X-Git-Url: https://git.decadent.org.uk/gitweb/?p=nfs-utils.git;a=blobdiff_plain;f=utils%2Fmount%2Fnfs.man;h=a8ec46cb7509ba85c6d3359f3bc3eb27f7fc47d4;hp=55d4b553b480bd4c4859c4815c99d4d3cbb3a1b9;hb=fb06ed9fc1fa11a95544fb2d89adb6c51ef5d946;hpb=706bfd7c94d48659a1411fdef2a3a61d4719f1aa diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man index 55d4b55..a8ec46c 100644 --- a/utils/mount/nfs.man +++ b/utils/mount/nfs.man @@ -1,5 +1,5 @@ .\"@(#)nfs.5" -.TH NFS 5 "2 November 2007" +.TH NFS 5 "9 October 2012" .SH NAME nfs \- fstab format and options for the .B nfs @@ -46,11 +46,10 @@ files on this mount point. The fifth and sixth fields on each line are not used by NFS, thus conventionally each contain the digit zero. For example: .P -.SP -.NF -.TA 2.5i +0.75i +0.75i +1.0i +.nf +.ta 8n +14n +14n +9n +20n server:path /mountpoint fstype option,option,... 0 0 -.FI +.fi .P The server's hostname and export pathname are separated by a colon, while @@ -69,10 +68,9 @@ for details on specifying raw IPv6 addresses. .P The .I fstype -field contains "nfs", for whatever version of the protocol. -The -.B nfs -allow several mount options, which are described below. +field contains "nfs". Use of the "nfs4" fstype in +.I /etc/fstab +is deprecated. .SH "MOUNT OPTIONS" Refer to .BR mount (8) @@ -114,12 +112,16 @@ option may mitigate some of the risks of using the option. .TP 1.5i .BI timeo= n -The time (in tenths of a second) the NFS client waits for a -response before it retries an NFS request. If this -option is not specified, requests are retried every -60 seconds for NFS over TCP. -The NFS client does not perform any kind of timeout backoff -for NFS over TCP. +The time in deciseconds (tenths of a second) the NFS client waits for a +response before it retries an NFS request. +.IP +For NFS over TCP the default +.B timeo +value is 600 (60 seconds). +The NFS client performs linear backoff: After each retransmission the +timeout is increased by +.BR timeo +up to the maximum of 600 seconds. .IP However, for NFS over UDP, the client uses an adaptive algorithm to estimate an appropriate timeout value for frequently used @@ -345,6 +347,13 @@ using an automounter (refer to .BR automount (8) for details). .TP 1.5i +.BR rdirplus " / " nordirplus +Selects whether to use NFS v3 or v4 READDIRPLUS requests. +If this option is not specified, the NFS client uses READDIRPLUS requests +on NFS v3 or v4 mounts to read small directories. +Some applications perform better if the client uses only READDIR requests +for all directories. +.TP 1.5i .BI retry= n The number of minutes that the .BR mount (8) @@ -357,27 +366,22 @@ If a value of zero is specified, the .BR mount (8) command exits immediately after the first failure. .TP 1.5i -.BI sec= mode -The RPCGSS security flavor to use for accessing files on this mount point. -If the -.B sec -option is not specified, or if -.B sec=sys -is specified, the NFS client uses the AUTH_SYS security flavor -for all NFS requests on this mount point. -Valid security flavors are +.BI sec= flavor +The security flavor to use for accessing files on this mount point. +If the server does not support this flavor, the mount operation fails. +If +.B sec= +is not specified, the client attempts to find +a security flavor that both the client and the server supports. +Valid +.I flavors +are .BR none , .BR sys , .BR krb5 , .BR krb5i , -.BR krb5p , -.BR lkey , -.BR lkeyi , -.BR lkeyp , -.BR spkm , -.BR spkmi , and -.BR spkmp . +.BR krb5p . Refer to the SECURITY CONSIDERATIONS section for details. .TP 1.5i .BR sharecache " / " nosharecache @@ -464,29 +468,27 @@ by other clients, but can impact application and server performance. .IP The DATA AND METADATA COHERENCE section contains a detailed discussion of these trade-offs. -.SS "Options for versions 2 and 3 only" +.TP 1.5i +.BR fsc " / " nofsc +Enable/Disables the cache of (read-only) data pages to the local disk +using the FS-Cache facility. See cachefilesd(8) +and /Documentation/filesystems/caching +for detail on how to configure the FS-Cache