On Sun, Sep 20, 2020 at 10:56:28AM +0100, Chris Hall wrote:
> On 19/09/2020 17:40, J. Bruce Fields wrote:
> >On Sat, Sep 19, 2020 at 12:33:53PM -0400, J. Bruce Fields wrote:
> >>For the server, you don't need rpcbind or rpc.statd for v4, but you do
> >>need rpc.idmapd, rpc.mountd and nfsdcld.
> >>
> >>rpc.mountd is the only one of those three that needs to listen on a
> >>network port, but that's only in the NFSv2/v3 case. I'm not sure if
> >>we're getting that right.
>
> >Looking at the code, it looks correct--I see mountd starting those
> >listeners only when v2 or v3 are configured.
>
> Well, on the machine in question, after a reboot I have:
>
> [root@cerberus ~]# netstat ...
> Proto Local Address Foreign Address State PID/Prog
> tcp 10.25.54.61:1022 0.0.0.0:* LISTEN 767/sshd
> tcp 10.25.54.61:1022 79.xx.xx.xx:57456 ESTAB. 770/sshd root
> [root@cerberus ~]# pstree
> systemd─┬─agetty
> ├─atd
> ├─auditd───{auditd}
> ├─crond
> ├─dbus-broker-lau───dbus-broker
> ├─gssproxy───5*[{gssproxy}]
> ├─mcelog
> ├─rngd───4*[{rngd}]
> ├─rsyslogd───2*[{rsyslogd}]
> ├─sshd───sshd───sshd───bash───pstree
> ├─systemd-homed
> ├─systemd-journal
> ├─systemd-logind
> └─systemd-udevd
>
> where the only port which is open is the "obscure" sshd.
>
> Then I start nfs-server and:
>
> [root@cerberus ~]# systemctl start nfs-server
> [root@cerberus ~]# netstat ...
> Proto Local Address Foreign Address State PID/Prog
> tcp 10.25.54.61:1022 0.0.0.0:* LISTEN 767/sshd
> tcp 79.xx.xx.xx:1001 0.0.0.0:* LISTEN -
> tcp 0.0.0.0:46921 0.0.0.0:* LISTEN 817/rpc.statd
> tcp 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
> tcp 10.25.54.61:1022 79.xx.xx.xx:57456 ESTAB. 770/sshd:
> tcp6 :::35545 :::* LISTEN 817/rpc.statd
> tcp6 :::111 :::* LISTEN 1/systemd
> udp 0.0.0.0:54902 0.0.0.0:* 817/rpc.statd
> udp 0.0.0.0:111 0.0.0.0:* 1/systemd
> udp 0.0.0.0:62840 0.0.0.0:* 815/rpcbind
> udp6 :::61316 :::* 815/rpcbind
> udp6 :::111 :::* 1/systemd
> udp6 :::58536 :::* 817/rpc.statd
> [root@cerberus ~]# pstree
> systemd─┬─agetty
> ├─atd
> ├─auditd───{auditd}
> ├─crond
> ├─dbus-broker-lau───dbus-broker
> ├─gssproxy───5*[{gssproxy}]
> ├─mcelog
> ├─nfsdcld
> ├─rngd───4*[{rngd}]
> ├─rpc.idmapd
> ├─rpc.mountd
> ├─rpc.statd
> ├─rpcbind
> ├─rsyslogd───2*[{rsyslogd}]
> ├─sshd───sshd───sshd───bash───pstree
> ├─systemd-homed
> ├─systemd-journal
> ├─systemd-logind
> └─systemd-udevd
>
> Where nfsdcld, rpc.idmapd and rpc.mountd have indeed been started
> but are not bound to any ports.
That looks good. (And rpc.mountd does still serve a purpose in the
NFSv4 case, answering requests from the kernel for information related
to exported filesystems.)
> But rpc.statd and rpcbind have also been started, and various ports
> have been opened, including port 111 which is bound to systemd. Is
> there a way to inhibit that for nfs4 only ?
Unlike rpc.mountd, there's no reason for those to be running at all.
You can mask thoe corresponding systemd units.
It'd be nice if there was a way to make that happen automatically if v2
and v3 are configured out in the configuration files, but I don't know
how to make that happen.
--b.
>
> The /etc/nfs.conf says:
>
> [nfsd]
> debug=0
> threads=8
> host=cerberus
> port=1001
> udp=n
> tcp=y
> vers2=n
> vers3=n
> vers4=y
> vers4.0=y
> vers4.1=y
> vers4.2=y
>
> And nothing else. And yes, the port is intended to be "obscure".
