{ "mode": "man", "parameter": "nfs", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/nfs/5/json", "generated": "2026-05-30T07:08:57Z", "synopsis": "/etc/fstab", "sections": { "NAME": { "content": "nfs - fstab format and options for the nfs file systems\n", "subsections": [] }, "SYNOPSIS": { "content": "/etc/fstab\n", "subsections": [] }, "DESCRIPTION": { "content": "NFS is an Internet Standard protocol created by Sun Microsystems in 1984. NFS was developed\nto allow file sharing between systems residing on a local area network. Depending on kernel\nconfiguration, the Linux NFS client may support NFS versions 3, 4.0, 4.1, or 4.2.\n\nThe mount(8) command attaches a file system to the system's name space hierarchy at a given\nmount point. The /etc/fstab file describes how mount(8) should assemble a system's file name\nhierarchy from various independent file systems (including file systems exported by NFS\nservers). Each line in the /etc/fstab file describes a single file system, its mount point,\nand a set of default mount options for that mount point.\n\nFor NFS file system mounts, a line in the /etc/fstab file specifies the server name, the path\nname of the exported server directory to mount, the local directory that is the mount point,\nthe type of file system that is being mounted, and a list of mount options that control the\nway the filesystem is mounted and how the NFS client behaves when accessing files on this\nmount point. The fifth and sixth fields on each line are not used by NFS, thus convention‐\nally each contain the digit zero. For example:\n\nserver:path /mountpoint fstype option,option,... 0 0\n\nThe server's hostname and export pathname are separated by a colon, while the mount options\nare separated by commas. The remaining fields are separated by blanks or tabs.\n\nThe server's hostname can be an unqualified hostname, a fully qualified domain name, a dotted\nquad IPv4 address, or an IPv6 address enclosed in square brackets. Link-local and site-local\nIPv6 addresses must be accompanied by an interface identifier. See ipv6(7) for details on\nspecifying raw IPv6 addresses.\n\nThe fstype field contains \"nfs\". Use of the \"nfs4\" fstype in /etc/fstab is deprecated.\n", "subsections": [] }, "MOUNT OPTIONS": { "content": "Refer to mount(8) for a description of generic mount options available for all file systems.\nIf you do not need to specify any mount options, use the generic option defaults in\n/etc/fstab.\n", "subsections": [ { "name": "Options supported by all versions", "content": "These options are valid to use with any NFS version.\n\nnfsvers=n The NFS protocol version number used to contact the server's NFS service. If\nthe server does not support the requested version, the mount request fails.\nIf this option is not specified, the client tries version 4.2 first, then ne‐\ngotiates down until it finds a version supported by the server.\n\nvers=n This option is an alternative to the nfsvers option. It is included for com‐\npatibility with other operating systems\n\nsoft / hard Determines the recovery behavior of the NFS client after an NFS request times\nout. If neither option is specified (or if the hard option is specified), NFS\nrequests are retried indefinitely. If the soft option is specified, then the\nNFS client fails an NFS request after retrans retransmissions have been sent,\ncausing the NFS client to return an error to the calling application.\n\nNB: A so-called \"soft\" timeout can cause silent data corruption in certain\ncases. As such, use the soft option only when client responsiveness is more\nimportant than data integrity. Using NFS over TCP or increasing the value of\nthe retrans option may mitigate some of the risks of using the soft option.\n\nsoftreval / nosoftreval\nIn cases where the NFS server is down, it may be useful to allow the NFS\nclient to continue to serve up paths and attributes from cache after retrans\nattempts to revalidate that cache have timed out. This may, for instance, be\nhelpful when trying to unmount a filesystem tree from a server that is perma‐\nnently down.\n\nIt is possible to combine softreval with the soft mount option, in which case\noperations that cannot be served up from cache will time out and return an er‐\nror after retrans attempts. The combination with the default hard mount option\nimplies those uncached operations will continue to retry until a response is\nreceived from the server.\n\nNote: the default mount option is nosoftreval which disallows fallback to\ncache when revalidation fails, and instead follows the behavior dictated by\nthe hard or soft mount option.\n\nintr / nointr This option is provided for backward compatibility. It is ignored after ker‐\nnel 2.6.25.\n\ntimeo=n The time in deciseconds (tenths of a second) the NFS client waits for a re‐\nsponse before it retries an NFS request.\n\nFor NFS over TCP the default timeo value is 600 (60 seconds). The NFS client\nperforms linear backoff: After each retransmission the timeout is increased by\ntimeo up to the maximum of 600 seconds.\n\nHowever, for NFS over UDP, the client uses an adaptive algorithm to estimate\nan appropriate timeout value for frequently used request types (such as READ\nand WRITE requests), but uses the timeo setting for infrequently used request\ntypes (such as FSINFO requests). If the timeo option is not specified, infre‐\nquently used request types are retried after 1.1 seconds. After each retrans‐\nmission, the NFS client doubles the timeout for that request, up to a maximum\ntimeout length of 60 seconds.\n\nretrans=n The number of times the NFS client retries a request before it attempts fur‐\nther recovery action. If the retrans option is not specified, the NFS client\ntries each UDP request three times and each TCP request twice.\n\nThe NFS client generates a \"server not responding\" message after retrans re‐\ntries, then attempts further recovery (depending on whether the hard mount op‐\ntion is in effect).\n\nrsize=n The maximum number of bytes in each network READ request that the NFS client\ncan receive when reading data from a file on an NFS server. The actual data\npayload size of each NFS READ request is equal to or smaller than the rsize\nsetting. The largest read payload supported by the Linux NFS client is\n1,048,576 bytes (one megabyte).\n\nThe rsize value is a positive integral multiple of 1024. Specified rsize val‐\nues lower than 1024 are replaced with 4096; values larger than 1048576 are re‐\nplaced with 1048576. If a specified value is within the supported range but\nnot a multiple of 1024, it is rounded down to the nearest multiple of 1024.\n\nIf an rsize value is not specified, or if the specified rsize value is larger\nthan the maximum that either client or server can support, the client and\nserver negotiate the largest rsize value that they can both support.\n\nThe rsize mount option as specified on the mount(8) command line appears in\nthe /etc/mtab file. However, the effective rsize value negotiated by the\nclient and server is reported in the /proc/mounts file.\n\nwsize=n The maximum number of bytes per network WRITE request that the NFS client can\nsend when writing data to a file on an NFS server. The actual data payload\nsize of each NFS WRITE request is equal to or smaller than the wsize setting.\nThe largest write payload supported by the Linux NFS client is 1,048,576 bytes\n(one megabyte).\n\nSimilar to rsize , the wsize value is a positive integral multiple of 1024.\nSpecified wsize values lower than 1024 are replaced with 4096; values larger\nthan 1048576 are replaced with 1048576. If a specified value is within the\nsupported range but not a multiple of 1024, it is rounded down to the nearest\nmultiple of 1024.\n\nIf a wsize value is not specified, or if the specified wsize value is larger\nthan the maximum that either client or server can support, the client and\nserver negotiate the largest wsize value that they can both support.\n\nThe wsize mount option as specified on the mount(8) command line appears in\nthe /etc/mtab file. However, the effective wsize value negotiated by the\nclient and server is reported in the /proc/mounts file.\n\nac / noac Selects whether the client may cache file attributes. If neither option is\nspecified (or if ac is specified), the client caches file attributes.