[LUNA] NFS on unprivileged ports ....

Bob Nance bob.nance at novationsys.com
Tue Aug 26 10:05:00 CDT 2014


Go look at your “mountd” options and see if there is one that allows connections from an unprivileged port (a port higher than 1024, as all ports under 1024 can only be opened by a “root” level account/process). It’s likely that it is NOT an option. I think at least one BSD build of mountd offered a “-n” option, but I don’t think it’s there in any of the Linux distros.

The real fix would be to get the offending connection to use the right port. Can you make it a system-based mount instead of a user-environment mount? That might fix it by allowing the NFS mount program to use a port lower than 1024.

-Bob



---
  Bob Nance
  Novation Systems
  bob.nance at novationsys.com
  256-534-4620

On Aug 26, 2014, at 9:30 AM, William A. Mahaffey III <wam at HiWAAY.net> wrote:

> 
> 
> .... I have nfsd running on my FBSD 9.3 desktop, exporting /home (~3.6 TiB). I can mount/see/use it from all other machines on my LAN (all Linux boxen) *except* for a CentOS 5.n VM running on one of the other boxen. When the VM tries to (auto)mount the exported partition on the FBSD box ('jaguar'), I get the following (from earlier this A.M.):
> 
> 
> [root at centos-5:/etc, Tue Aug 26, 06:28 AM] 1008 # lf /net/jaguar/home/ /net/q6600/home/   /net/opty165a/work/ /net/opty165a/home/   /net/cube/home/
> ls: /net/jaguar/home/: No such file or directory
> /net/cube/home/:
> Opty165A/  Q6600/  VMs/  archive/  lost+found/  makedepend*  pub/ wam/
> 
> /net/opty165a/home/:
> FTP/  RPMs/  SGI/  archive/  lost+found/  rsync/  wam/
> 
> /net/opty165a/work/:
> FTP/  ISOs/  RPMs/  VMs/  archive/  lost+found/  vmware/  wam/
> 
> /net/q6600/home/:
> FTP/  ISOs/  VMs/  archive/  lost+found/  rsync/  wam/  work/
> [root at centos-5:/etc, Tue Aug 26, 06:29 AM] 1009 # df ; w ; /sbin/swapon -s ; free -m ; uname -a ; hwclock  -r;  date
> Filesystem    Type   1K-blocks      Used Available Use% Mounted on
> /dev/mapper/VolGroup00-LogVol00
>              ext3    46691248   7505344  36775820  17% /
> /dev/hda1     ext3      101086     26854     69013  29% /boot
> tmpfs        tmpfs     1029372         0   1029372   0% /dev/shm
> q6600:/home    nfs   1906370560 1025951744 783581184  57% /net/q6600/home
> opty165a:/work nfs   480719104 410868736  45431040  91% /net/opty165a/work
> opty165a:/home nfs   473086208 351912192  96754944  79% /net/opty165a/home
> cube:/home     nfs   155794432 143113728   4638976  97% /net/cube/home
> 06:29:20 up 121 days, 12:12,  3 users,  load average: 0.04, 0.02, 0.00
> USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
> wam      pts/0    192.168.122.1    Thu07   46:20m  1.96s  1.96s -tcsh
> root     pts/1    192.168.122.1    Sun08   46:11m  0.09s  0.09s -bash
> root     pts/2    192.168.122.1    Sun08    0.00s  0.09s  0.08s -bash
> Filename                                Type            Size Used Priority
> /dev/mapper/VolGroup00-LogVol01         partition       4095992 76      -1
>             total       used       free     shared    buffers cached
> Mem:          2010       1891        118          0 327        943
> -/+ buffers/cache:        620       1389
> Swap:         3999          0       3999
> Linux centos-5.6-vm 2.6.18-371.8.1.el5.centos.plus #1 SMP Thu Apr 24 18:32:18 EDT 2014 x86_64 x86_64 x86_64 GNU/Linux
> Tue Aug 26 06:29:28 2014  -1.008094 seconds
