GLOBUS-GRIDFTP-SER(8) Grid Community Toolkit Manual GLOBUS-GRIDFTP-SER(8)
NAME
globus-gridftp-server - The Globus GridFTP server daemon
SYNOPSIS
globus-gridftp-server OPTIONS
DESCRIPTION
The globus-gridftp-server program is a ftp server with support for GridFTP protocol extensions, including strong authentication, parallel data transfers, and parallel data
layouts.
OPTIONS
The list below contains the command-line options for the server, and also the name of the configuration file entry that implements that option. Note that any boolean option
can be negated on the command line by preceding the specified option with -no- or -n. example: -no-cas or -nf.
Informational Options
-h,-help
Show usage information and exit.
This option can also be set in the configuration file as help. The default value of this option is FALSE.
-hh,-longhelp
Show more usage information and exit.
This option can also be set in the configuration file as longhelp. The default value of this option is FALSE.
-v,-version
Show version information for the server and exit.
This option can also be set in the configuration file as version. The default value of this option is FALSE.
-V,-versions
Show version information for all loaded globus libraries and exit.
This option can also be set in the configuration file as versions. The default value of this option is FALSE.
Modes of Operation
-i,-inetd
Run under an inetd service.
This option can also be set in the configuration file as inetd. The default value of this option is FALSE.
-s,-daemon
Run as a daemon. All connections will fork off a new process and setuid if allowed.
This option can also be set in the configuration file as daemon. The default value of this option is TRUE.
-S,-detach
Run as a background daemon detached from any controlling terminals.
This option can also be set in the configuration file as detach. The default value of this option is FALSE.
-ssh
Run over a connected ssh session.
This option can also be set in the configuration file as ssh. The default value of this option is FALSE.
-exec string
For statically compiled or non-GLOBUS_LOCATION standard binary locations, specify the full path of the server binary here. Only needed when run in daemon mode.
This option can also be set in the configuration file as exec.
-chdir
Change directory when the server starts. This will change directory to the dir specified by the chdir_to option.
This option can also be set in the configuration file as chdir. The default value of this option is TRUE.
-chdir-to string
Directory to chdir to after starting. Will use / if not set. Note that this is the directory of the process, not the client’s home directory.
This option can also be set in the configuration file as chdir_to.
-threads number
Enable threaded operation and set the number of threads. The default is 0, which is non-threaded. When threading is required, a thread count of 1 or 2 should be
sufficient.
This option can also be set in the configuration file as threads.
-f,-fork
Server will fork for each new connection. Disabling this option is only recommended when debugging. Note that non-forked servers running as root will only accept a single
connection, and then exit.
This option can also be set in the configuration file as fork. The default value of this option is TRUE.
-1,-single
Exit after a single connection.
This option can also be set in the configuration file as single. The default value of this option is FALSE.
-chroot-path string
Path to become the new root after authentication. This path must contain a valid certificate structure, /etc/passwd, and /etc/group. The command
globus-gridftp-server-setup-chroot can help create a suitable directory structure.
This option can also be set in the configuration file as chroot_path.
Authentication, Authorization, and Security Options
-auth-level number
Add levels together to use more than one. If not set uses level 2 for front ends and level 1 for data nodes. Note that levels 2 and 4 imply level 1 as well.
0 = Disables all authorization checks.
1 = Authorize identity.
2 = Authorize all file/resource accesses.
4 = Disable changing process uid to authenticated user (no
setuid) -- DO NOT use this when process is started as root.
This option can also be set in the configuration file as auth_level.
-process-user string
User to setuid to upon login for all connections. Only applies when running as root.
This option can also be set in the configuration file as process_user.
-process-group string
Group to setgid to upon login for all connections. If unset, the default group of process_user will be used.
This option can also be set in the configuration file as process_group.
-ipc-allow-from string
Only allow connections from these source ip addresses. Specify a comma separated list of ip address fragments. A match is any ip address that starts with the specified
fragment. Example: 192.168.1. will match and allow a connection from 192.168.1.45. Note that if this option is used any address not specifically allowed will be denied.
This option can also be set in the configuration file as ipc_allow_from.
-ipc-deny-from string
Deny connections from these source ip addresses. Specify a comma separated list of ip address fragments. A match is any ip address that starts with the specified fragment.
Example: 192.168.2. will match and deny a connection from 192.168.2.45.
This option can also be set in the configuration file as ipc_deny_from.