\n\nTo improve performance, NFS clients cache file attributes. Every few seconds,\nan NFS client checks the server's version of each file's attributes for up‐\ndates. Changes that occur on the server in those small intervals remain unde‐\ntected until the client checks the server again. The noac option prevents\nclients from caching file attributes so that applications can more quickly de‐\ntect file changes on the server.\n\nIn addition to preventing the client from caching file attributes, the noac\noption forces application writes to become synchronous so that local changes\nto a file become visible on the server immediately. That way, other clients\ncan quickly detect recent writes when they check the file's attributes.\n\nUsing the noac option provides greater cache coherence among NFS clients ac‐\ncessing the same files, but it extracts a significant performance penalty. As\nsuch, judicious use of file locking is encouraged instead. The DATA AND META‐\nDATA COHERENCE section contains a detailed discussion of these trade-offs.\n\nacregmin=n The minimum time (in seconds) that the NFS client caches attributes of a regu‐\nlar file before it requests fresh attribute information from a server. If\nthis option is not specified, the NFS client uses a 3-second minimum. See the\nDATA AND METADATA COHERENCE section for a full discussion of attribute\ncaching.\n\nacregmax=n The maximum time (in seconds) that the NFS client caches attributes of a regu‐\nlar file before it requests fresh attribute information from a server. If\nthis option is not specified, the NFS client uses a 60-second maximum. See\nthe DATA AND METADATA COHERENCE section for a full discussion of attribute\ncaching.\n\nacdirmin=n The minimum time (in seconds) that the NFS client caches attributes of a di‐\nrectory before it requests fresh attribute information from a server. If this\noption is not specified, the NFS client uses a 30-second minimum. See the\nDATA AND METADATA COHERENCE section for a full discussion of attribute\ncaching.\n\nacdirmax=n The maximum time (in seconds) that the NFS client caches attributes of a di‐\nrectory before it requests fresh attribute information from a server. If this\noption is not specified, the NFS client uses a 60-second maximum. See the\nDATA AND METADATA COHERENCE section for a full discussion of attribute\ncaching.\n\nactimeo=n Using actimeo sets all of acregmin, acregmax, acdirmin, and acdirmax to the\nsame value. If this option is not specified, the NFS client uses the defaults\nfor each of these options listed above.\n\nbg / fg Determines how the mount(8) command behaves if an attempt to mount an export\nfails. The fg option causes mount(8) to exit with an error status if any part\nof the mount request times out or fails outright. This is called a \"fore‐\nground\" mount, and is the default behavior if neither the fg nor bg mount op‐\ntion is specified.\n\nIf the bg option is specified, a timeout or failure causes the mount(8) com‐\nmand to fork a child which continues to attempt to mount the export. The par‐\nent immediately returns with a zero exit code. This is known as a \"back‐\nground\" mount.\n\nIf the local mount point directory is missing, the mount(8) command acts as if\nthe mount request timed out. This permits nested NFS mounts specified in\n/etc/fstab to proceed in any order during system initialization, even if some\nNFS servers are not yet available. Alternatively these issues can be ad‐\ndressed using an automounter (refer to automount(8) for details).\n\nnconnect=n When using a connection oriented protocol such as TCP, it may sometimes be ad‐\nvantageous to set up multiple connections between the client and server. For\ninstance, if your clients and/or servers are equipped with multiple network\ninterface cards (NICs), using multiple connections to spread the load may im‐\nprove overall performance. In such cases, the nconnect option allows the user\nto specify the number of connections that should be established between the\nclient and server up to a limit of 16.\n\nNote that the nconnect option may also be used by some pNFS drivers to decide\nhow many connections to set up to the data servers.\n\nmaxconnect=n While nconnect option sets a limit on the number of connections that can be\nestablished to a given server IP, maxconnect option allows the user to spec‐\nify maximum number of connections to different server IPs that belong to the\nsame NFSv4.1+ server (session trunkable connections) up to a limit of 16. When\nclient discovers that it established a client ID to an already existing\nserver, instead of dropping the newly created network transport, the client\nwill add this new connection to the list of available transports for that RPC\nclient.\n\nrdirplus / nordirplus\nSelects whether to use NFS v3 or v4 READDIRPLUS requests. If this option is\nnot specified, the NFS client uses READDIRPLUS requests on NFS v3 or v4 mounts\nto read small directories. Some applications perform better if the client\nuses only READDIR requests for all directories.\n\nretry=n The number of minutes that the mount(8) command retries an NFS mount operation\nin the foreground or background before giving up. If this option is not spec‐\nified, the default value for foreground mounts is 2 minutes, and the default\nvalue for background mounts is 10000 minutes (80 minutes shy of one week). If\na value of zero is specified, the mount(8) command exits immediately after the\nfirst failure.\n\nNote that this only affects how many retries are made and doesn't affect the\ndelay caused by each retry. For UDP each retry takes the time determined by\nthe timeo and retrans options, which by default will be about 7 seconds. For\nTCP the default is 3 minutes, but system TCP connection timeouts will some‐\ntimes limit the timeout of each retransmission to around 2 minutes.\n\nsec=flavors A colon-separated list of one or more security flavors to use for accessing\nfiles on the mounted export. If the server does not support any of these fla‐\nvors, the mount operation fails. If sec= is not specified, the client at‐\ntempts to find a security flavor that both the client and the server supports.\nValid flavors are none, sys, krb5, krb5i, and krb5p. Refer to the SECURITY\nCONSIDERATIONS section for details.\n\nsharecache / nosharecache\nDetermines how the client's data cache and attribute cache are shared when\nmounting the same export more than once concurrently. Using the same cache\nreduces memory requirements on the client and presents identical file contents\nto applications when the same remote file is accessed via different mount\npoints.\n\nIf neither option is specified, or if the sharecache option is specified, then\na single cache is used for all mount points that access the same export. If\nthe nosharecache option is specified, then that mount point gets a unique\ncache. Note that when data and attribute caches are shared, the mount options\nfrom the first mount point take effect for subsequent concurrent mounts of the\nsame export.\n\nAs of kernel 2.6.18, the behavior specified by nosharecache is legacy caching\nbehavior. This is considered a data risk since multiple cached copies of the\nsame file on the same client can become out of sync following a local update\nof one of the copies.\n\nresvport / noresvport\nSpecifies whether the NFS client should use a privileged source port when com‐\nmunicating with an NFS server for this mount point. If this option is not\nspecified, or the resvport option is specified, the NFS client uses a privi‐\nleged source port. If the noresvport option is specified, the NFS client uses\na non-privileged source port. This option is supported in kernels 2.6.28 and\nlater.\n\nUsing non-privileged source ports helps increase the maximum number of NFS\nmount points allowed on a client, but NFS servers must be configured to allow\nclients to connect via non-privileged source ports.\n\nRefer to the SECURITY CONSIDERATIONS section for important details.\n\nlookupcache=mode\nSpecifies how the kernel manages its cache of directory entries for a given\nmount point. mode can be one of all, none, pos, or positive. This option is\nsupported in kernels 2.6.28 and later.\n\nThe Linux NFS client caches the result of all NFS LOOKUP requests. If the re‐\nquested directory entry exists on the server, the result is referred to as\npositive. If the requested directory entry does not exist on the server, the\nresult is referred to as negative.