Provided by: nfs-common_2.6.4-3ubuntu5_amd64 bug

NAME

       nfs - fstab format and options for the nfs file systems

SYNOPSIS

       /etc/fstab

DESCRIPTION

       NFS  is  an  Internet  Standard  protocol  created  by  Sun  Microsystems in 1984. NFS was
       developed to allow file  sharing  between  systems  residing  on  a  local  area  network.
       Depending  on  kernel configuration, the Linux NFS client may support NFS versions 3, 4.0,
       4.1, or 4.2.

       The mount(8) command attaches a file system to the system's  name  space  hierarchy  at  a
       given  mount point.  The /etc/fstab file describes how mount(8) should assemble a system's
       file name hierarchy from various independent file systems (including file systems exported
       by  NFS  servers).   Each  line in the /etc/fstab file describes a single file system, its
       mount point, and a set of default mount options for that mount point.

       For NFS file system mounts, a line in the /etc/fstab file specifies the server  name,  the
       path name of the exported server directory to mount, the local directory that is the mount
       point, the type of file system that is being mounted, and a list  of  mount  options  that
       control  the  way  the filesystem is mounted and how the NFS client behaves when accessing
       files on this mount point.  The fifth and sixth fields on each line are not used  by  NFS,
       thus conventionally each contain the digit zero. For example:

               server:path   /mountpoint   fstype   option,option,...   0 0

       The  server's  hostname  and  export  pathname  are  separated by a colon, while the mount
       options are separated by commas. The remaining fields are separated by blanks or tabs.

       The server's hostname can be an unqualified hostname, a fully  qualified  domain  name,  a
       dotted  quad IPv4 address, or an IPv6 address enclosed in square brackets.  Link-local and
       site-local IPv6 addresses must be accompanied by an interface identifier.  See ipv6(7) for
       details on specifying raw IPv6 addresses.

       The fstype field contains "nfs".  Use of the "nfs4" fstype in /etc/fstab is deprecated.

MOUNT OPTIONS

       Refer  to  mount(8)  for  a  description  of  generic mount options available for all file
       systems. If you do not need to specify any mount options, use the generic option  defaults
       in /etc/fstab.

   Options supported by all versions
       These options are valid to use with any NFS version.

       nfsvers=n      The  NFS  protocol version number used to contact the server's NFS service.
                      If the server does not support the requested  version,  the  mount  request
                      fails.   If  this  option  is  not  specified, the client tries version 4.2
                      first, then negotiates down until it  finds  a  version  supported  by  the
                      server.

       vers=n         This  option  is  an alternative to the nfsvers option.  It is included for
                      compatibility with other operating systems

       soft / softerr / hard
                      Determines the recovery behavior of the NFS client  after  an  NFS  request
                      times out.  If no option is specified (or if the hard option is specified),
                      NFS requests are retried indefinitely.   If  either  the  soft  or  softerr
                      option is specified, then the NFS client fails an NFS request after retrans
                      retransmissions have been sent, causing the NFS client to return either the
                      error  EIO  (for  the soft option) or ETIMEDOUT (for the softerr option) to
                      the calling application.

                      NB: A so-called "soft" timeout can cause silent data corruption in  certain
                      cases.   As  such,  use  the  soft  or  softerr  option  only  when  client
                      responsiveness is more important than data integrity.  Using NFS  over  TCP
                      or  increasing  the  value  of  the retrans option may mitigate some of the
                      risks of using the soft or softerr option.

       softreval / nosoftreval
                      In cases where the NFS server is down, it may be useful to  allow  the  NFS
                      client  to  continue  to  serve  up  paths  and attributes from cache after
                      retrans attempts to revalidate that cache have timed out.   This  may,  for
                      instance, be helpful when trying to unmount a filesystem tree from a server
                      that is permanently down.

                      It is possible to combine softreval with the soft mount  option,  in  which
                      case  operations  that  cannot  be  served  up from cache will time out and
                      return an error after retrans attempts. The combination  with  the  default
                      hard  mount option implies those uncached operations will continue to retry
                      until a response is received from the server.

                      Note: the default mount option is nosoftreval which disallows  fallback  to
                      cache when revalidation fails, and instead follows the behavior dictated by
                      the hard or soft mount option.

       intr / nointr  This option is provided for backward compatibility.  It  is  ignored  after
                      kernel 2.6.25.

       timeo=n        The  time  in  deciseconds  (tenths of a second) the NFS client waits for a
                      response before it retries an NFS request.

                      For NFS over TCP the default timeo value is  600  (60  seconds).   The  NFS
                      client  performs  linear  backoff: After each retransmission the timeout is
                      increased by timeo up to the maximum of 600 seconds.

                      However, for NFS over  UDP,  the  client  uses  an  adaptive  algorithm  to
                      estimate  an  appropriate  timeout  value for frequently used request types
                      (such as  READ  and  WRITE  requests),  but  uses  the  timeo  setting  for
                      infrequently  used  request  types (such as FSINFO requests).  If the timeo
                      option is not specified, infrequently used request types are retried  after
                      1.1 seconds.  After each retransmission, the NFS client doubles the timeout
                      for that request, up to a maximum timeout length of 60 seconds.

       retrans=n      The number of times the NFS client retries a  request  before  it  attempts
                      further  recovery  action.  If the retrans option is not specified, the NFS
                      client tries each UDP request three times and each TCP request twice.

                      The NFS client generates a "server not responding"  message  after  retrans
                      retries,  then  attempts  further  recovery  (depending on whether the hard
                      mount option is in effect).

       rsize=n        The maximum number of bytes in each  network  READ  request  that  the  NFS
                      client  can  receive  when  reading data from a file on an NFS server.  The
                      actual data payload size of each NFS READ request is equal  to  or  smaller
                      than the rsize setting. The largest read payload supported by the Linux NFS
                      client is 1,048,576 bytes (one megabyte).

                      The rsize value is a positive integral multiple of 1024.   Specified  rsize
                      values  lower  than 1024 are replaced with 4096; values larger than 1048576
                      are replaced with 1048576. If a specified value  is  within  the  supported
                      range  but  not  a  multiple  of  1024,  it  is rounded down to the nearest
                      multiple of 1024.

                      If an rsize value is not specified, or if  the  specified  rsize  value  is
                      larger  than  the  maximum  that  either  client or server can support, the
                      client and server negotiate the largest rsize  value  that  they  can  both
                      support.

                      The rsize mount option as specified on the mount(8) command line appears in
                      the /etc/mtab file. However, the effective rsize value  negotiated  by  the
                      client and server is reported in the /proc/mounts file.

       wsize=n        The  maximum  number of bytes per network WRITE request that the NFS client
                      can send when writing data to a file on an  NFS  server.  The  actual  data
                      payload  size  of  each  NFS  WRITE request is equal to or smaller than the
                      wsize setting. The largest write payload supported by the Linux NFS  client
                      is 1,048,576 bytes (one megabyte).

                      Similar to rsize , the wsize value is a positive integral multiple of 1024.
                      Specified wsize values lower than  1024  are  replaced  with  4096;  values
                      larger  than  1048576  are  replaced  with 1048576. If a specified value is
                      within the supported range but not a multiple of 1024, it is  rounded  down
                      to the nearest multiple of 1024.

                      If  a  wsize  value  is  not  specified, or if the specified wsize value is
                      larger than the maximum that either  client  or  server  can  support,  the
                      client  and  server  negotiate  the  largest wsize value that they can both
                      support.

