.sp
.RE
-The same filesystem may be mounted more than once, and in some cases (e.g.
-network filesystems) the same filesystem maybe be mounted on the same
+The same filesystem may be mounted more than once, and in some cases (e.g.,
+network filesystems) the same filesystem may be mounted on the same
mountpoint more times. The mount command does not implement any policy to
-control this behavior. All behavior is controlled by kernel and it is usually
-specific to filesystem driver. The exception is \fB\-\-all\fR, in this case
+control this behavior. All behavior is controlled by the kernel and it is usually
+specific to the filesystem driver. The exception is \fB\-\-all\fR, in this case
already mounted filesystems are ignored (see \fB\-\-all\fR below for more details).
.SS Listing the mounts
or UUID. Partition identifiers are supported for example for GUID Partition
Tables (GPT).
-The device name of disk partitions are unstable; hardware reconfiguration,
-adding or removing a device can cause change in names. This is reason why it's
-strongly recommended to use filesystem or partition identificators like UUID or
+The device names of disk partitions are unstable; hardware reconfiguration,
+adding or removing a device can cause changes in names. This is the reason why it's
+strongly recommended to use filesystem or partition identifiers like UUID or
LABEL.
-The command \fBlsblk --fs\fR provides overview of filesystems, LABELs and UUIDs
-on available block devices. The command \fBblkid -p <device>\fR provides details about
+The command \fBlsblk \-\-fs\fR provides an overview of filesystems, LABELs and UUIDs
+on available block devices. The command \fBblkid \-p <device>\fR provides details about
a filesystem on the specified device.
Don't forget that there is no guarantee that UUIDs and labels are really
specify filesystem, otherwise \fBmount\fR may fail. For example it's bad idea
to use NFS or CIFS source on command line.
.PP
+Since version 2.35 \fBmount\fR command does not exit when user permissions are
+inadequate by internal libmount security rules. It drops suid permissions
+and continue as regular non-root user. It allows to support use-cases where
+root permissions are not necessary (e.g., fuse filesystems, user namespaces,
+etc).
+.PP
For more details, see
.BR fstab (5).
Only the user that mounted a filesystem can unmount it again.
or special node in the kernel VFS. The "bind" is just another operation to
attach a filesystem. There is nowhere stored information that the filesystem
has been attached by "bind" operation. The \fIolddir\fR and \fInewdir\fR are
-independent and the \fIolddir\fR maybe be umounted.
+independent and the \fIolddir\fR may be umounted.
One can also remount a single file (on a single file). It's also
possible to use the bind mount to create a mountpoint from a regular
.RE
Note that the filesystem mount options maintained by kernel will remain the same as those
-on the original mount point. The userspace mount options (e.g. _netdev) will not be copied
+on the original mount point. The userspace mount options (e.g., _netdev) will not be copied
by
.BR mount (8)
and it's necessary explicitly specify the options on mount command line.
.RS
.br
-.B mount -o bind,ro foo foo
+.B mount \-o bind,ro foo foo
.RE
This feature is not supported by the Linux kernel; it is implemented in userspace
It's also possible to change nosuid, nodev, noexec, noatime, nodiratime and
relatime VFS entry flags by "remount,bind" operation. The another (for example
filesystem specific flags) are silently ignored. It's impossible to change mount
-options recursively (for example with \fB-o rbind,ro\fR).
+options recursively (for example with \fB\-o rbind,ro\fR).
.BR mount (8)
since v2.31 ignores the \fBbind\fR flag from
.I /etc/fstab
on
.B remount operation
-(if "-o remount" specified on command line). This is necessary to fully control
+(if "\-o remount" specified on command line). This is necessary to fully control
mount options on remount by command line. In the previous versions the bind
flag has been always applied and it was impossible to re-define mount options
without interaction with the bind semantic. This
behavior does not affect situations when "remount,bind" is specified in the
.I /etc/fstab
file.
-.RE
.SS The move operation
Move a
case all filters (\fB\-t\fR and \fB\-O\fR) are applied to the table of already
mounted filesystems.