\n\nIf this option is not specified, or if all is specified, the client assumes\nboth types of directory cache entries are valid until their parent directory's\ncached attributes expire.\n\nIf pos or positive is specified, the client assumes positive entries are valid\nuntil their parent directory's cached attributes expire, but always revali‐\ndates negative entires before an application can use them.\n\nIf none is specified, the client revalidates both types of directory cache en‐\ntries before an application can use them. This permits quick detection of\nfiles that were created or removed by other clients, but can impact applica‐\ntion and server performance.\n\nThe DATA AND METADATA COHERENCE section contains a detailed discussion of\nthese trade-offs.\n\nfsc / nofsc Enable/Disables the cache of (read-only) data pages to the local disk using\nthe FS-Cache facility. See cachefilesd(8) and /Documenta‐\ntion/filesystems/caching for detail on how to configure the FS-Cache facility.\nDefault value is nofsc.\n\nsloppy The sloppy option is an alternative to specifying mount.nfs -s option.\n\n" }, { "name": "Options for NFS versions 2 and 3 only", "content": "Use these options, along with the options in the above subsection, for NFS versions 2 and 3\nonly.\n\nproto=netid The netid determines the transport that is used to communicate with the NFS\nserver. Available options are udp, udp6, tcp, tcp6, rdma, and rdma6. Those\nwhich end in 6 use IPv6 addresses and are only available if support for TI-RPC\nis built in. Others use IPv4 addresses.\n\nEach transport protocol uses different default retrans and timeo settings.\nRefer to the description of these two mount options for details.\n\nIn addition to controlling how the NFS client transmits requests to the\nserver, this mount option also controls how the mount(8) command communicates\nwith the server's rpcbind and mountd services. Specifying a netid that uses\nTCP forces all traffic from the mount(8) command and the NFS client to use\nTCP. Specifying a netid that uses UDP forces all traffic types to use UDP.\n\nBefore using NFS over UDP, refer to the TRANSPORT METHODS section.\n\nIf the proto mount option is not specified, the mount(8) command discovers\nwhich protocols the server supports and chooses an appropriate transport for\neach service. Refer to the TRANSPORT METHODS section for more details.\n\nudp The udp option is an alternative to specifying proto=udp. It is included for\ncompatibility with other operating systems.\n\nBefore using NFS over UDP, refer to the TRANSPORT METHODS section.\n\ntcp The tcp option is an alternative to specifying proto=tcp. It is included for\ncompatibility with other operating systems.\n\nrdma The rdma option is an alternative to specifying proto=rdma.\n\nport=n The numeric value of the server's NFS service port. If the server's NFS ser‐\nvice is not available on the specified port, the mount request fails.\n\nIf this option is not specified, or if the specified port value is 0, then the\nNFS client uses the NFS service port number advertised by the server's rpcbind\nservice. The mount request fails if the server's rpcbind service is not\navailable, the server's NFS service is not registered with its rpcbind ser‐\nvice, or the server's NFS service is not available on the advertised port.\n\nmountport=n The numeric value of the server's mountd port. If the server's mountd service\nis not available on the specified port, the mount request fails.\n\nIf this option is not specified, or if the specified port value is 0, then the\nmount(8) command uses the mountd service port number advertised by the\nserver's rpcbind service. The mount request fails if the server's rpcbind\nservice is not available, the server's mountd service is not registered with\nits rpcbind service, or the server's mountd service is not available on the\nadvertised port.\n\nThis option can be used when mounting an NFS server through a firewall that\nblocks the rpcbind protocol.\n\nmountproto=netid\nThe transport the NFS client uses to transmit requests to the NFS server's\nmountd service when performing this mount request, and when later unmounting\nthis mount point.\n\nnetid may be one of udp, and tcp which use IPv4 address or, if TI-RPC is built\ninto the mount.nfs command, udp6, and tcp6 which use IPv6 addresses.\n\nThis option can be used when mounting an NFS server through a firewall that\nblocks a particular transport. When used in combination with the proto op‐\ntion, different transports for mountd requests and NFS requests can be speci‐\nfied. If the server's mountd service is not available via the specified\ntransport, the mount request fails.\n\nRefer to the TRANSPORT METHODS section for more on how the mountproto mount\noption interacts with the proto mount option.\n\nmounthost=name The hostname of the host running mountd. If this option is not specified, the\nmount(8) command assumes that the mountd service runs on the same host as the\nNFS service.\n\nmountvers=n The RPC version number used to contact the server's mountd. If this option is\nnot specified, the client uses a version number appropriate to the requested\nNFS version. This option is useful when multiple NFS services are running on\nthe same remote server host.\n\nnamlen=n The maximum length of a pathname component on this mount. If this option is\nnot specified, the maximum length is negotiated with the server. In most\ncases, this maximum length is 255 characters.\n\nSome early versions of NFS did not support this negotiation. Using this op‐\ntion ensures that pathconf(3) reports the proper maximum component length to\napplications in such cases.\n\nlock / nolock Selects whether to use the NLM sideband protocol to lock files on the server.\nIf neither option is specified (or if lock is specified), NLM locking is used\nfor this mount point. When using the nolock option, applications can lock\nfiles, but such locks provide exclusion only against other applications run‐\nning on the same client. Remote applications are not affected by these locks.\n\nNLM locking must be disabled with the nolock option when using NFS to mount\n/var because /var contains files used by the NLM implementation on Linux. Us‐\ning the nolock option is also required when mounting exports on NFS servers\nthat do not support the NLM protocol.\n\ncto / nocto Selects whether to use close-to-open cache coherence semantics. If neither\noption is specified (or if cto is specified), the client uses close-to-open\ncache coherence semantics. If the nocto option is specified, the client uses a\nnon-standard heuristic to determine when files on the server have changed.\n\nUsing the nocto option may improve performance for read-only mounts, but\nshould be used only if the data on the server changes only occasionally. The\nDATA AND METADATA COHERENCE section discusses the behavior of this option in\nmore detail.\n\nacl / noacl Selects whether to use the NFSACL sideband protocol on this mount point. The\nNFSACL sideband protocol is a proprietary protocol implemented in Solaris that\nmanages Access Control Lists. NFSACL was never made a standard part of the NFS\nprotocol specification.\n\nIf neither acl nor noacl option is specified, the NFS client negotiates with\nthe server to see if the NFSACL protocol is supported, and uses it if the\nserver supports it. Disabling the NFSACL sideband protocol may be necessary\nif the negotiation causes problems on the client or server. Refer to the SE‐\nCURITY CONSIDERATIONS section for more details.\n\nlocallock=mechanism\nSpecifies whether to use local locking for any or both of the flock and the\nPOSIX locking mechanisms. mechanism can be one of all, flock, posix, or none.\nThis option is supported in kernels 2.6.37 and later.\n\nThe Linux NFS client provides a way to make locks local. This means, the ap‐\nplications can lock files, but such locks provide exclusion only against other\napplications running on the same client. Remote applications are not affected\nby these locks.\n\nIf this option is not specified, or if none is specified, the client assumes\nthat the locks are not local.\n\nIf all is specified, the client assumes that both flock and POSIX locks are\nlocal.\n\nIf flock is specified, the client assumes that only flock locks are local and\nuses NLM sideband protocol to lock files when POSIX locks are used.\n\nIf posix is specified, the client assumes that POSIX locks are local and uses\nNLM sideband protocol to lock files when flock locks are used.