[ceph.git] / ceph / doc / radosgw / nfs.rst

===
NFS
===

.. versionadded:: Jewel

.. note:: Only the NFSv4 protocol is supported when using a cephadm or rook based deployment.

Ceph Object Gateway namespaces can be exported over the file-based
NFSv4 protocols, alongside traditional HTTP access
protocols (S3 and Swift).

In particular, the Ceph Object Gateway can now be configured to
provide file-based access when embedded in the NFS-Ganesha NFS server.

The simplest and preferred way of managing nfs-ganesha clusters and rgw exports
is using ``ceph nfs ...`` commands. See :doc:`/mgr/nfs` for more details.

librgw
======

The librgw.so shared library (Unix) provides a loadable interface to
Ceph Object Gateway services, and instantiates a full Ceph Object Gateway
instance on initialization.

In turn, librgw.so exports rgw_file, a stateful API for file-oriented
access to RGW buckets and objects.  The API is general, but its design
is strongly influenced by the File System Abstraction Layer (FSAL) API
of NFS-Ganesha, for which it has been primarily designed.

A set of Python bindings is also provided.

Namespace Conventions
=====================

The implementation conforms to Amazon Web Services (AWS) hierarchical
namespace conventions which map UNIX-style path names onto S3 buckets
and objects.

The top level of the attached namespace consists of S3 buckets,
represented as NFS directories. Files and directories subordinate to
buckets are each represented as objects, following S3 prefix and
delimiter conventions, with '/' being the only supported path
delimiter [#]_.

For example, if an NFS client has mounted an RGW namespace at "/nfs",
then a file "/nfs/mybucket/www/index.html" in the NFS namespace
corresponds to an RGW object "www/index.html" in a bucket/container
"mybucket."

Although it is generally invisible to clients, the NFS namespace is
assembled through concatenation of the corresponding paths implied by
the objects in the namespace.  Leaf objects, whether files or
directories, will always be materialized in an RGW object of the
corresponding key name, "<name>" if a file, "<name>/" if a directory.
Non-leaf directories (e.g., "www" above) might only be implied by
their appearance in the names of one or more leaf objects. Directories
created within NFS or directly operated on by an NFS client (e.g., via
an attribute-setting operation such as chown or chmod) always have a
leaf object representation used to store materialized attributes such
as Unix ownership and permissions.

Supported Operations
====================

The RGW NFS interface supports most operations on files and
directories, with the following restrictions:

- Links, including symlinks, are not supported.
- NFS ACLs are not supported.

  + Unix user and group ownership and permissions *are* supported.

- Directories may not be moved/renamed.

  + Files may be moved between directories.

- Only full, sequential *write* I/O is supported

  + i.e., write operations are constrained to be **uploads**.
  + Many typical I/O operations such as editing files in place will necessarily fail as they perform non-sequential stores.
  + Some file utilities *apparently* writing sequentially (e.g., some versions of GNU tar) may fail due to infrequent non-sequential stores.
  + When mounting via NFS, sequential application I/O can generally be constrained to be written sequentially to the NFS server via a synchronous mount option (e.g. -osync in Linux).
  + NFS clients which cannot mount synchronously (e.g., MS Windows) will not be able to upload files.

Security
========

The RGW NFS interface provides a hybrid security model with the
following characteristics:

- NFS protocol security is provided by the NFS-Ganesha server, as negotiated by the NFS server and clients

  + e.g., clients can by trusted (AUTH_SYS), or required to present Kerberos user credentials (RPCSEC_GSS)
  + RPCSEC_GSS wire security can be integrity only (krb5i) or integrity and privacy (encryption, krb5p)
  + various NFS-specific security and permission rules are available

    * e.g., root-squashing

- a set of RGW/S3 security credentials (unknown to NFS) is associated with each RGW NFS mount (i.e., NFS-Ganesha EXPORT)

  + all RGW object operations performed via the NFS server will be performed by the RGW user associated with the credentials stored in the export being accessed (currently only RGW and RGW LDAP credentials are supported)

    * additional RGW authentication types such as Keystone are not currently supported

Manually configuring an NFS-Ganesha Instance
============================================

Each NFS RGW instance is an NFS-Ganesha server instance *embeddding*
a full Ceph RGW instance.