facility. +Default value is nofsc. +.SS "Options for NFS versions 2 and 3 only" Use these options, along with the options in the above subsection, -for NFSv2/v3 only. They will be ignored for newer versions. +for NFS versions 2 and 3 only. .TP 1.5i .BI proto= netid -The transport protocol name and protocol family the NFS client uses -to transmit requests to the NFS server for this mount point. -If an NFS server has both an IPv4 and an IPv6 address, using a specific -netid will force the use of IPv4 or IPv6 networking to communicate -with that server. -.IP -If support for TI-RPC is built into the -.B mount.nfs -command, -.I netid -is a valid netid listed in -.IR /etc/netconfig . -The value "rdma" may also be specified. -If the -.B mount.nfs -command does not have TI-RPC support, then +The .I netid -is one of "tcp," "udp," or "rdma," and only IPv4 may be used. +determines the transport that is used to communicate with the NFS +server. Available options are +.BR udp ", " udp6 ", "tcp ", " tcp6 ", and " rdma . +Those which end in +.B 6 +use IPv6 addresses and are only available if support for TI-RPC is +built in. Others use IPv4 addresses. .IP Each transport protocol uses different default .B retrans @@ -504,6 +506,8 @@ Specifying a netid that uses TCP forces all traffic from the command and the NFS client to use TCP. Specifying a netid that uses UDP forces all traffic types to use UDP. .IP +.B Before using NFS over UDP, refer to the TRANSPORT METHODS section. +.IP If the .B proto mount option is not specified, the @@ -518,6 +522,8 @@ The option is an alternative to specifying .BR proto=udp. It is included for compatibility with other operating systems. +.IP +.B Before using NFS over UDP, refer to the TRANSPORT METHODS section. .TP 1.5i .B tcp The @@ -562,19 +568,18 @@ This option can be used when mounting an NFS server through a firewall that blocks the rpcbind protocol. .TP 1.5i .BI mountproto= netid -The transport protocol name and protocol family the NFS client uses +The transport the NFS client uses to transmit requests to the NFS server's mountd service when performing this mount request, and when later unmounting this mount point. .IP -If support for TI-RPC is built into the +.I netid +may be one of +.BR udp ", and " tcp +which use IPv4 address or, if TI-RPC is built into the .B mount.nfs command, -.I netid -is a valid netid listed in -.IR /etc/netconfig . -Otherwise, -.I netid -is one of "tcp" or "udp," and only IPv4 may be used. +.BR udp6 ", and " tcp6 +which use IPv6 addresses. .IP This option can be used when mounting an NFS server through a firewall that blocks a particular transport. @@ -619,7 +624,7 @@ in such cases. .BI nfsvers= n The NFS protocol version number used to contact the server's NFS service. If the server does not support the requested version, the mount request fails. -If this option is not specified, the client negociate a suitable version with +If this option is not specified, the client negotiates a suitable version with the server, trying version 4 first, version 3 second, and version 2 last. .TP 1.5i .BI vers= n @@ -711,32 +716,62 @@ Disabling the NFSACL sideband protocol may be necessary if the negotiation causes problems on the client or server. Refer to the SECURITY CONSIDERATIONS section for more details. .TP 1.5i -.BR rdirplus " / " nordirplus -Selects whether to use NFS version 3 READDIRPLUS requests. -If this option is not specified, the NFS client uses READDIRPLUS requests -on NFS version 3 mounts to read small directories. -Some applications perform better if the client uses only READDIR requests -for all directories. -.SS "Options for version 4 only" +.BR local_lock= mechanism +Specifies whether to use local locking for any or both of the flock and the +POSIX locking mechanisms. +.I mechanism +can be one of +.BR all , +.BR flock , +.BR posix , +or +.BR none . +This option is supported in kernels 2.6.37 and later. +.IP +The Linux NFS client provides a way to make locks local. This means, the +applications can lock files, but