\n\nTo support legacy flock behavior similar to that of NFS clients < 2.6.12, use\n'locallock=flock'. This option is required when exporting NFS mounts via\nSamba as Samba maps Windows share mode locks as flock. Since NFS clients >\n2.6.12 implement flock by emulating POSIX locks, this will result in conflict‐\ning locks.\n\nNOTE: When used together, the 'locallock' mount option will be overridden by\n'nolock'/'lock' mount option.\n" }, { "name": "Options for NFS version 4 only", "content": "Use these options, along with the options in the first subsection above, for NFS version 4.0\nand newer.\n\nproto=netid The netid determines the transport that is used to communicate with the NFS\nserver. Supported options are tcp, tcp6, rdma, and rdma6. tcp6 use IPv6 ad‐\ndresses and is only available if support for TI-RPC is built in. Both others\nuse IPv4 addresses.\n\nAll NFS version 4 servers are required to support TCP, so if this mount option\nis not specified, the NFS version 4 client uses the TCP protocol. Refer to\nthe TRANSPORT METHODS section for more details.\n\nminorversion=n Specifies the protocol minor version number. NFSv4 introduces \"minor version‐\ning,\" where NFS protocol enhancements can be introduced without bumping the\nNFS protocol version number. Before kernel 2.6.38, the minor version is al‐\nways zero, and this option is not recognized. After this kernel, specifying\n\"minorversion=1\" enables a number of advanced features, such as NFSv4 ses‐\nsions.\n\nRecent kernels allow the minor version to be specified using the vers= option.\nFor example, specifying vers=4.1 is the same as specifying vers=4,minorver‐‐\nsion=1.\n\nport=n The numeric value of the server's NFS service port. If the server's NFS ser‐\nvice is not available on the specified port, the mount request fails.\n\nIf this mount option is not specified, the NFS client uses the standard NFS\nport number of 2049 without first checking the server's rpcbind service. This\nallows an NFS version 4 client to contact an NFS version 4 server through a\nfirewall that may block rpcbind requests.\n\nIf the specified port value is 0, then the NFS client uses the NFS service\nport number advertised by the server's rpcbind service. The mount request\nfails if the server's rpcbind service is not available, the server's NFS ser‐\nvice is not registered with its rpcbind service, or the server's NFS service\nis not available on the advertised port.\n\ncto / nocto Selects whether to use close-to-open cache coherence semantics for NFS direc‐\ntories on this mount point. If neither cto nor nocto is specified, the de‐\nfault is to use close-to-open cache coherence semantics for directories.\n\nFile data caching behavior is not affected by this option. The DATA AND META‐\nDATA COHERENCE section discusses the behavior of this option in more detail.\n\nclientaddr=n.n.n.n\n\nclientaddr=n:n:...:n\nSpecifies a single IPv4 address (in dotted-quad form), or a non-link-local\nIPv6 address, that the NFS client advertises to allow servers to perform NFS\nversion 4.0 callback requests against files on this mount point. If the\nserver is unable to establish callback connections to clients, performance may\ndegrade, or accesses to files may temporarily hang. Can specify a value of\nIPv4ANY (0.0.0.0) or equivalent IPv6 any address which will signal to the NFS\nserver that this NFS client does not want delegations.\n\nIf this option is not specified, the mount(8) command attempts to discover an\nappropriate callback address automatically. The automatic discovery process\nis not perfect, however. In the presence of multiple client network inter‐\nfaces, special routing policies, or atypical network topologies, the exact ad‐\ndress to use for callbacks may be nontrivial to determine.\n\nNFS protocol versions 4.1 and 4.2 use the client-established TCP connection\nfor callback requests, so do not require the server to connect to the client.\nThis option is therefore only affect NFS version 4.0 mounts.\n\nmigration / nomigration\nSelects whether the client uses an identification string that is compatible\nwith NFSv4 Transparent State Migration (TSM). If the mounted server supports\nNFSv4 migration with TSM, specify the migration option.\n\nSome server features misbehave in the face of a migration-compatible identifi‐\ncation string. The nomigration option retains the use of a traditional client\nindentification string which is compatible with legacy NFS servers. This is\nalso the behavior if neither option is specified. A client's open and lock\nstate cannot be migrated transparently when it identifies itself via a tradi‐\ntional identification string.\n\nThis mount option has no effect with NFSv4 minor versions newer than zero,\nwhich always use TSM-compatible client identification strings.\n" }, { "name": "nfs4 FILE SYSTEM TYPE", "content": "The nfs4 file system type is an old syntax for specifying NFSv4 usage. It can still be used\nwith all NFSv4-specific and common options, excepted the nfsvers mount option.\n" } ] }, "MOUNT CONFIGURATION FILE": { "content": "If the mount command is configured to do so, all of the mount options described in the previ‐\nous section can also be configured in the /etc/nfsmount.conf file. See nfsmount.conf(5) for\ndetails.\n", "subsections": [] }, "EXAMPLES": { "content": "mount option. To mount using NFS version 3, use the nfs file system type and specify the\nnfsvers=3 mount option. To mount using NFS version 4, use either the nfs file system type,\nwith the nfsvers=4 mount option, or the nfs4 file system type.\n\nThe following example from an /etc/fstab file causes the mount command to negotiate reason‐\nable defaults for NFS behavior.\n\nserver:/export /mnt nfs defaults 0 0\n\nThis example shows how to mount using NFS version 4 over TCP with Kerberos 5 mutual authenti‐\ncation.\n\nserver:/export /mnt nfs4 sec=krb5 0 0\n\nThis example shows how to mount using NFS version 4 over TCP with Kerberos 5 privacy or data\nintegrity mode.\n\nserver:/export /mnt nfs4 sec=krb5p:krb5i 0 0\n\nThis example can be used to mount /usr over NFS.\n\nserver:/export /usr nfs ro,nolock,nocto,actimeo=3600 0 0\n\nThis example shows how to mount an NFS server using a raw IPv6 link-local address.\n\n[fe80::215:c5ff:fb3e:e2b1%eth0]:/export /mnt nfs defaults 0 0\n", "subsections": [] }, "TRANSPORT METHODS": { "content": "NFS clients send requests to NFS servers via Remote Procedure Calls, or RPCs. The RPC client\ndiscovers remote service endpoints automatically, handles per-request authentication, adjusts\nrequest parameters for different byte endianness on client and server, and retransmits re‐\nquests that may have been lost by the network or server. RPC requests and replies flow over\na network transport.\n\nIn most cases, the mount(8) command, NFS client, and NFS server can automatically negotiate\nproper transport and data transfer size settings for a mount point. In some cases, however,\nit pays to specify these settings explicitly using mount options.\n\nTraditionally, NFS clients used the UDP transport exclusively for transmitting requests to\nservers. Though its implementation is simple, NFS over UDP has many limitations that prevent\nsmooth operation and good performance in some common deployment environments. Even an in‐\nsignificant packet loss rate results in the loss of whole NFS requests; as such, retransmit\ntimeouts are usually in the subsecond range to allow clients to recover quickly from dropped\nrequests, but this can result in extraneous network traffic and server load.\n\nHowever, UDP can be quite effective in specialized settings where the networks MTU is large\nrelative to NFSs data transfer size (such as network environments that enable jumbo Ethernet\nframes). In such environments, trimming the rsize and wsize settings so that each NFS read\nor write request fits in just a few network frames (or even in a single frame) is advised.\nThis reduces the probability that the loss of a single MTU-sized network frame results in the\nloss of an entire large read or write request.\n\nTCP is the default transport protocol used for all modern NFS implementations. It performs\nwell in almost every conceivable network environment and provides excellent guarantees\nagainst data corruption caused by network unreliability. TCP is often a requirement for\nmounting a server through a network firewall.