                      The wsize mount option as specified on the mount(8) command line appears in
                      the  /etc/mtab  file.  However, the effective wsize value negotiated by the
                      client and server is reported in the /proc/mounts file.

       ac / noac      Selects whether the client may cache file attributes. If neither option  is
                      specified (or if ac is specified), the client caches file attributes.

                      To  improve  performance,  NFS  clients  cache  file  attributes. Every few
                      seconds,  an  NFS  client  checks  the  server's  version  of  each  file's
                      attributes  for  updates.   Changes that occur on the server in those small
                      intervals remain undetected until the client checks the server  again.  The
                      noac   option  prevents  clients  from  caching  file  attributes  so  that
                      applications can more quickly detect file changes on the server.

                      In addition to preventing the client from caching file attributes, the noac
                      option  forces  application  writes  to  become  synchronous  so that local
                      changes to a file become visible on  the  server  immediately.   That  way,
                      other  clients  can quickly detect recent writes when they check the file's
                      attributes.

                      Using the noac option provides greater cache coherence  among  NFS  clients
                      accessing  the  same  files,  but  it  extracts  a  significant performance
                      penalty.  As such, judicious use of file  locking  is  encouraged  instead.
                      The  DATA  AND METADATA COHERENCE section contains a detailed discussion of
                      these trade-offs.

       acregmin=n     The minimum time (in seconds) that the NFS client caches  attributes  of  a
                      regular  file before it requests fresh attribute information from a server.
                      If this option is not specified, the NFS client uses  a  3-second  minimum.
                      See  the  DATA  AND  METADATA  COHERENCE  section  for a full discussion of
                      attribute caching.

       acregmax=n     The maximum time (in seconds) that the NFS client caches  attributes  of  a
                      regular  file before it requests fresh attribute information from a server.
                      If this option is not specified, the NFS client uses a  60-second  maximum.
                      See  the  DATA  AND  METADATA  COHERENCE  section  for a full discussion of
                      attribute caching.

       acdirmin=n     The minimum time (in seconds) that the NFS client caches  attributes  of  a
                      directory before it requests fresh attribute information from a server.  If
                      this option is not specified, the NFS client uses a 30-second minimum.  See
                      the  DATA AND METADATA COHERENCE section for a full discussion of attribute
                      caching.

       acdirmax=n     The maximum time (in seconds) that the NFS client caches  attributes  of  a
                      directory before it requests fresh attribute information from a server.  If
                      this option is not specified, the NFS client uses a 60-second maximum.  See
                      the  DATA AND METADATA COHERENCE section for a full discussion of attribute
                      caching.

       actimeo=n      Using actimeo sets all of acregmin, acregmax, acdirmin, and acdirmax to the
                      same  value.   If  this  option  is  not specified, the NFS client uses the
                      defaults for each of these options listed above.

       bg / fg        Determines how the mount(8) command behaves  if  an  attempt  to  mount  an
                      export  fails.   The fg option causes mount(8) to exit with an error status
                      if any part of the mount request times out  or  fails  outright.   This  is
                      called  a "foreground" mount, and is the default behavior if neither the fg
                      nor bg mount option is specified.

                      If the bg option is specified, a timeout or  failure  causes  the  mount(8)
                      command  to  fork  a  child which continues to attempt to mount the export.
                      The parent immediately returns with a zero exit code.  This is known  as  a
                      "background" mount.

                      If the local mount point directory is missing, the mount(8) command acts as
                      if the mount request timed out.  This permits nested NFS  mounts  specified
                      in /etc/fstab to proceed in any order during system initialization, even if
                      some NFS servers are not yet available.  Alternatively these issues can  be
                      addressed using an automounter (refer to automount(8) for details).

       nconnect=n     When  using a connection oriented protocol such as TCP, it may sometimes be
                      advantageous to set up multiple connections between the client and  server.
                      For  instance,  if  your  clients and/or servers are equipped with multiple
                      network interface cards (NICs), using multiple connections  to  spread  the
                      load  may  improve overall performance.  In such cases, the nconnect option
                      allows the user to  specify  the  number  of  connections  that  should  be
                      established between the client and server up to a limit of 16.

                      Note  that  the  nconnect  option  may also be used by some pNFS drivers to
                      decide how many connections to set up to the data servers.

       rdirplus / nordirplus
                      Selects whether to use NFS v3 or v4 READDIRPLUS requests.  If  this  option
                      is  not specified, the NFS client uses READDIRPLUS requests on NFS v3 or v4
                      mounts to read small directories.  Some applications perform better if  the
                      client uses only READDIR requests for all directories.

       retry=n        The  number  of  minutes  that  the  mount(8)  command retries an NFS mount
                      operation in the foreground or background before giving up.  If this option
                      is not specified, the default value for foreground mounts is 2 minutes, and
                      the default value for background mounts is 10000 minutes (80 minutes shy of
                      one  week).   If  a  value of zero is specified, the mount(8) command exits
                      immediately after the first failure.

                      Note that this only affects how many retries are made  and  doesn't  affect
                      the  delay  caused  by  each  retry.   For  UDP  each  retry takes the time
                      determined by the timeo and retrans options, which by default will be about
                      7  seconds.   For  TCP  the default is 3 minutes, but system TCP connection
                      timeouts will sometimes limit the timeout of each retransmission to  around
                      2 minutes.

       sec=flavors    A colon-separated list of one or more security flavors to use for accessing
                      files on the mounted export. If the server does not support  any  of  these
                      flavors,  the  mount operation fails.  If sec= is not specified, the client
                      attempts to find a security flavor that both  the  client  and  the  server
                      supports.   Valid  flavors are none, sys, krb5, krb5i, and krb5p.  Refer to
                      the SECURITY CONSIDERATIONS section for details.

       sharecache / nosharecache
                      Determines how the client's data cache and attribute cache are shared  when
                      mounting the same export more than once concurrently.  Using the same cache
                      reduces memory requirements on  the  client  and  presents  identical  file
                      contents  to  applications  when  the  same  remote  file  is  accessed via
                      different mount points.

                      If neither option is specified, or if the sharecache option  is  specified,
                      then  a  single  cache  is  used  for all mount points that access the same
                      export.  If the nosharecache option is specified,  then  that  mount  point
                      gets  a unique cache.  Note that when data and attribute caches are shared,
                      the mount options from the first mount point  take  effect  for  subsequent
                      concurrent mounts of the same export.

                      As  of  kernel  2.6.18,  the  behavior  specified by nosharecache is legacy
                      caching behavior. This is considered a  data  risk  since  multiple  cached
                      copies of the same file on the same client can become out of sync following
                      a local update of one of the copies.

       resvport / noresvport
                      Specifies whether the NFS client should use a privileged source  port  when
                      communicating  with  an NFS server for this mount point.  If this option is
                      not specified, or the resvport option is specified, the NFS client  uses  a
                      privileged  source  port.   If  the noresvport option is specified, the NFS
                      client uses a non-privileged source port.   This  option  is  supported  in
                      kernels 2.6.28 and later.

                      Using  non-privileged source ports helps increase the maximum number of NFS
                      mount points allowed on a client, but NFS servers  must  be  configured  to
                      allow clients to connect via non-privileged source ports.

                      Refer to the SECURITY CONSIDERATIONS section for important details.

       lookupcache=mode
                      Specifies how the kernel manages its cache of directory entries for a given
                      mount point.  mode can be one of all, none, pos, or positive.  This  option
                      is supported in kernels 2.6.28 and later.

