na_exportfs - exports or unexports a file system path,
making it available or unavailable, respectively, for
mounting by NFS clients.
exportfs
exportfs [ -v ] [ -io options ] path
exportfs -a [ -v ]
exportfs -b [ -v ] enable | disable save | nosave allhosts
| clientid[:clientid...] allpaths | path[:path...]
exportfs -c [ -v ] clientaddr[:clientaddr...] path [ [ ro
| rw | root ] [ sys | none | krb5 | krb5i | krb5p ] ]
exportfs -f [-n clientaddr | hostname] [path]
exportfs -h | -r [ -v ]
exportfs -p [ -v ] [options] path
exportfs -q | -s | -w | -z [ -v ] path
exportfs -u [ -v ] path | -a
Use the exportfs command to perform any of the following
tasks:
* Export or unexport a file system path.
* Add an export entry to or remove an export entry from
the /etc/exports file.
* Export or unexport all file system paths specified in
the /etc/exports file.
* Enable or disable fencing of specific NFS clients from
specific file system paths.
* Check whether NFS clients have a specific type of access
to a file system path.
* Flush entries from the access cache.
* Display exported file system paths and export options.
* Display the actual file system path corresponding to an
exported file system path.
* Save exported file system paths and their export options
into a file.
- (none)
- Displays all exported file system paths.
- path
- Exports a file system path without adding a
corresponding export entry to the /etc/exports
file. To override any export options specified
for the file system path in the /etc/exports
file, specify the -io options followed by a
comma-delimited list of export options. For more
information about export options, see
na_exports(5). Note: To export a file system
path and add a corresponding entry to the
/etc/exports file, use the -p option instead.
- -a
- Exports all file system paths specified in the
/etc/exports file. To export all file system
paths specified in the /etc/exports file and
unexport all file system paths not specified in
the /etc/exports file, use the -r option instead.
Note: Data ONTAP reexports a file system path
only if its persistent export options (those
specified in the /etc/exports file) are different
from its current export options, thus ensuring
that it does not expose NFS clients unnecessarily
to a brief moment during a reexport in which a
file system path is not available.
- -b
- Enables or disables fencing of specific NFS
clients from specific file system paths, giving
the NFS clients read-only or read-write access,
respectively. To enable fencing, specify the
enable option; to disable fencing, specify the
disable option. To update the /etc/exports file,
specify the save option; otherwise, specify the
nosave option. To affect all NFS clients, specify
the allhosts option; otherwise, specify a
colon-delimited list of NFS client identifiers.
To affect all exported file system paths, specify
the allpaths option; otherwise, specify a
colon-delimited list of file system paths. Data
ONTAP drains all of the NFS requests in its queue
before it enables or disables fencing, thereby
ensuring that all file writes are atomic. Note:
When you enable or disable fencing, Data ONTAP
moves the NFS client to the front of its new
access list (rw= or ro=). This reordering can
change your original export rules.
- -c
- Checks whether NFS clients have a specific type
of access to a file system path. You must specify
the IP addresses of the NFS clients (hostip)
and the exported (not actual) file system path
(path). To check whether the NFS client has
read-only, read-write, or root access to the file
system path, specify the ro, rw, or root option,
respectively. If you do not specify an access
type, Data ONTAP simply checks whether the NFS
client can mount the file system path. If you
specify an access type, you can also specify the
NFS client's security type: sys, none, krb5,
krb5i, or krb5p. If you do not specify a security
type, Data ONTAP assumes the NFS client's
security type is sys. Note: If Data ONTAP does
not find an entry in the access cache corresponding
to (1) the file system path and (2) the NFS
client's IP address, access type, and security
type, Data ONTAP (1) determines the NFS client's
host name from its IP address (for example, it
performs a reverse DNS lookup), (2) checks the
NFS client's host name, access type, and security
type against the file system path's export
options, and (3) adds the result to the access
cache as a new entry.
- -f
- Flushes entries from the access cache. Without
any arguments this option will flush all of the
access cache entries. To flush access cache
entries corresponding to a specific file system
path, specify the file system path. To flush
access cache entries corresponding to a specific
host, use the -n option with hostname or IP
address of the host. Note: To control when
access cache entries expire automatically, set
the options nfs.export.harvest.timeout,
nfs.export.neg.timeout, and nfs.export.pos.timeout.
For more information about these options,
see na_options(1).
- -h
- Displays help for all exportfs options.
- -i
- Ignores the options specified for a file system
path in the /etc/exports file. If you do not
specify the -i option with the -o option, Data
ONTAP uses the options specified for the file
system path in the /etc/exports file instead of
the options you specify on the command line.
- -o
- Specifies one or more export options for a file
system path as a comma-delimited list. For more
information about export options, see
na_exports(5). Note: To override the options
specified for the file system path in the
/etc/exports file, you must specify the -i and -o
options together.
- -p
- Exports a file system path and adds a corresponding
export entry to the /etc/exports file. If
you do not specify any export options, Data ONTAP
automatically exports the file system path with
the rw and -sec=sys export options. Use the -p
option to add a file system path to the
/etc/exports file without manually editing the
/etc/exports file. Note: Data ONTAP exports the
file system paths specified in the /etc/exports
file every time NFS starts up (for example, when
the filer reboots). For more information, see
na_exports(5).
- -q
- Displays the export options for a file system
path. Use the -q option to quickly view the
export options for a single file system path
without manually searching through the
/etc/exports file. In addition to displaying the
options, it also displays the ruleid for each
"rule" in the export. This ruleid is used to display
the in-memory and on-disk access cache for
each "rule". A rule is a set of host access permissions
defined for a security flavor in an export,
and a ruleid uniquely identifies a rule for as
long as the filer is up. For example:
exportfs -q /vol/vol0
/vol/vol0 -sec=krb5,(ruleid=2),rw
This means that the file system /vol/vol0 is
exported via the rule "rw" and this rule has a
ruleid of 2.
exportfs -q /vol/vol1
/vol/vol1 -sec=sys,(ruleid=2),rw,
sec=krb5,(ruleid=10),ro=172.16.27.0/24,rw=172.16.36.0/24
This means that the filesystem /vol/vol1 is
exported via the rule "rw" (ruleid 2) to everyone
who is coming with AUTH_SYS security and is also
exported via the rule
"ro=172.16.27.0/24,rw=172.16.36.0/24" (ruleid 10)
to everyone coming in with Kerberos.
- -r
- Exports all file system paths specified in the
/etc/exports file and unexports all file system
paths not specified in the /etc/exports file. To
export all file system paths specified in the
/etc/exports file without unexporting any file
system paths, use the -a option instead. Note:
Data ONTAP reexports a file system path only if
its persistent export options (those specified in
the /etc/exports file) are different from its
current export options, thus ensuring that it
does not expose NFS clients unnecessarily to a
brief moment during a reexport in which a file
system path is not available.
- -s
- Displays the actual file system path corresponding
to an exported file system path. Note:
Unless a file system path is exported with the
-actual option, its actual file system path is
the same as its exported file system path.
- -u
- Unexports a file system path. To unexport a single
file system path, specify the path; otherwise,
to unexport all file system paths specified
in the /etc/exports file, specify the -a option.
Note: The -u option does not remove export
entries from the /etc/exports file. To unexport
a file system path and remove its export entry
from the /etc/exports file, use the -z option
instead.
- -v
- Specifies that Data ONTAP should be verbose. Use
the -v option with any other option. For example,
specify the -v option with the -a option to
specify that Data ONTAP should display all file
system paths that it exports.
- -w
- Saves exported file system paths and their export
options into a file.
- -z
- Unexports a file system path and removes its
export entry from the /etc/exports file. Use the
-z option to remove a file system path from the
/etc/exports file without manually editing the
/etc/exports file. Note: By default, entries are
commented out rather than removed from the
/etc/exports file. To have entries actually
removed, switch off the
nfs.export.exportfs_comment_on_delete option. For
more information, see na_options(1).
- clientaddr
- An NFS client's IP address. Every IPv6
address must be enclosed within square
brackets (for example,
[7F52:85FC:774A:8AC::34]).
- clientid
- One of the following NFS client identifiers:
host name, IP address, netgroup, subnet, or
domain name. For more information, see
na_exports(5).
- options
- A comma-delimited list of export options.
For more information, see na_exports(5).
- path
- A file system path: for example, a path to a
volume, directory, or file.
When you export a file system path, specify the -p option
to add a corresponding entry to the /etc/exports file;
otherwise, specify the -i and -o options to override any
export options specified for the file system path in the
/etc/exports file with the export options you specify on
the command line.
When you specify the -b option (or the rw=, ro=, or root=
export option), you must specify one or more NFS client
identifiers as a colon-delimited list. An NFS client
identifier is a host name, IP address, netgroup, subnet,
or domain name. For more information about client identifiers,
see na_exports(5).
Unlike UNIX systems, Data ONTAP lets you export a file
system path even if one of its ancestors has been exported
already. For example, you can export /vol/vol0/home even
if /vol/vol0 has been exported already. However, you must
never export an ancestor with fewer access controls than
its children. Otherwise, NFS clients can mount the ancestor
to circumvent the children's access controls. For
example, suppose you export /vol/vol0 to all NFS clients
for read-write access (with the rw export option) and
/vol/vol0/home to all NFS clients for read-only access
(with the ro export option). If an NFS client mounts
/vol/vol0/home, it has read-only access to /vol/vol0/home.
But if an NFS client mounts /vol/vol0, it has read-write
access to /vol/vol0 and /vol/vol0/home. Thus, by mounting
/vol/vol0, an NFS client can circumvent the security
restrictions on /vol/vol0/home.
When an NFS client mounts a subpath of an exported file
system path, Data ONTAP applies the export options of the
exported file system path with the longest matching prefix.
For example, suppose the only exported file system
paths are /vol/vol0 and /vol/vol0/home. If an NFS client
mounts /vol/vol0/home/user1, Data ONTAP applies the export
options for /vol/vol0/home, not /vol/vol0, because
/vol/vol0/home has the longest matching prefix.
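The two rules above (ancestor exports must not be weaker than their children, and the longest matching prefix decides which options apply) can be checked mechanically. The following is an added example, not part of the original manual page or Data ONTAP: it assumes one "path -options" rule per line with "#" comments, compares only the rw client lists as literal strings, and does not handle multiple sec= rule blocks or quoted subnet forms.

```python
import posixpath

# Constructed sample in the "path -options" form shown on this page.
SAMPLE_EXPORTS = """\
/vol/vol0       -rw
/vol/vol0/home  -ro
/vol/vol1       -rw=10.45.67.0/24,ro
/vol/vol1/data  -rw=10.45.67.0/24
"""
ALL_HOSTS = "*"  # marker used here for a bare "rw" (no client list)

def parse_exports(text):
    """Return {path: {option: value or None}}; one rule per path assumed."""
    exports = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(None, 1)
        if not fields:
            continue
        opts = {}
        for opt in filter(None, "".join(fields[1:]).lstrip("-").split(",")):
            key, sep, val = opt.partition("=")
            opts[key] = val if sep else None
        exports[posixpath.normpath(fields[0])] = opts
    return exports

def writers(opts):
    """Client identifiers granted read-write access by one export."""
    if not opts:                      # no options at all: exported rw (see -p)
        return {ALL_HOSTS}
    if "rw" not in opts:
        return set()
    return {ALL_HOSTS} if opts["rw"] is None else set(opts["rw"].split(":"))

def is_ancestor(a, b):
    return a != b and (a == "/" or b.startswith(a + "/"))

def effective_export(exports, mount_path):
    """Longest matching prefix: the deepest export that contains mount_path."""
    p = posixpath.normpath(mount_path)
    hits = [e for e in exports if e == p or is_ancestor(e, p)]
    return max(hits, key=len) if hits else None

def audit(exports):
    """List (ancestor, child, writers the ancestor adds beyond the child)."""
    findings = []
    for anc, anc_opts in exports.items():
        for child, child_opts in exports.items():
            extra = writers(anc_opts) - writers(child_opts)
            if is_ancestor(anc, child) and extra and ALL_HOSTS not in writers(child_opts):
                findings.append((anc, child, sorted(extra)))
    return findings

if __name__ == "__main__":
    exports = parse_exports(SAMPLE_EXPORTS)
    print(effective_export(exports, "/vol/vol0/home/user1"))
    for finding in audit(exports):
        print("ancestor weaker than child:", finding)
```

Feed it the file produced by exportfs -w to audit the exports that are currently in effect rather than only the persistent ones.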
Managing the access cache
Whenever an NFS client attempts to access an exported file
system path, Data ONTAP checks the access cache for an
entry corresponding to (1) the file system path and (2)
the NFS client's IP address, access type, and security
type. If an entry exists, Data ONTAP grants or denies
access according to the value of the entry. If an entry
does not exist, Data ONTAP grants or denies access according
to the result of a comparison between (1) the file
system path's export options and (2) the NFS client's host
name, access type, and security type. In this case, Data
ONTAP looks up the client's host name (for example, Data
ONTAP performs a reverse DNS lookup) and adds a new entry
to the access cache. To manually add access cache
entries, use the -c option.
Note: The access cache associates an NFS client's access
rights with its IP address. Therefore, changes to an NFS
client's host name will not change its access rights until
the access cache is flushed. Data ONTAP automatically
flushes an access cache entry when (1) its corresponding
file system path is exported or unexported or (2) it
expires. To control the expiration of access cache
entries, set the nfs.export.harvest.timeout,
nfs.export.neg.timeout, and nfs.export.pos.timeout
options. For more information about these options, see
na_options(1). To manually flush access cache entries,
use the -f option.
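The consequence of keying the cache on the client's IP address is easiest to see in a small model. The following is an added example, not Data ONTAP code: the class, its rule table keyed by (path, access type, security type), and the host names are constructed for illustration, and entry expiry by timeout is left out.

```python
class AccessCache:
    """Model of the lookup order described above; not Data ONTAP code."""

    def __init__(self, rules, reverse_dns):
        self.rules = rules              # {(path, access, sec): set of host names}
        self.reverse_dns = reverse_dns  # {ip: host name}; stands in for DNS
        self.entries = {}               # (path, ip, access, sec) -> bool

    def check(self, ip, path, access="rw", sec="sys"):
        """Model of an access check (or exportfs -c): cache first, then rules."""
        key = (path, ip, access, sec)
        if key not in self.entries:                 # miss: resolve, compare, cache
            host = self.reverse_dns.get(ip)
            self.entries[key] = host in self.rules.get((path, access, sec), set())
        return self.entries[key]                    # hit: no name lookup happens

    def flush(self, path=None, ip=None):
        """Model of exportfs -f [-n clientaddr] [path]; no arguments flushes all."""
        def keep(key):
            return (path is not None and key[0] != path) or \
                   (ip is not None and key[1] != ip)
        self.entries = {k: v for k, v in self.entries.items() if keep(k)}


def stale_entry_demo():
    """Return (before, after DNS change, after flush) for one client address."""
    dns = {"192.168.208.51": "client1"}             # constructed sample mapping
    cache = AccessCache({("/vol/vol0", "rw", "sys"): {"client1"}}, dns)
    before = cache.check("192.168.208.51", "/vol/vol0")
    dns["192.168.208.51"] = "retired-host"          # address now names another host
    stale = cache.check("192.168.208.51", "/vol/vol0")
    cache.flush(ip="192.168.208.51")
    fresh = cache.check("192.168.208.51", "/vol/vol0")
    return before, stale, fresh

if __name__ == "__main__":
    print(stale_entry_demo())
```

The same holds for cached denials: a client that was refused before its reverse DNS entry existed stays refused until the entry expires or is flushed.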
Running exportfs on a vFiler unit
To run exportfs on a vFiler (TM) unit, use the vfiler run
command. All paths you specify must belong to the vFiler
unit. In addition, all IP addresses you specify must be
in the vFiler unit's ipspace. For more information, see
na_vfiler(1).
Debugging mount and access problems
To debug mount and access problems, (1) temporarily set
the nfs.mountd.trace option to on and (2) monitor related
messages that Data ONTAP displays and logs in the
/etc/messages file. Some common access problems include:
* Data ONTAP cannot determine an NFS client's host name
because it does not have a reverse DNS entry for it.
Add the NFS client's host name to the DNS, NIS or the
/etc/hosts file. Note: Data ONTAP cannot resolve an IPv6
address to multiple hostnames (including aliases) when
doing a reverse host name lookup.
* The root volume is exported with a file system path consisting
of a single forward slash (/), which misleads
some automounters. Export the file system path using a
different file system path name.
Exporting Origin Filer for FlexCache
Exporting a volume using the /etc/exports file does not
affect whether the volume is available to a FlexCache volume.
To enable a volume to be a FlexCache origin volume,
use the flexcache.access option.
Exporting file system paths
Each of the following commands exports /vol/vol0 to all
hosts for read-write access:
exportfs -p /vol/vol0
exportfs -io rw /vol/vol0
Each of the following commands exports /vol/vol0 to all
hosts for read-only access:
exportfs -p ro /vol/vol0
exportfs -io ro /vol/vol0
Each of the following commands exports /vol/vol0 to all
hosts on the 10.45.67.0 subnet with the 255.255.255.0 netmask
for read-write access:
exportfs -io rw=10.45.67.0/24 /vol/vol0
exportfs -io rw="network 10.45.67.0 netmask 255.255.255.0" /vol/vol0
exportfs -io rw="10.45.67.0 255.255.255.0" /vol/vol0
The following command exports /vol/vol0 to all hosts in
the FC21:71BE:B265:5204::49/64 subnet for read-write
access and to the NFS client with an IPv6 address of
F6C3:430A:B194:5CDA:6A91::83 for root access:
exportfs -io rw=[FC21:71BE:B265:5204::49]/64,\
root=[F6C3:420A:B194:5CDA:6A91::83] /vol/vol0
The following command exports /vol/vol0 to the hosts in
the trusted netgroup for root access, the hosts in the
friendly netgroup for read-write access, and all other
hosts for read-only access:
exportfs -io ro,root=@trusted,rw=@friendly /vol/vol0
The following command exports all file system paths specified
in the /etc/exports file:
exportfs -a
The following command exports all file system paths specified
in the /etc/exports file and unexports all file system
paths not specified in the /etc/exports file:
exportfs -r
Unexporting file system paths
The following command unexports /vol/vol0:
exportfs -u /vol/vol0
The following command unexports /vol/vol0 and removes its
export entry from the /etc/exports file:
exportfs -z /vol/vol0
The following command unexports all file system paths:
exportfs -ua
Displaying exported file system paths
The following command displays all exported file system
paths and their corresponding export options:
exportfs
The following command displays the export options for
/vol/vol0:
exportfs -q /vol/vol0
Enabling and disabling fencing
Suppose /vol/vol0 is exported with the following export
options:
-rw=pig:horse:cat:dog,ro=duck,anon=0
The following command enables fencing of cat from
/vol/vol0:
exportfs -b enable save cat /vol/vol0
Note: cat moves to the front of the ro= list for
/vol/vol0:
-rw=pig:horse:dog,ro=cat:duck,anon=0
The following command disables fencing of cat from
/vol/vol0:
exportfs -b disable save cat /vol/vol0
Note: cat moves to the front of the rw= list for
/vol/vol0:
-rw=cat:pig:horse:dog,ro=duck,anon=0
Checking an NFS client's access rights
The following command checks whether an NFS client with an
IPv4 address of 192.168.208.51 and a security type of sys
can mount /vol/vol0:
exportfs -c 192.168.208.51 /vol/vol0
The following command checks whether an NFS client with an
IPv4 address of 192.168.208.51 and a security type of none
has read-only access to /vol/vol0:
exportfs -c 192.168.208.51 /vol/vol0 ro none
The following command checks whether NFS clients with IPv6
address A124:59B2:D234:23F3::45, and IPv4 address
10.102.168.76, can mount /vol/vol0, with a security type
of sys:
exportfs -c [A124:59B2:D234:23F3::45]:10.102.168.76 /vol/vol0
Flushing entries from the access cache
The following command flushes all entries from the access
cache:
exportfs -f
The following command flushes all entries for /vol/vol0
from the access cache:
exportfs -f /vol/vol0
The following command flushes the entry whose IP is
1234:AD19:B23F:23F3::23 from the access cache:
exportfs -f -n [1234:AD19:B23F:23F3::23]
The following command flushes the entry corresponding to
the host client1 for /vol/vol0 from the access cache:
exportfs -f -n client1 /vol/vol0
Displaying an actual file system path
The following example displays the actual file system path
corresponding to /vol/vol0:
exportfs -s /vol/vol0
Note: The actual file system path will be the same as the
exported file system path unless the file system path was
exported with the -actual option.
Saving file system paths
The following example saves the file system paths and
export options for all currently and recently exported
file paths into /etc/exports.recent:
exportfs -w /etc/exports.recent
na_ipspace(1), na_options(1), na_vfiler(1), na_exports(5),
na_hosts(5), na_netgroup(5), na_passwd(5)