\n\nUnder normal circumstances, networks drop packets much more frequently than NFS servers drop\nrequests. As such, an aggressive retransmit timeout setting for NFS over TCP is unneces‐\nsary. Typical timeout settings for NFS over TCP are between one and ten minutes. After the\nclient exhausts its retransmits (the value of the retrans mount option), it assumes a network\npartition has occurred, and attempts to reconnect to the server on a fresh socket. Since TCP\nitself makes network data transfer reliable, rsize and wsize can safely be allowed to default\nto the largest values supported by both client and server, independent of the network's MTU\nsize.\n", "subsections": [ { "name": "Using the mountproto mount option", "content": "This section applies only to NFS version 3 mounts since NFS version 4 does not use a separate\nprotocol for mount requests.\n\nThe Linux NFS client can use a different transport for contacting an NFS server's rpcbind\nservice, its mountd service, its Network Lock Manager (NLM) service, and its NFS service.\nThe exact transports employed by the Linux NFS client for each mount point depends on the\nsettings of the transport mount options, which include proto, mountproto, udp, and tcp.\n\nThe client sends Network Status Manager (NSM) notifications via UDP no matter what transport\noptions are specified, but listens for server NSM notifications on both UDP and TCP. The NFS\nAccess Control List (NFSACL) protocol shares the same transport as the main NFS service.\n\nIf no transport options are specified, the Linux NFS client uses UDP to contact the server's\nmountd service, and TCP to contact its NLM and NFS services by default.\n\nIf the server does not support these transports for these services, the mount(8) command at‐\ntempts to discover what the server supports, and then retries the mount request once using\nthe discovered transports. If the server does not advertise any transport supported by the\nclient or is misconfigured, the mount request fails. If the bg option is in effect, the\nmount command backgrounds itself and continues to attempt the specified mount request.\n\nWhen the proto option, the udp option, or the tcp option is specified but the mountproto op‐\ntion is not, the specified transport is used to contact both the server's mountd service and\nfor the NLM and NFS services.\n\nIf the mountproto option is specified but none of the proto, udp or tcp options are speci‐\nfied, then the specified transport is used for the initial mountd request, but the mount com‐\nmand attempts to discover what the server supports for the NFS protocol, preferring TCP if\nboth transports are supported.\n\nIf both the mountproto and proto (or udp or tcp) options are specified, then the transport\nspecified by the mountproto option is used for the initial mountd request, and the transport\nspecified by the proto option (or the udp or tcp options) is used for NFS, no matter what or‐\nder these options appear. No automatic service discovery is performed if these options are\nspecified.\n\nIf any of the proto, udp, tcp, or mountproto options are specified more than once on the same\nmount command line, then the value of the rightmost instance of each of these options takes\neffect.\n" }, { "name": "Using NFS over UDP on high-speed links", "content": "Using NFS over UDP on high-speed links such as Gigabit can cause silent data corruption.\n\nThe problem can be triggered at high loads, and is caused by problems in IP fragment reassem‐\nbly. NFS read and writes typically transmit UDP packets of 4 Kilobytes or more, which have to\nbe broken up into several fragments in order to be sent over the Ethernet link, which limits\npackets to 1500 bytes by default. This process happens at the IP network layer and is called\nfragmentation.\n\nIn order to identify fragments that belong together, IP assigns a 16bit IP ID value to each\npacket; fragments generated from the same UDP packet will have the same IP ID. The receiving\nsystem will collect these fragments and combine them to form the original UDP packet. This\nprocess is called reassembly. The default timeout for packet reassembly is 30 seconds; if the\nnetwork stack does not receive all fragments of a given packet within this interval, it as‐\nsumes the missing fragment(s) got lost and discards those it already received.\n\nThe problem this creates over high-speed links is that it is possible to send more than 65536\npackets within 30 seconds. In fact, with heavy NFS traffic one can observe that the IP IDs\nrepeat after about 5 seconds.\n\nThis has serious effects on reassembly: if one fragment gets lost, another fragment from a\ndifferent packet but with the same IP ID will arrive within the 30 second timeout, and the\nnetwork stack will combine these fragments to form a new packet. Most of the time, network\nlayers above IP will detect this mismatched reassembly - in the case of UDP, the UDP check‐\nsum, which is a 16 bit checksum over the entire packet payload, will usually not match, and\nUDP will discard the bad packet.\n\nHowever, the UDP checksum is 16 bit only, so there is a chance of 1 in 65536 that it will\nmatch even if the packet payload is completely random (which very often isn't the case). If\nthat is the case, silent data corruption will occur.\n\nThis potential should be taken seriously, at least on Gigabit Ethernet. Network speeds of\n100Mbit/s should be considered less problematic, because with most traffic patterns IP ID\nwrap around will take much longer than 30 seconds.\n\nIt is therefore strongly recommended to use NFS over TCP where possible, since TCP does not\nperform fragmentation.\n\nIf you absolutely have to use NFS over UDP over Gigabit Ethernet, some steps can be taken to\nmitigate the problem and reduce the probability of corruption:\n\nJumbo frames: Many Gigabit network cards are capable of transmitting frames bigger than the\n1500 byte limit of traditional Ethernet, typically 9000 bytes. Using jumbo\nframes of 9000 bytes will allow you to run NFS over UDP at a page size of 8K\nwithout fragmentation. Of course, this is only feasible if all involved sta‐\ntions support jumbo frames.\n\nTo enable a machine to send jumbo frames on cards that support it, it is suf‐\nficient to configure the interface for a MTU value of 9000.\n\nLower reassembly timeout:\nBy lowering this timeout below the time it takes the IP ID counter to wrap\naround, incorrect reassembly of fragments can be prevented as well. To do so,\nsimply write the new timeout value (in seconds) to the file\n/proc/sys/net/ipv4/ipfragtime.\n\nA value of 2 seconds will greatly reduce the probability of IPID clashes on a\nsingle Gigabit link, while still allowing for a reasonable timeout when re‐\nceiving fragmented traffic from distant peers.\n" } ] }, "DATA AND METADATA COHERENCE": { "content": "Some modern cluster file systems provide perfect cache coherence among their clients. Per‐\nfect cache coherence among disparate NFS clients is expensive to achieve, especially on wide\narea networks. As such, NFS settles for weaker cache coherence that satisfies the require‐\nments of most file sharing types.\n", "subsections": [ { "name": "Close-to-open cache consistency", "content": "Typically file sharing is completely sequential. First client A opens a file, writes some‐\nthing to it, then closes it. Then client B opens the same file, and reads the changes.\n\nWhen an application opens a file stored on an NFS version 3 server, the NFS client checks\nthat the file exists on the server and is permitted to the opener by sending a GETATTR or AC‐\nCESS request. The NFS client sends these requests regardless of the freshness of the file's\ncached attributes.\n\nWhen the application closes the file, the NFS client writes back any pending changes to the\nfile so that the next opener can view the changes. This also gives the NFS client an oppor‐\ntunity to report write errors to the application via the return code from close(2).\n\nThe behavior of checking at open time and flushing at close time is referred to as close-to-\nopen cache consistency, or CTO. It can be disabled for an entire mount point using the nocto\nmount option.