using rpcsec_gss security.  However, this
+syntax is deprecated; on linux kernels since 2.6.23, you should instead
+use the "sec=" export option:
+.TP
+.IR sec=
+The sec= option, followed by a colon-delimited list of security flavors,
+restricts the export to clients using those flavors.  Available security
+flavors include sys (the default--no cryptographic security), krb5
+(authentication only), krb5i (integrity protection), and krb5p (privacy
+protection).  For the purposes of security flavor negotiation, order
+counts: preferred flavors should be listed first.  The order of the sec=
+option with respect to the other options does not matter, unless you
+want some options to be enforced differently depending on flavor.
+In that case you may include multiple sec= options, and following options
+will be enforced only for access using flavors listed in the immediately
+preceding sec= option.  The only options that are permitted to vary in
+this way are ro, rw, no_root_squash, root_squash, and all_squash.
 .PP
 .SS General Options
 .IR exportfs
@@ -122,7 +139,7 @@ storage (see
 above).
 
 In releases of nfs-utils up to and including 1.0.0, this option was the
-default.  In all subsequence releases,
+default.  In all releases after 1.0.0,
 .I sync
 is the default, and
 .I async
@@ -306,26 +323,61 @@ then the nominated path must be a mountpoint for the exportpoint to be
 exported.
 
 .TP
-.IR fsid= num
-This option forces the filesystem identification portion of the file
-handle and file attributes used on the wire to be
-.I num
-instead of a number derived from the major and minor number of the
-block device on which the filesystem is mounted.  Any 32 bit number
-can be used, but it must be unique amongst all the exported filesystems.
+.IR fsid= num|root|uuid
+NFS needs to be able to identify each filesystem that it exports.
+Normally it will use a UUID for the filesystem (if the filesystem has
+such a thing) or the device number of the device holding the
+filesystem (if the filesystem is stored on the device).
+
+As not all filesystems are stored on devices, and not all filesystems
+have UUIDs, it is sometimes necessary to explicitly tell NFS how to
+identify a filesystem.  This is done with the
+.I fsid=
+option.
+
+For NFSv4, there is a distinguished filesystem which is the root of
+all exported filesystem.  This is specified with
+.I fsid=root
+or
+.I fsid=0
+both of which mean exactly the same thing.
 
-This can be useful for NFS failover, to ensure that both servers of
-the failover pair use the same NFS file handles for the shared filesystem
-thus avoiding stale file handles after failover.
+Other filesystems can be identified with a small integer, or a UUID
+which should contain 32 hex digits and arbitrary punctuation.
 
-Some Linux filesystems are not mounted on a block device; exporting
-these via NFS requires the use of the
-.I fsid
-option (although that may still not be enough).
+Linux kernels version 2.6.20 and earlier do not understand the UUID
+setting so a small integer must be used if an fsid option needs to be
+set for such kernels.  Setting both a small number and a UUID is
+supported so the same configuration can be made to work on old and new
+kernels alike.
 
-The value  0 has a special meaning when use with NFSv4.  NFSv4 has a
-concept of a root of the overall exported filesystem. The export point
-exported with fsid=0 will be used as this root.
+.TP
+.IR refer= path@host[+host][:path@host[+host]]
+A client referencing the export point will be directed to choose from
+the given list an alternative location for the filesystem.
+(Note that the server must have a mountpoint here, though a different
+filesystem is not required; so, for example,
+.IR "mount --bind" " /path /path"
+is sufficient.)
+.TP
+.IR replicas= path@host[+host][:path@host[+host]]
+If the client asks for alternative locations for the export point, it
+will be given this list of alternatives. (Note that actual replication
+of the filesystem must be handled elsewhere.)
+
+.TP
+.IR refer= path@host[+host][:path@host[+host]]
+A client referencing the export point will be directed to choose from
+the given list an alternative location for the filesystem.
+(Note that the server must have a mountpoint here, though a different
+filesystem is not required; so, for example,
+.IR "mount --bind" " /path /path"
+is sufficient.)
+.TP
+.IR replicas= path@host[+host][:path@host[+host]]
+If the client asks for alternative locations for the export point, it
+will be given this list of alternatives. (Note that actual replication
+of the filesystem must be handled elsewhere.)
 