.sp
+Since version 2.35 is possible to use the command line option \fB\-o\fR to
+alter mount options from fstab (see also \fB\-\-options\-mode\fR).
+.sp
Note that it is a bad practice to use \fBmount \-a\fR for
.I fstab
checking. The recommended solution is \fBfindmnt \-\-verify\fR.
together with the
.B \-f
flag for already canonicalized absolute paths. The option is designed for mount
-helpers which call \fBmount -i\fR. It is strongly recommended to not use this
+helpers which call \fBmount \-i\fR. It is strongly recommended to not use this
command-line option for normal mount operations.
.sp
Note that \fBmount\fR(8) does not pass this option to the
interpreted as target (mountpoint) or source (device). This option allows to
explicitly define that the argument is the mount target.
.TP
+.BI \-\-target\-prefix " directory"
+Prepend specified directory to all mount targets. This option allows to follow
+fstab, but mount operations is done on another place, for example:
+.RS
+.RS
+.sp
+.B "mount \-\-all \-\-target\-prefix /chroot \-o X\-mount.mkdir
+.sp
+.RE
+mounts all from system fstab to /chroot, all missing muontpoint are created
+(due to X-mount.mkdir). See also \fB\-\-fstab\fP to use an alternative fstab.
+.RE
+.TP
.BR \-T , " \-\-fstab " \fIpath
Specifies an alternative fstab file. If \fIpath\fP is a directory then the files
in the directory are sorted by
currently supported depend on the running kernel. See
.I /proc/filesystems
and
-.I /lib/modules/$(uname -r)/kernel/fs
+.I /lib/modules/$(uname \-r)/kernel/fs
for a complete list of the filesystems. The most common are ext2, ext3, ext4,
xfs, btrfs, vfat, sysfs, proc, nfs and cifs.
.sp
which match a specified filter (\fB\-O\fR and \fB\-t\fR). For example:
.sp
.in +4
-.B "mount \-\-all \-o remount,ro -t vfat"
+.B "mount \-\-all \-o remount,ro \-t vfat"
.in
.sp
remounts all already mounted vfat filesystems in read-only mode. The each of the
.TP
.B X-*
All options prefixed with "X-" are interpreted as comments or as userspace
-application-specific options. These options are not stored in the user space (e.g. mtab file),
+application-specific options. These options are not stored in the user space (e.g., mtab file),
nor sent to the mount.\fItype\fR helpers nor to the
.BR mount (2)
system call. The suggested format is \fBX-\fIappname\fR.\fIoption\fR.
without a change.
.TP
.BR X-mount.mkdir [ = \fImode\fR ]
-Allow to make a target directory (mountpoint). The optional argument
+Allow to make a target directory (mountpoint) if it does not exit yet.
+The optional argument
.I mode
specifies the filesystem access mode used for
.BR mkdir (2)
in octal notation. The default mode is 0755. This functionality is supported
-only for root users. The option is also supported as x-mount.mkdir, this notation
-is deprecated for mount.mkdir since v2.30.
+only for root users or when mount executed without suid permissions. The option
+is also supported as x-mount.mkdir, this notation is deprecated since v2.30.
.SH "FILESYSTEM-SPECIFIC MOUNT OPTIONS"
You should consult the respective man page for the filesystem first.
All mounts of devpts without this
.B newinstance
-option share the same set of pty indices (i.e. legacy mode).
+option share the same set of pty indices (i.e., legacy mode).
Each mount of devpts with the
.B newinstance
option has a private set of pty indices.
potentially causing data corruption. For this reason, this
option also mounts the filesystem readonly.
-To maintain backward compatibility, '-o nfs' is also accepted,
+To maintain backward compatibility, '\-o nfs' is also accepted,
defaulting to
.BR stale_rw .
.TP
.TP
.B user_xattr
Enable Extended User Attributes. See the
-.BR attr (5)
+.BR attr (1)
manual page.
.TP
.B acl
uid=forget can be specified independently of (or usually in
addition to) uid=<user> and results in UDF
not storing uids to the media. In fact the recorded uid
-is the 32-bit overflow uid -1 as defined by the UDF standard.
+is the 32-bit overflow uid \-1 as defined by the UDF standard.