Therefore, the RGW NFS configuration includes Ceph and Ceph Object
Gateway-specific configuration in a local ceph.conf, as well as
NFS-Ganesha-specific configuration in the NFS-Ganesha config file,
ganesha.conf.

ceph.conf
---------

Required ceph.conf configuration for RGW NFS includes:

* valid [client.radosgw.{instance-name}] section
* valid values for minimal instance configuration, in particular, an installed and correct ``keyring``

Other config variables are optional, front-end-specific and front-end
selection variables (e.g., ``rgw data`` and ``rgw frontends``) are
optional and in some cases ignored.

A small number of config variables (e.g., ``rgw_nfs_namespace_expire_secs``)
are unique to RGW NFS.

ganesha.conf
------------

A strictly minimal ganesha.conf for use with RGW NFS includes one
EXPORT block with embedded FSAL block of type RGW::

   EXPORT
   {
        Export_ID={numeric-id};
        Path = "/";
        Pseudo = "/";
        Access_Type = RW;
        SecType = "sys";
        NFS_Protocols = 4;
        Transport_Protocols = TCP;

        # optional, permit unsquashed access by client "root" user
        #Squash = No_Root_Squash;

        FSAL {
                Name = RGW;
                User_Id = {s3-user-id};
                Access_Key_Id ="{s3-access-key}";
                Secret_Access_Key = "{s3-secret}";
        }
   }

``Export_ID`` must have an integer value, e.g., "77"

``Path`` (for RGW) should be "/"

``Pseudo`` defines an NFSv4 pseudo root name (NFSv4 only)

``SecType = sys;`` allows clients to attach without Kerberos
authentication

``Squash = No_Root_Squash;`` enables the client root user to override
permissions (Unix convention).  When root-squashing is enabled,
operations attempted by the root user are performed as if by the local
"nobody" (and "nogroup") user on the NFS-Ganesha server

The RGW FSAL additionally supports RGW-specific configuration
variables in the RGW config section::

 RGW {
     cluster = "{cluster name, default 'ceph'}";
     name = "client.rgw.{instance-name}";
     ceph_conf = "/opt/ceph-rgw/etc/ceph/ceph.conf";
     init_args = "-d --debug-rgw=16";
 }

``cluster`` sets a Ceph cluster name (must match the cluster being exported)

``name`` sets an RGW instance name (must match the cluster being exported)

``ceph_conf`` gives a path to a non-default ceph.conf file to use


Other useful NFS-Ganesha configuration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Any EXPORT block which should support NFSv3 should include version 3
in the NFS_Protocols setting. Additionally, NFSv3 is the last major
version to support the UDP transport. To enable UDP, include it in the
Transport_Protocols setting. For example::

 EXPORT {
  ...
    NFS_Protocols = 3,4;
    Transport_Protocols = UDP,TCP;
  ...
 }

One important family of options pertains to interaction with the Linux
idmapping service, which is used to normalize user and group names
across systems.  Details of idmapper integration are not provided here.

With Linux NFS clients, NFS-Ganesha can be configured
to accept client-supplied numeric user and group identifiers with
NFSv4, which by default stringifies these--this may be useful in small
setups and for experimentation::