-allow-from string
Only allow connections from these source ip addresses. Specify a comma separated list of ip address fragments. A match is any ip address that starts with the specified
fragment. Example: 192.168.1. will match and allow a connection from 192.168.1.45. Note that if this option is used any address not specifically allowed will be denied.
This option can also be set in the configuration file as allow_from.
-deny-from string
Deny connections from these source ip addresses. Specify a comma separated list of ip address fragments. A match is any ip address that starts with the specified fragment.
Example: 192.168.2. will match and deny a connection from 192.168.2.45.
This option can also be set in the configuration file as deny_from.
-encrypt-data
Require encrypted data channels. This will cause an error and prevent all transfers in which the client does not request an authenticated and encrypted data channel.
This option can also be set in the configuration file as encrypt_data. The default value of this option is FALSE.
-si,-secure-ipc
Use GSI security on ipc channel.
This option can also be set in the configuration file as secure_ipc. The default value of this option is TRUE.
-ia string,-ipc-auth-mode string
Set GSI authorization mode for the ipc connection. Options are: none, host, self or subject:[subject].
This option can also be set in the configuration file as ipc_auth_mode. The default value of this option is host.
-aa,-allow-anonymous
Allow clear text anonymous access. If server is running as root anonymous_user must also be set. Disables ipc security.
This option can also be set in the configuration file as allow_anonymous. The default value of this option is FALSE.
-anonymous-names-allowed string
Comma separated list of names to treat as anonymous users when allowing anonymous access. If not set, the default names of anonymous and ftp will be allowed. Use * to
allow any username.
This option can also be set in the configuration file as anonymous_names_allowed.
-anonymous-user string
User to setuid to for an anonymous connection. Only applies when running as root.
This option can also be set in the configuration file as anonymous_user.
-anonymous-group string
Group to setgid to for an anonymous connection. If unset, the default group of anonymous_user will be used.
This option can also be set in the configuration file as anonymous_group.
-sharing-dn string
Allow sharing when using the supplied DN. A client connected with these credentials will be able to access any user for which sharing is enabled.
This option can also be set in the configuration file as sharing_dn.
-sharing-state-dir string
Full path to a directory that will contain files used by GridFTP to control sharing access for individual local accounts. The special variables $HOME and $USER can be used
to create a dynamic path that is unique to each local account. This pathmust be writable by the associated account. The default path is $HOME/.globus/sharing/. This must
refer to a path on the filesystem, not a path that is only accessible via a DSI plugin.
This option can also be set in the configuration file as sharing_state_dir.
-sharing-control
Allow a local user account to control its own sharing access via special GridFTP client commands. The user account must have filesystem write access to the sharing state
dir.
This option can also be set in the configuration file as sharing_control. The default value of this option is TRUE.
-sharing-rp string
Sharing specific path restrictions. This completely replaces the normal path restrictions (-rp) when an account is being shared by a sharing-dn login.Follows normal path
restriction semantics.
This option can also be set in the configuration file as sharing_rp.
-sharing-users-allow string
Comma separated list of usernames that are allowed to share unless matched in the user deny lists. If this list is set, users that are not included will be denied unless
matched in the group allow list.
This option can also be set in the configuration file as sharing_users_allow.
-sharing-users-deny string
Comma separated list of usernames that are denied sharing even if matched in the user or group allow lists.
This option can also be set in the configuration file as sharing_users_deny.
-sharing-groups-allow string
Comma separated list of groups whose members are allowed to share unless matched in the user or group deny lists. If this list is set, groups that are not included will be
denied unless matched in the user allow list.
This option can also be set in the configuration file as sharing_groups_allow.
-sharing-groups-deny string
Comma separated list of groups whose members will be denied sharing unless matched in the user allow list.
This option can also be set in the configuration file as sharing_groups_deny.
-allow-root
Allow clients to be mapped to the root account.
This option can also be set in the configuration file as allow_root. The default value of this option is FALSE.
-allow-disabled-login
Do not check if a user’s system account is disabled before allowing login.
This option can also be set in the configuration file as allow_disabled_login. The default value of this option is FALSE.
-password-file string
Enable clear text access and authenticate users against this /etc/passwd formatted file.
This option can also be set in the configuration file as pw_file.
-connections-max number
Maximum concurrent connections allowed. Only applies when running in daemon mode. Unlimited if not set.
This option can also be set in the configuration file as connections_max.
-connections-disabled
Disable all new connections. For daemon mode, issue a SIGHUP to the server process after changing the config file in order to not affect ongoing connections.
This option can also be set in the configuration file as connections_disabled. The default value of this option is FALSE.