\n" }, { "name": "Weak cache consistency", "content": "There are still opportunities for a client's data cache to contain stale data. The NFS ver‐\nsion 3 protocol introduced \"weak cache consistency\" (also known as WCC) which provides a way\nof efficiently checking a file's attributes before and after a single request. This allows a\nclient to help identify changes that could have been made by other clients.\n\nWhen a client is using many concurrent operations that update the same file at the same time\n(for example, during asynchronous write behind), it is still difficult to tell whether it was\nthat client's updates or some other client's updates that altered the file.\n" }, { "name": "Attribute caching", "content": "Use the noac mount option to achieve attribute cache coherence among multiple clients. Al‐\nmost every file system operation checks file attribute information. The client keeps this\ninformation cached for a period of time to reduce network and server load. When noac is in\neffect, a client's file attribute cache is disabled, so each operation that needs to check a\nfile's attributes is forced to go back to the server. This permits a client to see changes\nto a file very quickly, at the cost of many extra network operations.\n\nBe careful not to confuse the noac option with \"no data caching.\" The noac mount option pre‐\nvents the client from caching file metadata, but there are still races that may result in\ndata cache incoherence between client and server.\n\nThe NFS protocol is not designed to support true cluster file system cache coherence without\nsome type of application serialization. If absolute cache coherence among clients is re‐\nquired, applications should use file locking. Alternatively, applications can also open their\nfiles with the ODIRECT flag to disable data caching entirely.\n" }, { "name": "File timestamp maintenance", "content": "NFS servers are responsible for managing file and directory timestamps (atime, ctime, and\nmtime). When a file is accessed or updated on an NFS server, the file's timestamps are up‐\ndated just like they would be on a filesystem local to an application.\n\nNFS clients cache file attributes, including timestamps. A file's timestamps are updated on\nNFS clients when its attributes are retrieved from the NFS server. Thus there may be some\ndelay before timestamp updates on an NFS server appear to applications on NFS clients.\n\nTo comply with the POSIX filesystem standard, the Linux NFS client relies on NFS servers to\nkeep a file's mtime and ctime timestamps properly up to date. It does this by flushing local\ndata changes to the server before reporting mtime to applications via system calls such as\nstat(2).\n\nThe Linux client handles atime updates more loosely, however. NFS clients maintain good per‐\nformance by caching data, but that means that application reads, which normally update atime,\nare not reflected to the server where a file's atime is actually maintained.\n\nBecause of this caching behavior, the Linux NFS client does not support generic atime-related\nmount options. See mount(8) for details on these options.\n\nIn particular, the atime/noatime, diratime/nodiratime, relatime/norelatime, and stricta‐‐\ntime/nostrictatime mount options have no effect on NFS mounts.\n\n/proc/mounts may report that the relatime mount option is set on NFS mounts, but in fact the\natime semantics are always as described here, and are not like relatime semantics.\n" }, { "name": "Directory entry caching", "content": "The Linux NFS client caches the result of all NFS LOOKUP requests. If the requested direc‐\ntory entry exists on the server, the result is referred to as a positive lookup result. If\nthe requested directory entry does not exist on the server (that is, the server returned\nENOENT), the result is referred to as negative lookup result.\n\nTo detect when directory entries have been added or removed on the server, the Linux NFS\nclient watches a directory's mtime. If the client detects a change in a directory's mtime,\nthe client drops all cached LOOKUP results for that directory. Since the directory's mtime\nis a cached attribute, it may take some time before a client notices it has changed. See the\ndescriptions of the acdirmin, acdirmax, and noac mount options for more information about how\nlong a directory's mtime is cached.\n\nCaching directory entries improves the performance of applications that do not share files\nwith applications on other clients. Using cached information about directories can interfere\nwith applications that run concurrently on multiple clients and need to detect the creation\nor removal of files quickly, however. The lookupcache mount option allows some tuning of di‐\nrectory entry caching behavior.\n\nBefore kernel release 2.6.28, the Linux NFS client tracked only positive lookup results.\nThis permitted applications to detect new directory entries created by other clients quickly\nwhile still providing some of the performance benefits of caching. If an application depends\non the previous lookup caching behavior of the Linux NFS client, you can use lookupcache=pos‐‐\nitive.\n\nIf the client ignores its cache and validates every application lookup request with the\nserver, that client can immediately detect when a new directory entry has been either created\nor removed by another client. You can specify this behavior using lookupcache=none. The ex‐\ntra NFS requests needed if the client does not cache directory entries can exact a perfor‐\nmance penalty. Disabling lookup caching should result in less of a performance penalty than\nusing noac, and has no effect on how the NFS client caches the attributes of files.\n" }, { "name": "The sync mount option", "content": "The NFS client treats the sync mount option differently than some other file systems (refer\nto mount(8) for a description of the generic sync and async mount options). If neither sync\nnor async is specified (or if the async option is specified), the NFS client delays sending\napplication writes to the server until any of these events occur:\n\nMemory pressure forces reclamation of system memory resources.\n\nAn application flushes file data explicitly with sync(2), msync(2), or fsync(3).\n\nAn application closes a file with close(2).\n\nThe file is locked/unlocked via fcntl(2).\n\nIn other words, under normal circumstances, data written by an application may not immedi‐\nately appear on the server that hosts the file.\n\nIf the sync option is specified on a mount point, any system call that writes data to files\non that mount point causes that data to be flushed to the server before the system call re‐\nturns control to user space. This provides greater data cache coherence among clients, but\nat a significant performance cost.\n\nApplications can use the OSYNC open flag to force application writes to individual files to\ngo to the server immediately without the use of the sync mount option.\n" }, { "name": "Using file locks with NFS", "content": "The Network Lock Manager protocol is a separate sideband protocol used to manage file locks\nin NFS version 3. To support lock recovery after a client or server reboot, a second side‐\nband protocol -- known as the Network Status Manager protocol -- is also required. In NFS\nversion 4, file locking is supported directly in the main NFS protocol, and the NLM and NSM\nsideband protocols are not used.\n\nIn most cases, NLM and NSM services are started automatically, and no extra configuration is\nrequired. Configure all NFS clients with fully-qualified domain names to ensure that NFS\nservers can find clients to notify them of server reboots.\n\nNLM supports advisory file locks only. To lock NFS files, use fcntl(2) with the FGETLK and\nFSETLK commands. The NFS client converts file locks obtained via flock(2) to advisory\nlocks.\n\nWhen mounting servers that do not support the NLM protocol, or when mounting an NFS server\nthrough a firewall that blocks the NLM service port, specify the nolock mount option. NLM\nlocking must be disabled with the nolock option when using NFS to mount /var because /var\ncontains files used by the NLM implementation on Linux.\n\nSpecifying the nolock option may also be advised to improve the performance of a proprietary\napplication which runs on a single client and uses file locks extensively.\n" }, { "name": "NFS version 4 caching features", "content": "The data and metadata caching behavior of NFS version 4 clients is similar to that of earlier\nversions. However, NFS version 4 adds two features that improve cache behavior: change at‐\ntributes and file delegation.