 NFSV4 {
     Allow_Numeric_Owners = true;
     Only_Numeric_Owners = true;
 }

Troubleshooting
~~~~~~~~~~~~~~~

NFS-Ganesha configuration problems are usually debugged by running the
server with debugging options, controlled by the LOG config section.

NFS-Ganesha log messages are grouped into various components, logging
can be enabled separately for each component. Valid values for
component logging include::

  *FATAL* critical errors only
  *WARN* unusual condition
  *DEBUG* mildly verbose trace output
  *FULL_DEBUG* verbose trace output

Example::
  
  LOG {

	Components {
		MEMLEAKS = FATAL;
		FSAL = FATAL;
		NFSPROTO = FATAL;
		NFS_V4 = FATAL;
		EXPORT = FATAL;
		FILEHANDLE = FATAL;
		DISPATCH = FATAL;
		CACHE_INODE = FATAL;
		CACHE_INODE_LRU = FATAL;
		HASHTABLE = FATAL;
		HASHTABLE_CACHE = FATAL;
		DUPREQ = FATAL;
		INIT = DEBUG;
		MAIN = DEBUG;
		IDMAPPER = FATAL;
		NFS_READDIR = FATAL;
		NFS_V4_LOCK = FATAL;
		CONFIG = FATAL;
		CLIENTID = FATAL;
		SESSIONS = FATAL;
		PNFS = FATAL;
		RW_LOCK = FATAL;
		NLM = FATAL;
		RPC = FATAL;
		NFS_CB = FATAL;
		THREAD = FATAL;
		NFS_V4_ACL = FATAL;
		STATE = FATAL;
		FSAL_UP = FATAL;
		DBUS = FATAL;
	}
	# optional: redirect log output
 #	Facility {
 #		name = FILE;
 #		destination = "/tmp/ganesha-rgw.log";
 #		enable = active;
	}
 }

Running Multiple NFS Gateways
=============================

Each NFS-Ganesha instance acts as a full gateway endpoint, with the
limitation that currently an NFS-Ganesha instance cannot be configured
to export HTTP services. As with ordinary gateway instances, any
number of NFS-Ganesha instances can be started, exporting the same or
different resources from the cluster. This enables the clustering of
NFS-Ganesha instances. However, this does not imply high availability.

When regular gateway instances and NFS-Ganesha instances overlap the
same data resources, they will be accessible from both the standard S3
API and through the NFS-Ganesha instance as exported. You can
co-locate the NFS-Ganesha instance with a Ceph Object Gateway instance
on the same host. 

RGW vs RGW NFS
==============

Exporting an NFS namespace and other RGW namespaces (e.g., S3 or Swift
via the Civetweb HTTP front-end) from the same program instance is
currently not supported.

When adding objects and buckets outside of NFS, those objects will
appear in the NFS namespace in the time set by
``rgw_nfs_namespace_expire_secs``, which defaults to 300 seconds (5 minutes).
Override the default value for ``rgw_nfs_namespace_expire_secs`` in the
Ceph configuration file to change the refresh rate.

If exporting Swift containers that do not conform to valid S3 bucket
naming requirements, set ``rgw_relaxed_s3_bucket_names`` to true in the
[client.radosgw] section of the Ceph configuration file. For example,
if a Swift container name contains underscores, it is not a valid S3
bucket name and will be rejected unless ``rgw_relaxed_s3_bucket_names``
is set to true.

Configuring NFSv4 clients
=========================

To access the namespace, mount the configured NFS-Ganesha export(s)
into desired locations in the local POSIX namespace. As noted, this
implementation has a few unique restrictions:

- NFS 4.1 and higher protocol flavors are preferred

  + NFSv4 OPEN and CLOSE operations are used to track upload transactions

- To upload data successfully, clients must preserve write ordering

  + on Linux and many Unix NFS clients, use the -osync mount option

Conventions for mounting NFS resources are platform-specific. The
following conventions work on Linux and some Unix platforms:

From the command line::

  mount -t nfs -o nfsvers=4.1,noauto,soft,sync,proto=tcp <ganesha-host-name>:/ <mount-point>

In /etc/fstab::

<ganesha-host-name>:/ <mount-point> nfs noauto,soft,nfsvers=4.1,sync,proto=tcp 0 0

Specify the NFS-Ganesha host name and the path to the mount point on
the client.

