GLOBUS-GRIDFTP-SER(8) | Globus Toolkit | GLOBUS-GRIDFTP-SER(8) |
NAME¶
globus-gridftp-server - The Globus GridFTP server daemon
SYNOPSIS¶
globus-gridftp-server
[ -options]
DESCRIPTION¶
The globus-gridftp-server program is an FTP server with support for GridFTP protocol extensions, including strong authentication, parallel data transfers, and parallel data layouts. The list below contains the command-line options for the server, and also the name of the configuration file entry that implements each option. Note that any boolean flag can be negated on the command line by preceding the specified option with -no- or -n. Example: -no-fork or -nf.
INFORMATIONAL OPTIONS¶
-h , -help
Show usage information and exit. This option
can also be set in the configuration file as help.
-hh , -longhelp
Show more usage information and exit. This
option can also be set in the configuration file as longhelp.
-v , -version
Show version information for the server and
exit. This option can also be set in the configuration file as version.
-V , -versions
Show version information for all loaded globus
libraries and exit. This option can also be set in the configuration file as
versions.
MODES OF OPERATION¶
-i , -inetd
Run under an inetd service. This option can
also be set in the configuration file as inetd.
-s , -daemon
Run as a daemon. All connections will fork off
a new process and setuid if allowed. This option can also be set in the
configuration file as daemon.
-S , -detach
Run as a background daemon detached from any
controlling terminals. This option can also be set in the configuration file
as detach.
-ssh
Run over a connected ssh session. This option
can also be set in the configuration file as ssh.
-exec string
For statically compiled or non-GLOBUS_LOCATION
standard binary locations, specify the full path of the server binary here.
Only needed when run in daemon mode. This option can also be set in the
configuration file as exec.
-chdir
Change directory when the server starts. This
will change directory to the dir specified by the chdir_to option. This option
can also be set in the configuration file as chdir.
-chdir-to string
Directory to chdir to after starting. Will use
/ if not set. This option can also be set in the configuration file as
chdir_to.
-f , -fork
Server will fork for each new connection.
Disabling this option is only recommended when debugging. Note that non-forked
servers running as ´root´ will only accept a single connection, and
then exit. This option can also be set in the configuration file as
fork.
-1 , -single
Exit after a single connection. This option
can also be set in the configuration file as single.
-chroot-path string
Path to become the new root after
authentication. This path must contain a valid certificate structure,
/etc/passwd, and /etc/groups. The command globus-gridftp-server-setup-chroot
can help create a suitable directory structure. This option can also be set in
the configuration file as chroot_path.
AUTHENTICATION, AUTHORIZATION, AND SECURITY OPTIONS¶
-auth-level number
Add levels together to use more than one.
•0 = Disables all authorization checks.
•1 = Authorize identity.
•2 = Authorize all file/resource accesses.
•4 = Disable changing process uid to authenticated user (no setuid) -- DO NOT use this when process is started as root.
If not set, uses level 2 for front ends and level 1 for data nodes. Note that
levels 2 and 4 imply level 1 as well. This option can also be set in the
configuration file as auth_level.
-ipc-allow-from string
Only allow connections from these source ip
addresses. Specify a comma separated list of ip address fragments. A match is
any ip address that starts with the specified fragment. Example:
´192.168.1.´ will match and allow a connection from 192.168.1.45.
Note that if this option is used any address not specifically allowed will be
denied. This option can also be set in the configuration file as
ipc_allow_from.
-ipc-deny-from string
Deny connections from these source ip
addresses. Specify a comma separated list of ip address fragments. A match is
any ip address that starts with the specified fragment. Example:
´192.168.2.´ will match and deny a connection from 192.168.2.45.
This option can also be set in the configuration file as ipc_deny_from.
-allow-from string
Only allow connections from these source ip
addresses. Specify a comma separated list of ip address fragments. A match is
any ip address that starts with the specified fragment. Example:
´192.168.1.´ will match and allow a connection from 192.168.1.45.
Note that if this option is used any address not specifically allowed will be
denied. This option can also be set in the configuration file as
allow_from.
-deny-from string
Deny connections from these source ip
addresses. Specify a comma separated list of ip address fragments. A match is
any ip address that starts with the specified fragment. Example:
´192.168.2.´ will match and deny a connection from 192.168.2.45.
This option can also be set in the configuration file as deny_from.
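The prefix rule described for allow_from, deny_from and their ipc_ counterparts, worked through as an added example (not code from the Globus project). It assumes the match is a plain string prefix on the dotted-decimal peer address, as the wording above states; the function names and the sample list are constructed for illustration.

```python
import ipaddress

def fragment_matches(addr, fragments):
    """Model of the documented rule: addr matches if it starts with a fragment."""
    return any(addr.startswith(f.strip())
               for f in fragments.split(",") if f.strip())

def covered_networks(fragment):
    """IPv4 networks whose dotted-decimal text starts with `fragment`."""
    parts = fragment.strip().split(".")
    *fixed, partial = parts
    if len(parts) > 4 or (not fixed and not partial):
        raise ValueError("not an IPv4 fragment: %r" % fragment)
    for p in fixed + ([partial] if partial else []):
        if not (p.isascii() and p.isdigit()) or p != str(int(p)) or int(p) > 255:
            raise ValueError("not an IPv4 fragment: %r" % fragment)
    if partial:
        # The last piece has no trailing dot, so it matches every octet
        # value whose decimal text begins with the same digits.
        tails = [str(v) for v in range(256) if str(v).startswith(partial)]
        octet_lists = [fixed + [t] for t in tails]
    else:
        octet_lists = [fixed]
    nets = []
    for octets in octet_lists:
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        nets.append(ipaddress.ip_network("%s/%d" % (padded, 8 * len(octets))))
    return list(ipaddress.collapse_addresses(nets))

def overmatch(fragment):
    """Addresses matched beyond the octet-boundary reading of the fragment."""
    octets = len([p for p in fragment.strip().split(".") if p])
    intended = 2 ** (32 - 8 * octets)
    covered = sum(n.num_addresses for n in covered_networks(fragment))
    return covered - intended

if __name__ == "__main__":
    # Constructed allow_from value: two fragments lack the trailing dot.
    sample = "192.168.1,10.0.0.1,172.16.5."
    for frag in sample.split(","):
        nets = ", ".join(str(n) for n in covered_networks(frag))
        print("%-12s extra=%-6d %s" % (frag, overmatch(frag), nets))
```

A fragment that stops in the middle of an octet, such as 192.168.1 without the trailing dot, also covers 192.168.10.x through 192.168.19.x and 192.168.100.x through 192.168.199.x, so fragments in an allow list should end at an octet boundary with the dot included.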
-si , -secure-ipc
Use GSI security on ipc channel. This option
can also be set in the configuration file as secure_ipc.
-ia string, -ipc-auth-mode string
Set GSI authorization mode for the ipc
connection. Options are: none, host, self or subject:[subject]. This option
can also be set in the configuration file as ipc_auth_mode.
-aa , -allow-anonymous
Allow clear text anonymous access. If server
is running as root anonymous_user must also be set. Disables ipc security.
This option can also be set in the configuration file as
allow_anonymous.
-anonymous-names-allowed string
Comma separated list of names to treat as
anonymous users when allowing anonymous access. If not set, the default names
of ´anonymous´ and ´ftp´ will be allowed. Use
´*´ to allow any username. This option can also be set in the
configuration file as anonymous_names_allowed.
-anonymous-user string
User to setuid to for an anonymous connection.
Only applies when running as root. This option can also be set in the
configuration file as anonymous_user.
-anonymous-group string
Group to setgid to for an anonymous
connection. If unset, the default group of anonymous_user will be used. This
option can also be set in the configuration file as anonymous_group.
-allow-root
Allow clients to be mapped to the root
account. This option can also be set in the configuration file as
allow_root.
-password-file string
Enable clear text access and authenticate
users against this /etc/passwd formatted file. This option can also be set in
the configuration file as pw_file.
-connections-max number
Maximum concurrent connections allowed. Only
applies when running in daemon mode. Unlimited if not set. This option can
also be set in the configuration file as connections_max.
-connections-disabled
Disable all new connections. Does not affect
ongoing connections. This would have to be set in the configuration file and then
the server issued a SIGHUP in order to reload that config. This option can
also be set in the configuration file as connections_disabled.
-offline-msg string
Custom message to be displayed to clients when
the server is offline via the connections_disabled or connections_max = 0
options. This option can also be set in the configuration file as
offline_msg.
-disable-command-list string
A comma separated list of client commands that
will be disabled. This option can also be set in the configuration file as
disable_command_list.
-authz-callouts , -cas
Enable the GSI authorization callout
framework, for callouts such as CAS. This option can also be set in the
configuration file as cas.
-rp string, -restrict-paths string
A comma separated list of full paths that
clients may access. Each path may be prefixed by R and/or W, denoting read or
write access, otherwise full access is granted. If a given path is a
directory, all contents and subdirectories will be given the same access.
Order of paths does not matter -- the permissions on the longest matching path
will apply. The special character ´~´ will be replaced by the
authenticated user´s home directory. Note that if the authenticated
user´s home directory is not accessible, the home directory and starting
path will be set to ´/´. By default all paths are allowed, and
access control is handled by the OS. This option can also be set in the
configuration file as restrict_paths.
-rp-follow-symlinks
Allow following symlinks that lead to
restricted paths. This option can also be set in the configuration file as
rp_follow_symlinks.
-em string, -acl string
A comma separated list of ACL or event modules
to load. This option can also be set in the configuration file as acl.
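How the restrict_paths rules above resolve for a given request path, as an added example (a model for reviewing a configuration, not the server's own code). It assumes rules match on path component boundaries and that paths are normalized lexically; the function names, sample rule string and home directories are constructed.

```python
import posixpath

def parse_restrict_paths(spec, home):
    """Map each listed path to its access flags ({'R'}, {'W'} or both)."""
    rules = {}
    for entry in (e.strip() for e in spec.split(",")):
        if not entry:
            continue
        i = 0
        while i < len(entry) and entry[i] in "RW":
            i += 1
        flags = set(entry[:i]) or {"R", "W"}  # no prefix means full access
        path = entry[i:]
        if path.startswith("~"):
            # '~' is replaced by the authenticated user's home directory.
            path = posixpath.join(home, path[1:].lstrip("/"))
        if not path.startswith("/"):
            raise ValueError("restrict_paths needs full paths: %r" % entry)
        rules[posixpath.normpath(path)] = flags
    return rules

def access_for(path, rules):
    """Flags of the longest rule containing `path`; empty set if none does."""
    # Lexical normalization only: symlinks are not resolved here, which is
    # the case the rp_follow_symlinks option governs on the server.
    path = posixpath.normpath(path)
    best = None
    for root in rules:
        inside = root == "/" or path == root or path.startswith(root + "/")
        if inside and (best is None or len(root) > len(best)):
            best = root
    return set(rules[best]) if best is not None else set()

if __name__ == "__main__":
    # Constructed rule string and home directory.
    rules = parse_restrict_paths("R/data,RW/data/incoming,W~/dropbox",
                                 home="/home/alice")
    for p in ("/data/report.csv", "/data/incoming/new.bin",
              "/data/incoming/../report.csv", "/database/x",
              "/home/alice/dropbox/f", "/etc/passwd"):
        print("%-32s %s" % (p, "".join(sorted(access_for(p, rules))) or "denied"))
    # Assumption: when the home directory is not accessible and is set to
    # '/', as the note above describes, '~' expands to '/' as well.
    fallback = parse_restrict_paths("RW~", home="/")
    print("home fallback, /etc/passwd:",
          "".join(sorted(access_for("/etc/passwd", fallback))))
```

Under that reading of the home directory note, a rule such as RW~ grants read and write over the whole tree for any account whose home directory is inaccessible, leaving only OS permissions as the control.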
LOGGING OPTIONS¶
-d string, -log-level string
Log level. A comma separated list of levels
from: ´ERROR, WARN, INFO, TRANSFER, DUMP, ALL´. TRANSFER includes
the same statistics that are sent to the separate transfer log when
-log-transfer is used. Example: error,warn,info. You may also specify a
numeric level of 1-255. The default level is ERROR. This option can also be
set in the configuration file as log_level.
-log-module string
globus_logging module that will be loaded. If
not set, the default ´stdio´ module will be used, and the logfile
options apply. Built in modules are ´stdio´ and ´syslog´.
Log module options may be set by specifying module:opt1=val1:opt2=val2.
Available options for the built in modules are ´interval´ and
´buffer´, for buffer flush interval and buffer size, respectively.
The default options are a 64k buffer size and a 5 second flush interval. A 0
second flush interval will disable periodic flushing, and the buffer will only
flush when it is full. A value of 0 for buffer will disable buffering and all
messages will be written immediately. Example: -log-module
stdio:buffer=4096:interval=10. This option can also be set in the
configuration file as log_module.
-l string, -logfile string
Path of a single file to log all activity to.
If neither this option nor log_unique is set, logs will be written to stderr
unless the execution mode is detached or inetd, in which case logging will be
disabled. This option can also be set in the configuration file as
log_single.
-L string, -logdir string
Partial path to which
´gridftp.(pid).log´ will be appended to construct the log filename.
Example: -L /var/log/gridftp/ will create a separate log (
/var/log/gridftp/gridftp.xxxx.log ) for each process (which is normally each
new client session). If neither this option nor log_single is set, logs will be
written to stderr unless the execution mode is detached or inetd, in which
case logging will be disabled. This option can also be set in the
configuration file as log_unique.
-Z string, -log-transfer string
Log netlogger style info for each transfer
into this file. You may also use the log-level of TRANSFER to include this
info in the standard log. This option can also be set in the configuration
file as log_transfer.
-log-filemode string
File access permissions of log files. Should
be an octal number such as 0644. This option can also be set in the
configuration file as log_filemode.
-disable-usage-stats
Disable transmission of per-transfer usage
statistics. See the Usage Statistics section in the online documentation for
more information. This option can also be set in the configuration file as
disable_usage_stats.
-usage-stats-target string
Comma separated list of contact strings
(host:port) for usage statistics receivers. The usage stats sent to a
particular receiver may be customized by configuring it with a taglist
(host:port!taglist). The taglist is a list of characters that each correspond
to a usage stats tag. When this option is unset, stats are reported to
usage-stats.globus.org:4810. If you set your own receiver, and wish to
continue reporting to the Globus receiver, you will need to add it manually.
The list of available tags follows. Tags marked * are reported by default.
•*(e) START - start time of transfer
•*(E) END - end time of transfer
•*(v) VER - version string of gridftp server
•*(b) BUFFER - tcp buffer size used for transfer
•*(B) BLOCK - disk blocksize used for transfer
•*(N) NBYTES - number of bytes transferred
•*(s) STREAMS - number of parallel streams used
•*(S) STRIPES - number of stripes used
•*(t) TYPE - transfer command: RETR, STOR, LIST, etc
•*(c) CODE - ftp result code (226 = success, 5xx = fail)
•*(D) DSI - DSI module in use
•*(A) EM - event modules in use
•*(T) SCHEME - ftp, gsiftp, sshftp, etc. (client supplied)
•*(a) APP - guc, rft, generic library app, etc. (client supplied)
•*(V) APPVER - version string of above. (client supplied)
•(f) FILE - name of file/data transferred
•(i) CLIENTIP - ip address of host running client (control channel)
•(I) DATAIP - ip address of source/dest host of data (data channel)
•(u) USER - local user name the transfer was performed as
•(d) USERDN - DN that was mapped to user id
•(C) CONFID - ID defined by -usage-stats-id config option
•(U) SESSID - unique id that can be used to match transfers in a session and transfers across source/dest of a third party transfer. (client supplied)
This option can also be set in the
configuration file as usage_stats_target.
-usage-stats-id string
Identifying tag to include in usage statistics
data. This option can also be set in the configuration file as
usage_stats_id.
SINGLE AND STRIPED REMOTE DATA NODE OPTIONS¶
-r string, -remote-nodes string
Comma separated list of remote node contact
strings. This option can also be set in the configuration file as
remote_nodes.
-dn , -data-node
This server is a backend data node. This
option can also be set in the configuration file as data_node.
-sbs number, -stripe-blocksize number
Size in bytes of sequential data that each
stripe will transfer. This option can also be set in the configuration file as
stripe_blocksize.
-stripe-count number
Number of stripes to use per transfer
when this server controls that number. If remote nodes are statically
configured (via -r or remote_nodes), this will be set to that number of nodes,
otherwise the default is 1. This option can also be set in the configuration
file as stripe_count.
-sl number, -stripe-layout number
Stripe layout.
•1 = Partitioned
•2 = Blocked
This option can also be set in the configuration file as stripe_layout.
-stripe-blocksize-locked
Do not allow client to override stripe
blocksize with the OPTS RETR command. This option can also be set in the
configuration file as stripe_blocksize_locked.
-stripe-layout-locked
Do not allow client to override stripe layout
with the OPTS RETR command. This option can also be set in the configuration
file as stripe_layout_locked.
DISK OPTIONS¶
-bs number, -blocksize number
Size in bytes of data blocks to read from disk
before posting to the network. This option can also be set in the
configuration file as blocksize.
-sync-writes
Flush disk writes before sending a restart
marker. This attempts to ensure that the range specified in the restart marker
has actually been committed to disk. This option will probably impact
performance, and may result in different behavior on different storage
systems. See the manpage for sync() for more information. This option can also
be set in the configuration file as sync_writes.
-use-home-dirs
Set the startup directory to the authenticated
user's home dir. This option can also be set in the configuration file as
use_home_dirs.
-perms string
Set the default permissions for created files.
Should be an octal number such as 0644. The default is 0644. Note: If umask is
set it will affect this setting -- i.e. if the umask is 0002 and this setting
is 0666, the resulting files will be created with permissions of 0664. This
option can also be set in the configuration file as perms.
-file-timeout number
Timeout in seconds for all disk accesses. A
value of 0 disables the timeout. This option can also be set in the
configuration file as file_timeout.
NETWORK OPTIONS¶
-p number, -port number
Port on which a frontend will listen for
client control channel connections, or on which a data node will listen for
connections from a frontend. If not set a random port will be chosen and
printed via the logging mechanism. This option can also be set in the
configuration file as port.
-control-interface string
Hostname or IP address of the interface to
listen for control connections on. If not set will listen on all interfaces.
This option can also be set in the configuration file as
control_interface.
-data-interface string
Hostname or IP address of the interface to use
for data connections. If not set will use the current control interface. This
option can also be set in the configuration file as data_interface.
-ipc-interface string
Hostname or IP address of the interface to use
for ipc connections. If not set will listen on all interfaces. This option can
also be set in the configuration file as ipc_interface.
-hostname string
Effectively sets the above control_interface,
data_interface and ipc_interface options. This option can also be set in the
configuration file as hostname.
-ipc-port number
Port on which the frontend will listen for
data node connections. This option can also be set in the configuration file
as ipc_port.
-control-preauth-timeout number
Time in seconds to allow a client to remain
connected to the control channel without activity before authenticating. This
option can also be set in the configuration file as
control_preauth_timeout.
-control-idle-timeout number
Time in seconds to allow a client to remain
connected to the control channel without activity. This option can also be set
in the configuration file as control_idle_timeout.
-ipc-idle-timeout number
Idle time in seconds before an unused ipc
connection will close. This option can also be set in the configuration file
as ipc_idle_timeout.
-ipc-connect-timeout number
Time in seconds before canceling an attempted
ipc connection. This option can also be set in the configuration file as
ipc_connect_timeout.
-port-range string
Port range to use for incoming connections.
The format is "startport,endport". This, along with -data-interface,
can be used to enable operation behind a firewall and/or when NAT is involved.
This is the same as setting the environment variable GLOBUS_TCP_PORT_RANGE.
This option can also be set in the configuration file as port_range.
USER MESSAGES¶
-banner string
Message to display to the client before
authentication. This option can also be set in the configuration file as
banner.
-banner-file string
File to read banner message from. This option
can also be set in the configuration file as banner_file.
-banner-terse
When this is set, the minimum allowed banner
message will be displayed to unauthenticated clients. This option can also be
set in the configuration file as banner_terse.
-banner-append
When this is set, the message set in the
´banner´ or ´banner_file´ option will be appended to the
default banner message rather than replacing it. This option can also be set
in the configuration file as banner_append.
-login-msg string
Message to display to the client after
authentication. This option can also be set in the configuration file as
login_msg.
-login-msg-file string
File to read login message from. This option
can also be set in the configuration file as login_msg_file.
MODULE OPTIONS¶
-dsi string
Data Storage Interface module to load. file
and remote modules are defined by the server. If not set, the file module is
loaded, unless the ´remote´ option is specified, in which case the
remote module is loaded. An additional configuration string can be passed to
the DSI using the format [module name]:[configuration string] to this option.
The format of the configuration string is defined by the DSI being loaded.
This option can also be set in the configuration file as
load_dsi_module.
-allowed-modules string
Comma separated list of ERET/ESTO modules to
allow, and optionally specify an alias for. Example:
module1,alias2:module2,module3 (module2 will be loaded when a client asks for
alias2). This option can also be set in the configuration file as
allowed_modules.
-dc-whitelist string
A comma separated list of drivers allowed on
the network stack. This option can also be set in the configuration file as
dc_whitelist.
-fs-whitelist string
A comma separated list of drivers allowed on
the disk stack. This option can also be set in the configuration file as
fs_whitelist.
-popen-whitelist string
A comma separated list of programs that the
popen driver is allowed to execute, when used on the network or disk stack. An
alias may also be specified, so that a client does not need to specify the
full path. Format is [alias:]prog,[alias:]prog. example:
/bin/gzip,tar:/bin/tar. This option can also be set in the configuration file
as popen_whitelist.
-dc-default string
A comma separated list of XIO drivers and
options representing the default network stack. Format of each driver entry
is driver1[:opt1=val1;opt2=val2;...]. The bottom of the stack, the transport
driver, is always first. This option can also be set in the configuration file
as dc_default.
-fs-default string
A comma separated list of XIO drivers and
options representing the default disk stack. Format of each driver entry is
driver1[:opt1=val1;opt2=val2;...]. The bottom of the stack, the transport
driver, is always first. This option can also be set in the configuration file
as fs_default.
OTHER¶
-c string
Path to main configuration file that should be
loaded. Otherwise will attempt to load $GLOBUS_LOCATION/etc/gridftp.conf and
/etc/grid-security/gridftp.conf.
-C string
Path to directory holding configuration files
that should be loaded. Files will be loaded in alphabetical order, and in the
event of duplicate parameters the last loaded file will take precedence. Note
that the main configuration file, if one exists, will always be loaded last.
This option can also be set in the configuration file as config_dir.
-config-base-path string
Base path to use when config and log path
options are not full paths. By default this is the current directory when the
process is started. This option can also be set in the configuration file as
config_base_path.
-debug
Sets options that make server easier to debug.
Forces no-fork, no-chdir, and allows core dumps on bad signals instead of
exiting cleanly. Not recommended for production servers. Note that non-forked
servers running as ´root´ will only accept a single connection, and
then exit. This option can also be set in the configuration file as
debug.
-pidfile string
Write PID of the GridFTP server to this path.
May contain variable references to ${localstatedir}. This option can also be
set in the configuration file as pidfile.
EXIT STATUS¶
0
Successful program execution.
AUTHOR¶
The Globus Alliance, http://www.globus.org/
Author.
COPYRIGHT¶
Copyright © 1999-2012 University of Chicago
02/09/2012 | The Globus Alliance |