-offline-msg string
Custom message to be displayed to clients when the server is offline via the connections_disabled or connections_max = 0 options.
This option can also be set in the configuration file as offline_msg.
-disable-command-list string
A comma separated list of client commands that will be disabled.
This option can also be set in the configuration file as disable_command_list.
-authz-callouts,-cas
Enable the GSI authorization callout framework, for callouts such as CAS.
This option can also be set in the configuration file as cas. The default value of this option is TRUE.
-use-home-dirs
Set the starting directory to the authenticated users home dir. Disabling this is the same as setting -home-dir /.
This option can also be set in the configuration file as use_home_dirs. The default value of this option is TRUE.
-home-dir string
Set a path to override the system defined home/starting directory for authenticated users. The special variable strings $USER and $HOME may be used. The authenticated
username will be substituted for $USER, and the user’s real home dir will be substituted for $HOME. Be sure to escape the $ character if using these on the command line.
This option can also be set in the configuration file as home_dir.
-rp string,-restrict-paths string
A comma separated list of full paths that clients may access. Each path may be prefixed by R and/or W, denoting read or write access, otherwise full access is granted. If
a given path is a directory, all contents and subdirectories will be given the same access. Order of paths does not matter — the permissions on the longest matching path
will apply. The special character ~ will be replaced by the authenticated user’s home directory, or the -home-dir option, if used. Note that if the home directory is not
accessible, \~ will be set to /. By default all paths are allowed, and access control is handled by the OS. In a striped or split process configuration, this should be set
on both the frontend and data nodes.
This option can also be set in the configuration file as restrict_paths.
-rp-follow-symlinks
Do not verify that a symlink points to an allowed path before following. By default, symlinks are followed only when they point to an allowed path. By enabling this
option, symlinks will be followed even if they point to a path that is otherwise restricted.
This option can also be set in the configuration file as rp_follow_symlinks. The default value of this option is FALSE.
-em string,-acl string
A comma separated list of ACL or event modules to load.
This option can also be set in the configuration file as acl.
Logging Options
-d string,-log-level string
Log level. A comma separated list of levels from: ERROR, WARN, INFO, TRANSFER, DUMP, ALL. TRANSFER includes the same statistics that are sent to the separate transfer log
when -log-transfer is used. Example: error,warn,info. You may also specify a numeric level of 1-255. The default level is ERROR.
This option can also be set in the configuration file as log_level. The default value of this option is ERROR.
-log-module string
globus_logging module that will be loaded. If not set, the default stdio module will be used, and the logfile options apply. Built in modules are stdio and syslog. Log
module options may be set by specifying module:opt1=val1:opt2=val2. Available options for the built in modules are interval and buffer, for buffer flush interval and
buffer size, respectively. The default options are a 64k buffer size and a 5 second flush interval. A 0 second flush interval will disable periodic flushing, and the
buffer will only flush when it is full. A value of 0 for buffer will disable buffering and all messages will be written immediately. Example: -log-module
stdio:buffer=4096:interval=10
This option can also be set in the configuration file as log_module.
-l string,-logfile string
Path of a single file to log all activity to. If neither this option or log_unique is set, logs will be written to stderr unless the execution mode is detached or inetd,
in which case logging will be disabled.
This option can also be set in the configuration file as log_single.
-L string,-logdir string
Partial path to which gridftp.(pid).log will be appended to construct the log filename. Example: -L /var/log/gridftp/ will create a separate log (
/var/log/gridftp/gridftp.xxxx.log ) for each process (which is normally each new client session). If neither this option or log_single is set, logs will be written to
stderr unless the execution mode is detached or inetd, in which case logging will be disabled.
This option can also be set in the configuration file as log_unique.
-Z string,-log-transfer string
Log netlogger style info for each transfer into this file. You may also use the log-level of TRANSFER to include this info in the standard log.
This option can also be set in the configuration file as log_transfer.
-log-filemode string
File access permissions of log files. Should be an octal number such as 0644.
This option can also be set in the configuration file as log_filemode.
-disable-usage-stats
Usage statistics collection is no longer supported. This option is ignored.
This option can also be set in the configuration file as disable_usage_stats. The default value of this option is TRUE.
-usage-stats-target string
Usage statistics collection is no longer supported. This option is ignored.
This option can also be set in the configuration file as usage_stats_target.
-usage-stats-id string
Usage statistics collection is no longer supported. This option is ignored.
This option can also be set in the configuration file as usage_stats_id.
