NFS-Ganesha obtains configuration data from the configuration file:
/etc/ganesha/ganesha.conf
This file lists NFS-Ganesha Export block config options.
EXPORTPERMISSIONS
These options are all "export permissions" options, and are available in EXPORT_DEFAULTS {}, EXPORT {}
and CLIENT {} blocks.
These options will all be dynamically updateable.
Access_Type(enum,defaultNone)Possiblevalues:
None, RW, RO, MDONLY, MDONLY_RO
Protocols(enumlist,defaultnone)Possiblevalues:
3, 4, NFS3, NFS4, V3, V4, NFSv3, NFSv4, 9P
Transports(enum list, values [UDP, TCP, RDMA], default [UDP, TCP])
Anonymous_uid(anonid, range INT32_MIN to UINT32_MAX, default -2)
Anonymous_gid(anonid, range INT32_MIN to UINT32_MAX, default -2)
SecType(enumlist,default[none,sys])Possiblevalues:
none, sys, krb5, krb5i, krb5p
PrivilegedPort(bool, default false)
Manage_Gids(bool, default false)
Squash(enum,defaultroot_sqaush)Possiblevalues:
root, root_squash, rootsquash, rootid, root_id_squash, rootidsquash, all, all_squash,
allsquash, all_anomnymous, allanonymous, no_root_squash, none, noidsquash
Each line of defaults above are synonyms
NFS_Commit(bool,defaultfalse)Delegations(enum,defaultNone)Possiblevalues:
None, read, write, readwrite, r, w, rw
CLIENT{}
CLIENT blocks are used in EXPORT_DEFAULTS {}, EXPORT {}, and PSEUDOFS {} blocks.
Each CLIENT block provides a list of clients and the permissions granted those clients. These blocks form
an ordered "access control list" for the export. If no client block matches for a particular client, then
the permissions in the EXPORT {} block will be used (and if any permissions are not set between the
CLIENT and the EXPORT, then the permissions set in EXPORT_DEFAULTS will be used and if still not set,
then the code default will be used.
If an EXPORT does not have any CLIENT blocks then the list of CLIENT blocks in EXPORT_DEFAULTS (if any)
will be used. No matter the source of the CLIENT blocks, if the client matches none, then the permissions
in the EXPORT will be applied next.
To override a restrictive default client list with "everyone" a non-empty client list would have to be
specified. Clients = "*" would do the trick.
Even when a CLIENT block matches a client, if a particular export permission is not explicit in that
CLIENT block, the permission specified in the EXPORT block will be used, or if not specified there, from
the EXPORT_DEFAULTS block, and if not specified there, the permission will default to the default code
value noted in the permission option descriptions above.
Note that when the CLIENT blocks are processed on config reload, a new client access list is constructed
and atomically swapped in. This allows adding, removing, and re-arranging clients as well as changing the
access for any give client.
CLIENT blocks use all the EXPORT PERMISSIONS options (except PSEUDOFS CLIENT blocks which are limited to
the same options the PSEUDOFS block is allowed) plus:
Clients(clientlist,empty)
Client list entries can take on one of the following forms. This parameter may be repeated to
extend the list.
* Match any client @name Netgroup name x.x.x.x/y IPv4 network address, IPv6
addresses are also allowed
but the format is too complex to show here
wildcardedIfthestringcontainsatleastone?or*
character (and is not simply "*"), the string is used to pattern match host names. Note
that [] may also be used, but the pattern MUST have at least one ? or *
hostnameMatchasingleclient(matchisbyIPaddress,all
addresses returned by getaddrinfo will match, the getaddrinfo call is made at config
parsing time)
IP address Match a single client
EXPORT_DEFAULTS{}
All the EXPORT PERMISSIONS options plus:
Attr_Expiration_Time(int32,range-1toINT32_MAX,default60)CLIENT(optional)
See the CLIENT{} block description. There may be any number of these.
EXPORT_DEFAULTS{CLIENT{}}
See the CLIENT{} block description.
EXPORT{}
All options below are dynamically changeable with config update unless specified below. This block may be
repeated to define multiple exports.
All the EXPORT_PERMISSIONS plus:
Export_id(required):
An identifier for the export, must be unique and between 0 and 65535. If Export_Id 0 is
specified, Pseudo must be the root path (/).
Export_id is not dynamic per se, changing it essentially removes the old export and introduces a
new export.
Path(required)
The directory in the exported file system this export is rooted on (may be ignored for some
FSALs). It need not be unique if Pseudo and/or Tag are specified.
Note that if it is not unique, and the core option mount_path_pseudo is not set true, a v3 mount
using the path will ONLY be able to access the first export configured. To access other exports
the Tag option would need to be used.
This option is NOT dynamically updateable since it fundamentally changes the export. To change the
path exported, export_id should be changed also.
Pseudo(requiredv4)
This option specifies the position in the Pseudo Filesystem this export occupies if this is an NFS
v4 export. It must be unique. By using different Pseudo options, the same Path may be exported
multiple times.
This option is used to place the export within the NFS v4 Pseudo Filesystem. This creates a single
name space for NFS v4. Clients may mount the root of the Pseudo Filesystem and navigate to
exports. Note that the Path and Tag options are not at all visible to NFS v4 clients.
Export id 0 is automatically created to provide the root and any directories necessary to navigate
to exports if there is no other export specified with Pseudo = /;. Note that if an export is
specified with Pseudo = /;, it need not be export id 0. Specifying such an export with FSAL { name
= PSEUDO; } may be used to create a Pseudo Filesystem with specific options. Such an export may
also use other FSALs (though directories to reach exports will ONLY be automatically created on
FSAL PSEUDO exports).