such locks provide exclusion only against +other applications running on the same client. Remote applications are not +affected by these locks. +.IP +If this option is not specified, or if +.B none +is specified, the client assumes that the locks are not local. +.IP +If +.BR all +is specified, the client assumes that both flock and POSIX locks are local. +.IP +If +.BR flock +is specified, the client assumes that only flock locks are local and uses +NLM sideband protocol to lock files when POSIX locks are used. +.IP +If +.BR posix +is specified, the client assumes that POSIX locks are local and uses NLM +sideband protocol to lock files when flock locks are used. +.IP +To support legacy flock behavior similar to that of NFS clients < 2.6.12, +use 'local_lock=flock'. This option is required when exporting NFS mounts via +Samba as Samba maps Windows share mode locks as flock. Since NFS clients > +2.6.12 implement flock by emulating POSIX locks, this will result in +conflicting locks. +.IP +NOTE: When used together, the 'local_lock' mount option will be overridden +by 'nolock'/'lock' mount option. +.SS "Options for NFS version 4 only" Use these options, along with the options in the first subsection above, -for NFSv4 only. They will be ignored with older versions. +for NFS version 4 and newer. .TP 1.5i .BI proto= netid -The transport protocol name and protocol family the NFS client uses -to transmit requests to the NFS server for this mount point. -If an NFS server has both an IPv4 and an IPv6 address, using a specific -netid will force the use of IPv4 or IPv6 networking to communicate -with that server. -.IP -If support for TI-RPC is built into the -.B mount.nfs -command, -.I netid -is a valid netid listed in -.IR /etc/netconfig . -Otherwise, +The .I netid -is one of "tcp" or "udp," and only IPv4 may be used. +determines the transport that is used to communicate with the NFS +server. Supported options are +.BR tcp ", " tcp6 ", and " rdma . +.B tcp6 +use IPv6 addresses and is only available if support for TI-RPC is +built in. Both others use IPv4 addresses. .IP All NFS version 4 servers are required to support TCP, so if this mount option is not specified, the NFS version 4 client @@ -800,6 +835,8 @@ The DATA AND METADATA COHERENCE section discusses the behavior of this option in more detail. .TP 1.5i .BI clientaddr= n.n.n.n +.TP 1.5i +.BI clientaddr= n:n: ... :n Specifies a single IPv4 address (in dotted-quad form), or a non-link-local IPv6 address, that the NFS client advertises to allow servers @@ -857,40 +894,40 @@ The following example from an file causes the mount command to negotiate reasonable defaults for NFS behavior. .P -.NF -.TA 2.5i +0.7i +0.7i +.7i +.nf +.ta 8n +16n +6n +6n +30n server:/export /mnt nfs defaults 0 0 -.FI +.fi .P Here is an example from an /etc/fstab file for an NFS version 2 mount over UDP. .P -.NF -.TA 2.5i +0.7i +0.7i +.7i +.nf +.ta 8n +16n +6n +6n +30n server:/export /mnt nfs nfsvers=2,proto=udp 0 0 -.FI +.fi .P Try this example to mount using NFS version 4 over TCP with Kerberos 5 mutual authentication. .P -.NF -.TA 2.5i +0.7i +0.7i +.7i +.nf +.ta 8n +16n +6n +6n +30n server:/export /mnt nfs4 sec=krb5 0 0 -.FI +.fi .P This example can be used to mount /usr over NFS. .P -.NF -.TA 2.5i +0.7i +0.7i +.7i +.nf +.ta 8n +16n +6n +6n +30n server:/export /usr nfs ro,nolock,nocto,actimeo=3600 0 0 -.FI +.fi .P This example shows how to mount an NFS server using a raw IPv6 link-local address. .P -.NF -.TA 2.5i +0.7i +0.7i +.7i +.nf +.ta 8n +40n +5n +4n +9n [fe80::215:c5ff:fb3e:e2b1%eth0]:/export /mnt nfs defaults 0 0 -.FI +.fi .SH "TRANSPORT METHODS" NFS clients send requests to NFS servers via Remote Procedure Calls, or @@ -1030,6 +1067,83 @@ or options are specified more than once on the same mount command line, then the value of the rightmost instance of each of these options takes effect. +.SS "Using NFS over UDP on high-speed links" +Using NFS over UDP on high-speed links such as Gigabit +.BR "can cause silent data corruption" . +.P +The problem