Obviously, I don’t update this blog as I used to do, but as an update to my previous post regarding NFS v3 on Debian 7, here’s the same thing for Debian 10.
apt-get update
apt-get install nfs-kernel-server
Stop and disable rpc.idmapd used for NFSv4 (nfs-idmapd.service binds to nfs-server.service, so it needs to be masked):
systemctl disable nfs-idmapd.service
systemctl mask nfs-idmapd.service
systemctl stop nfs-idmapd.service
Stop and disable blkmapd used for pNFS:
systemctl disable nfs-blkmap.service
systemctl stop nfs-blkmap.service
No need for client support on a server (which would also start blkmapd etc.):
systemctl disable nfs-client.target
NLM (in the kernel server) should use a static port (2050), which is set via sysctl:
printf 'fs.nfs.nlm_%sport = 2050\n' tcp udp > /etc/sysctl.d/nfs-nlm-port.conf
sysctl -p /etc/sysctl.d/nfs-nlm-port.conf
This works for now, but not after a reboot apparently. So set it for the module as well:
printf 'options lockd nlm_udpport=2050 nlm_tcpport=2050\n' > /etc/modprobe.d/lockd.conf
NFSv4 should be disabled in the kernel server, so rpc.nfsd needs to be started with “--no-nfs-version 4”, which is achieved by doing:
printf 'RPCNFSDOPTS="--no-nfs-version 4"\n' >> /etc/default/nfs-kernel-server
systemctl restart nfs-server.service
Long story: nfs-server.service wants nfs-config.service, which triggers /usr/lib/systemd/scripts/nfs-utils_env.sh (disgusting quoting stuff in that one), which reads /etc/default/nfs-common and /etc/default/nfs-kernel-server to finally write /run/sysconfig/nfs-utils, that nfs-server.service is using as envfile. In that envfile there’s a RPCNFSDARGS, which needs to have “--no-nfs-version 4”. In turn nfs-utils_env.sh uses $RPCNFSDOPTS to set the RPCNFSDARGS env.
NFSv4 should be disabled for rpc.mountd as well, and it’s the same story as above, but for RPCMOUNTDARGS instead. It should also use a static port (2048):
sed -ri 's/^(RPCMOUNTDOPTS)=.*/\1="--manage-gids --no-nfs-version 4 --port 2048"/' /etc/default/nfs-kernel-server
systemctl restart nfs-mountd.service
Personally, I just use NFS for streaming files to my HTPC, and at least in that setup I don’t need rpc.statd (which was mentioned in the previous article). However, if that service is needed, make it use a static port as well:
sed -ri 's/^(STATDOPTS)=.*/\1="--port 2046"/' /etc/default/nfs-common
systemctl enable rpc-statd.service
systemctl start rpc-statd.service
/etc/services can be updated, just for making tcpdump etc. nicer without the -n argument:
cat << 'EOF' >> /etc/services
nfs.mountd 2048/tcp
nfs.mountd 2048/udp
nfs.lockd 2050/tcp
nfs.lockd 2050/udp
EOF
And iptables is still the same (except statd/2046, add that if needed):
-p udp -m multiport --dports 111,2048,2049,2050 -m state --state NEW -j ACCEPT
-p tcp -m multiport --dports 111,2048,2049,2050 -m state --state NEW -j ACCEPT
There you go, you should now have a nice and easily firewalled NFSv3 setup using Debian 10.
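To check the result from the server itself, here is an added example (not part of the original post) that audits rpcinfo -p output against the ports chosen above and flags a remaining NFSv4 registration. The function name check_rpc_ports and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit "rpcinfo -p" output against the static ports from this post.
# On the server: rpcinfo -p | check_rpc_ports
# Prints one line per problem; returns 0 only when nothing was found.
check_rpc_ports() {
    awk '
        BEGIN { want["portmapper"] = 111; want["nfs"] = 2049; want["nfs_acl"] = 2049
                want["mountd"] = 2048; want["nlockmgr"] = 2050; want["status"] = 2046 }
        $1 !~ /^[0-9]+$/ { next }                 # skip the header line
        { vers = $2 + 0; proto = $3; port = $4 + 0; svc = $5; seen[svc] = 1 }
        # nlockmgr version 4 is NLM for NFSv3, so only the nfs program is checked.
        svc == "nfs" && vers == 4 { print "FAIL nfs v4 still registered (" proto ")"; bad = 1 }
        !(svc in want) { print "FAIL unexpected service " svc " on " port "/" proto; bad = 1; next }
        port != want[svc] { print "FAIL " svc " on " port "/" proto ", expected " want[svc]; bad = 1 }
        END {
            n = split("portmapper nfs mountd nlockmgr", need, " ")
            for (i = 1; i <= n; i++)
                if (!(need[i] in seen)) { print "FAIL " need[i] " not registered"; bad = 1 }
            exit bad + 0
        }
    '
}

# Constructed sample: the listing expected after following the post (no statd).
GOOD_SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    3   udp   2048  mountd
    100005    3   tcp   2048  mountd
    100003    3   tcp   2049  nfs
    100227    3   tcp   2049  nfs_acl
    100021    4   udp   2050  nlockmgr
    100021    4   tcp   2050  nlockmgr'

# Constructed sample: NFSv4 still on, mountd and lockd on ephemeral ports.
BAD_SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100005    3   udp  37463  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    4   tcp  45113  nlockmgr'

printf '%s\n' "$GOOD_SAMPLE" | check_rpc_ports && echo "good sample: clean"
printf '%s\n' "$BAD_SAMPLE" | check_rpc_ports || echo "bad sample: problems found"
```

Any service reported on a port outside 111, 2048, 2049, 2050 (or 2046 for statd) would be unreachable through the iptables rules above, so a FAIL line after a reboot usually means one of the static-port settings did not persist.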
Nice to see another blog post. It’s been a while 🙂
Nice seeing that you’re still following 😀