
NAME

na_exports - A list of export entries for all file system paths that Data ONTAP exports automatically when NFS starts up.

SYNOPSIS

/etc/exports

DESCRIPTION

The /etc/exports file contains a list of export entries for all file system paths that Data ONTAP exports automatically when NFS starts up. The /etc/exports file can contain up to 10,240 export entries. Each export entry can contain up to 4,096 characters, including the end-of-line character. To specify that an export entry continues onto the next line, you must use the line continuation character "\".

An export entry has the following syntax:

  path -option[,option...]

where path is a file system path (for example, a path to a volume, directory, or file) and option is one of the following export options:

actual=path
Specifies the actual file system path corresponding to the exported file system path. You can use this option to move files to new locations without requiring NFS clients to mount new file system paths. The actual file system path you specify must exist. You cannot specify an exported file system path that consists of a single forward slash (/), which would mislead some automounters. Note: NFSv4 clients will not see an exported path using the actual option unless the export path is only one level deep and is not /vol.

anon=uid|name
Specifies the effective user ID (or name) of all anonymous or root NFS client users that access the file system path. An anonymous NFS client user is an NFS client user that does not provide valid NFS credentials; a root NFS client user is an NFS client user with a user ID of 0. Data ONTAP determines a user's file access permissions by checking the user's effective user ID against the NFS server's /etc/passwd file. By default, the effective user ID of all anonymous and root NFS client users is 65534. To disable root access by anonymous and root NFS client users, set the anon option to 65535. To grant root user access to all anonymous and root NFS client users, set the anon option to 0.

nosuid
Disables creation of setuid and setgid executable files and mknod commands on the file system path. Unless the file system is a root partition of a diskless NFS client, you should set the nosuid option to prevent NFS client users from creating setuid executable files and device nodes that careless or cooperating NFS server users could use to gain root access. Pre-existing setuid and setgid executable files will continue to function as intended.

ro | ro=clientid[:clientid...]
Specifies which NFS clients have read-only access to the file system path. To give all NFS clients read-only access, specify the ro option. Otherwise, specify the ro= option followed by a colon-delimited list of NFS client identifiers. To exclude NFS clients from the list, prepend the NFS client identifiers with a minus sign (-). Unless you specify the ro, ro=, or rw= option, Data ONTAP uses the rw option, giving all NFS clients read-write access to the file system path.

rw | rw=clientid[:clientid...]
Specifies which NFS clients have read-write access to the file system path. To give all NFS clients read-write access, specify the rw option. Otherwise, specify the rw= option followed by a colon-delimited list of NFS client identifiers. To exclude NFS clients from the list, prepend the NFS client identifiers with a minus sign (-). Unless you specify the ro, ro=, or rw= option, Data ONTAP uses the rw option, giving all NFS clients read-write access to the file system path. Note: Unlike in Data ONTAP releases prior to 6.5, if you specify the rw= option, Data ONTAP does not use the ro option as the default for all other NFS clients.

root=clientid[:clientid...]
Specifies which NFS clients have root access to the file system path. If you specify the root= option, you must specify at least one NFS client identifier. To exclude NFS clients from the list, prepend the NFS client identifiers with a minus sign (-).

sec=sectype[:sectype...]
Specifies the security types that an NFS client must support to access the file system path. To apply the security types to all types of access, specify the sec= option once. To apply the security types to specific types of access (anonymous, non-super user, read-only, read-write, or root), specify the sec= option at least twice, once before each access type to which it applies (anon, nosuid, ro, rw, or root, respectively). Note: You cannot apply the same security type to more than one access type. By default, an NFS client must support the sys security type to access a file system path.

Specify any combination of the following security types as a colon-delimited list:

none
No security. Data ONTAP treats all of the NFS client's users as anonymous users.

sys
Standard UNIX (AUTH_SYS) authentication. Data ONTAP checks the NFS credentials of all of the NFS client's users, applying the file access permissions specified for those users in the NFS server's /etc/passwd file. This is the default security type.

krb5
Kerberos(tm) Version 5 authentication. Data ONTAP uses data encryption standard (DES) key encryption to authenticate the NFS client's users.

krb5i
Kerberos(tm) Version 5 integrity. In addition to authenticating the NFS client's users, Data ONTAP uses message authentication codes (MACs) to verify the integrity of the NFS client's remote procedure requests and responses, thus preventing "man-in-the-middle" tampering.

krb5p
Kerberos(tm) Version 5 privacy. In addition to authenticating the NFS client's users and verifying data integrity, Data ONTAP encrypts NFS arguments and results to provide privacy.

Note: Before specifying the krb5, krb5i, or krb5p option, you must enable Kerberos V5 security using the nfs setup command. For more information, see na_nfs(1).

Specifying an NFS client identifier
To specify which NFS clients have read-only, read-write, and root access to a file system path (using the ro=, rw=, and root= options, respectively), you must specify an NFS client identifier. An NFS client identifier is a host name, netgroup name, IP address, subnet, or DNS domain.

A host name is an alphanumeric string associated with an IP address. Data ONTAP uses the first definition that it finds in the /etc/hosts file, searching the NIS, LDAP, DNS, and local versions in the order specified in the /etc/nsswitch.conf file.

A netgroup name is an alphanumeric string associated with a group of host names. Data ONTAP uses the first definition that it finds in the /etc/netgroup file, searching the NIS, DNS, and local versions in the order specified in the /etc/nsswitch.conf file. Note: DNS does not support netgroups.

To specify that a name is a netgroup name, not a host name, thus preventing Data ONTAP from searching the /etc/hosts file unnecessarily, prepend the name with an "at" (@) character.

To specify that all netgroup names begin with an "at" (@) character, thus preventing Data ONTAP from searching the /etc/hosts or /etc/netgroup file unnecessarily, set the nfs.netgroup.strict option to on. For more information, see na_options(1).

Note: If a name is defined as both a host name and a netgroup name, Data ONTAP assumes the name is a host name.

An IP address uniquely identifies a machine on an IP network. For IPv4, a machine IP address is in dotted decimal format (AAA.BBB.CCC.DDD), and for IPv6, a machine IP address is of the form [AAAA:BBBB:CCCC:DDDD::FFFF]. For example:

  104.342.403.224 (IPv4)
  BA32:235C:5D24:23F::32 (IPv6)

A subnet is a group of machines that share a common network. To specify a subnet, use the following short form:

  subnetaddr/subnetbits

where subnetaddr is the subnet IP address and subnetbits is the number of bits in the subnet mask.

You can also use the following long form, but Data ONTAP automatically converts this long form to the short form:

  [networkaddr] subnetaddr [subnetmask] subnetmask

where networkaddr is the network IP address, subnetaddr is the subnet IP address, and subnetmask is the subnet mask.

A DNS domain is an alphanumeric value starting with a period (.) that identifies a group of machines. For example:

   .frogs.fauna.mycompany.com

EXTENDED DESCRIPTION

To edit the /etc/exports file, you must either use a text editor on an NFS client that has root access to the storage system or run the exportfs command with the -b, -p, or -z option on the storage system command line.

Enabling automatic updating
If the nfs.export.auto-update option is on, Data ONTAP updates the /etc/exports file automatically when you create, rename, or destroy a volume. In this case, when you create a volume, if an administration host is defined, Data ONTAP adds the following export entry to the /etc/exports file:

  path -sec=sys,root=adminhostid,nosuid

If an administration host is not defined, Data ONTAP adds the following entry to the /etc/exports file:

  path -sec=sys,rw,nosuid

When you rename a volume, Data ONTAP automatically replaces the old volume name, wherever it appears in the /etc/exports file, with the new volume name. When you delete a volume, Data ONTAP removes all corresponding entries from the /etc/exports file.

If the nfs.export.auto-update option is off, Data ONTAP does not update the /etc/exports file automatically when you create, rename, or destroy a volume; instead, it adds a message to the system log that notifies you to update the /etc/exports file manually.

Specifying ro, ro=, rw, and rw=
The following sections describe how to specify the ro, ro=, rw, and rw= options given their defaults, invalid combinations, and order of precedence.

Defaults:

* If you do not specify the ro, ro=, or rw= option, Data ONTAP uses the rw option by default.

* Unlike in Data ONTAP releases prior to 6.5, if you specify a list of NFS clients with read-write access using the rw= option, Data ONTAP does not use the ro option as the default for all other NFS clients.

Invalid combinations:

* You cannot specify the ro option with the ro= option.

* You cannot specify the rw option with the rw= option.

* You cannot exclude an NFS client identifier from the ro= or rw= option and include the same NFS client identifier in the other option.

Order of precedence:

* The ro option takes precedence over the rw option.

* The ro= option takes precedence over the rw option.

* The rw= option takes precedence over the ro option.

* The ro= option takes precedence over the rw= option.

* A host name or IP address in the ro= or rw= option takes precedence over a netgroup, subnet, or domain in the other option.

* Host names and IP addresses take precedence from left to right within an option.

Upgrading the /etc/exports file
Whenever you invoke the exportfs command to export file systems specified in the /etc/exports file (for example, whenever you invoke exportfs -a or exportfs -r), Data ONTAP automatically upgrades the /etc/exports file to a format compatible with the current Data ONTAP release.

Data ONTAP no longer supports the access option; therefore, Data ONTAP automatically converts all export entries containing an access option to an equivalent export entry containing the ro= or rw= option.

For example, if an export entry uses the access option to specify that an NFS client has read-write access:

  /vol/vol0 -access=hostname

Data ONTAP upgrades the export entry to use the rw= option instead:

  /vol/vol0 -rw=hostname

Note: Unlike in Data ONTAP releases prior to 6.5, if you specify the rw= option, Data ONTAP does not use the ro option as the default for all other NFS clients.

Similarly, if an export entry uses the access option to specify that an NFS client has read-only access:

  /vol/vol0 -access=hostname,ro

Data ONTAP upgrades the export entry to use the ro= option instead:

  /vol/vol0 -ro=hostname

In addition, if an export entry specifies subnets in long form:

  /vol/vol0 -rw="network 10.45.67.0 netmask 255.255.255.0"

Data ONTAP upgrades them to short form:

  /vol/vol0 -rw=10.45.67.0/24

Note: Data ONTAP always preserves the ordering of NFS client identifiers within an option. Also, upgrading has no effect on the root=, rw=, and ro= options because their formatting has not changed.

Upgrade examples
Old:

  /vol/vol0 -anon=0

New:

  /vol/vol0 -rw,anon=0

Old:

  /vol/vol0 -access=pets:workers:alligator:mule,rw=dog:cat:skunk:pig:horse:ox:mule

New:

  /vol/vol0 -ro=pets:workers:alligator,rw=dog:cat:skunk:pig:horse:ox:mule

This can be rewritten as:

  /vol/vol1 -ro=pets:workers:alligator,rw=pets:workers

And should be:

  /vol/vol1 -ro=alligator,rw=@pets:@workers

Reverting the /etc/exports file
To revert the /etc/exports file to a format compatible with the Data ONTAP 6.5 or 6.4 release, run the exportfs -d 6.5 command or exportfs -d 6.4 command, respectively.

When you run the exportfs -d 6.5 command, Data ONTAP:

* Removes all "at" (@) symbols, which denote netgroups.

* Consolidates multiple security contexts into one security context. If the ro and/or rw options exist in any security context, Data ONTAP removes the ro= and rw= options, respectively, from the other security contexts. Data ONTAP merges security contexts from left to right.

When you run the exportfs -d 6.4 command, Data ONTAP:

* Reverts the /etc/exports file to a format compatible with the Data ONTAP 6.5 release (see above).

* Replaces anon=clientid with anon=uid.

* Removes nosuid.

* Removes all domain names, each of which starts with a period (.).

* Removes all excluded NFS client identifiers, each of which starts with a minus sign (-).

* Removes the rw option.

* Replaces rw=clientid,ro with rw=clientid.

* Replaces rw=clientidX,ro=clientidY with access=clientidX+clientidY,rw=clientidX.

* Removes ro=clientid,rw.

Note: This access restriction cannot be expressed in a format that is compatible with the Data ONTAP 6.4 release.

* Replaces ro=clientid with access=clientid,ro.

* Replaces rw=clientid with access=clientid,rw=clientid.

Note: After running the exportfs -d 6.4 command, you must manually edit all rw= and root= options in the /etc/exports file to:

* Replace netgroup names with the host names.

* Reduce the number of host names to less than 255.

* Reduce the number of characters to 4,096 or less.

When reverting the /etc/exports file, Data ONTAP displays messages on the console notifying you of any export entries that require manual editing.

Managing duplicate entries
Data ONTAP processes export entries in sequential order, using only the last export entry in the /etc/exports file for a specific file system path. Therefore, you should not add multiple export entries for the same file system path, whether exported or actual, to the /etc/exports file.

For example, if you add the following export entries to the /etc/exports file:

  /vol/vol0/ -ro
  /vol/vol0/ -rw

Data ONTAP exports /vol/vol0 to all NFS clients for read-write access.

And, if you add the following export entries to the /etc/exports file:

  /vol/vol1/ -actual=/vol/vol0,ro
  /vol/vol2/ -actual=/vol/vol0,rw

Data ONTAP exports /vol/vol2/ to all NFS clients for read-write access, mapping it internally to /vol/vol0. Data ONTAP does not export /vol/vol1/.

Debugging mount and access problems
For information about debugging mount and access problems, see na_exportfs(1).

EXAMPLES

For the following examples, assume the /etc/netgroup file contains the following entries:

  farm pets livestock workers
  pets (dog,,) (cat,,) (pig,,) (parrot,,)
  livestock (cow,,) (pig,,) (chicken,,) (ostrich,,)
  workers (dog,,) (horse,,) (ox,,) (mule,,)
  predators (coyote,,) (puma,,) (fox,,) (crow,,)

Read and write access: netgroups
The following example exports /vol/vol0 to horse for read-write access:

  /vol/vol0 -anon=0,rw=horse

Note: Unlike in Data ONTAP releases prior to 6.5, all other NFS clients do not get read-only access.

The following example exports /vol/vol0 to horse for read-write access and all other NFS clients for read-only access:

  /vol/vol0 -anon=0,ro,rw=horse

Each of the following examples exports /vol/vol0 to workers (dog, horse, ox, and mule) for read-only access and all remaining farm animals for read-write access:

  /vol/vol0 -ro=@workers,rw=@farm
  /vol/vol0 -rw=@farm,ro=@workers

The following example exports /vol/vol0 to all NFS clients except workers for read-write access:

  /vol/vol0 -rw=@farm:-@workers

Note: The workers do not have any access at all.

The following example exports /vol/vol0 to pets for read-write access and livestock for read-only access, but denies access to workers:

  /vol/vol0 -rw=@pets:-@workers,ro=@livestock

Read and write access: subnets
The following example exports /vol/vol0 to all NFS clients in the 10.56/16 subnet for read-write access and all NFS clients in the 10.56.17/24 subnet for read-only access:

  /vol/vol0 -ro=10.56.17/24,rw=10.56/16

The following example exports /vol/vol0 to all NFS clients in the subnet A1C0:4C34:5D32:6F34::1/64 for read-only access and all NFS clients whose IPv6 address is BA32:235C:5D24:23F::32 for read-write access:

  /vol/vol0 -ro=[A1C0:4C34:5D32:6F34::1]/64,rw=[BA32:235C:5D24:23F::32]

The following example exports /vol/vol0 to 10.56.17.5 and 10.56.17.6 for read-write access and to all remaining NFS clients in the 10.56.17/24 subnet for read-only access:

  /vol/vol0 -ro=10.56.17/24,rw=10.56.17.5:10.56.17.6

Read and write access: domains
The following example exports /vol/vol0 to all NFS clients in the .frogs.fauna.mycompany.com domain for read-only access and to all remaining clients in the .fauna.mycompany.com domain for read-write access:

  /vol/vol0 -ro=.frogs.fauna.mycompany.com,rw=.fauna.mycompany.com

Excluding NFS client identifiers
Data ONTAP gives precedence to NFS client identifiers from left to right within an access control list; therefore, if you exclude an NFS client identifier from a list, the order in which you specify netgroups, subnets, and domains becomes important if the same NFS client appears in more than one netgroup, subnet, or domain.

For example, suppose cat, which belongs to the farm and pets netgroups, requests read-write access to /vol/vol0.

Data ONTAP grants cat read-write access if you specify the following export entry:

  /vol/vol0 -ro,rw=@farm:-@pets

But Data ONTAP denies cat read-write access if you specify the following export entry in which the order of the netgroups in the rw= list is reversed:

  /vol/vol0 -ro,rw=-@pets:@farm

In the first example, Data ONTAP gives precedence to the farm netgroup, which is included in the read-write access list. In the second example, Data ONTAP gives precedence to the pets netgroup, which is excluded from the read-write access list.
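The following Python is an added example (not NetApp code) that resolves one export entry for one client the way the "Specifying ro, ro=, rw, and rw=" order of precedence and the left-to-right exclusion rule above describe, using a constructed copy of the netgroups from the EXAMPLES section. It handles host names, @netgroups, .domains, IPv4 addresses and short-form subnets; bracketed IPv6 identifiers, root= and sec= contexts are out of scope.

```python
"""Evaluate a Data ONTAP /etc/exports entry for one NFS client (added example, not NetApp code)."""
import ipaddress
# Constructed copy of the /etc/netgroup entries used in the man page's EXAMPLES section.
NETGROUP_FILE = """\
farm pets livestock workers
pets (dog,,) (cat,,) (pig,,) (parrot,,)
livestock (cow,,) (pig,,) (chicken,,) (ostrich,,)
workers (dog,,) (horse,,) (ox,,) (mule,,)
"""
GROUPS = {ln.split()[0]: ln.split()[1:] for ln in NETGROUP_FILE.splitlines()}

def expand(name, seen=()):
    """Flatten a netgroup to host names, following nested groups."""
    hosts = set()
    for member in GROUPS.get(name, []):
        if member.startswith("("):          # (host,user,domain) triple
            hosts.add(member[1:].split(",")[0])
        elif member not in seen:            # nested netgroup name
            hosts |= expand(member, seen + (name,))
    return hosts

def matches(ident, host, ip):
    """One identifier (host, @netgroup, .domain, IPv4 address or short-form subnet) against one client."""
    if ident.startswith("@"):
        return host in expand(ident[1:])
    if ident.startswith("."):
        return host.endswith(ident)
    if ident[:1].isdigit():                 # '10.56/16' pads to 10.56.0.0/16; a bare address is /32
        addr, _, bits = ident.partition("/")
        addr = ".".join((addr.split(".") + ["0"] * 4)[:4])
        net = ipaddress.ip_network(f"{addr}/{bits or 32}", strict=False)
        return ip is not None and ipaddress.ip_address(ip) in net
    return ident == host or host in expand(ident)   # a host name beats a same-named netgroup

def scan(spec, host, ip):
    """Left-to-right scan of a colon list (first match decides, '-' excludes); returns (included, by_host_or_ip) or None."""
    for ident in spec.split(":"):
        name = ident.lstrip("-")
        if matches(name, host, ip):
            specific = name == host or (name[:1].isdigit() and "/" not in name)
            return (not ident.startswith("-"), specific)
    return None

def parse(entry):
    """'path -opt,opt=val' -> (path, {'ro': None, 'rw=': 'a:b', ...})."""
    path, _, rest = entry.strip().partition(" -")
    opts = {}
    for opt in rest.split(","):
        key, eq, val = opt.partition("=")
        opts[key + eq] = val if eq else None
    return path, opts

def access(entry, host, ip=None):
    """Return 'rw', 'ro' or None following the man page's order of precedence."""
    _, opts = parse(entry)
    ro_m = scan(opts["ro="], host, ip) if "ro=" in opts else None
    rw_m = scan(opts["rw="], host, ip) if "rw=" in opts else None
    ro_in, rw_in = bool(ro_m and ro_m[0]), bool(rw_m and rw_m[0])
    if ro_in and rw_in:                     # ro= wins unless rw= named the host/IP itself
        return "rw" if rw_m[1] and not ro_m[1] else "ro"
    if rw_in: return "rw"                   # rw= beats the ro flag
    if ro_in or "ro" in opts: return "ro"   # ro= and ro beat the rw flag
    if "rw" in opts or not ("ro=" in opts or "rw=" in opts):
        return "rw"                         # rw is the default when none of ro, ro=, rw= is given
    return None                             # excluded or unlisted: no access (post-6.5 behaviour)
```

Calling access("/vol/vol0 -ro,rw=-@pets:@farm", "cat") returns "ro" while the reversed list returns "rw", which is the cat case worked through above.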

Specifying an actual path
The following example exports /vol/vol0/home/user1 as /vol/vol0/user1 to NFSv2/v3 clients for read-write access:

  /vol/vol0/user1 -actual=/vol/vol0/home/user1,sec=sys,rw

The following example exports /vol/vol0/home as /myhome to NFSv2/v3/v4 clients for read-write access:

  /myhome -actual=/vol/vol0/home,sec=sys,rw

Controlling anonymous access
The following example exports /vol/vol0 to all NFS clients for read-write access, but prevents access by anonymous and root NFS client users:

  /vol/vol0 -sec=sys,rw,anon=65535

The following example exports /vol/vol0 to all NFS clients for read-write access, giving anonymous and root NFS client users an effective user ID of 100:

  /vol/vol0 -sec=sys,rw,anon=100

The following example exports /vol/vol0 to all NFS clients for read-write access, giving anonymous and root NFS client users an effective user ID of 0 (root):

  /vol/vol0 -sec=sys,rw,anon=0

Controlling root access
The following example exports /vol/vol0 to adminhost for root access and all other NFS clients for read-write access:

  /vol/vol0 -sec=sys,rw,root=adminhost

The following example exports /vol/vol0 to adminhost for root access and all other NFS clients for read-write access, but prevents adminhost from creating setuid executables and device nodes:

  /vol/vol0 -sec=sys,rw,root=adminhost,nosuid

Controlling access by sectype
The following example exports /vol/vol0 to all NFS clients supporting the krb5 security type for read-write access and all remaining NFS clients in the .farm.mycompany.com domain for read-only access:

  /vol/vol0 -ro=.farm.mycompany.com,sec=krb5,rw

The following example exports /vol/vol0 to all hosts supporting no security type for read-write access and all hosts supporting the krb5, krb5i, or krb5p security type for read-write and root access:

  /vol/vol0 -sec=sys:none,rw,sec=krb5:krb5i:krb5p,rw,anon=0
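The rules in "Managing duplicate entries", "Controlling anonymous access" and "Controlling root access", together with the none security type and the per-entry length limit from DESCRIPTION, can be checked mechanically. The following Python audit is an added example (not NetApp code) that joins "\"-continued lines, applies the last-entry-wins rule for exported and actual paths, and flags anon=0, sec=none, read-write access for every client, and root= without nosuid, run over a constructed sample /etc/exports file.

```python
"""Audit a Data ONTAP /etc/exports file against the rules in this man page (added example, not NetApp code)."""

MAX_ENTRY_CHARS = 4096  # per-entry limit, including the end-of-line character

# Constructed sample file; the trailing backslash continues an entry onto the next line.
EXPORTS = """\
/vol/vol0 -sec=sys,root=adminhost,nosuid
/vol/vol0/home -sec=sys,rw=@pets:-@workers,\\
  ro=@livestock,anon=0
/vol/vol1 -actual=/vol/vol0/home,sec=sys:none,rw
/vol/vol0 -sec=sys,rw,root=adminhost
"""

def read_entries(text):
    """Yield (first_line_number, logical_entry) with '\\' continuations joined."""
    buf, start = "", 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        start = start or lineno
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        buf += raw
        if buf.strip():
            yield start, buf
        buf, start = "", 0

def parse(entry):
    """'path -a,b=c' -> ('path', [('a', ''), ('b', 'c')]); a flag option maps to ''."""
    path, _, rest = entry.strip().partition(" -")
    return path.rstrip("/") or "/", [o.strip().partition("=")[::2] for o in rest.split(",") if o.strip()]

def audit(text):
    """Return (line, message) findings: conflicts Data ONTAP resolves silently, then weak settings."""
    findings, effective, by_actual = [], {}, {}
    for line, entry in read_entries(text):
        if len(entry) + 1 > MAX_ENTRY_CHARS:
            findings.append((line, f"entry longer than {MAX_ENTRY_CHARS} characters"))
        path, pairs = parse(entry)
        if path in effective:
            findings.append((line, f"duplicate export of {path}: entry on line {effective[path][0]} is ignored"))
        effective[path] = (line, pairs)           # the last entry for a path wins
        actual = dict(pairs).get("actual", path)
        if by_actual.get(actual, path) != path:
            findings.append((line, f"{path} shares actual path {actual} with {by_actual[actual]}: only the last is exported"))
        by_actual[actual] = path
    for path, (line, pairs) in effective.items():
        keys = {k for k, _ in pairs}
        flags = {k for k, v in pairs if v == ""}
        sec = {s for k, v in pairs if k == "sec" for s in v.split(":")} or {"sys"}
        if ("anon", "0") in pairs:
            findings.append((line, f"{path}: anon=0 maps anonymous and root users to uid 0"))
        if "none" in sec:
            findings.append((line, f"{path}: sec=none treats unauthenticated clients as anonymous users"))
        if ("rw" in flags and "ro" not in flags) or not keys & {"ro", "rw"}:  # rw is the default
            findings.append((line, f"{path}: rw for all clients"))
        if "root" in keys and "nosuid" not in flags:
            findings.append((line, f"{path}: root= without nosuid allows setuid files and device nodes"))
    return findings
```

Line 1 of the sample produces no finding at all because line 5 silently replaces it, which is the duplicate-entry behaviour described above.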

FILES

/etc/hosts Maps IP addresses to host names and aliases.

/etc/netgroup Maps group names to hosts.

/etc/nsswitch.conf Specifies the order in which Data ONTAP searches local, NIS, DNS, and LDAP files.

/etc/passwd Specifies user information.

SEE ALSO

na_exportfs(1), na_options(1), na_reboot(1), na_hosts(5), na_netgroup(5), na_nsswitch.conf(5), na_passwd(5)
