Manual Pages


Table of Contents

NAME

na_exportfs - Exports or unexports a file system path, making it available or unavailable, respectively, for mounting by NFS clients.

SYNOPSIS

exportfs

exportfs [ -v ] [ -io options ] path

exportfs -a [ -v ]

exportfs -b [ -v ] enable | disable save | nosave allhosts | clientid[:clientid...] allpaths | path[:path...]

exportfs -c [ -v ] clientaddr[:clientaddr...] path [ [ ro | rw | root ] [ sys | none | krb5 | krb5i | krb5p ] ]

exportfs -f [-n clientaddr | hostname] [path]

exportfs -h | -r [ -v ]

exportfs -p [ -v ] [options] path

exportfs -q | -s | -w | -z [ -v ] path

exportfs -u [ -v ] path | -a

DESCRIPTION

Use the exportfs command to perform any of the following tasks:

* Export or unexport a file system path.

* Add an export entry to or remove an export entry from the /etc/exports file.

* Export or unexport all file system paths specified in the /etc/exports file.

* Enable or disable fencing of specific NFS clients from specific file system paths.

* Check whether NFS clients have a specific type of access to a file system path.

* Flush entries from the access cache.

* Display exported file system paths and export options.

* Display the actual file system path corresponding to an exported file system path.

* Save exported file system paths and their export options into a file.

OPTIONS

(none)
Displays all exported file system paths.

path
Exports a file system path without adding a corresponding export entry to the /etc/exports file. To override any export options specified for the file system path in the /etc/exports file, specify the -io options followed by a comma-delimited list of export options. For more information about export options, see na_exports(5). Note: To export a file system path and add a corresponding entry to the /etc/exports file, use the -p option instead.

-a
Exports all file system paths specified in the /etc/exports file. To export all file system paths specified in the /etc/exports file and unexport all file system paths not specified in the /etc/exports file, use the -r option instead. Note: Data ONTAP re-exports a file system path only if its persistent export options (those specified in the /etc/exports file) are different from its current export options, thus ensuring that it does not expose NFS clients unnecessarily to a brief moment during a re-export in which a file system path is not available.

-b
Enables or disables fencing of specific NFS clients from specific file system paths, giving the NFS clients read-only or read-write access, respectively. To enable fencing, specify the enable option; to disable fencing, specify the disable option. To update the /etc/exports file, specify the save option; otherwise, specify the nosave option. To affect all NFS clients, specify the allhosts option; otherwise, specify a colon-delimited list of NFS client identifiers. To affect all exported file system paths, specify the allpaths option; otherwise, specify a colon-delimited list of file system paths. Data ONTAP drains all of the NFS requests in its queue before it enables or disables fencing, thereby ensuring that all file writes are atomic. Note: When you enable or disable fencing, Data ONTAP moves the NFS client to the front of its new access list (rw= or ro=). This reordering can change your original export rules.

-c
Checks whether NFS clients have a specific type of access to a file system path. You must specify the IP addresses of the NFS clients (hostip) and the exported (not actual) file system path (path). To check whether the NFS client has read-only, read-write, or root access to the file system path, specify the ro, rw, or root option, respectively. If you do not specify an access type, Data ONTAP simply checks whether the NFS client can mount the file system path. If you specify an access type, you can also specify the NFS client's security type: sys, none, krb5, krb5i, or krb5p. If you do not specify a security type, Data ONTAP assumes the NFS client's security type is sys. Note: If Data ONTAP does not find an entry in the access cache corresponding to (1) the file system path and (2) the NFS client's IP address, access type, and security type, Data ONTAP (1) determines the NFS client's host name from its IP address (for example, it performs a reverse DNS lookup), (2) checks the NFS client's host name, access type, and security type against the file system path's export options, and (3) adds the result to the access cache as a new entry.

-f
Flushes entries from the access cache. Without any arguments, this option flushes all of the access cache entries. To flush access cache entries corresponding to a specific file system path, specify the file system path. To flush access cache entries corresponding to a specific host, use the -n option with the host name or IP address of the host. Note: To control when access cache entries expire automatically, set the options nfs.export.harvest.timeout, nfs.export.neg.timeout, and nfs.export.pos.timeout. For more information about these options, see na_options(1).

-h
Displays help for all exportfs options.

-i
Ignores the options specified for a file system path in the /etc/exports file. If you do not specify the -i option with the -o option, Data ONTAP uses the options specified for the file system path in the /etc/exports file instead of the options you specify on the command line.

-o
Specifies one or more export options for a file system path as a comma-delimited list. For more information about export options, see na_exports(5). Note: To override the options specified for the file system path in the /etc/exports file, you must specify the -i and -o options together.

-p
Exports a file system path and adds a corresponding export entry to the /etc/exports file. If you do not specify any export options, Data ONTAP automatically exports the file system path with the rw and -sec=sys export options. Use the -p option to add a file system path to the /etc/exports file without manually editing the /etc/exports file. Note: Data ONTAP exports the file system paths specified in the /etc/exports file every time NFS starts up (for example, when the node reboots). For more information, see na_exports(5).

-q
Displays the export options for a file system path. Use the -q option to quickly view the export options for a single file system path without manually searching through the /etc/exports file. In addition to the options, it displays the ruleid for each "rule" in the export. This ruleid is used to display the in-memory and on-disk access cache for each "rule". A rule is a set of host access permissions defined for a security flavor in an export, and a ruleid uniquely identifies a rule for as long as the node is up. For example:
   exportfs -q /vol/vol0
   /vol/vol0  -sec=krb5,(ruleid=2),rw
This means that the filesystem /vol/vol0 is exported via the rule "rw" and this rule has a ruleid of 2.
   exportfs -q /vol/vol1
   /vol/vol1  -sec=sys,(ruleid=2),rw,
          sec=krb5,(ruleid=10),ro=172.16.27.0/24,rw=172.16.36.0/24
This means that the filesystem /vol/vol1 is exported via the rule "rw" (ruleid 2) to everyone who is coming with AUTH_SYS security and is also exported via the rule "ro=172.16.27.0/24,rw=172.16.36.0/24" (ruleid 10) to everyone coming in with Kerberos.

-r
Exports all file system paths specified in the /etc/exports file and unexports all file system paths not specified in the /etc/exports file. To export all file system paths specified in the /etc/exports file without unexporting any file system paths, use the -a option instead. Note: Data ONTAP re-exports a file system path only if its persistent export options (those specified in the /etc/exports file) are different from its current export options, thus ensuring that it does not expose NFS clients unnecessarily to a brief moment during a re-export in which a file system path is not available.

-s
Displays the actual file system path corresponding to an exported file system path. Note: Unless a file system path is exported with the -actual option, its actual file system path is the same as its exported file system path.

-u
Unexports a file system path. To unexport a single file system path, specify the path; otherwise, to unexport all file system paths specified in the /etc/exports file, specify the -a option. Note: The -u option does not remove export entries from the /etc/exports file. To unexport a file system path and remove its export entry from the /etc/exports file, use the -z option instead.

-v
Specifies that Data ONTAP should be verbose. Use the -v option with any other option. For example, specify the -v option with the -a option to specify that Data ONTAP should display all file system paths that it exports.

-w
Saves exported file system paths and their export options into a file.

-z
Unexports a file system path and removes its export entry from the /etc/exports file. Use the -z option to remove a file system path from the /etc/exports file without manually editing the /etc/exports file. Note: By default, entries are commented out rather than removed from the /etc/exports file. To have entries actually removed, switch off the nfs.export.exportfs_comment_on_delete option. For more information, see na_options(1).

OPERANDS

clientaddr
An NFS client's IP address. Every IPv6 address must be enclosed within square brackets (for example, [7F52:85FC:774A:8AC::34]).

clientid
One of the following NFS client identifiers: host name, IP address, netgroup, subnet, or domain name. For more information, see na_exports(5).

options
A comma-delimited list of export options. For more information, see na_exports(5).

path
A file system path: for example, a path to a volume, directory, or file.

EXTENDED DESCRIPTION

When you export a file system path, specify the -p option to add a corresponding entry to the /etc/exports file; otherwise, specify the -i and -o options to override any export options specified for the file system path in the /etc/exports file with the export options you specify on the command line.

When you specify the -b option (or the rw=, ro=, or root= export option), you must specify one or more NFS client identifiers as a colon-delimited list. An NFS client identifier is a host name, IP address, netgroup, subnet, or domain name. For more information about client identifiers, see na_exports(5).

Unlike UNIX systems, Data ONTAP lets you export a file system path even if one of its ancestors has been exported already. For example, you can export /vol/vol0/home even if /vol/vol0 has been exported already. However, you must never export an ancestor with fewer access controls than its children. Otherwise, NFS clients can mount the ancestor to circumvent the children's access controls. For example, suppose you export /vol/vol0 to all NFS clients for read-write access (with the rw export option) and /vol/vol0/home to all NFS clients for read-only access (with the ro export option). If an NFS client mounts /vol/vol0/home, it has read-only access to /vol/vol0/home. But if an NFS client mounts /vol/vol0, it has read-write access to /vol/vol0 and /vol/vol0/home. Thus, by mounting /vol/vol0, an NFS client can circumvent the security restrictions on /vol/vol0/home.

When an NFS client mounts a subpath of an exported file system path, Data ONTAP applies the export options of the exported file system path with the longest matching prefix. For example, suppose the only exported file system paths are /vol/vol0 and /vol/vol0/home. If an NFS client mounts /vol/vol0/home/user1, Data ONTAP applies the export options for /vol/vol0/home, not /vol/vol0, because /vol/vol0/home has the longest matching prefix.
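
The ancestor check and the longest-prefix rule described above, as an added example in Python (not part of the original manual page and not NetApp code): it parses a constructed listing in a simplified path/options form and reports every ancestor export that grants all hosts more access than a path exported beneath it. The function names and the sample listing are assumptions; netgroups, negated entries and multiple sec= rules per path are not modelled.

```python
# Added example (not NetApp code). Simplified rule syntax is an assumption:
# one rule per path, only bare rw/ro and rw=<list>/ro=<list> are interpreted.

SAMPLE_EXPORTS = """\
/vol/vol0       -sec=sys,rw
/vol/vol0/home  -sec=sys,ro
/vol/vol1       -sec=sys,rw=10.45.67.0/24
/vol/vol1/data  -sec=sys,rw=10.45.67.0/24
"""  # constructed listing, not taken from a real system

def parse_exports(text):
    """Return {exported path: {option: value, or None for a bare option}}."""
    exports = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)  # drop comments
        if not parts:
            continue
        opts = {}
        for opt in (parts[1].lstrip("-").split(",") if len(parts) > 1 else []):
            key, sep, val = opt.strip().partition("=")
            opts[key] = val if sep else None
        exports[parts[0]] = opts
    return exports

def is_under(ancestor, path):
    """True if path equals ancestor or lies below it (whole components only)."""
    return path == ancestor or path.startswith(ancestor.rstrip("/") + "/")

def governing_export(exports, mount_path):
    """Exported path with the longest matching prefix for mount_path."""
    return max((p for p in exports if is_under(p, mount_path)),
               key=len, default=None)

def open_level(opts):
    """2 = read-write for all hosts, 1 = read-only for all hosts, 0 = lists only."""
    if "rw" not in opts and "ro" not in opts:
        return 2  # conservative assumption: no access option means unrestricted
    if "rw" in opts and opts["rw"] is None:
        return 2
    return 1 if "ro" in opts and opts["ro"] is None else 0

def weaker_ancestors(exports):
    """(ancestor, child) pairs where the ancestor grants all hosts more access."""
    return sorted((anc, child)
                  for child, copts in exports.items()
                  for anc, aopts in exports.items()
                  if anc != child and is_under(anc, child)
                  and open_level(aopts) > open_level(copts))

if __name__ == "__main__":
    rules = parse_exports(SAMPLE_EXPORTS)
    print(governing_export(rules, "/vol/vol0/home/user1"))
    print(weaker_ancestors(rules))
```

The check compares only what each rule grants to all hosts, so it catches the rw-over-ro case from the paragraph above; comparing client lists against each other would need the full rule syntax from na_exports(5).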

Managing the access cache
Whenever an NFS client attempts to access an exported file system path, Data ONTAP checks the access cache for an entry corresponding to (1) the file system path and (2) the NFS client's IP address, access type, and security type. If an entry exists, Data ONTAP grants or denies access according to the value of the entry. If an entry does not exist, Data ONTAP grants or denies access according to the result of a comparison between (1) the file system path's export options and (2) the NFS client's host name, access type, and security type. In this case, Data ONTAP looks up the client's host name (for example, Data ONTAP performs a reverse DNS lookup) and adds a new entry to the access cache. To manually add access cache entries, use the -c option.

Note: The access cache associates an NFS client's access rights with its IP address. Therefore, changes to an NFS client's host name will not change its access rights until the access cache is flushed. Data ONTAP automatically flushes an access cache entry when (1) its corresponding file system path is exported or unexported or (2) it expires. To control the expiration of access cache entries, set the nfs.export.harvest.timeout, nfs.export.neg.timeout, and nfs.export.pos.timeout options. For more information about these options, see na_options(1). To manually flush access cache entries, use the -f option.

Running exportfs on a vFiler unit
To run exportfs on a vFiler (TM) unit, use the vfiler run command. All paths you specify must belong to the vFiler unit. In addition, all IP addresses you specify must be in the vFiler unit's ipspace. For more information, see na_vfiler(1).

Debugging mount and access problems
To debug mount and access problems, (1) temporarily set the nfs.mountd.trace option to on and (2) monitor related messages that Data ONTAP displays and logs in the /etc/messages file. Some common access problems include:

* Data ONTAP cannot determine an NFS client's host name because it does not have a reverse DNS entry for it. Add the NFS client's host name to the DNS, NIS or the /etc/hosts file. Note: Data ONTAP cannot resolve an IPv6 address to multiple host names (including aliases) when doing a reverse host name lookup.

* The root volume is exported with a file system path consisting of a single forward slash (/), which misleads some automounters. Export the file system path using a different file system path name.

Exporting Origin Node for FlexCache
Exporting a volume using the /etc/exports file does not affect whether the volume is available to a FlexCache volume. To enable a volume to be a FlexCache origin volume, use the flexcache.access option.

EXAMPLES

Exporting file system paths
Each of the following commands exports /vol/vol0 to all hosts for read-write access:

  exportfs -p /vol/vol0
  exportfs -io rw /vol/vol0

Each of the following commands exports /vol/vol0 to all hosts for read-only access:

  exportfs -p ro /vol/vol0
  exportfs -io ro /vol/vol0

Each of the following commands exports /vol/vol0 to all hosts on the 10.45.67.0 subnet with the 255.255.255.0 netmask for read-write access:

  exportfs -io rw=10.45.67.0/24 /vol/vol0
  exportfs -io rw="network 10.45.67.0 netmask 255.255.255.0" /vol/vol0
  exportfs -io rw="10.45.67.0 255.255.255.0" /vol/vol0

The following command exports /vol/vol0 to all hosts in the FC21:71BE:B265:5204::49/64 subnet for read-write access and to the NFS client with an IPv6 address of F6C3:430A:B194:5CDA:6A91::83 for root access:

  exportfs -io rw=[FC21:71BE:B265:5204::49]/64,\
            root=[F6C3:420A:B194:5CDA:6A91::83] /vol/vol0

The following command exports /vol/vol0 to the hosts in the trusted netgroup for root access, the hosts in the friendly netgroup for read-write access, and all other hosts for read-only access:

  exportfs -io ro,root=@trusted,rw=@friendly /vol/vol0

The following command exports all file system paths specified in the /etc/exports file:

  exportfs -a

The following command exports all file system paths specified in the /etc/exports file and unexports all file system paths not specified in the /etc/exports file:

  exportfs -r

Unexporting file system paths
The following command unexports /vol/vol0:

  exportfs -u /vol/vol0

The following command unexports /vol/vol0 and removes its export entry from the /etc/exports file:

  exportfs -z /vol/vol0

The following command unexports all file system paths:

  exportfs -ua

Displaying exported file system paths
The following command displays all exported file system paths and their corresponding export options:

  exportfs

The following command displays the export options for /vol/vol0:

  exportfs -q /vol/vol0

Enabling and disabling fencing
Suppose /vol/vol0 is exported with the following export options:

  -rw=pig:horse:cat:dog,ro=duck,anon=0

The following command enables fencing of cat from /vol/vol0:

  exportfs -b enable save cat /vol/vol0

Note: cat moves to the front of the ro= list for /vol/vol0:

  -rw=pig:horse:dog,ro=cat:duck,anon=0

The following command disables fencing of cat from /vol/vol0:

  exportfs -b disable save cat /vol/vol0

Note: cat moves to the front of the rw= list for /vol/vol0:

  -rw=cat:pig:horse:dog,ro=duck,anon=0

Checking an NFS client's access rights
The following command checks whether an NFS client with an IPv4 address of 192.168.208.51 and a security type of sys can mount /vol/vol0:

  exportfs -c 192.168.208.51 /vol/vol0

The following command checks whether an NFS client with an IPv4 address of 192.168.208.51 and a security type of none has read-only access to /vol/vol0:

  exportfs -c 192.168.208.51 /vol/vol0 ro none

The following command checks whether NFS clients with IP addresses 10.21.121.45 and 10.102.168.76 can mount /vol/vol0 with a security type of sys:

  exportfs -c 10.21.121.45:10.102.168.76 /vol/vol0

Flushing entries from the access cache
The following command flushes all entries from the access cache:

  exportfs -f

The following command flushes all entries for /vol/vol0 from the access cache:

  exportfs -f /vol/vol0

The following command flushes the entry whose IP address is 1234:AD19:B23F:23F3::23 from the access cache:

  exportfs -f -n [1234:AD19:B23F:23F3::23]

The following command flushes the entry corresponding to the host client1 for /vol/vol0 from the access cache:

  exportfs -f -n client1 /vol/vol0

Displaying an actual file system path
The following example displays the actual file system path corresponding to /vol/vol0:

  exportfs -s /vol/vol0

Note: The actual file system path will be the same as the exported file system path unless the file system path was exported with the -actual option.

Saving file system paths
The following example saves the file system paths and export options for all currently and recently exported file paths into /etc/exports.recent:

  exportfs -w /etc/exports.recent

SEE ALSO

na_ipspace(1), na_options(1), na_vfiler(1), na_exports(5), na_hosts(5), na_netgroup(5), na_passwd(5)