                      The  Linux NFS client caches the result of all NFS LOOKUP requests.  If the
                      requested directory entry exists on the server, the result is  referred  to
                      as  positive.   If  the  requested  directory  entry  does not exist on the
                      server, the result is referred to as negative.

                      If this option is not specified, or if all is specified, the client assumes
                      both  types  of  directory  cache  entries  are  valid  until  their parent
                      directory's cached attributes expire.

                      If pos or positive is specified, the client assumes  positive  entries  are
                      valid  until  their parent directory's cached attributes expire, but always
                      revalidates negative entires before an application can use them.

                      If none is specified, the client revalidates both types of directory  cache
                      entries  before  an application can use them.  This permits quick detection
                      of files that were created or removed by  other  clients,  but  can  impact
                      application and server performance.

                      The  DATA  AND METADATA COHERENCE section contains a detailed discussion of
                      these trade-offs.

       fsc / nofsc    Enable/Disables the cache of (read-only) data pages to the local disk using
                      the       FS-Cache       facility.       See       cachefilesd(8)       and
                      <kernel_source>/Documentation/filesystems/caching  for  detail  on  how  to
                      configure the FS-Cache facility.  Default value is nofsc.

       sloppy         The sloppy option is an alternative to specifying mount.nfs -s option.

       xprtsec=policy Specifies  the  use  of  transport  layer  security  to protect NFS network
                      traffic on behalf of this mount point.  policy can be one of none, tls,  or
                      mtls.

                      If  none  is specified, transport layer security is forced off, even if the
                      NFS server supports transport layer security.

                      If tls is specified, the client uses  RPC-with-TLS  to  provide  in-transit
                      confidentiality.

                      If  mtls  is specified, the client uses RPC-with-TLS to authenticate itself
                      and to provide in-transit confidentiality.

                      If either tls or mtls is specified and the server  does  not  support  RPC-
                      with-TLS or peer authentication fails, the mount attempt fails.

                      If  the  xprtsec=  option is not specified, the default behavior depends on
                      the kernel version, but is usually equivalent to xprtsec=none.

   Options for NFS versions 2 and 3 only
       Use these options, along with the options in the above subsection, for NFS versions 2  and
       3 only.

       proto=netid    The netid determines the transport that is used to communicate with the NFS
                      server.  Available options are udp,  udp6,  tcp,  tcp6,  rdma,  and  rdma6.
                      Those  which  end in 6 use IPv6 addresses and are only available if support
                      for TI-RPC is built in. Others use IPv4 addresses.

                      Each transport protocol uses different default retrans and timeo  settings.
                      Refer to the description of these two mount options for details.

                      In  addition  to  controlling  how the NFS client transmits requests to the
                      server,  this  mount  option  also  controls  how  the   mount(8)   command
                      communicates  with  the server's rpcbind and mountd services.  Specifying a
                      netid that uses TCP forces all traffic from the mount(8)  command  and  the
                      NFS client to use TCP.  Specifying a netid that uses UDP forces all traffic
                      types to use UDP.

                      Before using NFS over UDP, refer to the TRANSPORT METHODS section.

                      If the proto mount option is not specified, the mount(8) command  discovers
                      which  protocols  the  server supports and chooses an appropriate transport
                      for each service.  Refer to the TRANSPORT METHODS section for more details.

       udp            The udp option is an alternative to specifying proto=udp.  It  is  included
                      for compatibility with other operating systems.

                      Before using NFS over UDP, refer to the TRANSPORT METHODS section.

       tcp            The  tcp  option is an alternative to specifying proto=tcp.  It is included
                      for compatibility with other operating systems.

       rdma           The rdma option is an alternative to specifying proto=rdma.

       port=n         The numeric value of the server's NFS service port.  If  the  server's  NFS
                      service is not available on the specified port, the mount request fails.

                      If  this option is not specified, or if the specified port value is 0, then
                      the NFS client uses the NFS service port number advertised by the  server's
                      rpcbind  service.   The mount request fails if the server's rpcbind service
                      is not available, the server's NFS  service  is  not  registered  with  its
                      rpcbind  service,  or  the  server's  NFS  service  is not available on the
                      advertised port.

       mountport=n    The numeric value of the server's mountd  port.   If  the  server's  mountd
                      service is not available on the specified port, the mount request fails.

                      If  this option is not specified, or if the specified port value is 0, then
                      the mount(8) command uses the mountd service port number advertised by  the
                      server's  rpcbind service.  The mount request fails if the server's rpcbind
                      service is not available, the server's mountd  service  is  not  registered
                      with  its  rpcbind service, or the server's mountd service is not available
                      on the advertised port.

                      This option can be used when mounting an NFS server through a firewall that
                      blocks the rpcbind protocol.

       mountproto=netid
                      The  transport the NFS client uses to transmit requests to the NFS server's
                      mountd  service  when  performing  this  mount  request,  and  when   later
                      unmounting this mount point.

                      netid  may  be  one of udp, and tcp which use IPv4 address or, if TI-RPC is
                      built into the mount.nfs command, udp6, and tcp6 which use IPv6 addresses.

                      This option can be used when mounting an NFS server through a firewall that
                      blocks  a  particular  transport.   When used in combination with the proto
                      option, different transports for mountd requests and NFS  requests  can  be
                      specified.   If  the  server's  mountd  service  is  not  available via the
                      specified transport, the mount request fails.

                      Refer to the TRANSPORT METHODS section for more on how the mountproto mount
                      option interacts with the proto mount option.

       mounthost=name The  hostname of the host running mountd.  If this option is not specified,
                      the mount(8) command assumes that the mountd service runs on the same  host
                      as the NFS service.

       mountvers=n    The RPC version number used to contact the server's mountd.  If this option
                      is not specified, the client uses  a  version  number  appropriate  to  the
                      requested  NFS  version.   This option is useful when multiple NFS services
                      are running on the same remote server host.

       namlen=n       The maximum length of a pathname component on this mount.  If  this  option
                      is not specified, the maximum length is negotiated with the server. In most
                      cases, this maximum length is 255 characters.

                      Some early versions of NFS did not support this  negotiation.   Using  this
                      option ensures that pathconf(3) reports the proper maximum component length
                      to applications in such cases.

       lock / nolock  Selects whether to use the NLM sideband  protocol  to  lock  files  on  the
                      server.   If  neither  option  is  specified (or if lock is specified), NLM
                      locking is used for this  mount  point.   When  using  the  nolock  option,
                      applications  can lock files, but such locks provide exclusion only against
                      other applications running on the same client.  Remote applications are not
                      affected by these locks.

                      NLM locking must be disabled with the nolock option when using NFS to mount
                      /var because /var contains files used by the NLM implementation  on  Linux.
                      Using  the  nolock  option  is  also  required when mounting exports on NFS
                      servers that do not support the NLM protocol.

       cto / nocto    Selects whether to use close-to-open cache coherence semantics.  If neither
                      option is specified (or if cto is specified), the client uses close-to-open
                      cache coherence semantics. If the nocto option  is  specified,  the  client
                      uses  a  non-standard  heuristic to determine when files on the server have
                      changed.

                      Using the nocto option may improve performance for  read-only  mounts,  but
                      should  be  used  only if the data on the server changes only occasionally.
                      The DATA AND METADATA COHERENCE section  discusses  the  behavior  of  this
                      option in more detail.

       acl / noacl    Selects  whether  to  use the NFSACL sideband protocol on this mount point.
                      The NFSACL sideband protocol  is  a  proprietary  protocol  implemented  in
                      Solaris that manages Access Control Lists. NFSACL was never made a standard
                      part of the NFS protocol specification.