can be triggered at high loads, and is caused by problems in +IP fragment reassembly. NFS read and writes typically transmit UDP packets +of 4 Kilobytes or more, which have to be broken up into several fragments +in order to be sent over the Ethernet link, which limits packets to 1500 +bytes by default. This process happens at the IP network layer and is +called fragmentation. +.P +In order to identify fragments that belong together, IP assigns a 16bit +.I IP ID +value to each packet; fragments generated from the same UDP packet +will have the same IP ID. The receiving system will collect these +fragments and combine them to form the original UDP packet. This process +is called reassembly. The default timeout for packet reassembly is +30 seconds; if the network stack does not receive all fragments of +a given packet within this interval, it assumes the missing fragment(s) +got lost and discards those it already received. +.P +The problem this creates over high-speed links is that it is possible +to send more than 65536 packets within 30 seconds. In fact, with +heavy NFS traffic one can observe that the IP IDs repeat after about +5 seconds. +.P +This has serious effects on reassembly: if one fragment gets lost, +another fragment +.I from a different packet +but with the +.I same IP ID +will arrive within the 30 second timeout, and the network stack will +combine these fragments to form a new packet. Most of the time, network +layers above IP will detect this mismatched reassembly - in the case +of UDP, the UDP checksum, which is a 16 bit checksum over the entire +packet payload, will usually not match, and UDP will discard the +bad packet. +.P +However, the UDP checksum is 16 bit only, so there is a chance of 1 in +65536 that it will match even if the packet payload is completely +random (which very often isn't the case). If that is the case, +silent data corruption will occur. +.P +This potential should be taken seriously, at least on Gigabit +Ethernet. +Network speeds of 100Mbit/s should be considered less +problematic, because with most traffic patterns IP ID wrap around +will take much longer than 30 seconds. +.P +It is therefore strongly recommended to use +.BR "NFS over TCP where possible" , +since TCP does not perform fragmentation. +.P +If you absolutely have to use NFS over UDP over Gigabit Ethernet, +some steps can be taken to mitigate the problem and reduce the +probability of corruption: +.TP +1.5i +.I Jumbo frames: +Many Gigabit network cards are capable of transmitting +frames bigger than the 1500 byte limit of traditional Ethernet, typically +9000 bytes. Using jumbo frames of 9000 bytes will allow you to run NFS over +UDP at a page size of 8K without fragmentation. Of course, this is +only feasible if all involved stations support jumbo frames. +.IP +To enable a machine to send jumbo frames on cards that support it, +it is sufficient to configure the interface for a MTU value of 9000. +.TP +1.5i +.I Lower reassembly timeout: +By lowering this timeout below the time it takes the IP ID counter +to wrap around, incorrect reassembly of fragments can be prevented +as well. To do so, simply write the new timeout value (in seconds) +to the file +.BR /proc/sys/net/ipv4/ipfrag_time . +.IP +A value of 2 seconds will greatly reduce the probability of IPID clashes on +a single Gigabit link, while still allowing for a reasonable timeout +when receiving fragmented traffic from distant peers. .SH "DATA AND METADATA COHERENCE" Some modern cluster file systems provide perfect cache coherence among their clients. @@ -1331,19 +1445,19 @@ These auxiliary protocols use no authentication. In addition to combining these sideband protocols with the main NFS protocol, NFS version 4 introduces more advanced forms of access control, authentication, and in-transit data protection. -The NFS version 4 specification mandates NFSv4 ACLs, -RPCGSS authentication, and RPCGSS security flavors +The NFS version 4 specification mandates support for +strong authentication and security flavors