Date: Sun, 20 Sep 2020 15:32:45 -0400
From: "J. Bruce Fields"
To: Chris Hall
Cc: linux-nfs@vger.kernel.org
Subject: Re: mount.nfs4 and logging
Message-ID: <20200920193245.GC28449@fieldses.org>
In-Reply-To: <12298172-f830-4f22-8612-dfbbc74b8a40@gmch.uk>

On Sun, Sep 20, 2020 at 10:56:28AM +0100, Chris Hall wrote:
> On 19/09/2020 17:40, J. Bruce Fields wrote:
> >On Sat, Sep 19, 2020 at 12:33:53PM -0400, J. Bruce Fields wrote:
> >>For the server, you don't need rpcbind or rpc.statd for v4, but you do
> >>need rpc.idmapd, rpc.mountd and nfsdcld.
> >>
> >>rpc.mountd is the only one of those three that needs to listen on a
> >>network port, but that's only in the NFSv2/v3 case. I'm not sure if
> >>we're getting that right.
>
> >Looking at the code, it looks correct--I see mountd starting those
> >listeners only when v2 or v3 are configured.
>
> Well, on the machine in question, after a reboot I have:
>
>   [root@cerberus ~]# netstat ...
>   Proto Local Address     Foreign Address    State   PID/Prog
>   tcp   10.25.54.61:1022  0.0.0.0:*          LISTEN  767/sshd
>   tcp   10.25.54.61:1022  79.xx.xx.xx:57456  ESTAB.  770/sshd root
>   [root@cerberus ~]# pstree
>   systemd─┬─agetty
>           ├─atd
>           ├─auditd───{auditd}
>           ├─crond
>           ├─dbus-broker-lau───dbus-broker
>           ├─gssproxy───5*[{gssproxy}]
>           ├─mcelog
>           ├─rngd───4*[{rngd}]
>           ├─rsyslogd───2*[{rsyslogd}]
>           ├─sshd───sshd───sshd───bash───pstree
>           ├─systemd-homed
>           ├─systemd-journal
>           ├─systemd-logind
>           └─systemd-udevd
>
> where the only port which is open is the "obscure" sshd.
>
> Then I start nfs-server and:
>
>   [root@cerberus ~]# systemctl start nfs-server
>   [root@cerberus ~]# netstat ...
>   Proto Local Address     Foreign Address    State   PID/Prog
>   tcp   10.25.54.61:1022  0.0.0.0:*          LISTEN  767/sshd
>   tcp   79.xx.xx.xx:1001  0.0.0.0:*          LISTEN  -
>   tcp   0.0.0.0:46921     0.0.0.0:*          LISTEN  817/rpc.statd
>   tcp   0.0.0.0:111       0.0.0.0:*          LISTEN  1/systemd
>   tcp   10.25.54.61:1022  79.xx.xx.xx:57456  ESTAB.  770/sshd:
>   tcp6  :::35545          :::*               LISTEN  817/rpc.statd
>   tcp6  :::111            :::*               LISTEN  1/systemd
>   udp   0.0.0.0:54902     0.0.0.0:*                  817/rpc.statd
>   udp   0.0.0.0:111       0.0.0.0:*                  1/systemd
>   udp   0.0.0.0:62840     0.0.0.0:*                  815/rpcbind
>   udp6  :::61316          :::*                       815/rpcbind
>   udp6  :::111            :::*                       1/systemd
>   udp6  :::58536          :::*                       817/rpc.statd
>   [root@cerberus ~]# pstree
>   systemd─┬─agetty
>           ├─atd
>           ├─auditd───{auditd}
>           ├─crond
>           ├─dbus-broker-lau───dbus-broker
>           ├─gssproxy───5*[{gssproxy}]
>           ├─mcelog
>           ├─nfsdcld
>           ├─rngd───4*[{rngd}]
>           ├─rpc.idmapd
>           ├─rpc.mountd
>           ├─rpc.statd
>           ├─rpcbind
>           ├─rsyslogd───2*[{rsyslogd}]
>           ├─sshd───sshd───sshd───bash───pstree
>           ├─systemd-homed
>           ├─systemd-journal
>           ├─systemd-logind
>           └─systemd-udevd
>
> Where nfsdcld, rpc.idmapd and rpc.mountd have indeed been started
> but are not bound to any ports.

That looks good. (And rpc.mountd does still serve a purpose in the
NFSv4 case, answering requests from the kernel for information related
to exported filesystems.)

> But rpc.statd and rpcbind have also been started, and various ports
> have been opened, including port 111 which is bound to systemd. Is
> there a way to inhibit that for nfs4 only ?

Unlike rpc.mountd, there's no reason for those to be running at all.
You can mask the corresponding systemd units.

It'd be nice if there was a way to make that happen automatically if v2
and v3 are configured out in the configuration files, but I don't know
how to make that happen.

--b.

>
> The /etc/nfs.conf says:
>
>   [nfsd]
>   debug=0
>   threads=8
>   host=cerberus
>   port=1001
>   udp=n
>   tcp=y
>   vers2=n
>   vers3=n
>   vers4=y
>   vers4.0=y
>   vers4.1=y
>   vers4.2=y
>
> And nothing else. And yes, the port is intended to be "obscure".
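
The check and the masking step discussed in this message, as an added example that is not part of the original e-mail and is not nfs-utils code: it confirms that an nfs.conf disables v2 and v3, then flags the rpcbind, rpc.statd and port 111 listeners seen in the quoted netstat output. The function names, the accepted "off" spellings and the systemd unit names are assumptions.

```shell
# Succeeds if the nfs.conf text on stdin turns vers2 and vers3 off in [nfsd].
# Assumption: n/no/0/f/false/off are the spellings that mean "off".
v4_only() {
    awk '
        { gsub(/[ \t]/, ""); line = tolower($0) }
        line ~ /^\[/ { in_nfsd = (line == "[nfsd]"); next }
        in_nfsd && line ~ /^vers[23]=/ {
            split(line, kv, "=")
            off[kv[1]] = (kv[2] ~ /^(n|no|0|f|false|off)$/)
        }
        END { exit !(off["vers2"] && off["vers3"]) }
    '
}

# Prints "proto local-address program" for every listener owned by rpcbind or
# rpc.statd, or bound to port 111 (shown in the message as held by systemd).
unneeded_listeners() {
    awk '
        $1 !~ /^(tcp|udp)6?$/ || $3 !~ /:\*$/ { next }   # listeners only
        {
            prog = "-"
            for (i = 4; i <= NF; i++)
                if ($i ~ /^[0-9]+\//) { prog = $i; sub(/^[0-9]+\//, "", prog) }
            port = $2; sub(/.*:/, "", port)
            if (prog == "rpcbind" || prog == "rpc.statd" || port == "111")
                print $1, $2, prog
        }
    '
}

# Listener lines copied from the netstat output quoted in the message.
sample_netstat() {
    cat <<'EOF'
tcp  10.25.54.61:1022 0.0.0.0:*          LISTEN 767/sshd
tcp  79.xx.xx.xx:1001 0.0.0.0:*          LISTEN -
tcp  0.0.0.0:46921    0.0.0.0:*          LISTEN 817/rpc.statd
tcp  0.0.0.0:111      0.0.0.0:*          LISTEN 1/systemd
tcp  10.25.54.61:1022 79.xx.xx.xx:57456  ESTAB. 770/sshd:
udp  0.0.0.0:62840    0.0.0.0:*                 815/rpcbind
EOF
}

# Remediation from the reply: mask the units so nothing can start them.
# Assumption: unit names as packaged on Fedora-like systems; confirm them
# with `systemctl list-unit-files` before masking. Not called here.
mask_v3_helpers() {
    systemctl mask --now rpcbind.service rpcbind.socket rpc-statd.service
}

sample_netstat | unneeded_listeners
```

On a live host, feed `v4_only` from `/etc/nfs.conf` and `unneeded_listeners` from the same netstat invocation before and after masking; the second run should print nothing.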