Configuring NFSv3 Clients
=========================

Linux clients can be configured to mount with NFSv3 by supplying
``nfsvers=3`` and ``noacl`` as mount options. To use UDP as the
transport, add ``proto=udp`` to the mount options. However, TCP is the
preferred transport::

  <ganesha-host-name>:/ <mount-point> nfs noauto,noacl,soft,nfsvers=3,sync,proto=tcp 0 0

Configure the NFS Ganesha EXPORT block Protocols setting with version
3 and the Transports setting with UDP if the mount will use version 3 with UDP.

NFSv3 Semantics
---------------

Since NFSv3 does not communicate client OPEN and CLOSE operations to
file servers, RGW NFS cannot use these operations to mark the
beginning and ending of file upload transactions. Instead, RGW NFS
starts a new upload when the first write is sent to a file at offset
0, and finalizes the upload when no new writes to the file have been
seen for a period of time, by default, 10 seconds. To change this
timeout, set an alternate value for ``rgw_nfs_write_completion_interval_s``
in the RGW section(s) of the Ceph configuration file. 

References
==========

.. [#] http://docs.aws.amazon.com/AmazonS3/latest/dev/ListingKeysHierarchy.html
Commit	Line	Data
31f18b77 FG	1	===
	2	NFS
	3	===
	4
	5	.. versionadded:: Jewel
	6
a4b75251 TL	7	.. note:: Only the NFSv4 protocol is supported when using a cephadm or rook based deployment.
	8
	9	Ceph Object Gateway namespaces can be exported over the file-based
	10	NFSv4 protocols, alongside traditional HTTP access
31f18b77 FG	11	protocols (S3 and Swift).
	12
	13	In particular, the Ceph Object Gateway can now be configured to
	14	provide file-based access when embedded in the NFS-Ganesha NFS server.
	15
a4b75251 TL	16	The simplest and preferred way of managing nfs-ganesha clusters and rgw exports
	17	is using ``ceph nfs ...`` commands. See :doc:`/mgr/nfs` for more details.
	18
31f18b77 FG	19	librgw
	20	======
	21
	22	The librgw.so shared library (Unix) provides a loadable interface to
	23	Ceph Object Gateway services, and instantiates a full Ceph Object Gateway
	24	instance on initialization.
	25
	26	In turn, librgw.so exports rgw_file, a stateful API for file-oriented
	27	access to RGW buckets and objects. The API is general, but its design
	28	is strongly influenced by the File System Abstraction Layer (FSAL) API
	29	of NFS-Ganesha, for which it has been primarily designed.
	30
	31	A set of Python bindings is also provided.
	32
	33	Namespace Conventions
	34	=====================
	35
	36	The implementation conforms to Amazon Web Services (AWS) hierarchical
	37	namespace conventions which map UNIX-style path names onto S3 buckets
	38	and objects.
	39
	40	The top level of the attached namespace consists of S3 buckets,
	41	represented as NFS directories. Files and directories subordinate to
	42	buckets are each represented as objects, following S3 prefix and
	43	delimiter conventions, with '/' being the only supported path
	44	delimiter [#]_.
	45
	46	For example, if an NFS client has mounted an RGW namespace at "/nfs",
	47	then a file "/nfs/mybucket/www/index.html" in the NFS namespace
	48	corresponds to an RGW object "www/index.html" in a bucket/container
	49	"mybucket."
	50
	51	Although it is generally invisible to clients, the NFS namespace is
	52	assembled through concatenation of the corresponding paths implied by
	53	the objects in the namespace. Leaf objects, whether files or
	54	directories, will always be materialized in an RGW object of the
	55	corresponding key name, "<name>" if a file, "<name>/" if a directory.
	56	Non-leaf directories (e.g., "www" above) might only be implied by
	57	their appearance in the names of one or more leaf objects. Directories
	58	created within NFS or directly operated on by an NFS client (e.g., via
	59	an attribute-setting operation such as chown or chmod) always have a
	60	leaf object representation used to store materialized attributes such
