Versions Compared

Old Version 2

changes.mady.by.user Former user

Saved on

compared with

New Version Current

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

nfs(5) - Linux man page

Name

nfs - fstab format and options for the nfs file systems

Synopsis

/etc/fstab

Description

NFS is an Internet Standard protocol created by Sun Microsystems in 1984. NFS was developed to allow file sharing between systems residing on a local area network. The Linux NFS client supports three versions of the NFS protocol: NFS version 2 [RFC1094], NFS version 3 [RFC1813], and NFS version 4 [RFC3530].

...

server:path/mountpointfstypeoption,option,...0 0The server's hostname and export pathname are separated by a colon, while the mount options are separated by commas. The remaining fields are separated by blanks or tabs.The server's hostname can be an unqualified hostname, a fully qualified domain name, a dotted quad IPv4 address, or an IPv6 address enclosed in square brackets. Link-local and site-local IPv6 addresses must be accompanied by an interface identifier. See ipv6(7) for details on specifying raw IPv6 addresses.The fstype field contains "nfs". Use of the "nfs4" fstype in /etc/fstab is deprecated.

Mount Options

Refer to mount(8) for a description of generic mount options available for all file systems. If you do not need to specify any mount options, use the generic option defaults in /etc/fstab.

...

The DATA AND METADATA COHERENCE section contains a detailed discussion of these trade-offs.

Options for NFS versions 2 and 3 only

Use these options, along with the options in the above subsection, for NFS versions 2 and 3 only.proto=netidThe transport protocol name and protocol family the NFS client uses to transmit requests to the NFS server for this mount point. If an NFS server has both an IPv4 and an IPv6 address, using a specific netid will force the use of IPv4 or IPv6 networking to communicate with that server.

...

NOTE: When used together, the 'local_lock' mount option will be overridden by 'nolock'/'lock' mount option.

Options for NFS version 4 only

Use these options, along with the options in the first subsection above, for NFS version 4 and newer.minorversion=nSpecifies the protocol minor version number. NFSv4 introduces "minor versioning," where NFS protocol enhancements can be introduced without bumping the NFS protocol version number.

...

If this option is not specified, the mount(8) command attempts to discover an appropriate callback address automatically. The automatic discovery process is not perfect, however. In the presence of multiple client network interfaces, special routing policies, or atypical network topologies, the exact address to use for callbacks may be nontrivial to determine.

nfs4 FILE SYSTEM TYPE

The nfs4 file system type is an old syntax for specifying NFSv4 usage. It can still be used with all NFSv4-specific and common options, excepted the nfsvers mount option.

Mount Configuration File

If the mount command is configured to do so, all of the mount options described in the previous section can also be configured in the /etc/nfsmount.conf file. See nfsmount.conf(5) for details.

Examples

To mount an export using NFS version 2, use the nfs file system type and specify the nfsvers=2 mount option. To mount using NFS version 3, use the nfs file system type and specify the nfsvers=3 mount option. To mount using NFS version 4, use either the nfs file system type, with the nfsvers=4 mount option, or the nfs4 file system type.

...

server:/export/mntnfsdefaults0 0Here is an example from an /etc/fstab file for an NFS version 2 mount over UDP.server:/export/mntnfsnfsvers=2,proto=udp0 0Try this example to mount using NFS version 4 over TCP with Kerberos 5 mutual authentication.server:/export/mntnfs4sec=krb50 0This example can be used to mount /usr over NFS.server:/export/usrnfsro,nolock,nocto,actimeo=36000 0This example shows how to mount an NFS server using a raw IPv6 link-local address.[fe80::215:c5ff:fb3e:e2b1%eth0]:/export/mntnfsdefaults0 0

Transport Methods

NFS clients send requests to NFS servers via Remote Procedure Calls, or RPCs. The RPC client discovers remote service endpoints automatically, handles per-request authentication, adjusts request parameters for different byte endianness on client and server, and retransmits requests that may have been lost by the network or server. RPC requests and replies flow over a network transport.

...

Under normal circumstances, networks drop packets much more frequently than NFS servers drop requests. As such, an aggressive retransmit timeout setting for NFS over TCP is unnecessary. Typical timeout settings for NFS over TCP are between one and ten minutes. After the client exhausts its retransmits (the value of the retrans mount option), it assumes a network partition has occurred, and attempts to reconnect to the server on a fresh socket. Since TCP itself makes network data transfer reliable, rsize and wsize can safely be allowed to default to the largest values supported by both client and server, independent of the network's MTU size.