                      If neither acl nor noacl option is specified,  the  NFS  client  negotiates
                      with  the server to see if the NFSACL protocol is supported, and uses it if
                      the server supports it.  Disabling the  NFSACL  sideband  protocol  may  be
                      necessary  if  the  negotiation  causes  problems  on the client or server.
                      Refer to the SECURITY CONSIDERATIONS section for more details.

       local_lock=mechanism
                      Specifies whether to use local locking for any or both of the flock and the
                      POSIX  locking  mechanisms.   mechanism can be one of all, flock, posix, or
                      none.  This option is supported in kernels 2.6.37 and later.

                      The Linux NFS client provides a way to make locks local.  This  means,  the
                      applications  can lock files, but such locks provide exclusion only against
                      other applications running on the same client. Remote applications are  not
                      affected by these locks.

                      If  this  option  is  not  specified,  or  if none is specified, the client
                      assumes that the locks are not local.

                      If all is specified, the client assumes that both flock and POSIX locks are
                      local.

                      If  flock  is specified, the client assumes that only flock locks are local
                      and uses NLM sideband protocol to lock files when POSIX locks are used.

                      If posix is specified, the client assumes that POSIX locks  are  local  and
                      uses NLM sideband protocol to lock files when flock locks are used.

                      To  support  legacy flock behavior similar to that of NFS clients < 2.6.12,
                      use 'local_lock=flock'. This option is required when exporting  NFS  mounts
                      via  Samba  as  Samba  maps  Windows  share  mode locks as flock. Since NFS
                      clients > 2.6.12 implement flock by emulating POSIX locks, this will result
                      in conflicting locks.

                      NOTE:  When used together, the 'local_lock' mount option will be overridden
                      by 'nolock'/'lock' mount option.

   Options for NFS version 4 only
       Use these options, along with the options in the first subsection above, for  NFS  version
       4.0 and newer.

       proto=netid    The netid determines the transport that is used to communicate with the NFS
                      server.  Supported options are tcp, tcp6, rdma, and rdma6.  tcp6  use  IPv6
                      addresses  and  is  only  available if support for TI-RPC is built in. Both
                      others use IPv4 addresses.

                      All NFS version 4 servers are required to support TCP,  so  if  this  mount
                      option  is  not  specified, the NFS version 4 client uses the TCP protocol.
                      Refer to the TRANSPORT METHODS section for more details.

       minorversion=n Specifies the protocol  minor  version  number.   NFSv4  introduces  "minor
                      versioning,"  where  NFS  protocol  enhancements  can be introduced without
                      bumping the NFS protocol version number.  Before kernel 2.6.38,  the  minor
                      version  is  always  zero,  and  this option is not recognized.  After this
                      kernel, specifying "minorversion=1" enables a number of advanced  features,
                      such as NFSv4 sessions.

                      Recent  kernels  allow  the  minor  version to be specified using the vers=
                      option.  For  example,  specifying  vers=4.1  is  the  same  as  specifying
                      vers=4,minorversion=1.

       port=n         The  numeric  value  of the server's NFS service port.  If the server's NFS
                      service is not available on the specified port, the mount request fails.

                      If this mount option is not specified, the NFS client uses the standard NFS
                      port  number  of  2049 without first checking the server's rpcbind service.
                      This allows an NFS version 4 client to contact  an  NFS  version  4  server
                      through a firewall that may block rpcbind requests.

                      If  the specified port value is 0, then the NFS client uses the NFS service
                      port number advertised by the server's rpcbind service.  The mount  request
                      fails  if  the  server's rpcbind service is not available, the server's NFS
                      service is not registered with its rpcbind service,  or  the  server's  NFS
                      service is not available on the advertised port.

       cto / nocto    Selects  whether  to  use  close-to-open  cache coherence semantics for NFS
                      directories on this mount point.  If neither cto nor  nocto  is  specified,
                      the   default  is  to  use  close-to-open  cache  coherence  semantics  for
                      directories.

                      File data caching behavior is not affected by this option.   The  DATA  AND
                      METADATA  COHERENCE  section  discusses the behavior of this option in more
                      detail.

       clientaddr=n.n.n.n

       clientaddr=n:n:...:n
                      Specifies a single IPv4 address (in dotted-quad form), or a  non-link-local
                      IPv6  address,  that  the NFS client advertises to allow servers to perform
                      NFS version 4.0 callback requests against files on  this  mount  point.  If
                      the   server  is  unable  to  establish  callback  connections  to clients,
                      performance may degrade, or accesses to files may  temporarily  hang.   Can
                      specify  a value of IPv4_ANY (0.0.0.0) or equivalent IPv6 any address which
                      will signal  to  the  NFS  server  that  this  NFS  client  does  not  want
                      delegations.

                      If  this option is not specified, the mount(8) command attempts to discover
                      an appropriate callback address  automatically.   The  automatic  discovery
                      process  is  not  perfect,  however.   In  the  presence of multiple client
                      network  interfaces,  special  routing  policies,   or   atypical   network
                      topologies,  the  exact  address  to use for callbacks may be nontrivial to
                      determine.

                      NFS protocol versions 4.1 and 4.2 use the client-established TCP connection
                      for  callback  requests,  so  do  not  require the server to connect to the
                      client.  This option is therefore only affect NFS version 4.0 mounts.

       migration / nomigration
                      Selects whether the client uses an identification string that is compatible
                      with  NFSv4  Transparent  State  Migration  (TSM).   If  the mounted server
                      supports NFSv4 migration with TSM, specify the migration option.

                      Some server features  misbehave  in  the  face  of  a  migration-compatible
                      identification  string.   The  nomigration  option  retains  the  use  of a
                      traditional client indentification string which is compatible  with  legacy
                      NFS  servers.  This is also the behavior if neither option is specified.  A
                      client's open and lock state  cannot  be  migrated  transparently  when  it
                      identifies itself via a traditional identification string.

                      This  mount option has no effect with NFSv4 minor versions newer than zero,
                      which always use TSM-compatible client identification strings.

       max_connect=n  While nconnect option sets a limit on the number of connections that can be
                      established  to  a  given  server IP, max_connect option allows the user to
                      specify maximum number of connections to different server IPs  that  belong
                      to  the  same NFSv4.1+ server (session trunkable connections) up to a limit
                      of 16. When client discovers that it established a client ID to an  already
                      existing  server,  instead of dropping the newly created network transport,
                      the client will add this new connection to the list of available transports
                      for that RPC client.

       trunkdiscovery / notrunkdiscovery
                      When  the  client  discovers  a  new  filesystem  on a NFSv4.1+ server, the
                      trunkdiscovery mount option will  cause  it  to  send  a  GETATTR  for  the
                      fs_locations  attribute.   If  is receives a non-zero length reply, it will
                      iterate through  the  response,  and  for  each  server  location  it  will
                      establish a connection, send an EXCHANGE_ID, and test for session trunking.
                      If the trunking test succeeds, the connection will be added to the existing
                      set  of  transports  for  the server, subject to the limit specified by the
                      max_connect option.  The default is notrunkdiscovery.

nfs4 FILE SYSTEM TYPE

       The nfs4 file system type is an old syntax for specifying NFSv4 usage.  It  can  still  be
       used with all NFSv4-specific and common options, excepted the nfsvers mount option.

