X-Git-Url: https://git.decadent.org.uk/gitweb/?p=nfs-utils.git;a=blobdiff_plain;f=utils%2Fmount%2Fnfs.man;h=a8ec46cb7509ba85c6d3359f3bc3eb27f7fc47d4;hp=ce40933b2b42b2d503831c1de43c16d82608c6b6;hb=fb06ed9fc1fa11a95544fb2d89adb6c51ef5d946;hpb=baf04c05bdeb97d014a048c4e531a5cc36ce1fd0 diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man index ce40933..a8ec46c 100644 --- a/utils/mount/nfs.man +++ b/utils/mount/nfs.man @@ -1,5 +1,5 @@ .\"@(#)nfs.5" -.TH NFS 5 "2 November 2007" +.TH NFS 5 "9 October 2012" .SH NAME nfs \- fstab format and options for the .B nfs @@ -347,6 +347,13 @@ using an automounter (refer to .BR automount (8) for details). .TP 1.5i +.BR rdirplus " / " nordirplus +Selects whether to use NFS v3 or v4 READDIRPLUS requests. +If this option is not specified, the NFS client uses READDIRPLUS requests +on NFS v3 or v4 mounts to read small directories. +Some applications perform better if the client uses only READDIR requests +for all directories. +.TP 1.5i .BI retry= n The number of minutes that the .BR mount (8) @@ -359,27 +366,22 @@ If a value of zero is specified, the .BR mount (8) command exits immediately after the first failure. .TP 1.5i -.BI sec= mode -The RPCGSS security flavor to use for accessing files on this mount point. -If the -.B sec -option is not specified, or if -.B sec=sys -is specified, the NFS client uses the AUTH_SYS security flavor -for all NFS requests on this mount point. -Valid security flavors are +.BI sec= flavor +The security flavor to use for accessing files on this mount point. +If the server does not support this flavor, the mount operation fails. +If +.B sec= +is not specified, the client attempts to find +a security flavor that both the client and the server supports. +Valid +.I flavors +are .BR none , .BR sys , .BR krb5 , .BR krb5i , -.BR krb5p , -.BR lkey , -.BR lkeyi , -.BR lkeyp , -.BR spkm , -.BR spkmi , and -.BR spkmp . +.BR krb5p . Refer to the SECURITY CONSIDERATIONS section for details. .TP 1.5i .BR sharecache " / " nosharecache @@ -466,29 +468,27 @@ by other clients, but can impact application and server performance. .IP The DATA AND METADATA COHERENCE section contains a detailed discussion of these trade-offs. +.TP 1.5i +.BR fsc " / " nofsc +Enable/Disables the cache of (read-only) data pages to the local disk +using the FS-Cache facility. See cachefilesd(8) +and /Documentation/filesystems/caching +for detail on how to configure the FS-Cache facility. +Default value is nofsc. .SS "Options for NFS versions 2 and 3 only" Use these options, along with the options in the above subsection, for NFS versions 2 and 3 only. .TP 1.5i .BI proto= netid -The transport protocol name and protocol family the NFS client uses -to transmit requests to the NFS server for this mount point. -If an NFS server has both an IPv4 and an IPv6 address, using a specific -netid will force the use of IPv4 or IPv6 networking to communicate -with that server. -.IP -If support for TI-RPC is built into the -.B mount.nfs -command, -.I netid -is a valid netid listed in -.IR /etc/netconfig . -The value "rdma" may also be specified. -If the -.B mount.nfs -command does not have TI-RPC support, then +The .I netid -is one of "tcp," "udp," or "rdma," and only IPv4 may be used. +determines the transport that is used to communicate with the NFS +server. Available options are +.BR udp ", " udp6 ", "tcp ", " tcp6 ", and " rdma . +Those which end in +.B 6 +use IPv6 addresses and are only available if support for TI-RPC is +built in. Others use IPv4 addresses. .IP Each transport protocol uses different default .B retrans @@ -506,6 +506,8 @@ Specifying a netid that uses TCP forces all traffic from the command and the NFS client to use TCP. Specifying a netid that uses UDP forces all traffic types to use UDP. .IP +.B Before using NFS over UDP, refer to the TRANSPORT METHODS section. +.IP If the .B proto mount option is not specified, the @@ -520,6 +522,8 @@ The option is an alternative to specifying .BR proto=udp. It is included for compatibility with other operating systems. +.IP +.B Before using NFS over UDP, refer to the TRANSPORT METHODS section. .TP 1.5i .B tcp The @@ -564,19 +568,18 @@ This option can be used when mounting an NFS server through a firewall that blocks the rpcbind protocol. .TP 1.5i .BI mountproto= netid -The transport protocol name and protocol family the NFS client uses +The transport the NFS client uses to transmit requests to the NFS server's mountd service when performing this mount request, and when later unmounting this mount point. .IP -If support