Legacy NFS v3 on Debian Buster (10)

Obviously, I don’t update this blog as I used to do, but as an update to my previous post regarding NFS v3 on Debian 7, here’s the same thing for Debian 10.

apt-get update
apt-get install nfs-kernel-server

Stop and disable rpc.idmapd used for NFSv4 (nfs-idmapd.service binds to nfs-server.service, so it needs to be masked):

systemctl disable nfs-idmapd.service
systemctl mask nfs-idmapd.service
systemct stop nfs-idmapd.service

Stop and disable blkmapd used for pNFS:

systemctl disable nfs-blkmap.service
systemct stop nfs-blkmap.service

No need for client support on a server (which would also start blkmapd etc.):

systemctl disable nfs-client.target

NLM (in the kernel server) should use static ports (2050), which is defined via sysctl:

printf 'fs.nfs.nlm_%sport = 2050\n' tcp udp > /etc/sysctl.d/nfs-nlm-port.conf
sysctl -p /etc/sysctl.d/nfs-nlm-port.conf

This works for now, but not after a reboot apparently. So set it for the module as well:

printf 'options lockd nlm_udpport=2050 nlm_tcpport=2050\n' > /etc/modprobe.d/lockd.conf

NFSv4 should be disabled in the kernel server, so rpc.nfsd needs to be started with “–no-nfs-version 4”, which is achieved by doing:

printf 'RPCNFSDOPTS="--no-nfs-version 4"\n' >> /etc/default/nfs-kernel-server
systemctl restart nfs-server.service

Long story: nfs-server.service wants nfs-config.service, which triggers /usr/lib/systemd/scripts/nfs-utils_env.sh (disgusting quoting stuff in that one), which reads /etc/default/nfs-common and /etc/default/nfs-kernel-server to finally write /run/sysconfig/nfs-utils, that nfs-server.service is using as envfile. In that envfile there’s a RPCNFSDARGS, which needs to have “–no-nfs-version 4”. In turn nfs-utils_env.sh uses $RPCNFSDOPTS to set the RPCNFSDARGS env.

NFSv4 should be disabled for rpc.mountd as well, and it’s the same story as above, but for RPCMOUNTDARGS instead. It should also use a static port (2048):

sed -ri 's/^(RPCMOUNTDOPTS)=.*/\1="--manage-gids --no-nfs-version 4 --port 2048"/' /etc/default/nfs-kernel-server
systemctl restart nfs-mountd.service

Personally, I just use NFS for streaming files to my HTPC, and at least in that setup I don’t need rpc.statd (which was mentioned in the previous article). However, if that service would be needed, make it use a static port as well:

sed -ri 's/^(STATDOPTS)=.*/\1="--port 2046"/' /etc/default/nfs-common
systemctl enable rpc-statd.service
systemctl start rpc-statd.service

/etc/services can be updated, just for making tcpdump etc. nicer without the -n argument:

cat << 'EOF' >> /etc/services
nfs.mountd 2048/tcp
nfs.mountd 2048/udp
nfs.lockd 2050/tcp
nfs.lockd 2050/udp

And iptables is still the same (except statd/2046, add that if needed):

-p udp -m multiport --dports 111,2048,2049,2050 -m state --state NEW -j ACCEPT
-p tcp -m multiport --dports 111,2048,2049,2050 -m state --state NEW -j ACCEPT

There you go, you should now have a nice and easily firewalled NFSv3 setup using Debian 10.

One Reply to “Legacy NFS v3 on Debian Buster (10)”

Leave a Reply

Your email address will not be published. Required fields are marked *