exports File for NFS

Purpose

Contains a list of directories that can be exported to Network File System (NFS) clients.

Description

The /etc/exports file contains an entry for each directory that can be exported to NFS clients. This file is read automatically by the exportfs command. If you change this file, you must run the exportfs command before the changes can affect the way the daemon operates.

Only when this file is present during system startup does the rc.nfs script execute the exportfs command and start the nfsd and mountd daemons.
Restriction: You cannot export either a parent directory or a subdirectory of an exported directory within the same file system.

If the /etc/exports file contains two entries for the same directory, one for NFS version 2 (or 3) and one for NFS version 4, the exportfs command exports both entries.

If the options for NFS versions 2 (or 3) and 4 are the same for a directory, there can be one entry in the /etc/exports file specifying -vers=3:4.

Entries in the file are formatted as follows:

Directory -Option [ , Option ] ...

These entries are defined as follows:

Entry Definition
Directory Specifies the directory name.
Option Specifies the optional characteristics for the directory being exported. You can enter more than one variable by separating them with commas. For options taking a Client parameter, Client can specify a hostname, a dotted IP address, a network name, or a subnet designator. A subnet designator is of the form @host/mask, where host is either a hostname or a dotted IP address and mask specifies the number of bits to use when checking access. If mask is not specified, a full mask is used. For example, the designator @client.group.company.com/16 will match all Clients on the company.com subnet. A designator of @client.group.company.com/24 will match only the Clients on the group.company.com subnet. Choose from the following options:
ro
Exports the directory with read-only permission. If not specified, the directory is exported with read-write permission.
ro=Client[:Client]
Exports the directory with read-only permission to the specified Clients. Exports the directory with read-write permissions to Clients not specified in the list. A read-only list cannot be specified if a read-write list has been specified.
rw
Exports the directory with read-write permission to all Clients.
rw=Client[:Client]
Exports the directory with read-write permission to the specified Clients. Exports the directory read-only to Clients not in the list. A read-write list cannot be specified if a read-only list has been specified.
access=Client[:Client,...]
Gives mount access to each Client listed. If not specified, any Client is allowed to mount the specified directory. The ro option and the rw option can be combined on a single exports entry. See the following examples:
access=x, ro=y 
indicates that x has the rw option and y has the ro option
access=x, rw=y 
indicates that x has the ro option and y has the rw option
anon=UID
If a request comes from a root user, use the user identification (UID) value as the effective user ID.

The default value for this option is -2. Setting the value of the anon option to -1 disables anonymous access. Note that, by default, secure NFS accepts nonsecure requests as anonymous, and users who want more security can disable this feature by setting anon to a value of -1.
root=Client[:Client]
Allows root access from the specified clients in the list. Putting a host in the root list does not override the semantics of the other options. For example, this option denies the mount access from a host present in the root list but absent in the access list.
secure
Requires clients to use a more secure protocol when accessing the directory.

A # (pound sign) anywhere in the file indicates a comment that extends to the end of the line.

deleg={yes|no}
Enable or disable file delegation for the specified export. This option overrides the system-wide delegation enablement for this export. The system-wide enablement is done through the nfso command.
vers=version[:version]
Exports the directory for clients using the specified NFS protocol versions. Allowable values are 2, 3, and 4. Versions 2 and 3 cannot be enforced separately. Specifying version 2 or 3 allows access by clients using either NFS protocol version 2 or 3. Version 4 can be specified independently and must be specified to allow access by clients using the version 4 protocol. The default is 2 and 3.
exname=external-name
Exports the directory by the specified external name. The external name must begin with the nfsroot name. See below for a description of the nfsroot and nfspublic paths. This applies only to directories exported for access by version 4 protocol only.
sec=flavor[:flavor...]
This option is used to specify a list of security methods that may be used to access files under the exported directory. Most exportfs options can be clustered using the sec option. Options following a sec option are presumed to belong with the preceding sec option. Any number of sec stanzas may be specified, but each security method can be specified only once. Within each sec stanza the ro, rw, root, and access options may be specified once. Only the public, anon and vers options are considered global for the export. If the sec option is used to specify any security method, it must be used to specify all security methods. In the absence of any sec option, UNIX authentication is assumed.
Allowable flavor values are:
sys
UNIX authentication.
dh
DES authentication.
krb5
Kerberos. Authentication only.
krb5i
Kerberos. Authentication and integrity.
krb5p
Kerberos. Authentication, integrity, and privacy.
none
Allow mount requests to proceed with anonymous credentials if the mount request uses an authentication flavor not specified in the export. Otherwise a weak auth error is returned. By default, all flavors are allowed.
The secure option may be specified, but not in conjunction with a sec option. The secure option is deprecated and may be eliminated. Use sec=dh instead.
refer=rootpath@host [+host][:rootpath@host [+host]]
A namespace referral is created at the specified path. This referral directs clients to the specified alternate locations where the clients can continue operations. A referral is a special object. If a non-referral object exists at the specified path, the export is not allowed and an error message is printed. If nothing exists at the specified path, a referral object is created there; this referral object includes the pathname directories that lead to the object. Multiple referrals can be created within a file system. A referral cannot be specified for nfsroot. The name localhost cannot be used as a hostname.

Unexporting the referral object has the effect of removing the referral locations information from the referral object. Unexporting the referral object does not remove the referral object itself. The object can be removed using rm if desired. The administrator must ensure that appropriate data is available at the referral servers.

This option is available only on AIX® version 5.3.0.30 or later, and is allowed only for version 4 exports. If the export specification allows version 2 or version 3 access, an error message will be printed and the export will be disallowed.
Note: A referral export can only be made if replication is enabled on the server. Use chnfs -R on to enable replication.
replicas=rootpath@host [+host][:rootpath@host [+host]]
Replica location information is associated with the export path. The replica information can be used by NFS version 4 clients to redirect operations to the specified alternate locations if the current server becomes unavailable. You should ensure that appropriate data is available at the replica servers. Since replica information applies to an entire file system, the specified path must be the root of a file system. If the path is not a file system root, the export is not allowed and an error message is printed. The name localhost cannot be used as a hostname.

If the directory being exported is not in the replica list, the entry ExportedDirectory@CurrentHost is added as the first replica location. A replica export can only be made if replication is enabled on the server. By default, replication is not enabled. If replica exports are made at system boot, replication should be enabled using chnfs -R on.

Replica locations can also be specified for the nfsroot. The chnfs command must be used for this purpose. In this case, the command is chnfs -R host [ + host ]. If the current host is not specified in the list, it will be added as the first replica host. The rootpath is not needed or allowed in this case. The reason is that the nfsroot is replicated only to the nfsroots of the specified hosts.

The replication mode can only be changed if there are no active NFS version 4 exports. If the server's replication mode is changed, any filehandles issued by the server during the previous replication mode will not be honored by the server. This can cause application errors on clients with old filehandles. Care must be taken when changing the replication mode of the server. If possible, all client mounts to the server should be unmounted before the server's replication mode is changed.

The replica location information associated with the directory can be changed by modifying the replica list and reexporting the directory. The new replica information will replace the old replica information.

NFS clients are expected to refresh replica information on a regular basis. If the server changes the replica information for an export, it may take some time for the client to refresh its replica information. This is not a serious problem if new replica locations are added, since clients with old replica information will still have correct, though possibly incomplete, replica information. Removing replica information can be problematic since it can result in clients having incorrect replica information for some period of time. To aid clients in detecting the new information, exportfs attempts to touch the replicated directory. This will change the timestamps on the directory, which in turn causes the client to refetch the directory's attributes. This operation may not be possible, however, if the replicated file system is read-only. When changing replica information for a directory, you should be aware that there may be a period of time between the changing of the replica information and clients getting the new replica information.

This option is available only on AIX version 5.3.0.30 or later, and is meaningful only for version 4 exports. If the option is used on an export that allows version 2 or version 3 access, the operation is allowed, but the replica information is ignored by the version 2 and version 3 servers.

noauto
Accepts the replicas specification as-is. Does not automatically insert the primary hostname as one of the replica locations if it has not been specified.

nfsroot and nfspublic

In order to allow the NFS server administrator to hide some detail of the local file system from clients, the nfsroot and nfspublic attributes were added to the NFS version 4 implementation. The nfsroot and nfspublic may be specified independently, but nfspublic must be a subdirectory of nfsroot. When the nfsroot is set, a local directory can be exported so that it appears to the client to be a subdirectory of the nfsroot. Restrictions must be placed on the exported directories in order to avoid problems:
  • The nfsroot must not be "/".
  • Either all version 4 exports must specify an external name, or none must specify an external name.
  • The external name must start with the nfsroot name. For example, if the nfsroot has been set to /export/server, the directory /export/server/abc can be used as an external name, but the directory /abc cannot be used as an external name. In this example, the /tmp directory might be exported as /export/server/tmp, but /tmp cannot be exported as /xyz.
  • If the -exname option is used, only one directory can be exported per file system.
  • If a directory is exported with an external name, any descendant of that directory that is also exported must maintain the same path between the two directories. For example, if /a is exported as /export/dira, the directory /a/b/c/d can only be exported as /export/dira/b/c/d, provided /a and /a/b/c/d are different file systems or members of different file systems.
  • If a directory is exported with an external name, any parent of that directory that is also exported must maintain the same path between the two directories. For example, if /a/b is exported as /export/a/b, the directory /a can only be exported as /export/a, provided /a and /a/b are different file systems or members of different file systems. Also, if /a/b is exported as /export/b, the directory /a cannot be exported because it does not exist in the path from the root node to export a pathname of /b.
  • The exportfs command will only allow the exname option when the -vers=4 option is also present.

Administration of nfsroot, nfspublic, and replication is performed using the chnfs command.

Examples

  1. To export to netgroup clients, enter:
    /usr -access=clients
  2. To export to the world, enter:
    /usr/local
  3. To export to only these systems, enter:
    /usr2 -access=hermes:zip:tutorial
  4. To give root access only to these systems, enter:
    /usr/tps -root=hermes:zip
  5. To convert client root users to guest UID=100, enter:
    /usr/new -anon=100
  6. To export read-only to everyone, enter:
    /usr/bin -ro
  7. To allow several options on one line, enter:
    /usr/stuff -access=zip,anon=-3,ro
  8. To create a referral at /usr/info to the /usr/info directory on the host infoserver, add the following line to /etc/exports and then export /usr/info:
    /usr/info -vers=4,refer=/usr/info@infoserver
  9. To specify replicas for the directory /common/info at hosts backup1 and backup2, add the following line to /etc/exports and then export /common/info:
    /common/info -vers=4,replicas=/common/info@backup1:/common/info@backup2,<other options>
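
The option semantics described above can be checked mechanically before exportfs is run. The following is an added example, not part of the original documentation or of AIX: it parses entries in the Directory -Option[,Option] form and reports exposures that follow from the documented defaults. The function names (parse_entry, clients, audit) and the /srv entries with hosts app1, admin1 and collector are constructed for illustration.

```python
def parse_entry(line):
    """Parse 'Directory -Option[,Option]...'; a sec= option opens a new stanza."""
    line = line.split("#", 1)[0].strip()    # '#' comments run to end of line
    if not line:
        return None
    directory, *rest = line.split(None, 1)
    stanzas = [{}]
    for opt in (rest[0].lstrip("-") if rest else "").split(","):
        name, _, value = (p.strip() for p in opt.partition("="))
        if name == "sec":                   # options after sec= belong to it
            stanzas.append({})
        if name:
            stanzas[-1][name] = value
    return directory, stanzas

def clients(stanza, key):
    # Colon-separated client list of an option, as a set (empty if absent).
    return set(filter(None, stanza.get(key, "").split(":")))

def audit(text):
    """Return sorted (directory, finding) pairs for exports-file text."""
    out = set()
    for directory, stanzas in filter(None, map(parse_entry, text.splitlines())):
        if "secure" in stanzas[0]:
            out.add((directory, "secure is deprecated; use sec=dh"))
        elif len(stanzas) == 1:
            out.add((directory, "no sec option: UNIX authentication assumed"))
        for s in stanzas[1:] or stanzas:
            access, roots = clients(s, "access"), clients(s, "root")
            if not access:
                out.add((directory, "no access list: any client may mount"))
            if clients(s, "ro"):
                out.add((directory, "ro= list: unlisted clients get read-write"))
            elif "ro" not in s and not clients(s, "rw"):
                out.add((directory, "read-write for every client allowed to mount"))
            if roots:
                out.add((directory, "root access for: " + ":".join(sorted(roots))))
            if access and roots - access:
                missing = ":".join(sorted(roots - access))
                out.add((directory, "root host not in access list: " + missing))
    return sorted(out)

# First three lines are Examples 2, 4 and 7 from this page; the rest are constructed.
SAMPLE = """\
/usr/local
/usr/tps -root=hermes:zip
/usr/stuff -access=zip,anon=-3,ro
/srv/app -sec=krb5p,access=app1,rw=app1,root=admin1
/srv/log -ro=collector   # constructed entry with a trailing comment
"""
```

Client names are compared literally, so netgroups and @host/mask subnet designators are not expanded; a root host covered by a netgroup in the access list is still reported.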

Files

Item Description
/etc/xtab Lists currently exported directories.
/etc/hosts Contains an entry for each host on the network.
/etc/netgroup Contains information about each user group on the network.