
Bug#1109999: [nfs-common] default option (${STATDOPTS}) is not used



On 28/07/2025 at 10:50, Jean-Marc LACROIX wrote:
On 28/07/2025 at 07:12, Jochen Sprickerhof wrote:
Hi Jean-Marc,

* Jean-Marc LACROIX <jeanmarc.lacroix@free.fr> [2025-07-27 23:43]:
In order to increase (a little!) security, and as defined in http://wiki.debian.org/SecuringNFS, it is good practice to define one static port for the nfs-statd daemon.

This feature is available in the man page. Furthermore, it is implemented in /etc/default/nfs-common in the variable STATDOPTS.

But it seems that the /etc/init/nfs-common script has forgotten to use this variable when launching the daemon. As a result, it is not possible to change ANY option available for this daemon.


On Debian Bookworm, it works.
Find below the diff between Bookworm and Trixie:

diff /tmp/nfs-common-trixie /tmp/nfs-common-bookworm
22a23
RPCGSSDOPTS=
30c31
< [ -x /usr/sbin/rpc.statd ] || exit 0
---
[ -x /sbin/rpc.statd ] || exit 0
42c43
<     while read -r DEV _ _ OPTS _
---
    while read DEV MTPT FSTYPE OPTS REST
89c90
<     if [ -x /sbin/modprobe ] && [ -f /proc/modules ]
---
    if [ -x /sbin/modprobe -a -f /proc/modules ]
136c137
<               --exec /usr/sbin/rpc.statd
---
              --exec /sbin/rpc.statd -- $STATDOPTS
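
Review bot: in hunk 136c137 the Trixie side (`<`) execs /usr/sbin/rpc.statd with no arguments, so a STATDOPTS value still set in /etc/default/nfs-common is ignored without any message. If dropping the variable is intended, the init script should print a warning when STATDOPTS is non-empty, so that a port pinned there does not silently stop applying after the upgrade.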

This is no longer supported as stated in the NEWS file:

https://salsa.debian.org/kernel-team/nfs-utils/-/blob/debian/latest/debian/nfs-common.NEWS?ref_type=heads

The complete removal was done here:

https://salsa.debian.org/kernel-team/nfs-utils/-/commit/6824312704bc066b5867b9777695e46cce52dcbc

So maybe this needs another NEWS entry and/or a mention in the release notes.

Cheers Jochen

According ...

https://salsa.debian.org/kernel-team/nfs-utils/-/blob/debian/latest/debian/nfs-common.NEWS?ref_type=heads

I understand there is now one new configuration file, OK.

But for the rpcbind daemon, it seems that the previous old configuration file is still valid, because ...

ansible@vn-nfs-110:~$ uname -a
Linux vn-nfs-110 6.12.30+bpo-armmp-lpae #1 SMP Debian 6.12.30-1~bpo12+1 (2025-06-14) armv7l GNU/Linux
ansible@vn-nfs-110:~$ cat /etc/debian_version
13.0
ansible@vn-nfs-110:~$ dpkg -L rpcbind |grep etc
/etc
/etc/default
/etc/default/rpcbind
/etc/init.d
/etc/init.d/rpcbind
/etc/insserv.conf.d
/etc/insserv.conf.d/rpcbind
ansible@vn-nfs-110:~$

So please, could you confirm that the new configuration file /etc/nfs.conf is not used for this daemon?


Regards

When migrating from old Debian to Trixie, there is still one warning when launching /etc/init.d/nfs-kernel-server (with sysvinit)

ansible@vn-nfs-110:~$ sudo /etc/init.d/nfs-kernel-server restart
Stopping NFS kernel daemon: mountd nfsd.
Unexporting directories for NFS kernel daemon...done.
Exporting directories for NFS kernel daemon...done.
Starting NFS kernel daemon: nfsd mountdrpc.mountd: svc_tli_create: could not open connection for udp6
rpc.mountd: svc_tli_create: could not open connection for tcp6
rpc.mountd: svc_tli_create: could not open connection for udp6
rpc.mountd: svc_tli_create: could not open connection for tcp6
rpc.mountd: svc_tli_create: could not open connection for udp6
rpc.mountd: svc_tli_create: could not open connection for tcp6
.

My new config file is ....

ansible@vn-nfs-110:~$ sudo cat /etc/nfs.conf  |grep -v "#" |grep -v ^$
[nfsrahead]
[exports]
rootdir=/
[exportfs]
debug=all
[gssd]
[lockd]
debug=all
[exportd]
debug=all
state-directory-path=/var/lib/nfs
[mountd]
debug=all
manage-gids=y
state-directory-path=/var/lib/nfs
[nfsdcld]
[nfsd]
debug=all
threads=6
host=vn-nfs-110-service.sub-dns-test.TLD.jml
port=32767
grace-time=90
lease-time=90
udp=n
tcp=y
vers3=y
vers4=y
vers4.0=y
vers4.1=y
vers4.2=y
rdma=n
[statd]
debug=all
port=32766
outgoing-port=32765
name=vn-nfs-110-service.sub-dns-test.TLD.jml
state-directory-path=/var/lib/nfs/statd
no-notify=0
[sm-notify]
[svcgssd]

On this server, IPv6 is prohibited using sysctl ...

ansible@hn-odroid-hc1-110:~$ sudo cat /etc/sysctl.d/kernel_sysctl_ipv6.conf |grep -v "#" |grep -v ^$
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
net.ipv6.conf.all.forwarding=0
net.ipv6.conf.all.autoconf=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0


Therefore, it is not possible to bind one socket to inet6, and this is the behaviour that I want.

The server is running without errors, but because I don't see any configuration item in /etc/nfs.conf, I would like to remove this warning?

If you have any suggestion, thanks in advance for your help.

Please note that on the previous Debian NFS release (<= bookworm), in the same context, there is no warning because ....

ansible@vn-nfs-400:~$ cat /etc/debian_version
12.11
ansible@vn-nfs-400:~$ sudo /etc/init.d/nfs-kernel-server restart
Stopping NFS kernel daemon: mountd nfsd.
Unexporting directories for NFS kernel daemon...done.
Exporting directories for NFS kernel daemon...done.
Starting NFS kernel daemon: nfsd mountd.
ansible@vn-nfs-400:~$

ansible@vn-nfs-400:~$ sudo pstree -anp
init,1
  |-rpcbind,663 -w -h vn-nfs-400-service
  |-syslog-ng,749
  |   `-syslog-ng,751 -p /var/run/syslog-ng.pid --no-caps
  |       `-{syslog-ng},26053
  |-cron,809
  |-sshd,818
  |   `-sshd,28381
  |       `-sshd,28383
  |           `-bash,28384
  |               `-sudo,28584 pstree -anp
  |                   `-pstree,28585 -anp
  |-monit,832 -c /etc/monit/monitrc
  |   |-{monit},1927
  |   |-{monit},1936
  |   `-(verify_rpc_stat,28509)
  |-getty,837 115200 console
  |-mqtt_send_tempe,924 /usr/local/bin/mqtt_send_temperature.sh
  |   `-sleep,28583 10
  |-rpc.statd,8769 --state-directory-path /var/lib/nfs --port 32766 --outgoing-port 32765 --name vn-nfs-400-service
  `-rpc.mountd,28569 --state-directory-path /var/lib/nfs --manage-gids --port 32767 --num-threads=6
      |-rpc.mountd,28570 --state-directory-path /var/lib/nfs --manage-gids --port 32767 --num-threads=6
      |-rpc.mountd,28571 --state-directory-path /var/lib/nfs --manage-gids --port 32767 --num-threads=6
      |-rpc.mountd,28572 --state-directory-path /var/lib/nfs --manage-gids --port 32767 --num-threads=6
      |-rpc.mountd,28573 --state-directory-path /var/lib/nfs --manage-gids --port 32767 --num-threads=6
      |-rpc.mountd,28574 --state-directory-path /var/lib/nfs --manage-gids --port 32767 --num-threads=6
      `-rpc.mountd,28575 --state-directory-path /var/lib/nfs --manage-gids --port 32767 --num-threads=6
ansible@vn-nfs-400:~$

Second question.
In man nfs, I have read ....

nfsvers=n

"The NFS protocol version number used to contact the server's NFS service. If the server does not support the requested version, the mount request fails. If this option is not specified, the client negotiates a suitable version with the server, trying version 4 first, version 3 second, and version 2 last. "


Therefore, because I have set all protocols in the /etc/nfs.conf file, I
expect that my client can mount the directory with NFS version 4.2, but

jean-marc@vn-trixie-armhf-110:~$ mount |grep nfs
/etc/auto.master.d/autofs_home.autofs on /nfs-home type autofs (rw,relatime,fd=7,pgrp=786,timeout=7201,minproto=5,maxproto=5,indirect,pipe_ino=7366434)
vn-nfs-110-service:/srv/nfs/home/jean-marc on /nfs-home/jean-marc type nfs (rw,noatime,nodiratime,vers=3,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=32767,timeo=600,retrans=2,sec=sys,mountaddr=192.168.54.88,mountvers=3,mountport=60593,mountproto=tcp,local_lock=none,addr=192.168.54.88)

Do you have any suggestion why this client is using vers=3 instead of 4.2?


Best regards
--
  -- Jean-Marc LACROIX  () --
    -- mailto : jeanmarc.lacroix@free.fr   --
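
A check for the static-port goal discussed in this thread, as an added example that is not part of the original messages or of nfs-utils: it parses an nfs.conf and lists the RPC daemons left on dynamic ports, plus an nfsd port that differs from 2049. The sample is a constructed subset of the file quoted above; the policy table `REQUIRED` and the names `audit_nfs_ports` and `_port` are assumptions.

```python
import configparser

# Constructed sample: port-related subset of the nfs.conf quoted in the thread.
SAMPLE_NFS_CONF = """
[lockd]
debug=all
[mountd]
manage-gids=y
[nfsd]
port=32767
vers4.2=y
[statd]
port=32766
outgoing-port=32765
"""

# Assumed firewall policy: every key listed here must hold a fixed port.
REQUIRED = {"statd": ["port", "outgoing-port"], "mountd": ["port"], "lockd": ["port"]}
NFS_DEFAULT_PORT = 2049


def _port(cp, section, key):
    """Return the configured port as int, or 0 when unset or not numeric."""
    value = cp.get(section, key, fallback="").strip()
    return int(value) if value.isdigit() else 0


def audit_nfs_ports(text):
    """Return (pinned, findings) for the nfs.conf content given as text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    pinned, findings = {}, []
    for section, keys in REQUIRED.items():
        for key in keys:
            port = _port(cp, section, key)
            if port:
                pinned[f"{section}.{key}"] = port
            else:
                findings.append(f"[{section}] {key} is unset: dynamic port")
    nfsd_port = _port(cp, "nfsd", "port") or NFS_DEFAULT_PORT
    pinned["nfsd.port"] = nfsd_port
    if nfsd_port != NFS_DEFAULT_PORT:
        findings.append(f"[nfsd] port={nfsd_port}: NFSv4 clients use "
                        f"{NFS_DEFAULT_PORT} unless mounted with port=")
    return pinned, findings


if __name__ == "__main__":
    for line in audit_nfs_ports(SAMPLE_NFS_CONF)[1]:
        print(line)
```

Run against the real file with `audit_nfs_ports(open("/etc/nfs.conf").read())`; the pinned ports it returns are the ones a packet filter in front of the server has to allow.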