for TI-RPC is built into the +.I netid +may be one of +.BR udp ", and " tcp +which use IPv4 address or, if TI-RPC is built into the .B mount.nfs command, -.I netid -is a valid netid listed in -.IR /etc/netconfig . -Otherwise, -.I netid -is one of "tcp" or "udp," and only IPv4 may be used. +.BR udp6 ", and " tcp6 +which use IPv6 addresses. .IP This option can be used when mounting an NFS server through a firewall that blocks a particular transport. @@ -713,13 +716,6 @@ Disabling the NFSACL sideband protocol may be necessary if the negotiation causes problems on the client or server. Refer to the SECURITY CONSIDERATIONS section for more details. .TP 1.5i -.BR rdirplus " / " nordirplus -Selects whether to use NFS version 3 READDIRPLUS requests. -If this option is not specified, the NFS client uses READDIRPLUS requests -on NFS version 3 mounts to read small directories. -Some applications perform better if the client uses only READDIR requests -for all directories. -.TP 1.5i .BR local_lock= mechanism Specifies whether to use local locking for any or both of the flock and the POSIX locking mechanisms. @@ -768,21 +764,14 @@ Use these options, along with the options in the first subsection above, for NFS version 4 and newer. .TP 1.5i .BI proto= netid -The transport protocol name and protocol family the NFS client uses -to transmit requests to the NFS server for this mount point. -If an NFS server has both an IPv4 and an IPv6 address, using a specific -netid will force the use of IPv4 or IPv6 networking to communicate -with that server. -.IP -If support for TI-RPC is built into the -.B mount.nfs -command, -.I netid -is a valid netid listed in -.IR /etc/netconfig . -Otherwise, +The .I netid -is one of "tcp" or "udp," and only IPv4 may be used. +determines the transport that is used to communicate with the NFS +server. Supported options are +.BR tcp ", " tcp6 ", and " rdma . +.B tcp6 +use IPv6 addresses and is only available if support for TI-RPC is +built in. Both others use IPv4 addresses. .IP All NFS version 4 servers are required to support TCP, so if this mount option is not specified, the NFS version 4 client @@ -846,6 +835,8 @@ The DATA AND METADATA COHERENCE section discusses the behavior of this option in more detail. .TP 1.5i .BI clientaddr= n.n.n.n +.TP 1.5i +.BI clientaddr= n:n: ... :n Specifies a single IPv4 address (in dotted-quad form), or a non-link-local IPv6 address, that the NFS client advertises to allow servers @@ -1076,6 +1067,83 @@ or options are specified more than once on the same mount command line, then the value of the rightmost instance of each of these options takes effect. +.SS "Using NFS over UDP on high-speed links" +Using NFS over UDP on high-speed links such as Gigabit +.BR "can cause silent data corruption" . +.P +The problem can be triggered at high loads, and is caused by problems in +IP fragment reassembly. NFS read and writes typically transmit UDP packets +of 4 Kilobytes or more, which have to be broken up into several fragments +in order to be sent over the Ethernet link, which limits packets to 1500 +bytes by default. This process happens at the IP network layer and is +called fragmentation. +.P +In order to identify fragments that belong together, IP assigns a 16bit +.I IP ID +value to each packet; fragments generated from the same UDP packet +will have the same IP ID. The receiving system will collect these +fragments and combine them to form the original UDP packet. This process +is called reassembly. The default timeout for packet reassembly is +30 seconds; if the network stack does not receive all fragments of +a given packet within this interval, it assumes the missing fragment(s) +got lost and discards those it already received. +.P +The problem this creates over high-speed links is that it is possible +to send more than 65536 packets within 30 seconds. In fact, with +heavy NFS traffic one can observe that the IP IDs repeat after about +5 seconds. +.P +This has serious effects on reassembly: if one fragment gets lost, +another fragment +.I from a different packet +but with the +.I same IP ID +will arrive within the 30 second timeout, and the network stack will +combine these fragments to form a new packet. Most of the time, network +layers above IP will detect this mismatched reassembly - in the case +of UDP, the UDP checksum, which is a 16 bit checksum over the entire +packet payload, will usually not match, and UDP will discard the +bad packet. +.P +However, the UDP checksum is 16 bit only, so there is a chance of 1 in +65536 that it will