	61	as Unix ownership and permissions.
	62
	63	Supported Operations
	64	====================
	65
	66	The RGW NFS interface supports most operations on files and
	67	directories, with the following restrictions:
	68
a4b75251 TL	69	- Links, including symlinks, are not supported.
a4b75251 TL	70	- NFS ACLs are not supported.
31f18b77	71
a4b75251	72	+ Unix user and group ownership and permissions are supported.
31f18b77	73
a4b75251	74	- Directories may not be moved/renamed.
31f18b77	75
a4b75251	76	+ Files may be moved between directories.
31f18b77	77
a4b75251	78	- Only full, sequential write I/O is supported
31f18b77	79
a4b75251 TL	80	+ i.e., write operations are constrained to be uploads.
	81	+ Many typical I/O operations such as editing files in place will necessarily fail as they perform non-sequential stores.
	82	+ Some file utilities apparently writing sequentially (e.g., some versions of GNU tar) may fail due to infrequent non-sequential stores.
	83	+ When mounting via NFS, sequential application I/O can generally be constrained to be written sequentially to the NFS server via a synchronous mount option (e.g. -osync in Linux).
	84	+ NFS clients which cannot mount synchronously (e.g., MS Windows) will not be able to upload files.
31f18b77 FG	85
	86	Security
	87	========
	88
	89	The RGW NFS interface provides a hybrid security model with the
	90	following characteristics:
	91
	92	- NFS protocol security is provided by the NFS-Ganesha server, as negotiated by the NFS server and clients
	93
	94	+ e.g., clients can by trusted (AUTH_SYS), or required to present Kerberos user credentials (RPCSEC_GSS)
	95	+ RPCSEC_GSS wire security can be integrity only (krb5i) or integrity and privacy (encryption, krb5p)
	96	+ various NFS-specific security and permission rules are available
	97
	98	* e.g., root-squashing
	99
	100	- a set of RGW/S3 security credentials (unknown to NFS) is associated with each RGW NFS mount (i.e., NFS-Ganesha EXPORT)
	101
	102	+ all RGW object operations performed via the NFS server will be performed by the RGW user associated with the credentials stored in the export being accessed (currently only RGW and RGW LDAP credentials are supported)
	103
	104	* additional RGW authentication types such as Keystone are not currently supported
	105
a4b75251 TL	106	Manually configuring an NFS-Ganesha Instance
a4b75251 TL	107	============================================
31f18b77 FG	108
	109	Each NFS RGW instance is an NFS-Ganesha server instance embeddding
	110	a full Ceph RGW instance.
	111
	112	Therefore, the RGW NFS configuration includes Ceph and Ceph Object
	113	Gateway-specific configuration in a local ceph.conf, as well as
	114	NFS-Ganesha-specific configuration in the NFS-Ganesha config file,
	115	ganesha.conf.
	116
	117	ceph.conf
	118	---------
	119
	120	Required ceph.conf configuration for RGW NFS includes:
	121
	122	* valid [client.radosgw.{instance-name}] section
	123	* valid values for minimal instance configuration, in particular, an installed and correct ``keyring``
	124
	125	Other config variables are optional, front-end-specific and front-end
	126	selection variables (e.g., ``rgw data`` and ``rgw frontends``) are
	127	optional and in some cases ignored.
	128
11fdf7f2	129	A small number of config variables (e.g., ``rgw_nfs_namespace_expire_secs``)
31f18b77 FG	130	are unique to RGW NFS.
	131
	132	ganesha.conf
	133	------------
	134
	135	A strictly minimal ganesha.conf for use with RGW NFS includes one
	136	EXPORT block with embedded FSAL block of type RGW::
	137
	138	EXPORT
	139	{
	140	Export_ID={numeric-id};
	141	Path = "/";
	142	Pseudo = "/";
	143	Access_Type = RW;
	144	SecType = "sys";
	145	NFS_Protocols = 4;
	146	Transport_Protocols = TCP;
	147
	148	# optional, permit unsquashed access by client "root" user
	149	#Squash = No_Root_Squash;
	150
	151	FSAL {
	152	Name = RGW;
	153	User_Id = {s3-user-id};