MOUNT CONFIGURATION FILE

       If  the  mount  command  is configured to do so, all of the mount options described in the
       previous  section  can  also  be  configured   in   the   /etc/nfsmount.conf   file.   See
       nfsmount.conf(5) for details.

EXAMPLES

       To mount using NFS version 3, use the nfs file system type and specify the nfsvers=3 mount
       option.  To mount using NFS version 4, use either the  nfs  file  system  type,  with  the
       nfsvers=4 mount option, or the nfs4 file system type.

       The  following  example  from  an  /etc/fstab  file  causes the mount command to negotiate
       reasonable defaults for NFS behavior.

               server:/export  /mnt  nfs   defaults                      0 0

       This example shows how to mount using NFS version  4  over  TCP  with  Kerberos  5  mutual
       authentication.

               server:/export  /mnt  nfs4  sec=krb5                      0 0

       This  example  shows  how to mount using NFS version 4 over TCP with Kerberos 5 privacy or
       data integrity mode.

               server:/export  /mnt  nfs4  sec=krb5p:krb5i               0 0

       This example can be used to mount /usr over NFS.

               server:/export  /usr  nfs   ro,nolock,nocto,actimeo=3600  0 0

       This example shows how to mount an NFS server using a raw IPv6 link-local address.

               [fe80::215:c5ff:fb3e:e2b1%eth0]:/export /mnt nfs defaults 0 0

TRANSPORT METHODS

       NFS clients send requests to NFS servers via Remote Procedure Calls,  or  RPCs.   The  RPC
       client   discovers   remote   service   endpoints   automatically,   handles   per-request
       authentication, adjusts request parameters for different byte  endianness  on  client  and
       server,  and  retransmits  requests that may have been lost by the network or server.  RPC
       requests and replies flow over a network transport.

       In most cases, the  mount(8)  command,  NFS  client,  and  NFS  server  can  automatically
       negotiate  proper  transport  and  data transfer size settings for a mount point.  In some
       cases, however, it pays to specify these settings explicitly using mount options.

       Traditionally, NFS clients used the UDP transport exclusively for transmitting requests to
       servers.   Though  its  implementation  is  simple, NFS over UDP has many limitations that
       prevent smooth operation and good performance  in  some  common  deployment  environments.
       Even an insignificant packet loss rate results in the loss of whole NFS requests; as such,
       retransmit timeouts are usually in the subsecond range to allow clients to recover quickly
       from dropped requests, but this can result in extraneous network traffic and server load.

       However,  UDP  can  be  quite  effective in specialized settings where the networks MTU is
       large relative to NFSs data transfer size (such as network environments that enable  jumbo
       Ethernet  frames).   In  such  environments, trimming the rsize and wsize settings so that
       each NFS read or write request fits in just a few network frames (or  even  in   a  single
       frame)  is  advised.   This  reduces  the  probability that the loss of a single MTU-sized
       network frame results in the loss of an entire large read or write request.

       TCP is the default transport  protocol  used  for  all  modern  NFS  implementations.   It
       performs  well  in  almost  every  conceivable  network environment and provides excellent
       guarantees against data corruption caused  by  network  unreliability.   TCP  is  often  a
       requirement for mounting a server through a network firewall.

       Under  normal  circumstances,  networks drop packets much more frequently than NFS servers
       drop requests.  As such, an aggressive retransmit timeout  setting for  NFS  over  TCP  is
       unnecessary.  Typical  timeout  settings for NFS over TCP are between one and ten minutes.
       After  the client exhausts its retransmits (the value of the  retrans  mount  option),  it
       assumes  a  network  partition  has occurred, and attempts to reconnect to the server on a
       fresh socket. Since TCP itself makes network data transfer reliable, rsize and  wsize  can
       safely  be  allowed  to default to the largest values supported by both client and server,
       independent of the network's MTU size.

   Using the mountproto mount option
       This section applies only to NFS version 3 mounts since NFS  version  4  does  not  use  a
       separate protocol for mount requests.

       The  Linux NFS client can use a different transport for contacting an NFS server's rpcbind
       service, its mountd service, its Network Lock Manager (NLM) service, and its NFS  service.
       The  exact transports employed by the Linux NFS client for each mount point depends on the
       settings of the transport mount options, which include proto, mountproto, udp, and tcp.

       The client sends Network Status  Manager  (NSM)  notifications  via  UDP  no  matter  what
       transport  options are specified, but listens for server NSM notifications on both UDP and
       TCP.  The NFS Access Control List (NFSACL) protocol shares the same transport as the  main
       NFS service.

       If  no  transport  options  are  specified,  the  Linux NFS client uses UDP to contact the
       server's mountd service, and TCP to contact its NLM and NFS services by default.

       If the server does not support these transports for these services, the  mount(8)  command
       attempts  to  discover  what  the server supports, and then retries the mount request once
       using the discovered transports.  If the server does not advertise any transport supported
       by  the  client  or  is  misconfigured,  the  mount request fails.  If the bg option is in
       effect, the mount command backgrounds itself and continues to attempt the specified  mount
       request.

       When  the  proto option, the udp option, or the tcp option is specified but the mountproto
       option is not, the specified transport is used to contact both the server's mountd service
       and for the NLM and NFS services.

       If  the  mountproto  option  is  specified  but  none of the proto, udp or tcp options are
       specified, then the specified transport is used for the initial mountd  request,  but  the
       mount  command  attempts  to  discover  what  the  server  supports  for the NFS protocol,
       preferring TCP if both transports are supported.

       If both the mountproto and proto (or udp or tcp) options are specified, then the transport
       specified  by  the  mountproto  option  is  used  for  the initial mountd request, and the
       transport specified by the proto option (or the udp or tcp options) is used  for  NFS,  no
       matter  what  order  these options appear.  No automatic service discovery is performed if
       these options are specified.

       If any of the proto, udp, tcp, or mountproto options are specified more than once  on  the
       same mount command line, then the value of the rightmost instance of each of these options
       takes effect.

   Using NFS over UDP on high-speed links
       Using NFS over UDP on high-speed links such as Gigabit can cause silent data corruption.

       The problem can be triggered at high loads, and is  caused  by  problems  in  IP  fragment
       reassembly.  NFS  read  and  writes typically transmit UDP packets of 4 Kilobytes or more,
       which have to be broken up into several fragments in order to be sent  over  the  Ethernet
       link,  which  limits  packets  to  1500  bytes  by default. This process happens at the IP
       network layer and is called fragmentation.

       In order to identify fragments that belong together, IP assigns a 16bit  IP  ID  value  to
       each  packet;  fragments  generated from the same UDP packet will have the same IP ID. The
       receiving system will collect these fragments and combine them to form  the  original  UDP
       packet. This process is called reassembly. The default timeout for packet reassembly is 30
       seconds; if the network stack does not receive all fragments of a given packet within this
       interval,  it  assumes  the  missing  fragment(s)  got  lost and discards those it already
       received.

       The problem this creates over high-speed links is that it is possible to  send  more  than
       65536  packets within 30 seconds. In fact, with heavy NFS traffic one can observe that the
       IP IDs repeat after about 5 seconds.

       This has serious effects on reassembly: if one fragment gets lost, another fragment from a
       different packet but with the same IP ID will arrive within the 30 second timeout, and the
       network stack will combine these fragments to form a new packet. Most of the time, network
       layers  above  IP  will  detect  this  mismatched reassembly - in the case of UDP, the UDP
       checksum, which is a 16 bit checksum over the entire  packet  payload,  will  usually  not
       match, and UDP will discard the bad packet.