This option is dynamically changeable and changing it will move the export within the pseudo
filesystem. This may be disruptive to clients. Note that if the mount_path_pseudo NFS_CORE_PARAM
option is true, the NFSv3 mount path will also change (that should not be disruptive to clients
that have the export mounted).
Tag(nodefault)
This option allows an alternative access for NFS v3 mounts. The option MUST not have a leading /.
Clients may not mount subdirectories (i.e. if Tag = foo, the client may not mount foo/baz). By
using different Tag options, the same Path may be exported multiple times.
This option is not dynamically updatable.
Filesystem_id(fsid,formatisuint64.uint64,defaultunused)
This option allows overriding the filesystem ID provided by the underlying filesystem. Use of this
option is discouraged, It will not work if VFS or GPFS is exporting a filesystem that has other
filesystems mounted on sub-directories and exported with the same export.
This option is not dynamically updateable.
Read_Access_Check_Policy(enum,values[pre,post,all],defaultpre)
Whether to run permission check for read before sending the read to the FSAL, after getting the
read response from the FSAL, or both before and after. This allows to optimize performance for
failure flow by always checking access before sending the read, or to optimize performance for
success path by storing access check result in the FSAL cache during the read and perform the
access check after the read (requires the FSAL implementation to support it, so should only be
used with supported FSALs). It also allow to optimize for security by running permission check
both before and after.
MaxRead(64*1024*1024)
The maximum read size on this export
MaxWrite(64*1024*1024)
The maximum write size on this export
PrefRead(64*1024*1024)
The preferred read size on this export. Note that some older nfs client (e.g. libnfs 1.x) would
not handle well for large preferred read size. If so, please try to decrease this size (usually
less than 1M is suitable for older nfs client).
PrefWrite(64*1024*1024)
The preferred write size on this export. Note that some older nfs client (e.g. libnfs 1.x) would
not handle well for large preferred write size. If so, please try to decrease this size (usually
less than 1M is suitable for older nfs client).
PrefReaddir(16384)
The preferred readdir size on this export
MaxOffsetWrite(INT64_MAX)
Maximum file offset that may be written Range is 512 to UINT64_MAX
MaxOffsetRead(INT64_MAX)
Maximum file offset that may be read Range is 512 to UINT64_MAX
DisableReaddirPlus(bool, default false)
Trust_Readdir_Negative_Cache(bool, default false)
The following options may have limits on dynamic effect
UseCookieVerifier(bool,defaulttrue)
Updating UseCookieVerifier while a readdir is in progress may result in unexpected behavior.
Disable_ACL(bool,defaultfalse)
Disable_ACL is processed at create_export time currently which makes it effectively a static
option.
Security_Label(bool, default false)
Attr_Expiration_Time(int32,range-1toINT32_MAX,default60)
Attr_Expiration_Time is evaluated when an MDCACHE entry is created, so the dynamic effect of this
option may be constrained to new entries.
CLIENT(optional)
See the CLIENT{} block description. There may be any number of these.
FSAL(required)
See the EXPORT{FSAL{}} block.
The FSAL for an export can not be changed dynamically. In order to change the FSAL, a new export
must be created.
At this time, no FSAL actually supports any updatable options.
EXPORT{CLIENT{}}
See the CLIENT{} block description.
EXPORT{FSAL{}}
NFS-Ganesha supports the following FSALs: CephGlusterGPFSPROXY_V3PROXY_V4RGWVFSXFSLUSTRELIzardFSKVSFS
Refer to individual FSAL config file for list of config options.
The FSAL blocks generally are less updatable
PSEUDOFS{}
This block allows specifying some options for the pseudofs root export. It is very similar to an EXPORT
block, except only the following options may be specified. CLIENT blocks may be used just like an EXPORT
block, however, they are also limited to the same options.
This is basically a shortcut rather than having to fill out options in an EXPORT block. Note that Path,
Pseudo, and Export_Id are not included as those values will be fixed ("/" for the paths, and 0 for
Export_Id). Other options that don't make sense for the pseudofs root are also not allowed.
An empty PSEUDOFS {} block will produce the same default pseudofs root export as generated if no pseudofs
root export is otherwise specified.
This block is most useful to override a restrictive CLIENT list in EXPORT_DEFAULTS {}.
These options will all be dynamically updateable.
Access_Type(enum,defaultMDONLY_RO)Possiblevalues:
None, MDONLY_RO
Transports(enum list, values [UDP, TCP, RDMA], default [TCP])
SecType(enumlist,default[none,sys,krb5,krb5i,krb5p])Possiblevalues:
none, sys, krb5, krb5i, krb5p
PrivilegedPort(bool, default false)
Export_id(uint16,range0toUINT16_MAX,default0)
An identifier for the export, must be unique and between 0 and 65535.
Export_id is not dynamic per se, changing it essentially removes the old export and introduces a
new export.
Filesystem_id(fsid,formatisuint64.uint64,default152.152)
Unlike standard exports, there is no underlying filesystem to get an ID from, so this option is
important, however the default value may be used so it need not be specified.
This option is not dynamically updateable.
DisableReaddirPlus(bool, default false)
Trust_Readdir_Negative_Cache(bool, default false)
The following options may have limits on dynamic effect
UseCookieVerifier(bool,defaulttrue)
Updating UseCookieVerifier while a readdir is in progress may result in unexpected behavior.
PSEUDOFS{CLIENT{}}
See the CLIENT{} block description but note that beyond the Clients options that works as described,
the other options available are as for the PSEUDOFS {} block.
If it is desired to override a restrictive CLIENT list in EXPORT_DEFAULTS, the following PSEUDOFS could
be defined that will give all clients the default access to the pseudofs root that otherwise would have
been granted if EXPORT_DEFAULTS was not used.
PSEUDOFS{CLIENT{
Clients =
*
;
}
}