+Each
+.I mgsnode
+may specify a comma-separated list of NIDs, if there are different
+LNet interfaces for the same
+.IR mgsnode .
+.TP
+.BI mgssec= flavor
+Specifies the encryption flavour for the initial network RPC connection to
+the MGS node. Non-security flavors are:
+.BR null ,
+.BR plain ,
+and
+.BR gssnull ,
+which respectively disable, or have no encryption or integrity features for
+testing purposes. Kerberos flavors are:
+.BR krb5n ,
+.BR krb5a ,
+.BR krb5i ,
+and
+.BR krb5p .
+Shared-secret key flavors are:
+.BR skn ,
+.BR ska ,
+.BR ski ,
+and
+.BR skpi ,
+see
+.BR lgss_sk (8)
+for more details. The security flavour for client-to-server connections is
+specified in the filesystem configuration that the client fetches from the MGS.
+.TP
+.BI skpath= file|directory
+Path to a file or directory with the keyfile(s) to load for this mount command.
+Keys are inserted into the KEY_SPEC_SESSION_KEYRING keyring with a description
+containing "lustre:" and a suffix which depends on whether the context of the
+mount command is for an MGS, MDT/OST, or client.
+This option is only available when built with --enable-gss.
+.TP
+.BI exclude= ostlist
+Start a client or MDT with a (colon-separated) list of known inactive OSTs.
+.SH CLIENT OPTIONS