       However,  the UDP checksum is 16 bit only, so there is a chance of 1 in 65536 that it will
       match even if the packet payload is completely random (which very often isn't  the  case).
       If that is the case, silent data corruption will occur.

       This potential should be taken seriously, at least on Gigabit Ethernet.  Network speeds of
       100Mbit/s should be considered less problematic, because with most traffic patterns IP  ID
       wrap around will take much longer than 30 seconds.

       It  is  therefore  strongly recommended to use NFS over TCP where possible, since TCP does
       not perform fragmentation.

       If you absolutely have to use NFS over UDP over Gigabit Ethernet, some steps can be  taken
       to mitigate the problem and reduce the probability of corruption:

       Jumbo frames:  Many  Gigabit  network cards are capable of transmitting frames bigger than
                      the 1500 byte limit of traditional Ethernet, typically  9000  bytes.  Using
                      jumbo  frames  of  9000  bytes will allow you to run NFS over UDP at a page
                      size of 8K without fragmentation. Of course, this is only feasible  if  all
                      involved stations support jumbo frames.

                      To  enable  a  machine to send jumbo frames on cards that support it, it is
                      sufficient to configure the interface for a MTU value of 9000.

       Lower reassembly timeout:
                      By lowering this timeout below the time it takes the IP ID counter to  wrap
                      around,  incorrect  reassembly of fragments can be prevented as well. To do
                      so,  simply  write  the  new  timeout  value  (in  seconds)  to  the   file
                      /proc/sys/net/ipv4/ipfrag_time.

                      A value of 2 seconds will greatly reduce the probability of IPID clashes on
                      a single Gigabit link, while still allowing for a reasonable  timeout  when
                      receiving fragmented traffic from distant peers.

DATA AND METADATA COHERENCE

       Some  modern  cluster  file  systems  provide perfect cache coherence among their clients.
       Perfect cache coherence among disparate NFS clients is expensive to achieve, especially on
       wide  area  networks.   As such, NFS settles for weaker cache coherence that satisfies the
       requirements of most file sharing types.

   Close-to-open cache consistency
       Typically file sharing is completely sequential.  First client  A  opens  a  file,  writes
       something  to  it,  then  closes  it.   Then  client  B opens the same file, and reads the
       changes.

       When an application opens a file stored on an NFS version 3 server, the NFS client  checks
       that  the file exists on the server and is permitted to the opener by sending a GETATTR or
       ACCESS request.  The NFS client sends these requests regardless of the  freshness  of  the
       file's cached attributes.

       When  the  application  closes the file, the NFS client writes back any pending changes to
       the file so that the next opener can view the changes.  This also gives the NFS client  an
       opportunity to report write errors to the application via the return code from close(2).

       The  behavior of checking at open time and flushing at close time is referred to as close-
       to-open cache consistency, or CTO.  It can be disabled for an entire mount point using the
       nocto mount option.

   Weak cache consistency
       There  are  still  opportunities for a client's data cache to contain stale data.  The NFS
       version 3 protocol introduced "weak cache consistency" (also known as WCC) which  provides
       a way of efficiently checking a file's attributes before and after a single request.  This
       allows a client to help identify changes that could have been made by other clients.

       When a client is using many concurrent operations that update the same file  at  the  same
       time  (for  example,  during  asynchronous  write  behind),  it is still difficult to tell
       whether it was that client's updates or some other client's updates that altered the file.

   Attribute caching
       Use the noac mount option to achieve attribute cache  coherence  among  multiple  clients.
       Almost  every  file  system operation checks file attribute information.  The client keeps
       this information cached for a period of time to reduce network and server load.  When noac
       is in effect, a client's file attribute cache is disabled, so each operation that needs to
       check a file's attributes is forced to go back to the server.  This permits  a  client  to
       see changes to a file very quickly, at the cost of many extra network operations.

       Be  careful  not to confuse the noac option with "no data caching."  The noac mount option
       prevents the client from caching file metadata, but there are still races that may  result
       in data cache incoherence between client and server.

       The  NFS  protocol  is  not  designed  to support true cluster file system cache coherence
       without some type of application serialization.  If absolute cache coherence among clients
       is  required,  applications  should use file locking. Alternatively, applications can also
       open their files with the O_DIRECT flag to disable data caching entirely.

   File timestamp maintenance
       NFS servers are responsible for managing file and directory timestamps (atime, ctime,  and
       mtime).   When  a  file is accessed or updated on an NFS server, the file's timestamps are
       updated just like they would be on a filesystem local to an application.

       NFS clients cache file attributes, including timestamps.  A file's timestamps are  updated
       on  NFS  clients when its attributes are retrieved from the NFS server.  Thus there may be
       some delay before timestamp updates on  an  NFS  server  appear  to  applications  on  NFS
       clients.

       To  comply  with the POSIX filesystem standard, the Linux NFS client relies on NFS servers
       to keep a file's mtime and ctime timestamps properly up to date.  It does this by flushing
       local  data  changes to the server before reporting mtime to applications via system calls
       such as stat(2).

       The Linux client handles atime updates more loosely, however.  NFS clients  maintain  good
       performance  by caching data, but that means that application reads, which normally update
       atime, are not reflected to the server where a file's atime is actually maintained.

       Because of this caching behavior, the Linux NFS client does  not  support  generic  atime-
       related mount options.  See mount(8) for details on these options.

       In   particular,   the   atime/noatime,   diratime/nodiratime,   relatime/norelatime,  and
       strictatime/nostrictatime mount options have no effect on NFS mounts.

       /proc/mounts may report that the relatime mount option is set on NFS mounts, but  in  fact
       the atime semantics are always as described here, and are not like relatime semantics.

   Directory entry caching
       The  Linux  NFS  client  caches  the  result of all NFS LOOKUP requests.  If the requested
       directory entry exists on the server, the result is  referred  to  as  a  positive  lookup
       result.   If  the  requested  directory  entry  does not exist on the server (that is, the
       server returned ENOENT), the result is referred to as negative lookup result.

       To detect when directory entries have been added or removed on the server, the  Linux  NFS
       client  watches  a  directory's  mtime.   If  the client detects a change in a directory's
       mtime, the client  drops  all  cached  LOOKUP  results  for  that  directory.   Since  the
       directory's  mtime is a cached attribute, it may take some time before a client notices it
       has changed.  See the descriptions of the acdirmin, acdirmax, and noac mount  options  for
       more information about how long a directory's mtime is cached.

       Caching directory entries improves the performance of applications that do not share files
       with applications on other  clients.   Using  cached  information  about  directories  can
       interfere  with  applications that run concurrently on multiple clients and need to detect
       the creation or removal of files quickly, however.  The lookupcache  mount  option  allows
       some tuning of directory entry caching behavior.

       Before  kernel  release 2.6.28, the Linux NFS client tracked only positive lookup results.
       This permitted applications to detect new  directory  entries  created  by  other  clients
       quickly  while  still  providing  some  of  the  performance  benefits  of caching.  If an
       application depends on the previous lookup caching behavior of the Linux NFS  client,  you
       can use lookupcache=positive.

       If  the  client  ignores its cache and validates every application lookup request with the
       server, that client can immediately detect when a new  directory  entry  has  been  either
       created   or   removed   by   another   client.   You  can  specify  this  behavior  using
       lookupcache=none.  The extra NFS requests needed if the client does  not  cache  directory
       entries  can  exact a performance penalty.  Disabling lookup caching should result in less
       of a performance penalty than using noac, and has no effect on how the NFS  client  caches
       the attributes of files.