	154	Access_Key_Id ="{s3-access-key}";
	155	Secret_Access_Key = "{s3-secret}";
	156	}
	157	}
	158
	159	``Export_ID`` must have an integer value, e.g., "77"
	160
	161	``Path`` (for RGW) should be "/"
	162
	163	``Pseudo`` defines an NFSv4 pseudo root name (NFSv4 only)
	164
	165	``SecType = sys;`` allows clients to attach without Kerberos
	166	authentication
	167
	168	``Squash = No_Root_Squash;`` enables the client root user to override
	169	permissions (Unix convention). When root-squashing is enabled,
	170	operations attempted by the root user are performed as if by the local
	171	"nobody" (and "nogroup") user on the NFS-Ganesha server
	172
	173	The RGW FSAL additionally supports RGW-specific configuration
	174	variables in the RGW config section::
	175
	176	RGW {
	177	cluster = "{cluster name, default 'ceph'}";
	178	name = "client.rgw.{instance-name}";
	179	ceph_conf = "/opt/ceph-rgw/etc/ceph/ceph.conf";
	180	init_args = "-d --debug-rgw=16";
	181	}
	182
	183	``cluster`` sets a Ceph cluster name (must match the cluster being exported)
	184
	185	``name`` sets an RGW instance name (must match the cluster being exported)
	186
	187	``ceph_conf`` gives a path to a non-default ceph.conf file to use
	188
	189
	190	Other useful NFS-Ganesha configuration:
	191	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	192
	193	Any EXPORT block which should support NFSv3 should include version 3
194	in the NFS_Protocols setting. Additionally, NFSv3 is the last major
195	version to support the UDP transport. To enable UDP, include it in the
196	Transport_Protocols setting. For example::
197
198	EXPORT {
199	...
200	NFS_Protocols = 3,4;
201	Transport_Protocols = UDP,TCP;
202	...
203	}
204
205	One important family of options pertains to interaction with the Linux
206	idmapping service, which is used to normalize user and group names
207	across systems. Details of idmapper integration are not provided here.
208
209	With Linux NFS clients, NFS-Ganesha can be configured
210	to accept client-supplied numeric user and group identifiers with
211	NFSv4, which by default stringifies these--this may be useful in small
212	setups and for experimentation::
213
214	NFSV4 {
215	Allow_Numeric_Owners = true;
216	Only_Numeric_Owners = true;
217	}
218
219	Troubleshooting
220	~~~~~~~~~~~~~~~
221
222	NFS-Ganesha configuration problems are usually debugged by running the
223	server with debugging options, controlled by the LOG config section.
224
225	NFS-Ganesha log messages are grouped into various components, logging
226	can be enabled separately for each component. Valid values for
227	component logging include::
228
229	FATAL critical errors only
230	WARN unusual condition
231	DEBUG mildly verbose trace output
232	FULL_DEBUG verbose trace output
233
234	Example::
235
236	LOG {
237
238	Components {
239	MEMLEAKS = FATAL;
240	FSAL = FATAL;
241	NFSPROTO = FATAL;
242	NFS_V4 = FATAL;
243	EXPORT = FATAL;
244	FILEHANDLE = FATAL;
245	DISPATCH = FATAL;
246	CACHE_INODE = FATAL;
247	CACHE_INODE_LRU = FATAL;
248	HASHTABLE = FATAL;
249	HASHTABLE_CACHE = FATAL;
250	DUPREQ = FATAL;
251	INIT = DEBUG;
252	MAIN = DEBUG;
253	IDMAPPER = FATAL;
254	NFS_READDIR = FATAL;
255	NFS_V4_LOCK = FATAL;
256	CONFIG = FATAL;
257	CLIENTID = FATAL;
258	SESSIONS = FATAL;
259	PNFS = FATAL;
260	RW_LOCK = FATAL;
261	NLM = FATAL;
262	RPC = FATAL;
263	NFS_CB = FATAL;
264	THREAD = FATAL;
265	NFS_V4_ACL = FATAL;
266	STATE = FATAL;
267	FSAL_UP = FATAL;
268	DBUS = FATAL;
269	}
270	# optional: redirect log output
271	# Facility {
272	# name = FILE;
273	# destination = "/tmp/ganesha-rgw.log";
274	# enable = active;
275	}
276	}
277
278	Running Multiple NFS Gateways
279	=============================
280
281	Each NFS-Ganesha instance acts as a full gateway endpoint, with the
282	limitation that currently an NFS-Ganesha instance cannot be configured
283	to export HTTP services. As with ordinary gateway instances, any