Using the mountproto mount option

This section applies only to NFS version 2 and version 3 mounts since NFS version 4 does not use a separate protocol for mount requests.The Linux NFS client can use a different transport for contacting an NFS server's rpcbind service, its mountd service, its Network Lock Manager (NLM) service, and its NFS service. The exact transports employed by the Linux NFS client for each mount point depends on the settings of the transport mount options, which include proto, mountproto, udp, and tcp.The client sends Network Status Manager (NSM) notifications via UDP no matter what transport options are specified, but listens for server NSM notifications on both UDP and TCP. The NFS Access Control List (NFSACL) protocol shares the same transport as the main NFS service.If no transport options are specified, the Linux NFS client uses UDP to contact the server's mountd service, and TCP to contact its NLM and NFS services by default.If the server does not support these transports for these services, the mount(8) command attempts to discover what the server supports, and then retries the mount request once using the discovered transports. If the server does not advertise any transport supported by the client or is misconfigured, the mount request fails. If the bg option is in effect, the mount command backgrounds itself and continues to attempt the specified mount request.When the proto option, the udp option, or the tcp option is specified but the mountproto option is not, the specified transport is used to contact both the server's mountd service and for the NLM and NFS services.If the mountproto option is specified but none of the proto, udp or tcp options are specified, then the specified transport is used for the initial mountd request, but the mount command attempts to discover what the server supports for the NFS protocol, preferring TCP if both transports are supported.If both the mountproto and proto (or udp or tcp) options are specified, then the transport specified by the mountproto option is used for the initial mountd request, and the transport specified by the proto option (or the udp or tcp options) is used for NFS, no matter what order these options appear. No automatic service discovery is performed if these options are specified.If any of the proto, udp, tcp, or mountproto options are specified more than once on the same mount command line, then the value of the rightmost instance of each of these options takes effect.

Data And Metadata Coherence

Some modern cluster file systems provide perfect cache coherence among their clients. Perfect cache coherence among disparate NFS clients is expensive to achieve, especially on wide area networks. As such, NFS settles for weaker cache coherence that satisfies the requirements of most file sharing types. Normally, file sharing is completely sequential: first client A opens a file, writes something to it, then closes it; then client B opens the same file, and reads the changes.

Close-to-open cache consistency

When an application opens a file stored on an NFS server, the NFS client checks that it still exists on the server and is permitted to the opener by sending a GETATTR or ACCESS request. When the application closes the file, the NFS client writes back any pending changes to the file so that the next opener can view the changes. This also gives the NFS client an opportunity to report any server write errors to the application via the return code from close(2). The behavior of checking at open time and flushing at close time is referred to as close-to-open cache consistency.

Weak cache consistency

There are still opportunities for a client's data cache to contain stale data. The NFS version 3 protocol introduced "weak cache consistency" (also known as WCC) which provides a way of efficiently checking a file's attributes before and after a single request. This allows a client to help identify changes that could have been made by other clients.When a client is using many concurrent operations that update the same file at the same time (for example, during asynchronous write behind), it is still difficult to tell whether it was that client's updates or some other client's updates that altered the file.

Attribute caching

Use the noac mount option to achieve attribute cache coherence among multiple clients. Almost every file system operation checks file attribute information. The client keeps this information cached for a period of time to reduce network and server load. When noac is in effect, a client's file attribute cache is disabled, so each operation that needs to check a file's attributes is forced to go back to the server. This permits a client to see changes to a file very quickly, at the cost of many extra network operations.Be careful not to confuse the noac option with "no data caching." The noac mount option prevents the client from caching file metadata, but there are still races that may result in data cache incoherence between client and server.The NFS protocol is not designed to support true cluster file system cache coherence without some type of application serialization. If absolute cache coherence among clients is required, applications should use file locking. Alternatively, applications can also open their files with the O_DIRECT flag to disable data caching entirely.

Directory entry caching

The Linux NFS client caches the result of all NFS LOOKUP requests. If the requested directory entry exists on the server, the result is referred to as a positive lookup result. If the requested directory entry does not exist on the server (that is, the server returned ENOENT), the result is referred to as negative lookup result.To detect when directory entries have been added or removed on the server, the Linux NFS client watches a directory's mtime. If the client detects a change in a directory's mtime, the client drops all cached LOOKUP results for that directory. Since the directory's mtime is a cached attribute, it may take some time before a client notices it has changed. See the descriptions of the acdirmin, acdirmax, and noac mount options for more information about how long a directory's mtime is cached.Caching directory entries improves the performance of applications that do not share files with applications on other clients. Using cached information about directories can interfere with applications that run concurrently on multiple clients and need to detect the creation or removal of files quickly, however. The lookupcache mount option allows some tuning of directory entry caching behavior.Before kernel release 2.6.28, the Linux NFS client tracked only positive lookup results. This permitted applications to detect new directory entries created by other clients quickly while still providing some of the performance benefits of caching. If an application depends on the previous lookup caching behavior of the Linux NFS client, you can use lookupcache=positive.If the client ignores its cache and validates every application lookup request with the server, that client can immediately detect when a new directory entry has been either created or removed by another client. You can specify this behavior using lookupcache=none. The extra NFS requests needed if the client does not cache directory entries can exact a performance penalty. Disabling lookup caching should result in less of a performance penalty than using noac, and has no effect on how the NFS client caches the attributes of files.

