vserver nfs create
Create an NFS configuration for a Vserver
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
The vserver nfs create command enables and configures a Vserver to serve NFS clients. The Vserver must already exist. An NFS-enabled Vserver is associated with an NIS domain.
Parameters
- -vserver <vserver name> - Vserver
- This parameter specifies the Vserver on which you want to create the NFS configuration.
- [-access {true|false}] - General NFS Access
- This optional parameter specifies whether to enable NFS access on the Vserver. The default setting is true.
- [-rpcsec-ctx-high <integer>] - RPC GSS Context Cache High Water Mark (privilege: advanced)
- This optional parameter specifies the maximum number of RPCSEC_GSS authentication contexts, which are used by Kerberos. The default setting is zero. See RFC 2203 for information about RPCSEC_GSS contexts.
- [-rpcsec-ctx-idle <integer>] - RPC GSS Context Idle (privilege: advanced)
- This optional parameter specifies, in seconds, the amount of time an RPCSEC_GSS context is permitted to remain unused before it is deleted. The default setting is zero seconds. See RFC 2203 for information about RPCSEC_GSS contexts.
- [-v3 {enabled|disabled}] - NFS v3
- This optional parameter specifies whether to enable access for NFSv3 clients. The default setting is enabled.
- [-v4.0 {enabled|disabled}] - NFS v4.0
- This optional parameter specifies whether to enable access for NFSv4.0 clients. The default setting is enabled.
- [-udp {enabled|disabled}] - UDP Protocol
- This optional parameter specifies whether to enable NFS access over UDP. The default setting is enabled. Note: Even if UDP is disabled, if TCP is enabled, the Vserver does not block NFSv3 traffic over UDP. By allowing this traffic, the storage system can process NFS_NULL ops that the Solaris automounter sends to determine if the storage system is alive. (Solaris sends these ops over UDP even if configured to use TCP.) To disallow access for certain clients, including over UDP, you can use export-policy rules. For more information, see the vserver export-policy rule create command.
- [-tcp {enabled|disabled}] - TCP Protocol
- This optional parameter specifies whether to enable NFS access over TCP. The default setting is enabled.
- [-default-win-user <text>] - Default Windows User
- This optional parameter specifies a list of default Windows users for the NFS server.
- [-enable-ejukebox {true|false}] - Enable NFSv3 EJUKEBOX error (privilege: advanced)
- This optional parameter specifies whether EJUKEBOX errors are enabled for NFSv3. The default setting is true.
- [-v3-require-read-attributes {true|false}] - Require All NFSv3 Reads to Return Read Attributes (privilege: advanced)
- This optional parameter specifies whether NFSv3 read operations are required to return read attributes. The default setting is false.
- [-v3-fsid-change {enabled|disabled}] - Show Change in FSID as NFSv3 Clients Traverse Filesystems (privilege: advanced)
- This optional parameter specifies whether Data ONTAP shows changes in file system identifiers (FSIDs) as NFSv3 clients traverse file systems. The default setting is enabled.
- [-v3-connection-drop {enabled|disabled}] - Enable the Dropping of a Connection When an NFSv3 Request is Dropped (privilege: advanced)
- This optional parameter specifies whether Data ONTAP is allowed to drop the connection when an NFSv3 request is dropped. The default setting is enabled.
- [-ntfs-unix-security-ops {fail|ignore|use-export-policy}] - Vserver NTFS Unix Security Options (privilege: advanced)
- This optional parameter specifies how NFSv3 security changes affect NTFS volumes. If you set this parameter to ignore, Data ONTAP ignores NFSv3 security changes. If you set this parameter to fail, this overrides the unix security options set in the relevant export rules. If you set this parameter to use_export_policy, Data ONTAP processes NFSv3 security changes in accordance with the relevant export rules. The default setting is use_export_policy at the time of creation.
- [-chown-mode {restricted|unrestricted|use-export-policy}] - Vserver Change Ownership Mode (privilege: advanced)
- This optional parameter specifies whether file ownership can be changed only by the superuser, or if a non-root user can also change file ownership. If you set this parameter to restricted, file ownership can be changed only by the superuser, even though the on-disk permissions allow a non-root user to change file ownership. If you set this parameter to unrestricted, file ownership can be changed by the superuser and by the non-root user, depending upon the access granted by on-disk permissions. If you set this parameter to use-export-policy, file ownership can be changed in accordance with the relevant export rules.
- [-trace-enabled {true|false}] - NFS Response Trace Enabled (privilege: advanced)
- This optional parameter specifies whether Data ONTAP logs NFS requests when they exceed the NFS response trigger time (see the trigger parameter). The default setting is false.
- [-trigger <integer>] - NFS Response Trigger (in secs) (privilege: advanced)
- This optional parameter specifies the amount of time, in seconds, after which Data ONTAP must log an NFS request if it has not completed (assuming the -trace-enabled option is true). The default setting is 60.
- [-udp-max-xfer-size <integer>] - UDP Maximum Transfer Size (bytes) (privilege: advanced)
- This optional parameter specifies the maximum transfer size (in bytes) that the NFS mount protocol will negotiate with the client for UDP transport. The range is 8192 to 57344. The default setting is 32768.
- [-tcp-max-xfer-size <integer>] - TCP Maximum Transfer Size (bytes) (privilege: advanced)
- This optional parameter specifies the maximum transfer size (in bytes) that the storage system negotiates with the client for TCP transport of data for NFSv3 and NFSv4.x protocols. The range is 8192 to 1048576. The default setting is 65536. Note: Setting the parameter value greater than 65536 may cause performance degradation for existing connections using smaller values. Contact technical support for guidance.
- [-v4.0-acl {enabled|disabled}] - NFSv4.0 ACL Support
- This optional parameter specifies whether Data ONTAP supports NFSv4.0 access control lists (ACLs). The default setting is disabled.
- [-v4.0-read-delegation {enabled|disabled}] - NFSv4.0 Read Delegation Support
- This optional parameter specifies whether Data ONTAP supports NFSv4.0 read delegations. The default setting is disabled.
- [-v4.0-write-delegation {enabled|disabled}] - NFSv4.0 Write Delegation Support
- This optional parameter specifies whether Data ONTAP supports NFSv4.0 write delegations. The default setting is disabled.
- [-v4-fsid-change {enabled|disabled}] - Show Change in FSID as NFSv4 Clients Traverse Filesystems (privilege: advanced)
- This optional parameter specifies whether Data ONTAP shows changes in file system identifiers (FSIDs) as NFSv4 clients traverse file systems. The default setting is enabled. Note: If users access the storage system using NFSv4 from Solaris 10 clients, you must set this option to disabled.
- [-v4.0-referrals {enabled|disabled}] - NFSv4.0 Referral Support (privilege: advanced)
- This optional parameter specifies whether Data ONTAP supports NFSv4.0 referrals. The default setting is disabled. You can set this parameter to enabled only if you also set the -v4-fsid-change to enabled. If clients accessing the node do not support NFSv4.0 referrals, set this option to disabled; otherwise, those clients will not be able to access the file system.
- [-v4-id-domain <nfs domain>] - NFSv4 ID Mapping Domain
- This optional parameter specifies the domain portion of the string form of user and group names as defined by the NFSv4 protocol. By default, the domain name is defaultv4iddomain.com. However, the value of this parameter overrides the default. The domain name must be agreed upon by both the NFS client and the storage controller before NFSv4 operations can be executed. It is recommended that the domain be specified in the fully qualified domain name format.
- [-v4-validate-symlinkdata {enabled|disabled}] - NFSv4 Validate UTF-8 Encoding of Symbolic Link Data (privilege: advanced)
- This optional parameter specifies whether Data ONTAP validates the UTF-8 encoding of symbolic link data. The default setting is disabled.
- [-v4-lease-seconds <integer>] - NFSv4 Lease Timeout Value (in secs) (privilege: advanced)
- This optional parameter specifies the time period in which Data ONTAP irrevocably grants a lock to a client. By default, the lease period is 30 seconds. The minimum value is 10. The maximum value is one less than the value of the -v4-grace-seconds parameter.
- [-v4-grace-seconds <integer>] - NFSv4 Grace Timeout Value (in secs)
- This optional parameter specifies the time period in which clients attempt to reclaim their locking state from Data ONTAP during server recovery. By default, the grace period is 45 seconds. The minimum value is 1 more than the value of the -v4-lease-seconds parameter. The maximum value is 90.
- [-v4-acl-preserve {enabled|disabled}] - Preserves and Modifies NFSv4 ACL (and NTFS File Permissions in Unified Security Style)
- This optional parameter specifies if the NFSv4 ACL is preserved or dropped when chmod is performed. In unified security style, this parameter also specifies if NTFS file permissions are preserved or dropped when chmod, chgrp, or chown are performed. The default is enabled.
- [-v4.1 {enabled|disabled}] - NFSv4.1 Minor Version Support
- This optional parameter specifies whether to enable access for NFSv4.1 or later clients. The default setting is enabled.
- [-rquota {enabled|disabled}] - Rquota Enable
- This optional parameter specifies whether to enable rquota over NFS. The default setting is disabled.
- [-v4.1-implementation-domain <nfs domain>] - NFSv4.1 Implementation ID Domain (privilege: advanced)
- This optional parameter specifies the NFSv4.1 or later implementation domain.
- [-v4.1-implementation-name <text>] - NFSv4.1 Implementation ID Name (privilege: advanced)
- This optional parameter specifies the NFSv4.1 or later implementation name.
- [-v4.1-implementation-date <Date>] - NFSv4.1 Implementation ID Date (privilege: advanced)
- This optional parameter specifies the NFSv4.1 or later implementation date.
- [-v4.1-pnfs {enabled|disabled}] - NFSv4.1 Parallel NFS Support
- This optional parameter specifies whether Data ONTAP supports parallel NFS over NFSv4.1 or later. The default setting is disabled.
- [-v4.1-referrals {enabled|disabled}] - NFSv4.1 Referral Support (privilege: advanced)
- This optional parameter specifies whether Data ONTAP supports NFSv4.1 or later referrals. The default setting is disabled. You can set this parameter to enabled only if you also set the -v4-fsid-change to enabled. If clients accessing the node do not support NFSv4.1 or later referrals, set this option to disabled; otherwise, those clients will not be able to access the file system.
- [-v4.1-acl {enabled|disabled}] - NFSv4.1 ACL Support
- This optional parameter specifies whether Data ONTAP supports NFSv4.1 or later access control lists (ACLs). The default setting is disabled.
- [-vstorage {enabled|disabled}] - NFS vStorage Support
- This optional parameter specifies whether to enable vstorage over NFS. The default setting is disabled.
- [-v4-numeric-ids {enabled|disabled}] - NFSv4 Support for Numeric Owner IDs
- This optional parameter specifies whether the support for numeric string identifiers in NFSv4 owner attributes is enabled. The default setting is enabled.
- [-default-win-group <text>] - Default Windows Group
- This optional parameter specifies a list of default Windows groups for the NFS server.
- [-v4.1-read-delegation {enabled|disabled}] - NFSv4.1 Read Delegation Support
- This optional parameter specifies whether Data ONTAP supports NFSv4.1 or later read delegations. The default setting is disabled.
- [-v4.1-write-delegation {enabled|disabled}] - NFSv4.1 Write Delegation Support
- This optional parameter specifies whether Data ONTAP supports NFSv4.1 or later write delegations. The default setting is disabled.
- [-v4.x-session-num-slots <integer>] - Number of Slots in the NFSv4.x Session slot tables (privilege: advanced)
- This optional parameter specifies the number of entries in the NFSv4.x session slot table. By default, the number of slots is 180. The maximum value is 2000.
- [-v4.x-session-slot-reply-cache-size <integer>] - Size of the Reply that will be Cached in Each NFSv4.x Session Slot (in bytes) (privilege: advanced)
- This optional parameter specifies the number of bytes of the reply that will be cached in each NFSv4.x session slot. By default, the size of the cached reply is 640 bytes. The maximum value is 4096.
- [-v4-acl-max-aces <integer>] - Maximum Number of ACEs per ACL (privilege: advanced)
- This optional parameter specifies the maximum number of ACEs in an NFSv4 ACL. The range is 192 to 1024. The default value is 400. Setting it to a value more than the default could cause performance problems for clients accessing files with NFSv4 ACLs.
- [-mount-rootonly {enabled|disabled}] - NFS Mount Root Only
- This optional parameter specifies whether the Vserver allows MOUNT protocol calls only from privileged ports (port numbers less than 1024). The default setting is enabled.
- [-nfs-rootonly {enabled|disabled}] - NFS Root Only
- This optional parameter specifies whether the Vserver allows NFS protocol calls only from privileged ports (port numbers less than 1024). The default setting is disabled.
- [-auth-sys-extended-groups {enabled|disabled}] - AUTH_SYS Extended Groups Enabled (privilege: advanced)
- This optional parameter specifies whether Data ONTAP supports fetching auxiliary groups from a name service rather than from the RPC header. The default setting is disabled.
- [-extended-groups-limit <integer>] - AUTH_SYS and RPCSEC_GSS Auxillary Groups Limit (privilege: advanced)
- This optional parameter specifies the maximum number of auxiliary groups supported over RPC security flavors AUTH_SYS and RPCSEC_GSS in Data ONTAP. The range is 32 to 1024. The default value is 32.
- [-validate-qtree-export {enabled|disabled}] - Validation of Qtree IDs for Qtree File Operations (privilege: advanced)
- This optional parameter specifies whether clustered Data ONTAP performs an additional validation on qtree IDs. The default setting is enabled. This parameter is ignored unless a non-inherited policy has been or is assigned to a qtree.
- [-mountd-port <integer>] - NFS Mount Daemon Port (privilege: advanced)
- This optional parameter specifies which port the NFS mount daemon (mountd) uses. The port numbers allowed are 635 (the default) and 1024 through 9999.
- [-nlm-port <integer>] - Network Lock Manager Port (privilege: advanced)
- This optional parameter specifies which port the network lock manager (NLM) uses. The port numbers allowed are 1024 through 9999. The default setting is 4045.
- [-nsm-port <integer>] - Network Status Monitor Port (privilege: advanced)
- This optional parameter specifies which port the network status monitor (NSM) uses. The port numbers allowed are 1024 through 9999. The default setting is 4046.
- [-rquotad-port <integer>] - NFS Quota Daemon Port (privilege: advanced)
- This optional parameter specifies which port the NFS quota daemon (rquotad) uses. The port numbers allowed are 1024 through 9999. The default setting is 4049.
- [-permitted-enc-types <NFS Kerberos Encryption Type>, ...] - Permitted Kerberos Encryption Types
- This optional parameter specifies the permitted encryption types for Kerberos over NFS. The default setting is des,des3,aes-128,aes-256.
- [-showmount {enabled|disabled}] - Showmount Enabled
- This optional parameter specifies whether to allow or disallow clients to see the Vserver's NFS exports list. The default setting is enabled. Note: Showmount leverages the MOUNT protocol in NFSv3 to issue an EXPORT query to the NFS server. If the mount port is not listening or blocked by a firewall, or if NFSv3 is disabled on the NFS server, showmount queries fail.
- [-name-service-lookup-protocol {TCP|UDP}] - Set the Protocol Used for Name Services Lookups for Exports
- This optional parameter specifies the protocol to use for doing name service lookups. The allowed values are TCP and UDP. The default setting is UDP.
- [-map-unknown-uid-to-default-windows-user {enable|disable}] - Map Unknown UID to Default Windows User (privilege: advanced)
- If you enable this optional parameter, unknown UNIX users that do not have a name mapping to a Windows user are mapped to the configured default Windows user. This allows all unknown UNIX users access with the credentials of the default Windows user. If you disable it, all unknown UNIX users without name mapping are always denied access. By default, this parameter is enabled.
- [-netgroup-dns-domain-search {enabled|disabled}] - DNS Domain Search Enabled During Netgroup Lookup (privilege: advanced)
- If you enable this optional parameter, during client access check evaluation in a netgroup, Data ONTAP performs an additional verification to ensure that the domain returned from DNS for that client is listed in the DNS configuration of the Vserver. This enables you to validate the domain when clients have the same short name in multiple domains. The default setting is enabled.
- [-netgroup-trust-any-ns-switch-no-match {enabled|disabled}] - Trust No-Match Result from Any Name Service Switch Source During Netgroup Lookup (privilege: advanced)
- This optional parameter specifies if you can consider a no-match result from any netgroup ns-switch source to be authoritative. If this option is enabled, then a no-match response from any one of the netgroup ns-switch sources is deemed conclusive even if other sources could not be searched. The default setting is 'disabled', which causes all netgroup ns-switch sources to be consulted before a no-match result is deemed conclusive.
- [-ntacl-display-permissive-perms {enabled|disabled}] - Display maximum NT ACL Permissions to NFS Client (privilege: advanced)
- This optional parameter controls the permissions that are displayed to NFSv3 and NFSv4 clients on a file or directory that has an NT ACL set. When true, the displayed permissions are based on the maximum access granted by the NT ACL to any user. When false, the displayed permissions are based on the minimum access granted by the NT ACL to any user. The default setting is false.
- [-v3-ms-dos-client {enabled|disabled}] - NFSv3 MS-DOS Client Support
- This optional parameter specifies whether to enable access for NFSv3 MS-DOS clients. The default setting is disabled.
- [-ignore-nt-acl-for-root {enabled|disabled}] - Ignore the NT ACL Check for NFS User 'root' (privilege: advanced)
- This optional parameter specifies whether Windows ACLs affect root access from NFS. If this option is enabled, root access from NFS ignores the NT ACL set on the file or directory. If auditing is enabled for the Vserver and there is no name-mapping present, then a default SMB credential (Builtin\administrator) is used for auditing, and an EMS warning is generated. The default setting is 'disabled', which causes NFS 'root' to be mapped to a Windows account, like any other NFS user.
- [-cached-cred-positive-ttl <integer>] - Time To Live Value (in msecs) of a Positive Cached Credential (privilege: advanced)
- This optional parameter specifies the age of the positive cached credentials after which they will be cleared from the cache. The value specified must be between 60000 and 604800000. The default setting is 86400000.
- [-cached-cred-negative-ttl <integer>] - Time To Live Value (in msecs) of a Negative Cached Credential (privilege: advanced)
- This optional parameter specifies the age of the negative cached credentials after which they will be cleared from the cache. The value specified must be between 60000 and 604800000. The default setting is 7200000.
- [-skip-root-owner-write-perm-check {enabled|disabled}] - Skip Permission Check for NFS Write Calls from Root/Owner (privilege: advanced)
- This optional parameter specifies if permission checks are to be skipped for NFS WRITE calls from root/owner. For copying read-only files to a destination folder which has inheritable ACLs, this option must be enabled. Warning: When enabled, if an NFS client does not make use of an NFS ACCESS call to check for user-level permissions and then tries to write onto read-only files, the operation will succeed. The default setting is disabled.
- [-v3-64bit-identifiers {enabled|disabled}] - Use 64 Bits for NFSv3 FSIDs and File IDs (privilege: advanced)
- This optional parameter specifies whether Data ONTAP uses 64 bits (instead of 32 bits) for file system identifiers (FSIDs) and file identifiers (file IDs) that are returned to NFSv3 clients. The default setting is disabled. When -v3-fsid-change is disabled, enable this parameter to avoid file ID collisions.
- [-v4-inherited-acl-preserve {enabled|disabled}] - Ignore Client Specified Mode Bits and Preserve Inherited NFSv4 ACL When Creating New Files or Directories (privilege: advanced)
- This optional parameter specifies whether the client-specified mode bits should be ignored and the inherited NFSv4 ACL should be preserved when creating new files or directories. The default setting is disabled.
- [-v3-search-unconverted-filename {enabled|disabled}] - Fallback to Unconverted Filename Search (privilege: advanced)
- This optional parameter specifies whether to continue search without converting the filename to the Unicode character set while doing lookup in a directory.
- [-file-session-io-grouping-count <integer>] - I/O Count to Be Grouped as a Session (privilege: advanced)
- This optional parameter specifies the number of read or write operations on a file from a single client that are grouped and considered as one session for event generation applications, such as FPolicy. The event is generated on the first read or write of a file, and subsequently the event is generated only after the specified -file-session-io-grouping-count. The default value is 5000.
- [-file-session-io-grouping-duration <integer>] - Duration for I/O to Be Grouped as a Session (Secs) (privilege: advanced)
- This optional parameter specifies the duration for which the read or write operations on a file from a single client are grouped and considered as one session for event generation applications, such as FPolicy. The default value is 120 seconds.
- [-checksum-for-replay-cache {enabled|disabled}] - Enable or disable Checksum for Replay-Cache (privilege: advanced)
- This optional parameter specifies whether to enable replay cache checksum for NFS requests. The default value is enabled.
- [-cached-cred-harvest-timeout <integer>] - Harvest timeout (in msecs) for a Cached Credential (privilege: advanced)
- This optional parameter specifies the harvest timeout for cached credentials. The value specified must be between 60000 and 604800000. The default setting is 86400000.
- [-idle-connection-timeout <integer>] - Idle Connection Timeout Value (in seconds)
- This optional parameter specifies the idle connection timeout value for NFS connections in seconds. The value specified must be between 120 and 86400.
- [-allow-idle-connection {enabled|disabled}] - Are Idle NFS Connections Supported
- This optional parameter specifies whether to enable idle NFS connections. The default setting is disabled.
- [-v3-hide-snapshot {enabled|disabled}] - Hide Snapshot Directory under NFSv3 Mount Point
- This optional parameter specifies whether to hide the .snapshot directory while listing under NFSv3 mount points. However, explicit access to the .snapshot directory is still allowed even when the option is enabled. The default setting is disabled.
- [-showmount-rootonly {enabled|disabled}] - Provide Root Path as Showmount State
- This optional parameter specifies whether to provide the root path as showmount state when the -showmount parameter is disabled. The default value for showmount-rootonly is disabled.
- [-v4-64bit-identifiers {enabled|disabled}] - Use 64 Bits for NFSv4.x FSIDs and File IDs (privilege: advanced)
- This optional parameter specifies whether Data ONTAP uses 64 bits (instead of 32 bits) for file system identifiers (FSIDs) and file identifiers (file IDs) that are returned to NFSv4.x clients. The default setting is enabled. When -v4-fsid-change is disabled, enable this parameter to avoid file ID collisions.
- [-v4.2-seclabel {enabled|disabled}] - NFSV4.2 Security Label Support (privilege: advanced)
- This optional parameter specifies whether to enable security labels for NFSv4.2. The default setting is disabled.
Examples
The following example enables and configures NFS access on a Vserver named vs0. NFS access is enabled. The maximum number of RPCSEC_GSS authentication contexts is set to 5. The RPCSEC_GSS idle time is set to 360 seconds. Access is enabled for NFS v3 clients over both UDP and TCP.
cluster1::> vserver nfs create -vserver vs0 -access true -rpcsec-ctx-high 5 -rpcsec-ctx-idle 360 -v3 enabled -udp enabled -tcp enabled
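A pre-flight check for the constraints stated in the parameter descriptions above, as an added example (not NetApp code): it parses a vserver nfs create line, validates the documented ranges and dependencies, and lists settings worth a security review. The function names, the second sample command, and the choice of review items (DES and 3DES enctypes, deprecated for Kerberos by RFC 6649 and RFC 8429; unprivileged source ports; showmount; the root/owner write check) are assumptions of this example.

```python
import shlex

# Numeric ranges copied from the parameter descriptions on this page.
RANGES = {
    "-udp-max-xfer-size": (8192, 57344), "-tcp-max-xfer-size": (8192, 1048576),
    "-v4-acl-max-aces": (192, 1024), "-extended-groups-limit": (32, 1024),
    "-nlm-port": (1024, 9999), "-nsm-port": (1024, 9999),
    "-rquotad-port": (1024, 9999), "-idle-connection-timeout": (120, 86400),
}
# Page-stated defaults, applied when a flag is omitted.
DEFAULTS = {
    "-v4-lease-seconds": "30", "-v4-grace-seconds": "45",
    "-v4-fsid-change": "enabled", "-v4.0-referrals": "disabled",
    "-v4.1-referrals": "disabled", "-mountd-port": "635",
    "-permitted-enc-types": "des,des3,aes-128,aes-256",
    "-nfs-rootonly": "disabled", "-showmount": "enabled",
    "-skip-root-owner-write-perm-check": "disabled",
}
# The command from the Examples section, prompt included.
PAGE_EXAMPLE = ("cluster1::> vserver nfs create -vserver vs0 -access true "
                "-rpcsec-ctx-high 5 -rpcsec-ctx-idle 360 -v3 enabled "
                "-udp enabled -tcp enabled")
# Constructed input that breaks three of the documented constraints.
CONSTRUCTED_BAD = ("vserver nfs create -vserver vs1 -v4-lease-seconds 60 "
                   "-v4-grace-seconds 45 -v4.1-referrals enabled "
                   "-v4-fsid-change disabled -mountd-port 700 "
                   "-permitted-enc-types aes-128,aes-256 "
                   "-nfs-rootonly enabled -showmount disabled")

def parse_create(cmdline):
    """Return {flag: value} for a 'vserver nfs create' line (prompt allowed)."""
    tokens = shlex.split(cmdline)
    start = tokens.index("vserver") if "vserver" in tokens else len(tokens)
    if tokens[start:start + 3] != ["vserver", "nfs", "create"]:
        raise ValueError("not a 'vserver nfs create' command")
    args = tokens[start + 3:]
    if len(args) % 2 or not all(f.startswith("-") for f in args[0::2]):
        raise ValueError("expected '-flag value' pairs")
    return dict(zip(args[0::2], args[1::2]))

def audit(cmdline):
    """Return (errors, review): constraint violations and settings to review."""
    given = parse_create(cmdline)
    cfg = {**DEFAULTS, **given}
    errors, review = [], []
    if "-vserver" not in given:
        errors.append("-vserver is required")
    for flag, (lo, hi) in RANGES.items():
        if flag in given and not lo <= int(given[flag]) <= hi:
            errors.append(f"{flag} must be {lo}..{hi}")
    port = int(cfg["-mountd-port"])
    if port != 635 and not 1024 <= port <= 9999:
        errors.append("-mountd-port must be 635 or 1024..9999")
    lease, grace = int(cfg["-v4-lease-seconds"]), int(cfg["-v4-grace-seconds"])
    if not 10 <= lease < grace <= 90:
        errors.append("need 10 <= -v4-lease-seconds < -v4-grace-seconds <= 90")
    for ref in ("-v4.0-referrals", "-v4.1-referrals"):
        if cfg[ref] == "enabled" and cfg["-v4-fsid-change"] != "enabled":
            errors.append(f"{ref} enabled requires -v4-fsid-change enabled")
    # Review items: flagging these is this example's policy, not the page's.
    weak = [e for e in cfg["-permitted-enc-types"].split(",")
            if e in ("des", "des3")]
    if weak:
        review.append("weak Kerberos enctypes permitted: " + ",".join(weak))
    if cfg["-nfs-rootonly"] == "disabled":
        review.append("NFS calls accepted from non-privileged source ports")
    if cfg["-showmount"] == "enabled":
        review.append("export list visible to clients via showmount")
    if cfg["-skip-root-owner-write-perm-check"] == "enabled":
        review.append("WRITE permission check skipped for root/owner")
    return errors, review

if __name__ == "__main__":
    for line in (PAGE_EXAMPLE, CONSTRUCTED_BAD):
        print(audit(line))
```

The page's own example passes every constraint check but still yields three review items, all of them coming from defaults it leaves untouched.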