18.7. The /etc/exports Configuration File


The /etc/exports file controls which file systems are exported to remote hosts and specifies options. Blank lines are ignored, comments can be made by starting a line with a hash mark (#), and long lines can be wrapped with a backslash (\).

Each exported file system should be on its own individual line, and any lists of authorized hosts placed after an exported file system must be separated by space characters. Options for each of the hosts must be placed in parentheses directly after the host identifier, without any spaces separating the host and the first parenthesis.

Valid host types are gss/krb5, gss/krb5i and gss/krb5p. These are the Kerberos security flavours; they take the place of a host name, as in gss/krb5p:/exports in the exportfs example in Section 18.7.1.1.

A line for an exported file system has the following structure:


<export> <host1>(<options>) <hostN>(<options>)...


In this structure, replace <export> with the directory being exported, replace <host1> with the host or network to which the export is being shared, and replace <options> with the options for that host or network. Additional hosts can be specified in a space separated list.

The following methods can be used to specify host names:

  • single host — Where one particular host is specified with a fully qualified domain name, hostname, or IP address.

  • wildcards — Where a * or ? character is used to take into account a grouping of fully qualified domain names that match a particular string of letters. Wildcards should not be used with IP addresses; however, it is possible for them to work accidentally if reverse DNS lookups fail.

    Be careful when using wildcards with fully qualified domain names, as they tend to be more exact than expected. For example, the use of *.example.com as a wildcard allows sales.example.com to access an exported file system, but not bob.sales.example.com. To match both possibilities both *.example.com and *.*.example.com must be specified. This describes the nfs-utils shipped with this release; the current exports(5) man page states that the wildcard characters also match dots, so on such a server *.example.com matches bob.sales.example.com as well. Check exports(5) on the server you are configuring, since the reach of a pattern differs between versions.

  • IP networks — Allows the matching of hosts based on their IP addresses within a larger network. For example, 192.168.0.0/28 allows the first 16 IP addresses, from 192.168.0.0 to 192.168.0.15, to access the exported file system, but not 192.168.0.16 and higher.

  • netgroups — Permits an NIS netgroup name, written as @<group-name>, to be used. This effectively puts the NIS server in charge of access control for this exported file system, where users can be added and removed from an NIS group without affecting /etc/exports.

In its simplest form, the /etc/exports file only specifies the exported directory and the hosts permitted to access it, as in the following example:

/exported/directory bob.example.com

In the example, bob.example.com can mount /exported/directory/. Because no options are specified in this example, the following default NFS options take effect:

  • ro — Mounts of the exported file system are read-only. Remote hosts are not able to make changes to the data shared on the file system. To allow hosts to make changes to the file system, the read/write (rw) option must be specified.

  • wdelay — Causes the NFS server to delay writing to the disk if it suspects another write request is imminent. This can improve performance by reducing the number of times the disk must be accessed by separate write commands, reducing write overhead. The no_wdelay option turns off this feature, but is only available when using the sync option.

  • root_squash — Prevents root users connected remotely from having root privileges and assigns them the user ID for the user nfsnobody. This effectively "squashes" the power of the remote root user to the lowest local user, preventing unauthorized alteration of files on the remote server. Alternatively, the no_root_squash option turns off root squashing. To squash every remote user, including root, use the all_squash option. To specify the user and group IDs to use with remote users from a particular host, use the anonuid and anongid options, respectively. In this case, a special user account can be created for remote NFS users to share and specify (anonuid=<uid-value>,anongid=<gid-value>), where <uid-value> is the user ID number and <gid-value> is the group ID number.

Important

By default, access control lists (ACLs) are supported by NFS under Red Hat Enterprise Linux. To disable this feature, specify the no_acl option when exporting the file system.

Each default for every exported file system must be explicitly overridden. For example, if the rw option is not specified, then the exported file system is shared as read-only. The following is a sample line from /etc/exports which overrides two default options:

/another/exported/directory 192.168.0.3(rw,sync)

In this example 192.168.0.3 can mount /another/exported/directory/ read/write and all transfers to disk are committed to the disk before the write request by the client is completed.

Additionally, other options are available where no default value is specified. These include the ability to disable sub-tree checking, allow access from insecure ports, and allow insecure file locks (necessary for certain early NFS client implementations). Refer to the exports man page for details on these lesser used options.

Warning

The format of the /etc/exports file is very precise, particularly in regards to use of the space character. Remember to always separate exported file systems from hosts and hosts from one another with a space character. However, there should be no other space characters in the file except on comment lines.

For example, the following two lines do not mean the same thing:

/home bob.example.com(rw)
/home bob.example.com (rw)

The first line allows only users from bob.example.com read/write access to the /home directory. The second line allows users from bob.example.com to mount the directory as read-only (the default), while the rest of the world can mount it read/write: the stray space turns (rw) into a separate entry with no host in front of it, which exportfs treats as the host * (everyone).
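To make the rules of this section concrete (the syntax at the top, the defaults, and the whitespace trap just above), here is a small parser and linter for /etc/exports. It is an added example, not code from the Red Hat guide or from nfs-utils. It assumes only the three defaults named in the text (ro, root_squash, wdelay), treats a bare (options) token as the host * the way exportfs does, and runs on a constructed sample file embedded in the block.

```python
"""Parse an /etc/exports file and flag entries that grant more than intended.

Added example, not code from the Red Hat guide or nfs-utils.
Assumptions: the defaults are the three named in the text (ro, root_squash,
wdelay); a token that is only "(options)" with nothing before the "(" is
treated the way exportfs treats it, as the host "*" (everyone).
"""
import re
from typing import Iterator, List, NamedTuple, Set

# Constructed sample. The fourth entry is the intended form, the fifth is
# the accidental-space form from the warning above, and the last entry is
# wrapped with a backslash.
SAMPLE_EXPORTS = r"""
# build farm exports
/exported/directory bob.example.com
/another/exported/directory 192.168.0.3(rw,sync)
/home bob.example.com(rw)
/home bob.example.com (rw)
/srv/build 192.168.0.0/28(rw,no_root_squash) \
           @buildhosts(rw,sync)
"""

DEFAULTS = {"ro", "root_squash", "wdelay"}
# Options that cancel each other; setting one removes the other.
OPPOSITES = {
    "rw": "ro", "ro": "rw",
    "root_squash": "no_root_squash", "no_root_squash": "root_squash",
    "wdelay": "no_wdelay", "no_wdelay": "wdelay",
    "secure": "insecure", "insecure": "secure",
    "subtree_check": "no_subtree_check", "no_subtree_check": "subtree_check",
}
# A host (possibly empty) followed by an optional (opt,opt=val,...) group.
TOKEN = re.compile(r"^(?P<host>[^()\s]*)(?:\((?P<opts>[^)]*)\))?$")


class Export(NamedTuple):
    path: str
    host: str
    options: Set[str]
    implicit_host: bool   # True when the host was omitted, i.e. a bare "(rw)"


def logical_lines(text: str) -> Iterator[str]:
    """Yield export lines with # comments stripped and \\-continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def effective_options(given: List[str]) -> Set[str]:
    """Apply the explicit options on top of the defaults, dropping opposites."""
    opts = set(DEFAULTS)
    for opt in given:
        name = opt.split("=", 1)[0]       # anonuid=65534 -> anonuid
        opts.discard(OPPOSITES.get(name, ""))
        opts.add(opt)
    return opts


def parse_exports(text: str) -> List[Export]:
    """One Export per (path, host) pair, with the effective option set."""
    exports = []
    for line in logical_lines(text):
        path, *hosts = line.split()
        for tok in hosts:
            m = TOKEN.match(tok)
            if not m:
                raise ValueError(f"malformed host token {tok!r} in {line!r}")
            host = m.group("host")
            given = [o for o in (m.group("opts") or "").split(",") if o]
            exports.append(Export(path, host or "*", effective_options(given), not host))
    return exports


def lint(exports: List[Export]) -> List[tuple]:
    """Return (path, host, code) findings a reviewer would want to see."""
    findings = []
    for e in exports:
        if e.implicit_host:       # almost always a stray space before "("
            findings.append((e.path, e.host, "implicit-host"))
        if e.host == "*" and "rw" in e.options:
            findings.append((e.path, e.host, "world-rw"))
        if "no_root_squash" in e.options:
            findings.append((e.path, e.host, "no_root_squash"))
        if "insecure" in e.options:
            findings.append((e.path, e.host, "insecure"))
    return findings


if __name__ == "__main__":
    for path, host, code in lint(parse_exports(SAMPLE_EXPORTS)):
        print(f"{code:15} {path} {host}")
```

Run against the sample, the linter reports the bare (rw) on the second /home line twice (once as an implicit host, once as a world-writable export) and the no_root_squash on /srv/build; the correctly written /home line and the read-only defaults produce nothing. Point parse_exports at the contents of a real /etc/exports to review it before running exportfs -r.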

18.7.1. The exportfs Command

Every file system being exported to remote users via NFS, as well as the access level for those file systems, are listed in the /etc/exports file. When the nfs service starts, the /usr/sbin/exportfs command launches and reads this file, passes control to rpc.mountd (if NFSv2 or NFSv3) for the actual mounting process, then to rpc.nfsd where the file systems are then available to remote users.

When issued manually, the /usr/sbin/exportfs command allows the root user to selectively export or unexport directories without restarting the NFS service. When given the proper options, the /usr/sbin/exportfs command writes the exported file systems to /var/lib/nfs/xtab. Since rpc.mountd refers to the xtab file when deciding access privileges to a file system, changes to the list of exported file systems take effect immediately.

The following is a list of commonly used options available for /usr/sbin/exportfs:

  • -r — Causes all directories listed in /etc/exports to be exported by constructing a new export list in /var/lib/nfs/xtab. This option effectively refreshes the export list with any changes that have been made to /etc/exports.

  • -a — Causes all directories to be exported or unexported, depending on what other options are passed to /usr/sbin/exportfs. If no other options are specified, /usr/sbin/exportfs exports all file systems specified in /etc/exports.

  • -o file-systems — Specifies directories to be exported that are not listed in /etc/exports. Replace file-systems with additional file systems to be exported. These file systems must be formatted in the same way they are specified in /etc/exports. Refer to Section 18.7, “The /etc/exports Configuration File” for more information on /etc/exports syntax. This option is often used to test an exported file system before adding it permanently to the list of file systems to be exported.

  • -i — Ignores /etc/exports; only options given from the command line are used to define exported file systems.

  • -u — Unexports all shared directories. The command /usr/sbin/exportfs -ua suspends NFS file sharing while keeping all NFS daemons up. To re-enable NFS sharing, type exportfs -r.

  • -v — Verbose operation, where the file systems being exported or unexported are displayed in greater detail when the exportfs command is executed.

If no options are passed to the /usr/sbin/exportfs command, it displays a list of currently exported file systems.

For more information about the /usr/sbin/exportfs command, refer to the exportfs man page.

18.7.1.1. Using exportfs with NFSv4


The exportfs command is used to maintain the NFS table of exported file systems. When typed in a terminal with no arguments, the exportfs command shows all the exported directories.

Since NFSv4 no longer utilizes the rpc.mountd protocol as was used in NFSv2 and NFSv3, the mounting of file systems has changed.

An NFSv4 client now has the ability to see all of the exports served by the NFSv4 server as a single file system, called the NFSv4 pseudo-file system. On Red Hat Enterprise Linux, the pseudo-file system is identified as a single, real file system, identified at export with the fsid=0 option.


For example, the following commands could be executed on an NFSv4 server:

mkdir /exports 
mkdir /exports/opt 
mkdir /exports/etc 
mount --bind /usr/local/opt /exports/opt 
mount --bind /usr/local/etc /exports/etc 
exportfs -o fsid=0,insecure,no_subtree_check gss/krb5p:/exports 
exportfs -o rw,nohide,insecure,no_subtree_check gss/krb5p:/exports/opt 
exportfs -o rw,nohide,insecure,no_subtree_check gss/krb5p:/exports/etc

In this example, clients are provided with multiple file systems to mount, by using the --bind option which creates unbreakable links. Note that these exports also carry the insecure option, which accepts requests from client source ports above 1024 (the secure default requires a privileged port); leave it out unless a client actually needs it.

Because of the pseudo-file systems feature, NFS version 2, 3 and 4 export configurations are not always compatible. For example, given the following directory tree:


/home
/home/sam 
/home/john
/home/joe

and the export:

/home *(rw,fsid=0,sync)

Using NFS version 2 or 3 (what mount negotiates here without -t nfs4), the following would work:

mount server:/home /mnt/home
ls /mnt/home/joe

Using v4 the following would work:

mount -t nfs4 server:/ /mnt/home
ls /mnt/home/joe

The difference is "server:/home" versus "server:/". To make the export configuration compatible with all versions, export the root file system (read-only) with fsid=0; fsid=0 signals the NFS server that this export is the root of the pseudo-file system. Exporting / to everyone in this way, even read-only, exposes the layout of the whole root file system, so a dedicated directory populated with bind mounts, as in the /exports example above, is the safer root whenever you can choose.

/ *(ro,fsid=0)
/home *(rw,sync,nohide)

Now with these exports, both "mount server:/home /mnt/home" and "mount -t nfs4 server:/home /mnt/home" work as expected.