The sync mount option

The NFS client treats the sync mount option differently than some other file systems (refer to mount(8) for a description of the generic sync and async mount options). If neither sync nor async is specified (or if the async option is specified), the NFS client delays sending application writes to the server until any of these events occur:Memory pressure forces reclamation of system memory resources.An application flushes file data explicitly with sync(2), msync(2), or fsync(3).An application closes a file with close(2).The file is locked/unlocked via fcntl(2).In other words, under normal circumstances, data written by an application may not immediately appear on the server that hosts the file.If the sync option is specified on a mount point, any system call that writes data to files on that mount point causes that data to be flushed to the server before the system call returns control to user space. This provides greater data cache coherence among clients, but at a significant performance cost.Applications can use the O_SYNC open flag to force application writes to individual files to go to the server immediately without the use of the sync mount option.

Using file locks with NFS

The Network Lock Manager protocol is a separate sideband protocol used to manage file locks in NFS version 2 and version 3. To support lock recovery after a client or server reboot, a second sideband protocol -- known as the Network Status Manager protocol -- is also required. In NFS version 4, file locking is supported directly in the main NFS protocol, and the NLM and NSM sideband protocols are not used.In most cases, NLM and NSM services are started automatically, and no extra configuration is required. Configure all NFS clients with fully-qualified domain names to ensure that NFS servers can find clients to notify them of server reboots.NLM supports advisory file locks only. To lock NFS files, use fcntl(2) with the F_GETLK and F_SETLK commands. The NFS client converts file locks obtained via flock(2) to advisory locks.When mounting servers that do not support the NLM protocol, or when mounting an NFS server through a firewall that blocks the NLM service port, specify the nolock mount option. NLM locking must be disabled with the nolock option when using NFS to mount /var because /var contains files used by the NLM implementation on Linux.Specifying the nolock option may also be advised to improve the performance of a proprietary application which runs on a single client and uses file locks extensively.

NFS version 4 caching features

The data and metadata caching behavior of NFS version 4 clients is similar to that of earlier versions. However, NFS version 4 adds two features that improve cache behavior: change attributes and file delegation.The change attribute is a new part of NFS file and directory metadata which tracks data changes. It replaces the use of a file's modification and change time stamps as a way for clients to validate the content of their caches. Change attributes are independent of the time stamp resolution on either the server or client, however.A file delegation is a contract between an NFS version 4 client and server that allows the client to treat a file temporarily as if no other client is accessing it. The server promises to notify the client (via a callback request) if another client attempts to access that file. Once a file has been delegated to a client, the client can cache that file's data and metadata aggressively without contacting the server.File delegations come in two flavors: read and write. A read delegation means that the server notifies the client about any other clients that want to write to the file. A write delegation means that the client gets notified about either read or write accessors.Servers grant file delegations when a file is opened, and can recall delegations at any time when another client wants access to the file that conflicts with any delegations already granted. Delegations on directories are not supported.In order to support delegation callback, the server checks the network return path to the client during the client's initial contact with the server. If contact with the client cannot be established, the server simply does not grant any delegations to that client.

...

The NFS version 4 protocol allows clients and servers to negotiate among multiple security flavors during mount processing. However, Linux does not yet implement such negotiation. The Linux client specifies a single security flavor at mount time which remains in effect for the lifetime of the mount. If the server does not support this flavor, the initial mount request is rejected by the server.