The value is given as either <user> which is a valid user name or the corresponding
decimal user id, or the special string "forget".
.TP
gid=forget can be specified independently of (or usually in
addition to) gid=<group> and results in UDF
not storing gids to the media. In fact the recorded gid
-is the 32-bit overflow gid -1 as defined by the UDF standard.
+is the 32-bit overflow gid \-1 as defined by the UDF standard.
The value is given as either <group> which is a valid group name or the corresponding
decimal group id, or the special string "forget".
.TP
.I devices
(default: uid=gid=0, mode=0444). The mode is given in octal.
-.SH "THE LOOP DEVICE"
+.SH "DM-VERITY SUPPORT (experimental)"
+The device-mapper verity target provides read-only transparent integrity
+checking of block devices using kernel crypto API. The mount command can open
+the dm-verity device and do the integrity verification before on the device
+filesystem is mounted. Requires libcryptsetup with in libmount. If
+libcryptsetup supports extracting the root hash of an already mounted device,
+existing devices will be automatically reused in case of a match.
+Mount options for dm-verity:
+.TP
+\fBverity.hashdevice=\fP\,\fIpath\fP
+Path to the hash tree device associated with the source volume to pass to dm-verity.
+.TP
+\fBverity.roothash=\fP\,\fIhex\fP
+Hex-encoded hash of the root of
+.I verity.hashdevice
+Mutually exclusive with
+.I verity.roothashfile.
+.TP
+\fBverity.roothashfile=\fP\,\fIpath\fP
+Path to file containing the hex-encoded hash of the root of
+.I verity.hashdevice.
+Mutually exclusive with
+.I verity.roothash.
+.TP
+\fBverity.hashoffset=\fP\,\fIoffset\fP
+If the hash tree device is embedded in the source volume,
+.I offset
+(default: 0) is used by dm-verity to get to the tree.
+.TP
+\fBverity.fecdevice=\fP\,\fIpath\fP
+Path to the Forward Error Correction (FEC) device associated with the source volume to pass to dm-verity.
+Optional. Requires kernel built with CONFIG_DM_VERITY_FEC.
+.TP
+\fBverity.fecoffset=\fP\,\fIoffset\fP
+If the FEC device is embedded in the source volume,
+.I offset
+(default: 0) is used by dm-verity to get to the FEC area. Optional.
+.TP
+\fBverity.fecroots=\fP\,\fIvalue\fP
+Parity bytes for FEC (default: 2). Optional.
+.TP
+\fBverity.roothashsig=\fP\,\fIpath\fP
+Path to pkcs7 signature of root hash hex string. Requires crypt_activate_by_signed_key() from cryptsetup and
+kernel built with CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG. For device reuse, signatures have to be either used by all
+mounts of a device or by none. Optional.
+.RE
+.PP
+Supported since util-linux v2.35.
+.PP
+For example commands:
+.sp
+.RS
+.nf
+.B mksquashfs /etc /tmp/etc.squashfs
+.B dd if=/dev/zero of=/tmp/etc.hash bs=1M count=10
+.B veritysetup format /tmp/etc.squashfs /tmp/etc.hash
+.B openssl smime \-sign \-in <hash> \-nocerts \-inkey private.key \-signer private.crt \-noattr \-binary \-outform der \-out /tmp/etc.p7
+.B mount \-o verity.hashdevice=/tmp/etc.hash,verity.roothash=<hash>,verity.roothashsig=/tmp/etc.p7 /tmp/etc.squashfs /mnt
+.fi
+.RE
+.sp
+create squashfs image from /etc directory, verity hash device
+and mount verified filesystem image to /mnt.
+The kernel will verify that the root hash is signed by a key from the kernel keyring if roothashsig is used.
+
+.SH "LOOP-DEVICE SUPPORT"
One further possible type is a mount via the loop device. For example,
the command
.RS
.TP
.B 64
some mount succeeded
-.RE
The command \fBmount \-a\fR returns 0 (all succeeded), 32 (all failed), or 64 (some
failed, some succeeded).
projects / thirdparty / util-linux.git / blobdiff