 .SS User ID Mapping
 .PP
@@ -365,43 +417,6 @@ options.
 Finally, you can map all user requests to the
 anonymous uid by specifying the
 .IR all_squash " option.
-'''.PP 
-'''For the benefit of installations where uids differ between different
-'''machines, 
-'''.I nfsd
-'''provides several mechanism to dynamically map server uids to client
-'''uids and vice versa: static mapping files, NIS-based mapping, and
-'''.IR ugidd -based
-'''mapping.
-'''.PP
-'''.IR ugidd -based
-'''mapping is enabled with the 
-'''.I map_daemon
-'''option, and uses the UGID RPC protocol. For this to work, you have to run
-'''the
-'''.IR ugidd (8)
-'''mapping daemon on the client host. It is the least secure of the three methods,
-'''because by running
-'''.IR ugidd ,
-'''everybody can query the client host for a list of valid user names. You
-'''can protect yourself by restricting access to
-'''.I ugidd
-'''to valid hosts only. This can be done by entering the list of valid
-'''hosts into the
-'''.I hosts.allow
-'''or 
-'''.I hosts.deny
-'''file. The service name is
-'''.IR ugidd .
-'''For a description of the file's syntax, please read
-'''.IR hosts_access (5).
-'''.PP
-'''Static mapping is enabled by using the
-'''.I map_static
-'''option, which takes a file name as an argument that describes the mapping.
-'''NIS-based mapping queries the client's NIS server to obtain a mapping from
-'''user and group names on the server host to user and group names on the
-'''client.
 .PP
 Here's the complete list of mapping options:
 .TP
@@ -415,14 +430,6 @@ or group
 .TP
 .IR no_root_squash
 Turn off root squashing. This option is mainly useful for diskless clients.
-'''.TP
-'''.IR squash_uids " and " squash_gids
-'''This option specifies a list of uids or gids that should be subject to
-'''anonymous mapping. A valid list of ids looks like this:
-'''.IP
-'''.IR squash_uids=0-15,20,25-50
-'''.IP
-'''Usually, your squash lists will look a lot simpler.
 .TP
 .IR all_squash
 Map all uids and gids to the anonymous user. Useful for NFS-exported
@@ -430,60 +437,6 @@ public FTP directories, news spool directories, etc. The opposite option
 is 
 .IR no_all_squash ,
 which is the default setting.
-'''.TP
-'''.IR map_daemon
-'''This option turns on dynamic uid/gid mapping. Each uid in an NFS request
-'''will be translated to the equivalent server uid, and each uid in an
-'''NFS reply will be mapped the other way round. This option requires that
-'''.IR rpc.ugidd (8)
-'''runs on the client host. The default setting is
-'''.IR map_identity ,
-'''which leaves all uids untouched. The normal squash options apply regardless
-'''of whether dynamic mapping is requested or not.
-'''.TP
-'''.IR map_static
-'''This option enables static mapping. It specifies the name of the file
-'''that describes the uid/gid mapping, e.g.
-'''.IP
-'''.IR map_static=/etc/nfs/foobar.map
-'''.IP
-'''The file's format looks like this
-'''.IP
-'''.nf
-'''.ta +3i
-'''# Mapping for client foobar:
-'''#    remote     local
-'''uid  0-99       -       # squash these
-'''uid  100-500    1000    # map 100-500 to 1000-1400
-'''gid  0-49       -       # squash these
-'''gid  50-100     700     # map 50-100 to 700-750
-'''.fi
-'''.TP
-'''.IR map_nis
-'''This option enables NIS-based uid/gid mapping. For instance, when
-'''the server encounters the uid 123 on the server, it will obtain the
-'''login name associated with it, and contact the NFS client's NIS server
-'''to obtain the uid the client associates with the name.
-'''.IP
-'''In order to do this, the NFS server must know the client's NIS domain.
-'''This is specified as an argument to the
-'''.I map_nis
-'''options, e.g.
-'''.IP
-'''.I map_nis=foo.com
-'''.IP
-'''Note that it may not be sufficient to simply specify the NIS domain
-'''here; you may have to take additional actions before
-'''.I nfsd
-'''is actually able to contact the server. If your distribution uses
-'''the NYS library, you can specify one or more NIS servers for the
-'''client's domain in
-'''.IR /etc/yp.conf .
-'''If you are using a different NIS library, you may have to obtain a
-'''special
-'''.IR ypbind (8)
-'''daemon that can be configured via
-'''.IR yp.conf .
 .TP
 .IR anonuid " and " anongid
 These options explicitly set the uid and gid of the anonymous account.
@@ -503,7 +456,7 @@ is supposedly that of user joe).
 /projects       proj*.local.domain(rw)
 /usr            *.local.domain(ro) @trusted(rw)
 /home/joe       pc001(rw,all_squash,anonuid=150,anongid=100)
-/pub            (ro,insecure,all_squash)
+/pub            *(ro,insecure,all_squash)
 /srv/www        \-sync,rw server @trusted @external(ro)
 '''/pub/private    (noaccess)
 .fi