Using non-privileged source ports

NFS clients usually communicate with NFS servers via network sockets. Each end of a socket is assigned a port value, which is simply a number between 1 and 65535 that distinguishes socket endpoints at the same IP address. A socket is uniquely defined by a tuple that includes the transport protocol (TCP or UDP) and the port values and IP addresses of both endpoints.The NFS client can choose any source port value for its sockets, but usually chooses a privileged port. A privileged port is a port value less than 1024. Only a process with root privileges may create a socket with a privileged source port.The exact range of privileged source ports that can be chosen is set by a pair of sysctls to avoid choosing a well-known port, such as the port used by ssh. This means the number of source ports available for the NFS client, and therefore the number of socket connections that can be used at the same time, is practically limited to only a few hundred.As described above, the traditional default NFS authentication scheme, known as AUTH_SYS, relies on sending local UID and GID numbers to identify users making NFS requests. An NFS server assumes that if a connection comes from a privileged port, the UID and GID numbers in the NFS requests on this connection have been verified by the client's kernel or some other local authority. This is an easy system to spoof, but on a trusted physical network between trusted hosts, it is entirely adequate.Roughly speaking, one socket is used for each NFS mount point. If a client could use non-privileged source ports as well, the number of sockets allowed, and thus the maximum number of concurrent mount points, would be much larger.Using non-privileged source ports may compromise server security somewhat, since any user on AUTH_SYS mount points can now pretend to be any other when making NFS requests. Thus NFS servers do not support this by default. They explicitly allow it usually via an export option.To retain good security while allowing as many mount points as possible, it is best to allow non-privileged client connections only if the server and client both require strong authentication, such as Kerberos.

Mounting through a firewall

A firewall may reside between an NFS client and server, or the client or server may block some of its own ports via IP filter rules. It is still possible to mount an NFS server through a firewall, though some of the mount(8) command's automatic service endpoint discovery mechanisms may not work; this requires you to provide specific endpoint details via NFS mount options.NFS servers normally run a portmapper or rpcbind daemon to advertise their service endpoints to clients. Clients use the rpcbind daemon to determine:What network port each RPC-based service is usingWhat transport protocols each RPC-based service supportsThe rpcbind daemon uses a well-known port number (111) to help clients find a service endpoint. Although NFS often uses a standard port number (2049), auxiliary services such as the NLM service can choose any unused port number at random.Common firewall configurations block the well-known rpcbind port. In the absense of an rpcbind service, the server administrator fixes the port number of NFS-related services so that the firewall can allow access to specific NFS service ports. Client administrators then specify the port number for the mountd service via the mount(8) command's mountport option. It may also be necessary to enforce the use of TCP or UDP if the firewall blocks one of those transports.

NFS Access Control Lists

Solaris allows NFS version 3 clients direct access to POSIX Access Control Lists stored in its local file systems. This proprietary sideband protocol, known as NFSACL, provides richer access control than mode bits. Linux implements this protocol for compatibility with the Solaris NFS implementation. The NFSACL protocol never became a standard part of the NFS version 3 specification, however.The NFS version 4 specification mandates a new version of Access Control Lists that are semantically richer than POSIX ACLs. NFS version 4 ACLs are not fully compatible with POSIX ACLs; as such, some translation between the two is required in an environment that mixes POSIX ACLs and NFS version 4.

The Remount Option

Generic mount options such as rw and sync can be modified on NFS mount points using the remount option. See mount(8) for more information on generic mount options.

...

Performing a remount on an NFS file system mounted with the noac option may have unintended consequences. The noac option is a combination of the generic option sync, and the NFS-specific option actimeo=0.


Unmounting after a remount

For mount points that use NFS versions 2 or 3, the NFS umount subcommand depends on knowing the original set of mount options used to perform the MNT operation. These options are stored on disk by the NFS mount subcommand, and can be erased by a remount.To ensure that the saved mount options are not erased during a remount, specify either the local mount directory, or the server hostname and export pathname, but not both, during a remount. For example,mount -o remount,ro /mntmerges the mount option ro with the mount options already saved on disk for the NFS server mounted at /mnt.

Files

/etc/fstabfile system table

Bugs

Before 2.4.7, the Linux NFS client did not support NFS over TCP.

...

The Linux NFS client does not yet support certain optional features of the NFS version 4 protocol, such as security negotiation, server referrals, and named attributes.

See Also

fstab(5), mount(8), umount(8), mount.nfs(5), umount.nfs(5), exports(5), netconfig(5), ipv6(7), nfsd(8), sm-notify(8), rpc.statd(8), rpc.idmapd(8), rpc.gssd(8), rpc.svcgssd(8), kerberos(1)

RFC 768 for the UDP specification.
RFC 793 for the TCP specification.
RFC 1094 for the NFS version 2 specification.
RFC 1813 for the NFS version 3 specification.
RFC 1832 for the XDR specification.
RFC 1833 for the RPC bind specification.
RFC 2203 for the RPCSEC GSS API protocol specification.
RFC 3530 for the NFS version 4 specification.

Referenced By

mount.nfs(8), mountd(8), nfsstat(8), rpc.rquotad(8), rpcdebug(8), umount.nfs4(8)