Single and Striped Remote Data Node Options
-r string,-remote-nodes string
Comma separated list of remote node contact strings.
This option can also be set in the configuration file as remote_nodes.
-hybrid
When a server is configured for striped operation with the remote_nodes option, both a frontend and backend process are started even if the client does not request
multiple stripes. This option will start backend processes only when striped operation is requested by the client, while servicing non-striped requests with a single
frontend process.
This option can also be set in the configuration file as hybrid. The default value of this option is FALSE.
-dn,-data-node
This server is a backend data node.
This option can also be set in the configuration file as data_node. The default value of this option is FALSE.
-sbs number,-stripe-blocksize number
Size in bytes of sequential data that each stripe will transfer.
This option can also be set in the configuration file as stripe_blocksize. The default value of this option is 1048576.
-stripe-count number
Number of number stripes to use per transfer when this server controls that number. If remote nodes are statically configured (via -r or remote_nodes), this will be set to
that number of nodes, otherwise the default is 1.
This option can also be set in the configuration file as stripe_count.
-sl number,-stripe-layout number
Stripe layout.
1 = Partitioned
2 = Blocked
This option can also be set in the configuration file as stripe_layout. The default value of this option is 2.
-stripe-blocksize-locked
Do not allow client to override stripe blocksize with the OPTS RETR command
This option can also be set in the configuration file as stripe_blocksize_locked. The default value of this option is FALSE.
-stripe-layout-locked
Do not allow client to override stripe layout with the OPTS RETR command
This option can also be set in the configuration file as stripe_layout_locked. The default value of this option is FALSE.
Disk Options
-bs number,-blocksize number
Size in bytes of data blocks to read from disk before posting to the network.
This option can also be set in the configuration file as blocksize. The default value of this option is 262144.
-sync-writes
Flush disk writes before sending a restart marker. This attempts to ensure that the range specified in the restart marker has actually been committed to disk. This option
will probably impact performance, and may result in different behavior on different storage systems. See the manpage for sync() for more information.
This option can also be set in the configuration file as sync_writes. The default value of this option is FALSE.
-perms string
Set the default permissions for created files. Should be an octal number such as 0644. The default is 0644. Note: If umask is set it will affect this setting — i.e. if the
umask is 0002 and this setting is 0666, the resulting files will be created with permissions of 0664.
This option can also be set in the configuration file as perms.
-file-timeout number
Timeout in seconds for all disk accesses. A value of 0 disables the timeout.
This option can also be set in the configuration file as file_timeout.
Network Options
-p number,-port number
Port on which a frontend will listen for client control channel connections, or on which a data node will listen for connections from a frontend. If not set a random port
will be chosen and printed via the logging mechanism.
This option can also be set in the configuration file as port.
-control-interface string
Hostname or IP address of the interface to listen for control connections on. If not set will listen on all interfaces.
This option can also be set in the configuration file as control_interface.
-data-interface string
Hostname or IP address of the interface to use for data connections. If not set will use the current control interface.
This option can also be set in the configuration file as data_interface.
-ipc-interface string
Hostname or IP address of the interface to use for ipc connections. If not set will listen on all interfaces.
This option can also be set in the configuration file as ipc_interface.
-hostname string
Effectively sets the above control_interface, data_interface and ipc_interface options.
This option can also be set in the configuration file as hostname.
-ipc-port number
Port on which the frontend will listen for data node connections.
This option can also be set in the configuration file as ipc_port.
-control-preauth-timeout number
Time in seconds to allow a client to remain connected to the control channel without activity before authenticating.
This option can also be set in the configuration file as control_preauth_timeout. The default value of this option is 120.
-control-idle-timeout number
Time in seconds to allow a client to remain connected to the control channel without activity.
This option can also be set in the configuration file as control_idle_timeout. The default value of this option is 600.
-ipc-idle-timeout number
Idle time in seconds before an unused ipc connection will close.
This option can also be set in the configuration file as ipc_idle_timeout. The default value of this option is 900.
-ipc-connect-timeout number
Time in seconds before canceling an attempted ipc connection.
This option can also be set in the configuration file as ipc_connect_timeout. The default value of this option is 60.
-allow-udt
Enable protocol support for UDT with NAT traversal if the udt driver is available. Requires threads.
This option can also be set in the configuration file as allow_udt. The default value of this option is FALSE.
-port-range string
Port range to use for incoming connections. The format is "startport,endport". This, along with -data-interface, can be used to enable operation behind a firewall and/or
when NAT is involved. This is the same as setting the environment variable GLOBUS_TCP_PORT_RANGE.