match even if the packet payload is completely +random (which very often isn't the case). If that is the case, +silent data corruption will occur. +.P +This potential should be taken seriously, at least on Gigabit +Ethernet. +Network speeds of 100Mbit/s should be considered less +problematic, because with most traffic patterns IP ID wrap around +will take much longer than 30 seconds. +.P +It is therefore strongly recommended to use +.BR "NFS over TCP where possible" , +since TCP does not perform fragmentation. +.P +If you absolutely have to use NFS over UDP over Gigabit Ethernet, +some steps can be taken to mitigate the problem and reduce the +probability of corruption: +.TP +1.5i +.I Jumbo frames: +Many Gigabit network cards are capable of transmitting +frames bigger than the 1500 byte limit of traditional Ethernet, typically +9000 bytes. Using jumbo frames of 9000 bytes will allow you to run NFS over +UDP at a page size of 8K without fragmentation. Of course, this is +only feasible if all involved stations support jumbo frames. +.IP +To enable a machine to send jumbo frames on cards that support it, +it is sufficient to configure the interface for a MTU value of 9000. +.TP +1.5i +.I Lower reassembly timeout: +By lowering this timeout below the time it takes the IP ID counter +to wrap around, incorrect reassembly of fragments can be prevented +as well. To do so, simply write the new timeout value (in seconds) +to the file +.BR /proc/sys/net/ipv4/ipfrag_time . +.IP +A value of 2 seconds will greatly reduce the probability of IPID clashes on +a single Gigabit link, while still allowing for a reasonable timeout +when receiving fragmented traffic from distant peers. .SH "DATA AND METADATA COHERENCE" Some modern cluster file systems provide perfect cache coherence among their clients. @@ -1377,19 +1445,19 @@ These auxiliary protocols use no authentication. In addition to combining these sideband protocols with the main NFS protocol, NFS version 4 introduces more advanced forms of access control, authentication, and in-transit data protection. -The NFS version 4 specification mandates NFSv4 ACLs, -RPCGSS authentication, and RPCGSS security flavors +The NFS version 4 specification mandates support for +strong authentication and security flavors that provide per-RPC integrity checking and encryption. Because NFS version 4 combines the function of the sideband protocols into the main NFS protocol, the new security features apply to all NFS version 4 operations including mounting, file locking, and so on. RPCGSS authentication can also be used with NFS versions 2 and 3, -but does not protect their sideband protocols. +but it does not protect their sideband protocols. .P The .B sec -mount option specifies the RPCGSS security mode +mount option specifies the security flavor that is in effect on a given NFS mount point. Specifying .B sec=krb5 @@ -1416,17 +1484,18 @@ security flavor encrypts every RPC request to prevent data exposure during network transit; however, expect some performance impact when using integrity checking or encryption. -Similar support for other forms of cryptographic security (such as lipkey and SPKM3) +Similar support for other forms of cryptographic security is also available. .P The NFS version 4 protocol allows -clients and servers to negotiate among multiple security flavors -during mount processing. -However, Linux does not yet implement such negotiation. -The Linux client specifies a single security flavor at mount time -which remains in effect for the lifetime of the mount. -If the server does not support this flavor, -the initial mount request is rejected by the server. +a client to renegotiate the security flavor +when the client crosses into a new filesystem on the server. +The newly negotiated flavor effects only accesses of the new filesystem. +.P +Such negotiation typically occurs when a client crosses +from a server's pseudo-fs +into one of the server's exported physical filesystems, +which often have more restrictive security settings than the pseudo-fs. .SS "Using non-privileged source ports" NFS clients usually communicate with NFS servers via network sockets. Each end of a socket is assigned a port value, which is simply a number @@ -1561,10 +1630,10 @@ To ensure that the saved mount options are not erased during a remount, specify either the local mount directory, or the server hostname and export pathname, but not both, during a remount. For example, .P -.NF -.TA 2.5i +.nf +.ta 8n mount -o remount,ro /mnt -.FI +.fi .P merges the mount option .B ro