blob: 77e6299ac02d812a59a5b11ebe7b57d2adf7f57b [file] [log] [blame]
.\"@(#)rpc.mountd.8"
.\"
.\" Copyright (C) 1999 Olaf Kirch <okir@monad.swb.de>
.\" Modified by Paul Clements, 2004.
.\"
.TH rpc.mountd 8 "31 Dec 2009"
.SH NAME
rpc.mountd \- NFS mount daemon
.SH SYNOPSIS
.BI "/usr/sbin/rpc.mountd [" options "]"
.SH DESCRIPTION
The
.B rpc.mountd
daemon implements the server side of the NFS MOUNT protocol,
an NFS side protocol used by NFS version 2 [RFC1094] and NFS version 3 [RFC1813].
It also responds to requests from the Linux kernel to authenticate
clients and provides details of access permissions.
.PP
The NFS server
.RI ( nfsd )
maintains a cache of authentication and authorization information which
is used to identify the source of each request, and then what access
permissions that source has to any local filesystem. When required
information is not found in the cache, the server sends a request to
.B mountd
to fill in the missing information. Mountd uses a table of information
stored in
.B /var/lib/nfs/etab
and maintained by
.BR exportfs (8),
possibly based on the contents of
.BR exports (5),
to respond to each request.
.SS Mounting exported NFS File Systems
The NFS MOUNT protocol has several procedures.
The most important of these are
MNT (mount an export) and
UMNT (unmount an export).
.PP
A MNT request has two arguments: an explicit argument that
contains the pathname of the root directory of the export to be mounted,
and an implicit argument that is the sender's IP address.
.PP
When receiving a MNT request from an NFS client,
.B rpc.mountd
checks both the pathname and the sender's IP address against its export table.
If the sender is permitted to access the requested export,
.B rpc.mountd
returns an NFS file handle for the export's root directory to the client.
The client can then use the root file handle and NFS LOOKUP requests
to navigate the directory structure of the export.
.SS The rmtab File
The
.B rpc.mountd
daemon registers every successful MNT request by adding an entry to the
.I /var/lib/nfs/rmtab
file.
When receivng a UMNT request from an NFS client,
.B rpc.mountd
simply removes the matching entry from
.IR /var/lib/nfs/rmtab ,
as long as the access control list for that export allows that sender
to access the export.
.PP
Clients can discover the list of file systems an NFS server is
currently exporting, or the list of other clients that have mounted
its exports, by using the
.BR showmount (8)
command.
.BR showmount (8)
uses other procedures in the NFS MOUNT protocol to report information
about the server's exported file systems.
.PP
Note, however, that there is little to guarantee that the contents of
.I /var/lib/nfs/rmtab
are accurate.
A client may continue accessing an export even after invoking UMNT.
If the client reboots without sending a UMNT request, stale entries
remain for that client in
.IR /var/lib/nfs/rmtab .
.SS Mounting File Systems with NFSv4
Version 4 (and later) of NFS does not use a separate NFS MOUNT
protocol. Instead mounting is performed using regular NFS requests
handled by the NFS server in the Linux kernel
.RI ( nfsd ).
Consequently
.I /var/lib/nfs/rmtab
is not updated to reflect any NFSv4 activity.
.SH OPTIONS
.TP
.B \-d kind " or " \-\-debug kind
Turn on debugging. Valid kinds are: all, auth, call, general and parse.
.TP
.BR \-l " or " \-\-log\-auth
Enable logging of responses to authentication and access requests from
nfsd. Each response is then cached by the kernel for 30 minutes (or as set by
.B \-\-ttl
below), and will be refreshed after 15 minutes (half the ttl time) if
the relevant client remains active.
Note that
.B -l
is equivalent to
.B "-d auth"
and so can be enabled in
.B /etc/nfs.conf
with
.B "\[dq]debug = auth\[dq]"
in the
.B "[mountd]"
section.