   The sync mount option
       The  NFS  client  treats  the  sync  mount option differently than some other file systems
       (refer to mount(8) for a description of the generic sync and  async  mount  options).   If
       neither  sync nor async is specified (or if the async option is specified), the NFS client
       delays sending application writes to the server until any of these events occur:

              Memory pressure forces reclamation of system memory resources.

              An application flushes file data explicitly with sync(2), msync(2), or fsync(3).

              An application closes a file with close(2).

              The file is locked/unlocked via fcntl(2).

       In other words, under normal  circumstances,  data  written  by  an  application  may  not
       immediately appear on the server that hosts the file.

       If  the  sync  option  is  specified on a mount point, any system call that writes data to
       files on that mount point causes that data to be flushed to the server before  the  system
       call  returns  control  to  user  space.  This provides greater data cache coherence among
       clients, but at a significant performance cost.

       Applications can use the O_SYNC open flag to force application writes to individual  files
       to go to the server immediately without the use of the sync mount option.

   Using file locks with NFS
       The  Network  Lock  Manager  protocol  is a separate sideband protocol used to manage file
       locks in NFS version 3.  To support lock recovery after  a  client  or  server  reboot,  a
       second  sideband  protocol  --  known  as  the  Network Status Manager protocol -- is also
       required.  In NFS version 4, file locking is supported directly in the main NFS  protocol,
       and the NLM and NSM sideband protocols are not used.

       In  most cases, NLM and NSM services are started automatically, and no extra configuration
       is required.  Configure all NFS clients with fully-qualified domain names to  ensure  that
       NFS servers can find clients to notify them of server reboots.

       NLM  supports  advisory file locks only.  To lock NFS files, use fcntl(2) with the F_GETLK
       and F_SETLK commands.  The NFS  client  converts  file  locks  obtained  via  flock(2)  to
       advisory locks.

       When mounting servers that do not support the NLM protocol, or when mounting an NFS server
       through a firewall that blocks the NLM service port, specify the nolock mount option.  NLM
       locking  must be disabled with the nolock option when using NFS to mount /var because /var
       contains files used by the NLM implementation on Linux.

       Specifying the nolock option  may  also  be  advised  to  improve  the  performance  of  a
       proprietary application which runs on a single client and uses file locks extensively.

   NFS version 4 caching features
       The  data  and  metadata  caching  behavior of NFS version 4 clients is similar to that of
       earlier versions.  However, NFS version 4 adds two features that improve  cache  behavior:
       change attributes and file delegation.

       The  change  attribute  is a new part of NFS file and directory metadata which tracks data
       changes.  It replaces the use of a file's modification and change time stamps as a way for
       clients to validate the content of their caches.  Change attributes are independent of the
       time stamp resolution on either the server or client, however.

       A file delegation is a contract between an NFS version 4 client and server that allows the
       client  to  treat  a  file  temporarily as if no other client is accessing it.  The server
       promises to notify the client (via a callback  request)  if  another  client  attempts  to
       access  that  file.  Once a file has been delegated to a client, the client can cache that
       file's data and metadata aggressively without contacting the server.

       File delegations come in two flavors: read and write.  A read delegation  means  that  the
       server  notifies  the  client  about  any other clients that want to write to the file.  A
       write delegation means that the client gets notified about either read or write accessors.

       Servers grant file delegations when a file is opened, and can recall  delegations  at  any
       time  when  another  client  wants  access to the file that conflicts with any delegations
       already granted.  Delegations on directories are not supported.

       In order to support delegation callback, the server checks the network return path to  the
       client  during  the  client's initial contact with the server.  If contact with the client
       cannot be established, the server simply does not grant any delegations to that client.

SECURITY CONSIDERATIONS

       NFS servers control access to file data, but they depend on their  RPC  implementation  to
       provide  authentication  of  NFS  requests.   Traditional  NFS  access  control mimics the
       standard mode bit  access  control  provided  in  local  file  systems.   Traditional  RPC
       authentication uses a number to represent each user (usually the user's own uid), a number
       to represent the user's group (the user's gid), and a set of  up  to  16  auxiliary  group
       numbers to represent other groups of which the user may be a member.

       Typically,  file  data  and user ID values appear unencrypted (i.e. "in the clear") on the
       network.  Moreover, NFS versions 2 and 3 use separate  sideband  protocols  for  mounting,
       locking  and  unlocking  files, and reporting system status of clients and servers.  These
       auxiliary protocols use no authentication.

       In addition to combining these sideband protocols with the main NFS protocol, NFS  version
       4  introduces  more  advanced forms of access control, authentication, and in-transit data
       protection.  The NFS version 4 specification mandates support  for  strong  authentication
       and  security flavors that provide per-RPC integrity checking and encryption.  Because NFS
       version 4 combines the function of the sideband protocols into the main NFS protocol,  the
       new  security  features  apply  to  all  NFS version 4 operations including mounting, file
       locking, and so on.  RPCGSS authentication can also be used with NFS versions 2 and 3, but
       it does not protect their sideband protocols.

       The  sec mount option specifies the security flavor used for operations on behalf of users
       on that NFS mount point.  Specifying sec=krb5 provides cryptographic  proof  of  a  user's
       identity  in each RPC request.  This provides strong verification of the identity of users
       accessing data on the server.  Note that  additional  configuration  besides  adding  this
       mount  option  is required in order to enable Kerberos security.  Refer to the rpc.gssd(8)
       man page for details.

       Two additional flavors of Kerberos security are supported: krb5i  and  krb5p.   The  krb5i
       security  flavor  provides  a cryptographically strong guarantee that the data in each RPC
       request has not been tampered with.  The krb5p security flavor encrypts every RPC  request
       to  prevent  data exposure during network transit; however, expect some performance impact
       when using  integrity  checking  or  encryption.   Similar  support  for  other  forms  of
       cryptographic security is also available.

   NFS version 4 filesystem crossing
       The  NFS  version  4  protocol allows a client to renegotiate the security flavor when the
       client crosses into a new filesystem on the server.  The newly negotiated  flavor  effects
       only accesses of the new filesystem.

       Such negotiation typically occurs when a client crosses from a server's pseudo-fs into one
       of the server's exported physical filesystems, which often have more restrictive  security
       settings than the pseudo-fs.

   NFS version 4 Leases
       In  NFS  version  4, a lease is a period during which a server irrevocably grants a client
       file locks.  Once  the  lease  expires,  the  server  may  revoke  those  locks.   Clients
       periodically renew their leases to prevent lock revocation.

       After  an  NFS  version 4 server reboots, each client tells the server about existing file
       open and lock state under its lease before operation can continue.  If a  client  reboots,
       the server frees all open and lock state associated with that client's lease.

       When  establishing  a  lease,  therefore, a client must identify itself to a server.  Each
       client presents an arbitrary string to distinguish itself from other clients.  The  client
       administrator  can  supplement  the  default identity string using the nfs4.nfs4_unique_id
       module parameter to avoid collisions with other client identity strings.

       A client also uses a unique security flavor and principal when it establishes  its  lease.
       If  two  clients  present  the same identity string, a server can use client principals to
       distinguish between them, thus securely preventing one client from  interfering  with  the
       other's lease.

       The Linux NFS client establishes one lease on each NFS version 4 server.  Lease management
       operations, such as lease renewal, are not done on behalf  of  a  particular  file,  lock,
       user,  or  mount point, but on behalf of the client that owns that lease.  A client uses a
       consistent identity string, security flavor, and principal across client reboots to ensure
       that the server can promptly reap expired lease state.

