[linux] Force mountd to use UDP

zanfur at zanfur.com zanfur at zanfur.com
Thu Dec 2 18:05:29 PST 2004


On Thu, Dec 02, 2004 at 04:02:09PM -0800, Cere M. Davis wrote:
>
> I just knew you'd come up with some kind of elaborate yet does-the-job kind
> of answer. ;)


/me bows

Thank you, but I really can't take the credit on this one. Just a couple
days ago, another sysadmin and I were playing around with jury-rigging
portmap, nfsd, and mountd for a related problem (trying to mount an nfs
share via udp inside/through a FreeBSD jail, over tcp ssh tunnels -- it
was a mess). Also, I know Michal, and we've put our heads together on nfs
problems on his machines before, so I had all kinds of recent research and
experience still banging around in my head. It just happened to be one of
the questions I could answer, as opposed to the millions I can't ...
portmap (and rpc in general) has ever confused me.

I don't know why RedHat comes with nfs over tcp as the default protocol.
It's a huge slowdown in performance, and nfsd already handles
retransmission of dropped packets, etc. I suppose it allows for easier
passages through firewalls, but the idea of allowing nfs packets past any
border router at all gives me the willies.

Cheers!
-robin



>
> -Cere
>
> On Thu, 2 Dec 2004 zanfur at zanfur.com wrote:
>
> > Date: Thu, 2 Dec 2004 14:46:08 -0800
> > From: zanfur at zanfur.com
> > Reply-To: Linux/Unix Users Group at the UW <linux at u.washington.edu>
> > To: Michal <michalg at gmail.com>,
> > Linux/Unix Users Group at the UW <linux at u.washington.edu>
> > Subject: Re: [linux] Force mountd to use UDP
> >
> > Michal:
> >
> > The rpc.mountd daemon registers program 100005 (mountd) with the
> > portmapper, not 100003 (nfs). This is the daemon that handles the mount
> > rpc call, but the nfs daemon handles the nfs requests -- so you can have a
> > tcp mount request that mounts nfs over udp, for example.
> >
> > To disable nfs over tcp functionality, you need to set CONFIG_NFSD_TCP=N
> > in the kernel configuration and recompile the module. You will of course
> > have to set CONFIG_NFSD equal to M or Y for this to work. I recommend
> > compiling it as a module twice, once with the tcp option turned on and
> > once with it turned off, so you can choose at a whim which one to load at
> > any given time.
> >
> > However, this isn't necessary to stop it from exporting over tcp. The
> > problem is that portmap is advertising nfs over tcp -- the kernel can
> > allow it all it wants, but if the rpcinfo call returns just the udp
> > services, that's all that will get used. There's a trick to unregistering
> > particular portmap services (blank lines added between commands for
> > clarity):
> >
> > # rpcinfo -u localhost 100003
> > program 100003 version 2 ready and waiting
> > program 100003 version 3 ready and waiting
> >
> > # rpcinfo -t localhost 100003
> > program 100003 version 2 ready and waiting
> > program 100003 version 3 ready and waiting
> >
> > # pmap_dump
> > 100000 2 tcp 111 portmapper
> > 100000 2 udp 111 portmapper
> > 100003 2 udp 2049 nfs
> > 100003 3 udp 2049 nfs
> > 100003 2 tcp 2049 nfs
> > 100003 3 tcp 2049 nfs
> > 100005 1 udp 769 mountd
> > 100005 1 tcp 772 mountd
> > 100005 2 udp 769 mountd
> > 100005 2 tcp 772 mountd
> > 100005 3 udp 769 mountd
> > 100005 3 tcp 772 mountd
> > 100024 1 udp 863 status
> > 100024 1 tcp 866 status
> >
> > # pmap_dump | egrep -v '100003.*tcp' > /tmp/pmap_dump.out
> >
> > # /etc/init.d/portmap stop
> >
> > # /etc/init.d/portmap start
> >
> > # pmap_dump
> > 100000 2 tcp 111 portmapper
> > 100000 2 udp 111 portmapper
> >
> > # pmap_set < /tmp/pmap_dump.out
> >
> > # pmap_dump
> > 100000 2 tcp 111 portmapper
> > 100000 2 udp 111 portmapper
> > 100003 2 udp 2049 nfs
> > 100003 3 udp 2049 nfs
> > 100005 1 udp 769 mountd
> > 100005 1 tcp 772 mountd
> > 100005 2 udp 769 mountd
> > 100005 2 tcp 772 mountd
> > 100005 3 udp 769 mountd
> > 100005 3 tcp 772 mountd
> > 100024 1 udp 863 status
> > 100024 1 tcp 866 status
> >
> > # rpcinfo -u localhost 100003
> > program 100003 version 2 ready and waiting
> > program 100003 version 3 ready and waiting
> >
> > # rpcinfo -t localhost 100003
> > rpcinfo: RPC: Program not registered
> > program 100003 is not available
> >
> > And voila! No more registered nfs over tcp, so no more exports over tcp.
> > To make it do that at boot, add the key lines of that to rc.local (these
> > are all you really need, the rest of the above was just information
> > commands to show the before and after states):
> >
> > # pmap_dump | egrep -v '100003.*tcp' > /tmp/pmap_dump.out
> >
> > # /etc/init.d/portmap stop
> >
> > # /etc/init.d/portmap start
> >
> > # pmap_set < /tmp/pmap_dump.out
> >
> > Cheers!
> > -robin
> >
> >
> > On Wed, Dec 01, 2004 at 05:54:22PM -0800, Michal wrote:
> > > I posted this question to comp.protocol.nfs this morning, but things
> > > are slow there.. so I'm hoping someone here can chime in with a clue.
> > > Thanks!
> > >
> > > ---
> > >
> > > My goal is to configure a server to avoid exporting its files over
> > > TCP. I want to force UDP.
> > >
> > > The server is Fedora Core 1, Linux kernel 2.4.22. On this server,
> > > "/usr/sbin/rpcinfo -p | grep nfs" reports:
> > >
> > > 100003 2 udp 2049 nfs
> > > 100003 3 udp 2049 nfs
> > > 100003 2 tcp 2049 nfs
> > > 100003 3 tcp 2049 nfs
> > >
> > > I modified the script /etc/init.d/nfs which starts NFS services such
> > > that rpc.mountd is started with the "--no-tcp" argument. The
> > > rpc.mountd documentation says this means "Don't advertise TCP for
> > > mount." Yet, rpcinfo still reports NFS services for both UDP and TCP.
> > > Mounting its exports on remote systems causes them to be mounted with
> > > "proto=tcp".
> > >
> > > There is another NFS server with an older version of Linux (2.4.18)
> > > running RedHat 7.3. Running "rpcinfo -p | grep nfs" on it reports:
> > >
> > > 100003 2 udp 2049 nfs
> > > 100003 3 udp 2049 nfs
> > >
> > > Mounting its exports on remote systems causes them to be mounted with
> > > "proto=udp".
> > >
> > > I don't know what else to try on the FC1 box to force it to stop
> > > servicing NFS/TCP services.
> > >
> > > Can anyone help?
> > >
> > > -Michal
> >
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Cere Davis
> Unix Systems Administrator - CSDE
> cere at u.washington.edu ph: 206.685.5346
> https://staff.washington.edu/cere
>
> GnuPG Key http://staff.washington.edu/cere/gpgkey.txt
> Key fingerprint = B63C 2361 3B9B 8599 ECC9 D061 3E48 A832 F455 9E7FA
>


--

Robin Battey
zanfur at zanfur.com

Messages from this address are signed with key 0x6A57B07D. Fingerprint:
3914 F63C A99C 8EC1 785B 8287 1D8B D2F3 6A57 B07D
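The portmap-filtering trick quoted in this thread, as an added worked example that is not part of the original messages or of any of the tools they mention. It replaces the thread's egrep -v '100003.*tcp' pattern with an awk test on the program-number and protocol columns, so only lines whose first field is 100003 and whose third field is tcp are dropped, and it runs against a constructed copy of the pmap_dump table from the post so the result can be checked offline. The apply_live function is the root-only equivalent of the rc.local snippet, written to a mktemp file rather than the fixed /tmp/pmap_dump.out name the post uses (a predictable name in /tmp written by root is a classic symlink-race target), and finished with an rpcinfo -t check; it is defined for reference and is not invoked by the script. One caveat a practitioner should keep in mind: this only removes the advertisement. As the post itself says, the kernel still accepts NFS over TCP on port 2049, so a client that passes proto=tcp,port=2049 explicitly, or anything that probes 2049/tcp directly, still gets service. To actually refuse TCP you need the CONFIG_NFSD_TCP=N rebuild the post describes, or a host firewall rule on 2049/tcp.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Filters a pmap_dump(8)-style registration table so that NFS (RPC program
# 100003) over TCP is dropped while every other registration is kept.
# awk field matching is used instead of the thread's egrep pattern so only
# the program-number and protocol columns are tested.

# Constructed copy of the pmap_dump output shown in the post.
# Columns: program version proto port name
SAMPLE_PMAP='100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100005 1 udp 769 mountd
100005 1 tcp 772 mountd
100005 2 udp 769 mountd
100005 2 tcp 772 mountd
100024 1 udp 863 status
100024 1 tcp 866 status'

# Remove every registration of program $1 over protocol $2.
# pmap_dump table on stdin, filtered table on stdout.
drop_registration() {
    awk -v prog="$1" -v proto="$2" '!($1 == prog && $3 == proto)'
}

# Count registrations of program $1 over protocol $2 in the table on stdin.
count_registration() {
    awk -v prog="$1" -v proto="$2" \
        '$1 == prog && $3 == proto { n++ } END { print n + 0 }'
}

# The constructed table with NFS/TCP stripped out.
filtered_table() {
    printf '%s\n' "$SAMPLE_PMAP" | drop_registration 100003 tcp
}

# Checks on the filtered table: what the procedure must and must not change.
nfs_tcp_after() {            # NFS over TCP: gone (0)
    filtered_table | count_registration 100003 tcp
}
nfs_udp_after() {            # NFS over UDP: versions 2 and 3 kept (2)
    filtered_table | count_registration 100003 udp
}
mountd_tcp_after() {         # mountd over TCP is a different program: untouched (2)
    filtered_table | count_registration 100005 tcp
}
lines_after() {              # 12 registrations minus the 2 dropped (10)
    filtered_table | wc -l | tr -d ' '
}

# Root-only equivalent of the thread's rc.local snippet, plus a check.
# Uses a mktemp file instead of a fixed /tmp name. Defined for reference;
# NOT invoked by this script.
apply_live() {
    out=$(mktemp) || return 1
    pmap_dump | drop_registration 100003 tcp > "$out"
    /etc/init.d/portmap stop
    /etc/init.d/portmap start
    pmap_set < "$out"
    rm -f "$out"
    # rpcinfo -t exits non-zero once the TCP registration is gone.
    if rpcinfo -t localhost 100003 >/dev/null 2>&1; then
        echo "WARNING: NFS over TCP is still registered with portmap" >&2
        return 1
    fi
}
```

Running the script defines the functions and the constructed table; calling nfs_tcp_after should print 0 while nfs_udp_after and mountd_tcp_after both print 2, which is the same before/after picture the post's rpcinfo and pmap_dump output shows. Remember that a clean rpcinfo -t result only proves the portmapper no longer answers for 100003/tcp, not that port 2049/tcp is closed.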