\n\nThe change attribute is a new part of NFS file and directory metadata which tracks data\nchanges. It replaces the use of a file's modification and change time stamps as a way for\nclients to validate the content of their caches. Change attributes are independent of the\ntime stamp resolution on either the server or client, however.\n\nA file delegation is a contract between an NFS version 4 client and server that allows the\nclient to treat a file temporarily as if no other client is accessing it. The server prom‐\nises to notify the client (via a callback request) if another client attempts to access that\nfile. Once a file has been delegated to a client, the client can cache that file's data and\nmetadata aggressively without contacting the server.\n\nFile delegations come in two flavors: read and write. A read delegation means that the\nserver notifies the client about any other clients that want to write to the file. A write\ndelegation means that the client gets notified about either read or write accessors.\n\nServers grant file delegations when a file is opened, and can recall delegations at any time\nwhen another client wants access to the file that conflicts with any delegations already\ngranted. Delegations on directories are not supported.\n\nIn order to support delegation callback, the server checks the network return path to the\nclient during the client's initial contact with the server. If contact with the client can‐\nnot be established, the server simply does not grant any delegations to that client.\n" } ] }, "SECURITY CONSIDERATIONS": { "content": "NFS servers control access to file data, but they depend on their RPC implementation to pro‐\nvide authentication of NFS requests. Traditional NFS access control mimics the standard mode\nbit access control provided in local file systems. Traditional RPC authentication uses a\nnumber to represent each user (usually the user's own uid), a number to represent the user's\ngroup (the user's gid), and a set of up to 16 auxiliary group numbers to represent other\ngroups of which the user may be a member.\n\nTypically, file data and user ID values appear unencrypted (i.e. \"in the clear\") on the net‐\nwork. Moreover, NFS versions 2 and 3 use separate sideband protocols for mounting, locking\nand unlocking files, and reporting system status of clients and servers. These auxiliary\nprotocols use no authentication.\n\nIn addition to combining these sideband protocols with the main NFS protocol, NFS version 4\nintroduces more advanced forms of access control, authentication, and in-transit data protec‐\ntion. The NFS version 4 specification mandates support for strong authentication and secu‐\nrity flavors that provide per-RPC integrity checking and encryption. Because NFS version 4\ncombines the function of the sideband protocols into the main NFS protocol, the new security\nfeatures apply to all NFS version 4 operations including mounting, file locking, and so on.\nRPCGSS authentication can also be used with NFS versions 2 and 3, but it does not protect\ntheir sideband protocols.\n\nThe sec mount option specifies the security flavor used for operations on behalf of users on\nthat NFS mount point. Specifying sec=krb5 provides cryptographic proof of a user's identity\nin each RPC request. This provides strong verification of the identity of users accessing\ndata on the server. Note that additional configuration besides adding this mount option is\nrequired in order to enable Kerberos security. Refer to the rpc.gssd(8) man page for de‐\ntails.\n\nTwo additional flavors of Kerberos security are supported: krb5i and krb5p. The krb5i secu‐\nrity flavor provides a cryptographically strong guarantee that the data in each RPC request\nhas not been tampered with. The krb5p security flavor encrypts every RPC request to prevent\ndata exposure during network transit; however, expect some performance impact when using in‐\ntegrity checking or encryption. Similar support for other forms of cryptographic security is\nalso available.\n", "subsections": [ { "name": "NFS version 4 filesystem crossing", "content": "The NFS version 4 protocol allows a client to renegotiate the security flavor when the client\ncrosses into a new filesystem on the server. The newly negotiated flavor effects only ac‐\ncesses of the new filesystem.\n\nSuch negotiation typically occurs when a client crosses from a server's pseudo-fs into one of\nthe server's exported physical filesystems, which often have more restrictive security set‐\ntings than the pseudo-fs.\n" }, { "name": "NFS version 4 Leases", "content": "In NFS version 4, a lease is a period during which a server irrevocably grants a client file\nlocks. Once the lease expires, the server may revoke those locks. Clients periodically re‐\nnew their leases to prevent lock revocation.\n\nAfter an NFS version 4 server reboots, each client tells the server about existing file open\nand lock state under its lease before operation can continue. If a client reboots, the\nserver frees all open and lock state associated with that client's lease.\n\nWhen establishing a lease, therefore, a client must identify itself to a server. Each client\npresents an arbitrary string to distinguish itself from other clients. The client adminis‐\ntrator can supplement the default identity string using the nfs4.nfs4uniqueid module param‐\neter to avoid collisions with other client identity strings.\n\nA client also uses a unique security flavor and principal when it establishes its lease. If\ntwo clients present the same identity string, a server can use client principals to distin‐\nguish between them, thus securely preventing one client from interfering with the other's\nlease.\n\nThe Linux NFS client establishes one lease on each NFS version 4 server. Lease management\noperations, such as lease renewal, are not done on behalf of a particular file, lock, user,\nor mount point, but on behalf of the client that owns that lease. A client uses a consistent\nidentity string, security flavor, and principal across client reboots to ensure that the\nserver can promptly reap expired lease state.\n\nWhen Kerberos is configured on a Linux NFS client (i.e., there is a /etc/krb5.keytab on that\nclient), the client attempts to use a Kerberos security flavor for its lease management oper‐\nations. Kerberos provides secure authentication of each client. By default, the client uses\nthe host/ or nfs/ service principal in its /etc/krb5.keytab for this purpose, as described in\nrpc.gssd(8).\n\nIf the client has Kerberos configured, but the server does not, or if the client does not\nhave a keytab or the requisite service principals, the client uses AUTHSYS and UID 0 for\nlease management.\n" }, { "name": "Using non-privileged source ports", "content": "NFS clients usually communicate with NFS servers via network sockets. Each end of a socket\nis assigned a port value, which is simply a number between 1 and 65535 that distinguishes\nsocket endpoints at the same IP address. A socket is uniquely defined by a tuple that in‐\ncludes the transport protocol (TCP or UDP) and the port values and IP addresses of both end‐\npoints.\n\nThe NFS client can choose any source port value for its sockets, but usually chooses a privi‐\nleged port. A privileged port is a port value less than 1024. Only a process with root\nprivileges may create a socket with a privileged source port.\n\nThe exact range of privileged source ports that can be chosen is set by a pair of sysctls to\navoid choosing a well-known port, such as the port used by ssh. This means the number of\nsource ports available for the NFS client, and therefore the number of socket connections\nthat can be used at the same time, is practically limited to only a few hundred.\n\nAs described above, the traditional default NFS authentication scheme, known as AUTHSYS, re‐\nlies on sending local UID and GID numbers to identify users making NFS requests. An NFS\nserver assumes that if a connection comes from a privileged port, the UID and GID numbers in\nthe NFS requests on this connection have been verified by the client's kernel or some other\nlocal authority. This is an easy system to spoof, but on a trusted physical network between\ntrusted hosts, it is entirely adequate.\n\nRoughly speaking, one socket is used for each NFS mount point. If a client could use non-\nprivileged source ports as well, the number of sockets allowed, and thus the maximum number\nof concurrent mount points, would be much larger.