2008-07-29 17:52:08

by Mike Mackovitch

Subject: Re: Massive NFS problems on large cluster with large number of mounts

On Tue, Jul 29, 2008 at 07:32:03AM -0400, Jeff Layton wrote:
> IMNSHO, the whole concept of "privileged ports" is pretty antiquated
> anyway. It doesn't mean much unless you have a very tightly controlled
> physical network...
> Being able to allow the client to use non-privileged ports could be
> useful. It's less of a problem than it used to be since the NFS client
> shares sockets better now, but it could still be a problem in an HPC-type
> environment. The NFS server already has an option to allow for clients
> that do this so we might as well allow the client to do it too.
> I tend to be of the opinion that we should try to use option names that
> other OS's have already established where possible. This makes it easier
> for admins in mixed environments (shared autofs maps and fewer option
> synonyms to remember). My vote would be for calling the new option
> "insecure", or at least making "insecure" a synonym for whatever the
> new mount option is.

BSD has had such an option for years: "resvport"
You can make the default be enabled and if you don't
want it just specify "noresvport".

It has the added bonus that it doesn't falsely imply anything
about security. (If you want security, use Kerberos.)