       When  Kerberos  is  configured on a Linux NFS client (i.e., there is a /etc/krb5.keytab on
       that client), the client attempts  to  use  a  Kerberos  security  flavor  for  its  lease
       management  operations.   Kerberos  provides  secure  authentication  of  each client.  By
       default, the client uses the host/ or nfs/ service principal in its  /etc/krb5.keytab  for
       this purpose, as described in rpc.gssd(8).

       If  the client has Kerberos configured, but the server does not, or if the client does not
       have a keytab or the requisite service principals, the client uses AUTH_SYS and UID 0  for
       lease management.

   Using non-privileged source ports
       NFS  clients  usually  communicate  with  NFS  servers via network sockets.  Each end of a
       socket is assigned a port value, which is  simply  a  number  between  1  and  65535  that
       distinguishes  socket endpoints at the same IP address.  A socket is uniquely defined by a
       tuple that includes the transport protocol (TCP  or  UDP)  and  the  port  values  and  IP
       addresses of both endpoints.

       The  NFS  client  can  choose any source port value for its sockets, but usually chooses a
       privileged port.  A privileged port is a port value less than 1024.  Only a  process  with
       root privileges may create a socket with a privileged source port.

       The  exact range of privileged source ports that can be chosen is set by a pair of sysctls
       to avoid choosing a well-known port, such as the port used by ssh.  This means the  number
       of  source  ports  available  for  the  NFS  client,  and  therefore  the number of socket
       connections that can be used at the same time,  is  practically  limited  to  only  a  few
       hundred.

       As  described above, the traditional default NFS authentication scheme, known as AUTH_SYS,
       relies on sending local UID and GID numbers to identify users making NFS requests.  An NFS
       server  assumes that if a connection comes from a privileged port, the UID and GID numbers
       in the NFS requests on this connection have been verified by the client's kernel  or  some
       other local authority.  This is an easy system to spoof, but on a trusted physical network
       between trusted hosts, it is entirely adequate.

       Roughly speaking, one socket is used for each NFS mount point.  If a client could use non-
       privileged  source  ports  as  well,  the  number of sockets allowed, and thus the maximum
       number of concurrent mount points, would be much larger.

       Using non-privileged source ports may compromise server security somewhat, since any  user
       on  AUTH_SYS  mount points can now pretend to be any other when making NFS requests.  Thus
       NFS servers do not support this by default.  They  explicitly  allow  it  usually  via  an
       export option.

       To  retain  good  security  while allowing as many mount points as possible, it is best to
       allow non-privileged client connections only if the server and client both require  strong
       authentication, such as Kerberos.

   Mounting through a firewall
       A  firewall may reside between an NFS client and server, or the client or server may block
       some of its own ports via IP filter rules.  It is still possible to mount  an  NFS  server
       through  a  firewall,  though  some  of  the mount(8) command's automatic service endpoint
       discovery mechanisms may not work; this requires you to provide specific endpoint  details
       via NFS mount options.

       NFS  servers  normally  run  a  portmapper  or  rpcbind  daemon to advertise their service
       endpoints to clients. Clients use the rpcbind daemon to determine:

              What network port each RPC-based service is using

              What transport protocols each RPC-based service supports

       The rpcbind daemon uses a well-known port number (111) to  help  clients  find  a  service
       endpoint.   Although NFS often uses a standard port number (2049), auxiliary services such
       as the NLM service can choose any unused port number at random.

       Common firewall configurations block the well-known rpcbind port.  In the  absense  of  an
       rpcbind service, the server administrator fixes the port number of NFS-related services so
       that the firewall can allow access to specific NFS service ports.   Client  administrators
       then  specify  the port number for the mountd service via the mount(8) command's mountport
       option.  It may also be necessary to enforce the use of TCP or UDP if the firewall  blocks
       one of those transports.

   NFS Access Control Lists
       Solaris allows NFS version 3 clients direct access to POSIX Access Control Lists stored in
       its local file systems.  This proprietary sideband protocol,  known  as  NFSACL,  provides
       richer  access  control  than mode bits.  Linux implements this protocol for compatibility
       with the Solaris NFS implementation.  The NFSACL protocol never became a standard part  of
       the NFS version 3 specification, however.

       The  NFS  version  4 specification mandates a new version of Access Control Lists that are
       semantically richer than POSIX ACLs.  NFS version 4 ACLs are  not  fully  compatible  with
       POSIX  ACLs;  as such, some translation between the two is required in an environment that
       mixes POSIX ACLs and NFS version 4.

THE REMOUNT OPTION

       Generic mount options such as rw and sync can be modified on NFS mount  points  using  the
       remount option.  See mount(8) for more information on generic mount options.

       With  few  exceptions,  NFS-specific options are not able to be modified during a remount.
       The underlying transport or NFS version cannot be changed by a remount, for example.

       Performing a remount on an  NFS  file  system  mounted  with  the  noac  option  may  have
       unintended consequences.  The noac option is a combination of the generic option sync, and
       the NFS-specific option actimeo=0.

   Unmounting after a remount
       For mount points that use NFS versions 2 or  3,  the  NFS  umount  subcommand  depends  on
       knowing  the  original  set  of  mount  options  used to perform the MNT operation.  These
       options are stored on disk by the NFS mount subcommand, and can be erased by a remount.

       To ensure that the saved mount options are not erased during a remount, specify either the
       local  mount directory, or the server hostname and export pathname, but not both, during a
       remount.  For example,

               mount -o remount,ro /mnt

       merges the mount option ro with the mount options already saved on disk for the NFS server
       mounted at /mnt.

FILES

       /etc/fstab     file system table

       /etc/nfsmount.conf
                      Configuration file for NFS mounts

NOTES

       Before 2.4.7, the Linux NFS client did not support NFS over TCP.

       Before 2.4.20, the Linux NFS client used a heuristic to determine whether cached file data
       was still valid rather than  using  the  standard  close-to-open  cache  coherency  method
       described above.

       Starting  with  2.4.22, the Linux NFS client employs a Van Jacobsen-based RTT estimator to
       determine retransmit timeout values when using NFS over UDP.

       Before 2.6.0, the Linux NFS client did not support NFS version 4.

       Before 2.6.8, the Linux NFS client used only synchronous reads and writes when  the  rsize
       and wsize settings were smaller than the system's page size.

       The  Linux  client's  support for protocol versions depend on whether the kernel was built
       with   options   CONFIG_NFS_V2,   CONFIG_NFS_V3,   CONFIG_NFS_V4,   CONFIG_NFS_V4_1,   and
       CONFIG_NFS_V4_2.

SEE ALSO

       fstab(5),  mount(8), umount(8), mount.nfs(5), umount.nfs(5), exports(5), nfsmount.conf(5),
       netconfig(5), ipv6(7), nfsd(8), sm-notify(8),  rpc.statd(8),  rpc.idmapd(8),  rpc.gssd(8),
       rpc.svcgssd(8), kerberos(1)

       RFC 768 for the UDP specification.
       RFC 793 for the TCP specification.
       RFC 1813 for the NFS version 3 specification.
       RFC 1832 for the XDR specification.
       RFC 1833 for the RPC bind specification.
       RFC 2203 for the RPCSEC GSS API protocol specification.
       RFC 7530 for the NFS version 4.0 specification.
       RFC 5661 for the NFS version 4.1 specification.
       RFC 7862 for the NFS version 4.2 specification.

                                          9 October 2012                                   NFS(5)