\n\nUsing non-privileged source ports may compromise server security somewhat, since any user on\nAUTHSYS mount points can now pretend to be any other when making NFS requests. Thus NFS\nservers do not support this by default. They explicitly allow it usually via an export op‐\ntion.\n\nTo retain good security while allowing as many mount points as possible, it is best to allow\nnon-privileged client connections only if the server and client both require strong authenti‐\ncation, such as Kerberos.\n" }, { "name": "Mounting through a firewall", "content": "A firewall may reside between an NFS client and server, or the client or server may block\nsome of its own ports via IP filter rules. It is still possible to mount an NFS server\nthrough a firewall, though some of the mount(8) command's automatic service endpoint discov‐\nery mechanisms may not work; this requires you to provide specific endpoint details via NFS\nmount options.\n\nNFS servers normally run a portmapper or rpcbind daemon to advertise their service endpoints\nto clients. Clients use the rpcbind daemon to determine:\n\nWhat network port each RPC-based service is using\n\nWhat transport protocols each RPC-based service supports\n\nThe rpcbind daemon uses a well-known port number (111) to help clients find a service end‐\npoint. Although NFS often uses a standard port number (2049), auxiliary services such as the\nNLM service can choose any unused port number at random.\n\nCommon firewall configurations block the well-known rpcbind port. In the absense of an\nrpcbind service, the server administrator fixes the port number of NFS-related services so\nthat the firewall can allow access to specific NFS service ports. Client administrators then\nspecify the port number for the mountd service via the mount(8) command's mountport option.\nIt may also be necessary to enforce the use of TCP or UDP if the firewall blocks one of those\ntransports.\n" }, { "name": "NFS Access Control Lists", "content": "Solaris allows NFS version 3 clients direct access to POSIX Access Control Lists stored in\nits local file systems. This proprietary sideband protocol, known as NFSACL, provides richer\naccess control than mode bits. Linux implements this protocol for compatibility with the So‐\nlaris NFS implementation. The NFSACL protocol never became a standard part of the NFS ver‐\nsion 3 specification, however.\n\nThe NFS version 4 specification mandates a new version of Access Control Lists that are se‐\nmantically richer than POSIX ACLs. NFS version 4 ACLs are not fully compatible with POSIX\nACLs; as such, some translation between the two is required in an environment that mixes\nPOSIX ACLs and NFS version 4.\n" } ] }, "THE REMOUNT OPTION": { "content": "Generic mount options such as rw and sync can be modified on NFS mount points using the re‐‐\nmount option. See mount(8) for more information on generic mount options.\n\nWith few exceptions, NFS-specific options are not able to be modified during a remount. The\nunderlying transport or NFS version cannot be changed by a remount, for example.\n\nPerforming a remount on an NFS file system mounted with the noac option may have unintended\nconsequences. The noac option is a combination of the generic option sync, and the NFS-spe‐\ncific option actimeo=0.\n", "subsections": [ { "name": "Unmounting after a remount", "content": "For mount points that use NFS versions 2 or 3, the NFS umount subcommand depends on knowing\nthe original set of mount options used to perform the MNT operation. These options are\nstored on disk by the NFS mount subcommand, and can be erased by a remount.\n\nTo ensure that the saved mount options are not erased during a remount, specify either the\nlocal mount directory, or the server hostname and export pathname, but not both, during a re‐\nmount. For example,\n\nmount -o remount,ro /mnt\n\nmerges the mount option ro with the mount options already saved on disk for the NFS server\nmounted at /mnt.\n" } ] }, "FILES": { "content": "/etc/fstab file system table\n\n/etc/nfsmount.conf\nConfiguration file for NFS mounts\n", "subsections": [] }, "NOTES": { "content": "Before 2.4.7, the Linux NFS client did not support NFS over TCP.\n\nBefore 2.4.20, the Linux NFS client used a heuristic to determine whether cached file data\nwas still valid rather than using the standard close-to-open cache coherency method described\nabove.\n\nStarting with 2.4.22, the Linux NFS client employs a Van Jacobsen-based RTT estimator to de‐\ntermine retransmit timeout values when using NFS over UDP.\n\nBefore 2.6.0, the Linux NFS client did not support NFS version 4.\n\nBefore 2.6.8, the Linux NFS client used only synchronous reads and writes when the rsize and\nwsize settings were smaller than the system's page size.\n\nThe Linux client's support for protocol versions depend on whether the kernel was built with\noptions CONFIGNFSV2, CONFIGNFSV3, CONFIGNFSV4, CONFIGNFSV41, and CONFIGNFSV42.\n", "subsections": [] }, "SEE ALSO": { "content": "fstab(5), mount(8), umount(8), mount.nfs(5), umount.nfs(5), exports(5), nfsmount.conf(5),\nnetconfig(5), ipv6(7), nfsd(8), sm-notify(8), rpc.statd(8), rpc.idmapd(8), rpc.gssd(8),\nrpc.svcgssd(8), kerberos(1)\n\nRFC 768 for the UDP specification.\nRFC 793 for the TCP specification.\nRFC 1813 for the NFS version 3 specification.\nRFC 1832 for the XDR specification.\nRFC 1833 for the RPC bind specification.\nRFC 2203 for the RPCSEC GSS API protocol specification.\nRFC 7530 for the NFS version 4.0 specification.\nRFC 5661 for the NFS version 4.1 specification.\nRFC 7862 for the NFS version 4.2 specification.\n\n\n\n9 October 2012 NFS(5)", "subsections": [] } }, "summary": "nfs - fstab format and options for the nfs file systems", "flags": [], "examples": [ "mount option. To mount using NFS version 3, use the nfs file system type and specify the", "nfsvers=3 mount option. To mount using NFS version 4, use either the nfs file system type,", "with the nfsvers=4 mount option, or the nfs4 file system type.", "The following example from an /etc/fstab file causes the mount command to negotiate reason‐", "able defaults for NFS behavior.", "server:/export /mnt nfs defaults 0 0", "This example shows how to mount using NFS version 4 over TCP with Kerberos 5 mutual authenti‐", "cation.", "server:/export /mnt nfs4 sec=krb5 0 0", "This example shows how to mount using NFS version 4 over TCP with Kerberos 5 privacy or data", "integrity mode.", "server:/export /mnt nfs4 sec=krb5p:krb5i 0 0", "This example can be used to mount /usr over NFS.", "server:/export /usr nfs ro,nolock,nocto,actimeo=3600 0 0", "This example shows how to mount an NFS server using a raw IPv6 link-local address.", "[fe80::215:c5ff:fb3e:e2b1%eth0]:/export /mnt nfs defaults 0 0" ], "see_also": [ { "name": "fstab", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/fstab/5/json" }, { "name": "mount", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/mount/8/json" }, { "name": "umount", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/umount/8/json" }, { "name": "mount.nfs", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/mount.nfs/5/json" }, { "name": "umount.nfs", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/umount.nfs/5/json" }, { "name": "exports", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/exports/5/json" }, { "name": "nfsmount.conf", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/nfsmount.conf/5/json" }, { "name": "netconfig", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/netconfig/5/json" }, { "name": "ipv6", "section": "7", "url": "https://www.chedong.com/phpMan.php/man/ipv6/7/json" }, { "name": "nfsd", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/nfsd/8/json" }, { "name": "sm-notify", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/sm-notify/8/json" }, { "name": "rpc.statd", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/rpc.statd/8/json" }, { "name": "rpc.idmapd", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/rpc.idmapd/8/json" }, { "name": "rpc.gssd", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/rpc.gssd/8/json" }, { "name": "rpc.svcgssd", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/rpc.svcgssd/8/json" }, { "name": "kerberos", "section": "1", "url": "https://www.chedong.com/phpMan.php/man/kerberos/1/json" } ] }