An export entry has the following syntax:
path -option[,option...]
actual=path
Specifies the actual file system path corresponding to the
exported file system path. You can use this option to
move files to new locations without requiring NFS clients
to mount new file system paths. The actual file system
path you specify must exist. You cannot specify an
exported file system path that consists of a single
forward slash (/), which would mislead some automounters.
Note: NFSv4 clients will not see an exported path using
the actual option unless the export path is only one level
deep and is not /vol.
anon=uid|name
Specifies the effective user ID (or name) of all anonymous
or root NFS client users that access the file system path.
An anonymous NFS client user is an NFS client user that
does not provide valid NFS credentials; a root NFS client
user is an NFS client user with a user ID of 0. Data
ONTAP determines a user's file access permissions by
checking the user's effective user ID against the NFS
server's /etc/passwd file. By default, the effective user
ID of all anonymous and root NFS client users is 65534.
To disable root access by anonymous and root NFS client
users, set the anon option to 65535. To grant root user
access to all anonymous and root NFS client users, set the
anon option to 0.
nosuid
Disables creation of setuid and setgid executable files
and mknod commands on the file system path. Unless the
file system is a root partition of a diskless NFS client,
you should set the nosuid option to prevent NFS client
users from creating setuid executable files and device
nodes that careless or cooperating NFS server users could
use to gain root access. Pre-existing setuid and setgid
executable files will continue to function as intended.
ro | ro=clientid[:clientid...]
Specifies which NFS clients have read-only access to the
file system path. To give all NFS clients read-only
access, specify the ro option. Otherwise, specify the ro=
option followed by a colon-delimited list of NFS client
identifiers. To exclude NFS clients from the list,
prepend the NFS client identifiers with a minus sign (-).
Unless you specify the ro, ro=, or rw= option, Data ONTAP
uses the rw option, giving all NFS clients read-write
access to the file system path.
rw | rw=clientid[:clientid...]
Specifies which NFS clients have read-write access to the
file system path. To give all NFS clients read-write
access, specify the rw option. Otherwise, specify the rw=
option followed by a colon-delimited list of NFS client
identifiers. To exclude NFS clients from the list,
prepend the NFS client identifiers with a minus sign (-).
Unless you specify the ro, ro=, or rw= option, Data ONTAP
uses the rw option, giving all NFS clients read-write
access to the file system path. Note: Unlike in Data
ONTAP releases prior to 6.5, if you specify the rw=
option, Data ONTAP does not use the ro option as the
default for all other NFS clients.
root=clientid[:clientid...]
Specifies which NFS clients have root access to the file
system path. If you specify the root= option, you must
specify at least one NFS client identifier. To exclude
NFS clients from the list, prepend the NFS client
identifiers with a minus sign (-).
sec=sectype[:sectype...]
Specifies the security types that an NFS client must
support to access the file system path. To apply the
security types to all types of access, specify the sec=
option once. To apply the security types to specific
types of access (anonymous, non-super user, read-only,
read-write, or root), specify the sec= option at least
twice, once before each access type to which it applies
(anon, nosuid, ro, rw, or root, respectively). Note: You
cannot apply the same security type to more than one
access type. By default, an NFS client must support the
sys security type to access a file system path.
Specify any combination of the following security types as a colon-delimited list:
Specifying an NFS client identifier
To specify which NFS clients have read-only, read-write,
and root access to a file system path (using the ro=, rw=,
and root= options, respectively), you must specify an NFS
client identifier. An NFS client identifier is a host
name, netgroup name, IP address, subnet, or DNS domain.
A host name is an alphanumeric string associated with an IP address. Data ONTAP uses the first definition that it finds in the /etc/hosts file, searching the NIS, LDAP, DNS, and local versions in the order specified in the /etc/nsswitch.conf file.
A netgroup name is an alphanumeric string associated with a group of host names. Data ONTAP uses the first definition that it finds in the /etc/netgroup file, searching the NIS, DNS, and local versions in the order specified in the /etc/nsswitch.conf file. Note: DNS does not support netgroups.
To specify that a name is a netgroup name, not a host name, thus preventing Data ONTAP from searching the /etc/hosts file unnecessarily, prepend the name with an "at" (@) character.
To specify that all netgroup names begin with an "at" (@) character, thus preventing Data ONTAP from searching the /etc/hosts or /etc/netgroup file unnecessarily, set the nfs.netgroup.strict option to on. For more information, see na_options(1).
Note: If a name is defined as both a host name and a netgroup name, Data ONTAP assumes the name is a host name.
An IP address uniquely identifies a machine on an IP network. For IPv4, a machine IP is in dotted decimal format (AAA.BBB.CCC.DDD), and for IPv6, a machine IP is of the form [AAAA:BBBB:CCCC:DDDD::FFFF]. For example:
104.342.403.224 (IPv4)
BA32:235C:5D24:23F::32 (IPv6)
subnetaddr/subnetbits
You can also use the following long form, but Data ONTAP automatically converts this long form to the short form:
[networkaddr] subnetaddr [subnetmask] subnetmask
A DNS domain is an alphanumeric value starting with a period (.) that identifies a group of machines. For example:
.frogs.fauna.mycompany.com
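As an added illustration (not part of the original manual page or any NetApp tool), the following Python example splits the value of an ro=, rw=, or root= option into client identifiers and classifies each one by the rules above. The function names and the strict parameter, which mirrors nfs.netgroup.strict, are hypothetical; IPv6 addresses are assumed to be written in brackets so that their colons are not mistaken for list delimiters.

```python
import re

# One identifier: optional "-" exclusion, then either a bracketed IPv6
# address (optionally followed by /bits) or any run of non-colon characters.
_TOKEN = re.compile(r"-?\[[^\]]*\](?:/\d+)?|[^:]+")
_IPV4 = re.compile(r"\d+(\.\d+){3}")

def classify(ident, strict=False):
    """Return (kind, excluded) for one NFS client identifier."""
    excluded = ident.startswith("-")          # minus sign excludes the client
    name = ident[1:] if excluded else ident
    if name.startswith("@"):
        kind = "netgroup"
    elif name.startswith("."):
        kind = "dns-domain"
    elif "/" in name:
        kind = "subnet"                       # subnetaddr/subnetbits short form
    elif name.startswith("[") or _IPV4.fullmatch(name):
        kind = "ip-address"
    elif strict:
        kind = "host"                         # strict: netgroups must start with "@"
    else:
        kind = "host-or-netgroup"             # bare name: looked up as host first
    return kind, excluded

def client_list(value, strict=False):
    """Split a colon-delimited client list and classify every identifier."""
    return [(tok,) + classify(tok, strict) for tok in _TOKEN.findall(value)]

if __name__ == "__main__":
    # Constructed option values built from identifiers used on this page.
    for value in ("@pets:-@workers",
                  "[A1C0:4C34:5D32:6F34::1]/64",
                  "[BA32:235C:5D24:23F::32]:10.56.17.5",
                  "horse:.frogs.fauna.mycompany.com:10.56/16"):
        for token, kind, excluded in client_list(value):
            print(f"{token:32} {kind:17} excluded={excluded}")
```

Bare names reported as host-or-netgroup are the ones worth reviewing, since their meaning depends on name-service lookups rather than on the export entry itself.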
Enabling automatic updating
If the nfs.export.auto-update option is on, Data ONTAP
updates the /etc/exports file automatically when you
create, rename, or destroy a volume. In this case, when
you create a volume, if an administration host is defined,
Data ONTAP adds the following export entry to the
/etc/exports file:
path -sec=sys,root=adminhostid,nosuid
path -sec=sys,rw,nosuid
If the nfs.export.auto-update option is off, Data ONTAP does not update the /etc/exports file automatically when you create, rename, or destroy a volume; instead, it adds a message to the system log that notifies you to update the /etc/exports file manually.
Specifying ro, ro=, rw, and rw=
The following sections describe how to specify the ro,
ro=, rw, and rw= options given their defaults, invalid
combinations, and order of precedence.
Defaults:
* If you do not specify the ro, ro=, or rw= option, Data ONTAP uses the rw option by default.
* Unlike in Data ONTAP releases prior to 6.5, if you specify a list of NFS clients with read-write access using the rw= option, Data ONTAP does not use the ro option as the default for all other NFS clients.
Invalid combinations:
* You cannot specify the ro option with the ro= option.
* You cannot specify the rw option with the rw= option.
* You cannot exclude an NFS client identifier from the ro= or rw= option and include the same NFS client identifier in the other option.
Order of precedence:
* The ro option takes precedence over the rw option.
* The ro= option takes precedence over the rw option.
* The rw= option takes precedence over the ro option.
* The ro= option takes precedence over the rw= option.
* A host name or IP address in the ro= or rw= option takes precedence over a netgroup, subnet, or domain in the other option.
* Host names and IP addresses take precedence from left to right within an option.
Upgrading the /etc/exports file
Whenever you invoke the exportfs command to export file
systems specified in the /etc/exports file (for example,
whenever you invoke exportfs -a or exportfs -r), Data
ONTAP automatically upgrades the /etc/exports file to a
format compatible with the current Data ONTAP release.
Data ONTAP no longer supports the access option; therefore, Data ONTAP automatically converts all export entries containing an access option to an equivalent export entry containing the ro= or rw= option.
For example, if an export entry uses the access option to specify that an NFS client has read-write access:
/vol/vol0 -access=hostname
/vol/vol0 -rw=hostname
Similarly, if an export entry uses the access option to specify that an NFS client has read-only access:
/vol/vol0 -access=hostname,ro
/vol/vol0 -ro=hostname
/vol/vol0 -rw="network 10.45.67.0 netmask 255.255.255.0"
/vol/vol0 -rw=10.45.67.0/24
Upgrade examples
Old:
/vol/vol0 -anon=0
/vol/vol0 -rw,anon=0
/vol/vol0 -access=pets:workers:alligator:mule,rw=dog:cat:skunk:pig:horse:ox:mule
/vol/vol0 -ro=pets:workers:alligator,rw=dog:cat:skunk:pig:horse:ox:mule
/vol/vol1 -ro=pets:workers:alligator,rw=pets:workers
/vol/vol1 -ro=alligator,rw=@pets:@workers
When you run the exportfs -d 6.5 command, Data ONTAP:
* Removes all "at" (@) symbols, which denote netgroups.
* Consolidates multiple security contexts into one security context. If the ro and/or rw options exist in any security context, Data ONTAP removes the ro= and rw= options, respectively, from the other security contexts. Data ONTAP merges security contexts from left to right.
When you run the exportfs -d 6.4 command, Data ONTAP:
* Reverts the /etc/exports file to a format compatible with the Data ONTAP 6.5 release (see above).
* Replaces anon=clientid with anon=uid.
* Removes nosuid.
* Removes all domain names, each of which starts with a period (.).
* Removes all excluded NFS client identifiers, each of which starts with a minus sign (-).
* Removes the rw option.
* Replaces rw=clientid,ro with rw=clientid.
* Replaces rw=clientidX,ro=clientidY with access=clientidX+clientidY,rw=clientidX.
* Removes ro=clientid,rw.
Note: This access restriction cannot be expressed in a format that is compatible with the Data ONTAP 6.4 release.
* Replaces ro=clientid with access=clientid,ro.
* Replaces rw=clientid with access=clientid,rw=clientid.
Note: After running the exportfs -d 6.4 command, you must manually edit all rw= and root= options in the /etc/exports file to:
* Replace netgroup names with the host names.
* Reduce the number of host names to less than 255.
* Reduce the number of characters to 4,096 or less.
When reverting the /etc/exports file, Data ONTAP displays messages on the console notifying you of any export entries that require manual editing.
Managing duplicate entries
Data ONTAP processes export entries in sequential order,
using only the last export entry in the /etc/exports file
for a specific file system path. Therefore, you should
not add multiple export entries for the same file system
path, whether exported or actual, to the /etc/exports
file.
For example, if you add the following export entries to the /etc/exports file:
/vol/vol0/ -ro
/vol/vol0/ -rw
And, if you add the following export entries to the /etc/exports file:
/vol/vol1/ -actual=/vol/vol0,ro
/vol/vol2/ -actual=/vol/vol0,rw
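An added example (not from the manual page or from NetApp): a Python audit of /etc/exports text that applies rules stated on this page, namely the rw default, anon=0, the nosuid recommendation, the invalid ro/ro= and rw/rw= combinations, and the last-entry-wins handling of duplicate exported or actual paths. It assumes one entry per line in the short form shown here and treats each entry as a single security context; the function names and sample entries are constructed.

```python
# Constructed sample /etc/exports content for the demonstration.
SAMPLE = """\
/vol/vol0 -sec=sys,rw,anon=0
/vol/vol1 -ro,ro=adminhost,nosuid
/vol/vol2/ -actual=/vol/vol0,ro,nosuid
/vol/vol3 -sec=sys,rw=adminhost,root=adminhost,nosuid
"""

def parse(text):
    """Yield (line number, exported path, {option: value}) per export entry."""
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        path, _, rest = line.strip().partition(" -")
        opts = {}
        for item in rest.split(","):
            name, eq, value = item.strip().partition("=")
            opts[name + eq] = value          # "ro" and "ro=" stay distinct keys
        yield n, path.rstrip("/") or "/", opts

def audit(text):
    """Return sorted (line number, finding) pairs for one exports file."""
    findings, owner = [], {}
    for n, path, opts in parse(text):
        # Without ro, ro= or rw=, the rw option applies to every client.
        if not {"ro", "ro=", "rw="} & opts.keys():
            findings.append((n, "read-write for all NFS clients"))
        if opts.get("anon=") == "0":
            findings.append((n, "anon=0 grants root to anonymous and root users"))
        if "nosuid" not in opts:
            findings.append((n, "nosuid not set"))
        for bare in ("ro", "rw"):
            if bare in opts and bare + "=" in opts:
                findings.append((n, f"invalid: {bare} combined with {bare}="))
        # Only the last entry for a path is used, whether exported or actual.
        for key in {path, opts.get("actual=", path).rstrip("/")}:
            if key in owner:
                findings.append((owner[key], f"superseded by line {n} for {key}"))
            owner[key] = n
    return sorted(set(findings))

if __name__ == "__main__":
    for lineno, message in audit(SAMPLE):
        print(f"line {lineno}: {message}")
```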
Debugging mount and access problems
For information about debugging mount and access problems,
see na_exportfs(1).
farm pets livestock workers
pets (dog,,) (cat,,) (pig,,) (parrot,,)
livestock (cow,,) (pig,,) (chicken,,) (ostrich,,)
workers (dog,,) (horse,,) (ox,,) (mule,,)
predators (coyote,,) (puma,,) (fox,,) (crow,,)
/vol/vol0 -anon=0,rw=horse
The following example exports /vol/vol0 to horse for read-write access and all other NFS clients for read-only access:
/vol/vol0 -anon=0,ro,rw=horse
/vol/vol0 -ro=@workers,rw=@farm
/vol/vol0 -rw=@farm,ro=@workers
/vol/vol0 -rw=@farm:-@workers
The following example exports /vol/vol0 to pets for read-write access and livestock for read-only access, but denies access to workers:
/vol/vol0 -rw=@pets:-@workers,ro=@livestock
/vol/vol0 -ro=10.56.17/24,rw=10.56/16
/vol/vol0 -ro=[A1C0:4C34:5D32:6F34::1]/64,rw=[BA32:235C:5D24:23F::32]
/vol/vol0 -ro=10.56.17/24,rw=10.56.17.5:10.56.17.6
/vol/vol0 -ro=.frogs.fauna.mycompany.com,rw=.fauna.mycompany.com
For example, suppose cat, which belongs to the farm and pets netgroups, requests read-write access to /vol/vol0.
Data ONTAP grants cat read-write access if you specify the following export entry:
/vol/vol0 -ro,rw=@farm:-@pets
/vol/vol0 -ro,rw=-@pets:@farm
Specifying an actual path
The following example exports /vol/vol0/home/user1 as
/vol/vol0/user1 to NFSv2/v3 clients for read-write access:
/vol/vol0/user1 -actual=/vol/vol0/home/user1,sec=sys,rw
/myhome -actual=/vol/vol0/home,sec=sys,rw
/vol/vol0 -sec=sys,rw,anon=65535
/vol/vol0 -sec=sys,rw,anon=100
/vol/vol0 -sec=sys,rw,anon=0
/vol/vol0 -sec=sys,rw,root=adminhost
/vol/vol0 -sec=sys,rw,root=adminhost,nosuid
/vol/vol0 -ro=.farm.mycompany.com,sec=krb5,rw
/vol/vol0 -sec=sys:none,rw,sec=krb5:krb5i:krb5p,rw,anon=0
/etc/netgroup Maps group names to hosts.
/etc/nsswitch.conf Specifies the order in which Data ONTAP searches local, NIS, DNS, and LDAP files.
/etc/passwd Specifies user information.