284	number of NFS-Ganesha instances can be started, exporting the same or
285	different resources from the cluster. This enables the clustering of
286	NFS-Ganesha instances. However, this does not imply high availability.
287
288	When regular gateway instances and NFS-Ganesha instances overlap the
289	same data resources, they will be accessible from both the standard S3
290	API and through the NFS-Ganesha instance as exported. You can
291	co-locate the NFS-Ganesha instance with a Ceph Object Gateway instance
292	on the same host.
293
294	RGW vs RGW NFS
295	==============
296
297	Exporting an NFS namespace and other RGW namespaces (e.g., S3 or Swift
298	via the Civetweb HTTP front-end) from the same program instance is
299	currently not supported.
300
301	When adding objects and buckets outside of NFS, those objects will
302	appear in the NFS namespace in the time set by
303	``rgw_nfs_namespace_expire_secs``, which defaults to 300 seconds (5 minutes).
304	Override the default value for ``rgw_nfs_namespace_expire_secs`` in the
305	Ceph configuration file to change the refresh rate.
306
307	If exporting Swift containers that do not conform to valid S3 bucket
308	naming requirements, set ``rgw_relaxed_s3_bucket_names`` to true in the
309	[client.radosgw] section of the Ceph configuration file. For example,
310	if a Swift container name contains underscores, it is not a valid S3
311	bucket name and will be rejected unless ``rgw_relaxed_s3_bucket_names``
312	is set to true.
313
314	Configuring NFSv4 clients
315	=========================
316
317	To access the namespace, mount the configured NFS-Ganesha export(s)
318	into desired locations in the local POSIX namespace. As noted, this
319	implementation has a few unique restrictions:
320
321	- NFS 4.1 and higher protocol flavors are preferred
322
323	+ NFSv4 OPEN and CLOSE operations are used to track upload transactions
324
325	- To upload data successfully, clients must preserve write ordering
326
327	+ on Linux and many Unix NFS clients, use the -osync mount option
328
329	Conventions for mounting NFS resources are platform-specific. The
330	following conventions work on Linux and some Unix platforms:
331
332	From the command line::
333
11fdf7f2	334	mount -t nfs -o nfsvers=4.1,noauto,soft,sync,proto=tcp <ganesha-host-name>:/ <mount-point>
31f18b77 FG	335
	336	In /etc/fstab::
	337
	338	<ganesha-host-name>:/ <mount-point> nfs noauto,soft,nfsvers=4.1,sync,proto=tcp 0 0
	339
	340	Specify the NFS-Ganesha host name and the path to the mount point on
	341	the client.
	342
	343	Configuring NFSv3 Clients
	344	=========================
	345
	346	Linux clients can be configured to mount with NFSv3 by supplying
	347	``nfsvers=3`` and ``noacl`` as mount options. To use UDP as the
	348	transport, add ``proto=udp`` to the mount options. However, TCP is the
	349	preferred transport::
	350
	351	<ganesha-host-name>:/ <mount-point> nfs noauto,noacl,soft,nfsvers=3,sync,proto=tcp 0 0
	352
	353	Configure the NFS Ganesha EXPORT block Protocols setting with version
	354	3 and the Transports setting with UDP if the mount will use version 3 with UDP.
	355
	356	NFSv3 Semantics
	357	---------------
	358
	359	Since NFSv3 does not communicate client OPEN and CLOSE operations to
	360	file servers, RGW NFS cannot use these operations to mark the
	361	beginning and ending of file upload transactions. Instead, RGW NFS
	362	starts a new upload when the first write is sent to a file at offset
	363	0, and finalizes the upload when no new writes to the file have been
	364	seen for a period of time, by default, 10 seconds. To change this
	365	timeout, set an alternate value for ``rgw_nfs_write_completion_interval_s``
	366	in the RGW section(s) of the Ceph configuration file.
	367
	368	References
	369	==========
	370
	371	.. [#] http://docs.aws.amazon.com/AmazonS3/latest/dev/ListingKeysHierarchy.html