.IP
.B rpc.mountd
will always log authentication responses to MOUNT requests when NFSv3 is
used, but to get similar logs for NFSv4, this option is required.
.TP
.BR \-i " or " \-\-cache\-use\-ipaddr
Normally each client IP address is matched against each host identifier
(name, wildcard, netgroup etc) found in
.B /etc/exports
and a combined identity is formed from all matching identifiers.
Often many clients will map to the same combined identity so performing
this mapping reduces the number of distinct access details that the
kernel needs to store.
Specifying the
.B \-i
option suppresses this mapping so that access to each filesystem is
requested and cached separately for each client IP address. Doing this
can increase the burden of updating the cache slightly, but can make the
log messages produced by the
.B -l
option easier to read.
.TP
.B \-T " or " \-\-ttl
Provide a time-to-live (TTL) for cached information given to the kernel.
The kernel will normally request an update if the information is needed
after half of this time has expired. Increasing the provided number,
which is in seconds, reduces the rate of cache update requests, and this
is particularly noticeable when these requests are logged with
.BR \-l .
However increasing also means that changes to hostname to address
mappings can take longer to be noticed.
The default TTL is 1800 (30 minutes).
.TP
.B \-F " or " \-\-foreground
Run in foreground (do not daemonize)
.TP
.B \-h " or " \-\-help
Display usage message.
.TP
.B \-o num " or " \-\-descriptors num
Set the limit of the number of open file descriptors to num. The
default is to leave the limit unchanged.
.TP
.B \-N mountd-version " or " \-\-no-nfs-version mountd-version
This option can be used to request that
.B rpc.mountd
do not offer certain versions of NFS. The current version of
.B rpc.mountd
can support both NFS version 2, 3 and 4. If the
either one of these version should not be offered,
.B rpc.mountd
must be invoked with the option
.B "\-\-no-nfs-version <vers>" .
.TP
.B \-n " or " \-\-no-tcp
Don't advertise TCP for mount.
.TP
.B \-p num " or " \-P num " or " \-\-port num
Specifies the port number used for RPC listener sockets.
If this option is not specified,
.B rpc.mountd
will try to consult
.IR /etc/services ,
if gets port succeed, set the same port for all listener socket,
otherwise chooses a random ephemeral port for each listener socket.
.IP
This option can be used to fix the port value of
.BR rpc.mountd 's
listeners when NFS MOUNT requests must traverse a firewall
between clients and servers.
.TP
.B \-H " prog or " \-\-ha-callout prog
Specify a high availability callout program.
This program receives callouts for all MOUNT and UNMOUNT requests.
This allows
.B rpc.mountd
to be used in a High Availability NFS (HA-NFS) environment.
.IP
The callout program is run with 4 arguments.
The first is
.B mount
or
.B unmount
depending on the reason for the callout.
The second will be the name of the client performing the mount.
The third will be the path that the client is mounting.
The last is the number of concurrent mounts that we believe the client
has of that path.
.IP
This callout is not needed with 2.6 and later kernels.
Instead, mount the nfsd filesystem on
.IR /proc/fs/nfsd .
.TP
.BI "\-s," "" " \-\-state\-directory\-path " directory
Specify a directory in which to place state information (etab and rmtab).
If this option is not specified the default of
.I /var/lib/nfs
is used.
.TP
.BI "\-r," "" " \-\-reverse\-lookup"
.B rpc.mountd
tracks IP addresses in the
.I rmtab
file. When a DUMP request is made (by
someone running
.BR "showmount -a" ,
for instance), it returns IP addresses instead
of hostnames by default. This option causes
.B rpc.mountd
to perform a reverse lookup on each IP address and return that hostname instead.
Enabling this can have a substantial negative effect on performance
in some situations.
.TP
.BR "\-t N" " or " "\-\-num\-threads=N " or " \-\-num\-threads N "
This option specifies the number of worker threads that rpc.mountd
spawns. The default is 1 thread, which is probably enough. More
threads are usually only needed for NFS servers which need to handle
mount storms of hundreds of NFS mounts in a few seconds, or when
your DNS server is slow or unreliable.