that provide per-RPC integrity checking and encryption. Because NFS version 4 combines the function of the sideband protocols into the main NFS protocol, the new security features apply to all NFS version 4 operations including mounting, file locking, and so on. RPCGSS authentication can also be used with NFS versions 2 and 3, -but does not protect their sideband protocols. +but it does not protect their sideband protocols. .P The .B sec -mount option specifies the RPCGSS security mode +mount option specifies the security flavor that is in effect on a given NFS mount point. Specifying .B sec=krb5 @@ -1370,17 +1484,18 @@ security flavor encrypts every RPC request to prevent data exposure during network transit; however, expect some performance impact when using integrity checking or encryption. -Similar support for other forms of cryptographic security (such as lipkey and SPKM3) +Similar support for other forms of cryptographic security is also available. .P The NFS version 4 protocol allows -clients and servers to negotiate among multiple security flavors -during mount processing. -However, Linux does not yet implement such negotiation. -The Linux client specifies a single security flavor at mount time -which remains in effect for the lifetime of the mount. -If the server does not support this flavor, -the initial mount request is rejected by the server. +a client to renegotiate the security flavor +when the client crosses into a new filesystem on the server. +The newly negotiated flavor effects only accesses of the new filesystem. +.P +Such negotiation typically occurs when a client crosses +from a server's pseudo-fs +into one of the server's exported physical filesystems, +which often have more restrictive security settings than the pseudo-fs. .SS "Using non-privileged source ports" NFS clients usually communicate with NFS servers via network sockets. Each end of a socket is assigned a port value, which is simply a number @@ -1480,32 +1595,54 @@ of Access Control Lists that are semantically richer than POSIX ACLs. NFS version 4 ACLs are not fully compatible with POSIX ACLs; as such, some translation between the two is required in an environment that mixes POSIX ACLs and NFS version 4. -.SH FILES -.TP 1.5i -.I /etc/fstab -file system table -.SH BUGS -The generic -.B remount -option is not fully supported. -Generic options, such as -.BR rw " and " ro -can be modified using the -.B remount -option, -but NFS-specific options are not all supported. +.SH "THE REMOUNT OPTION" +Generic mount options such as +.BR rw " and " sync +can be modified on NFS mount points using the +.BR remount +option. +See +.BR mount (8) +for more information on generic mount options. +.P +With few exceptions, NFS-specific options +are not able to be modified during a remount. The underlying transport or NFS version cannot be changed by a remount, for example. +.P Performing a remount on an NFS file system mounted with the .B noac option may have unintended consequences. The .B noac -option is a mixture of a generic option, +option is a combination of the generic option .BR sync , -and an NFS-specific option +and the NFS-specific option .BR actimeo=0 . -.P +.SS "Unmounting after a remount" +For mount points that use NFS versions 2 or 3, the NFS umount subcommand +depends on knowing the original set of mount options used to perform the +MNT operation. +These options are stored on disk by the NFS mount subcommand, +and can be erased by a remount. +.P +To ensure that the saved mount options are not erased during a remount, +specify either the local mount directory, or the server hostname and +export pathname, but not both, during a remount. For example, +.P +.nf +.ta 8n + mount -o remount,ro /mnt +.fi +.P +merges the mount option +.B ro +with the mount options already saved on disk for the NFS server mounted at /mnt. +.SH FILES +.TP 1.5i +.I /etc/fstab +file system table +.SH BUGS Before 2.4.7, the Linux NFS client did not support NFS over TCP. .P Before 2.4.20, the Linux NFS client used a heuristic