This option can also be set in the configuration file as port_range.
-epsv-ip
Adds an IPv6 address to EPSV response. Breaks RFC 2428, but allows redirection to work with IPv6.
This option can also be set in the configuration file as epsv_ip. The default value of this option is FALSE.
User Messages
-banner string
Message to display to the client before authentication.
This option can also be set in the configuration file as banner.
-banner-file string
File to read banner message from.
This option can also be set in the configuration file as banner_file.
-banner-terse
When this is set, the minimum allowed banner message will be displayed to unauthenticated clients.
This option can also be set in the configuration file as banner_terse. The default value of this option is FALSE.
-banner-append
When this is set, the message set in the banner or banner_file option will be appended to the default banner message rather than replacing it.
This option can also be set in the configuration file as banner_append. The default value of this option is FALSE.
-version-tag string
Add an identifying string to the existing toolkit version. This is displayed in the default banner message, the SITE VERSION command, and usage stats.
This option can also be set in the configuration file as version_tag.
-login-msg string
Message to display to the client after authentication.
This option can also be set in the configuration file as login_msg.
-login-msg-file string
File to read login message from.
This option can also be set in the configuration file as login_msg_file.
Module Options
-dsi string
Data Storage Interface module to load. File and remote modules are defined by the server. If not set, the file module is loaded, unless the remote option is specified, in
which case the remote module is loaded. An additional configuration string can be passed to the DSI using the format [module name]:[configuration string] to this option.
The format of the configuration string is defined by the DSI being loaded.
This option can also be set in the configuration file as load_dsi_module.
-allowed-modules string
Comma separated list of ERET/ESTO modules to allow, and optionally specify an alias for. Example: module1,alias2:module2,module3 (module2 will be loaded when a client asks
for alias2).
This option can also be set in the configuration file as allowed_modules.
-dc-whitelist string
A comma separated list of drivers allowed on the network stack.
This option can also be set in the configuration file as dc_whitelist.
-fs-whitelist string
A comma separated list of drivers allowed on the disk stack.
This option can also be set in the configuration file as fs_whitelist.
-popen-whitelist string
A comma separated list of programs that the popen driver is allowed to execute, when used on the network or disk stack. An alias may also be specified, so that a client
does not need to specify the full path. Format is [alias:]prog,[alias:]prog. example: /bin/gzip,tar:/bin/tar
This option can also be set in the configuration file as popen_whitelist.
-xnetmgr string
An option string to pass to the XIO Network Manager Driver, which will then be loaded for all data channel connections. This must be in the form
"manager=module;option1=value;option2=value;". See the Network Manager documentation for more info.
This option can also be set in the configuration file as xnetmgr.
-dc-default string
A comma separated list of XIO drivers and options representing the default network stack. Format is of each driver entry is driver1[:opt1=val1;opt2=val2;...]. The bottom
of the stack, the transport driver, is always first.
This option can also be set in the configuration file as dc_default.
-fs-default string
A comma separated list of XIO drivers and options representing the default disk stack. Format is of each driver entry is driver1[:opt1=val1;opt2=val2;...]. The bottom of
the stack, the transport driver, is always first.
This option can also be set in the configuration file as fs_default.
Other
-c string
Path to main configuration file that should be loaded. Otherwise will attempt to load $GLOBUS_LOCATION/etc/gridftp.conf and /etc/grid-security/gridftp.conf.
-C string
Path to directory holding configuration files that should be loaded. Files will be loaded in alphabetical order, and in the event of duplicate parameters the last loaded
file will take precedence. Backup files and files created by package updates (e.g. file.rpmsave) will be ignored. Note that the main configuration file, if one exists,
will always be loaded last.
This option can also be set in the configuration file as config_dir.
-config-base-path string
Base path to use when config and log path options are not full paths. By default this is the current directory when the process is started.
This option can also be set in the configuration file as config_base_path.
-debug
Sets options that make server easier to debug. Forces no-fork, no-chdir, and allows core dumps on bad signals instead of exiting cleanly. Not recommended for production
servers. Note that non-forked servers running as root will only accept a single connection, and then exit.
This option can also be set in the configuration file as debug. The default value of this option is FALSE.
-pidfile string
This option can also be set in the configuration file as pidfile.
EXIT STATUS
0
Successful program execution.
Grid Community Toolkit 6 12/06/2018 GLOBUS-GRIDFTP-SER(8)
经验首页