.TP
.B \-u " or " \-\-no-udp
Don't advertise UDP for mounting
.TP
.B \-V version " or " \-\-nfs-version version
This option can be used to request that
.B rpc.mountd
offer certain versions of NFS. The current version of
.B rpc.mountd
can support both NFS version 2 and the newer version 3.
.TP
.B \-v " or " \-\-version
Print the version of
.B rpc.mountd
and exit.
.TP
.B \-g " or " \-\-manage-gids
Accept requests from the kernel to map user id numbers into lists of
group id numbers for use in access control. An NFS request will
normally (except when using Kerberos or other cryptographic
authentication) contains a user-id and a list of group-ids. Due to a
limitation in the NFS protocol, at most 16 groups ids can be listed.
If you use the
.B \-g
flag, then the list of group ids received from the client will be
replaced by a list of group ids determined by an appropriate lookup on
the server. Note that the 'primary' group id is not affected so a
.B newgroup
command on the client will still be effective. This function requires
a Linux Kernel with version at least 2.6.21.
.SH CONFIGURATION FILE
Many of the options that can be set on the command line can also be
controlled through values set in the
.B [mountd]
or, in some cases, the
.B [nfsd]
sections of the
.I /etc/nfs.conf
configuration file.
Values recognized in the
.B [mountd]
section include
.BR manage-gids ,
.BR cache\-use\-ipaddr ,
.BR descriptors ,
.BR port ,
.BR threads ,
.BR ttl ,
.BR reverse-lookup ", and"
.BR state-directory-path ,
.B ha-callout
which each have the same effect as the option with the same name.
The values recognized in the
.B [nfsd]
section include
.BR TCP ,
.BR UDP ,
.BR vers2 ,
.BR vers3 ", and"
.B vers4
which each have same same meaning as given by
.BR rpc.nfsd (8).
.SH TCP_WRAPPERS SUPPORT
You can protect your
.B rpc.mountd
listeners using the
.B tcp_wrapper
library or
.BR iptables (8).
.PP
Note that the
.B tcp_wrapper
library supports only IPv4 networking.
.PP
Add the hostnames of NFS peers that are allowed to access
.B rpc.mountd
to
.IR /etc/hosts.allow .
Use the daemon name
.B mountd
even if the
.B rpc.mountd
binary has a different name.
.PP
Hostnames used in either access file will be ignored when
they can not be resolved into IP addresses.
For further information see the
.BR tcpd (8)
and
.BR hosts_access (5)
man pages.
.SS IPv6 and TI-RPC support
TI-RPC is a pre-requisite for supporting NFS on IPv6.
If TI-RPC support is built into
.BR rpc.mountd ,
it attempts to start listeners on network transports marked 'visible' in
.IR /etc/netconfig .
As long as at least one network transport listener starts successfully,
.B rpc.mountd
will operate.
.SH FILES
.TP 2.5i
.I /etc/exports
input file for
.BR exportfs ,
listing exports, export options, and access control lists
.TP 2.5i
.I /var/lib/nfs/rmtab
table of clients accessing server's exports
.SH SEE ALSO
.BR exportfs (8),
.BR exports (5),
.BR showmount (8),
.BR rpc.nfsd (8),
.BR rpc.rquotad (8),
.BR nfs (5),
.BR nfs.conf (5),
.BR tcpd (8),
.BR hosts_access (5),
.BR iptables (8),
.BR netconfig (5)
.sp
RFC 1094 - "NFS: Network File System Protocol Specification"
.br
RFC 1813 - "NFS Version 3 Protocol Specification"
.br
RFC 7530 - "Network File System (NFS) Version 4 Protocol"
.br
RFC 8881 - "Network File System (NFS) Version 4 Minor Version 1 Protocol"
.SH AUTHOR
Olaf Kirch, H. J. Lu, G. Allan Morris III, and a host of others.