> Tue Aug 26 06:29:21 CDT 2014
> [root at centos-5:/etc, Tue Aug 26, 06:29 AM] 1010 #
> 
> 
> i.e., it can see all other exported partitions except the FBSD (jaguar). On the FBSD box, I get the following:
> 
> 
> 
> [root at kabini1, /etc, 6:24:31am] 708 %  grep vfs LIST.sysctl-A.txt | grep nfs | grep priv
> vfs.nfsd.nfs_privport: 0
> [root at kabini1, /etc, 6:24:50am] 709 %  service  mountd  status
> Cannot 'status' mountd. Set mountd_enable to YES in /etc/rc.conf or use 'onestatus' instead of 'status'.
> [root at kabini1, /etc, 6:26:08am] 710 %  service mountd onestatus
> mountd is running as pid 718.
> [root at kabini1, /etc, 6:26:16am] 711 %  ps -aux | grep mountd
> root         718   0.0  0.0  16180  3836 ??  Is   15Aug14 0:00.03 /usr/sbin/mountd -r
> root       51859   0.0  0.0  16332  2024 10  S+    6:26AM 0:00.00 grep mountd
> wam        51820   0.0  0.0  14544  2428 17  I+    6:22AM 0:00.01 /bin/sh /usr/bin/man mountd
> [root at kabini1, /etc, 6:26:35am] 712 %  grep -i mountd rc.d/*
> rc.d/mountd:# $FreeBSD: releng/9.3/etc/rc.d/mountd 231792 2012-02-15 22:59:15Z dougb $
> rc.d/mountd:# PROVIDE: mountd
> rc.d/mountd:name="mountd"
> rc.d/mountd:rcvar="mountd_enable"
> rc.d/mountd:start_precmd="mountd_precmd"
> rc.d/mountd:mountd_precmd()
> rc.d/mountd:    # mountd flags will differ depending on rc.conf settings
> rc.d/mountd:            if checkyesno weak_mountd_authentication; then
> rc.d/mountd:                    rc_flags="${mountd_flags} -n"
> rc.d/mountd:            if checkyesno mountd_enable; then
> rc.d/mountd:                    checkyesno weak_mountd_authentication && rc_flags="-n"
> rc.d/mountd:    rm -f /var/db/mountdtab
> rc.d/mountd:    ( umask 022 ; > /var/db/mountdtab ) ||
> rc.d/mountd:        err 1 'Cannot create /var/db/mountdtab'
> rc.d/nfsd:# REQUIRE: mountd hostname gssd nfsuserd
> rc.d/nfsd:      force_depend mountd || return 1
> [root at kabini1, /etc, 6:27:19am] 713 %  (tail -10 /var/log/messages ; date)
> Aug 24 08:09:44 kabini1 mountd[718]: mount request from 192.168.0.9 from unprivileged port
> Aug 24 08:18:12 kabini1 mountd[718]: mount request from 192.168.0.9 from unprivileged port
> Aug 24 08:18:51 kabini1 su: wam to root on /dev/pts/19
> Aug 24 08:52:04 kabini1 mountd[718]: mount request from 192.168.0.9 from unprivileged port
> Aug 24 09:10:23 kabini1 ntpd[804]: time reset +0.186836 s
> Aug 24 11:37:21 kabini1 dbus[738]: [system] Failed to activate service 'org.freedesktop.Avahi': timed out
> Aug 24 11:38:57 kabini1 dbus[738]: [system] Failed to activate service 'org.freedesktop.Avahi': timed out
> Aug 24 11:40:21 kabini1 dbus[738]: [system] Failed to activate service 'org.freedesktop.Avahi': timed out
> Aug 24 11:48:49 kabini1 last message repeated 7 times
> Aug 26 06:29:25 kabini1 mountd[718]: mount request from 192.168.0.9 from unprivileged port
> Tue Aug 26 06:30:14 CDT 2014
> [root at kabini1, /etc, 6:30:14am] 714 %
> 
> 
> i.e., the mount request from the VM is apparently coming in on an unprivileged port & the FBSD box's mountd is dropping/ignoring it. The other boxen handle it OK. I have ipfw dropping all such traffic *not* originating on my LAN, so I don't mind using the unprivileged port (I don't think there are any security issues). How do I get FBSD's nfsd/mountd to allow/handle the mount request on unprivileged ports ? TIA ....
> 
> 
> 
> -- 
> 
> 	William A. Mahaffey III
> 
> ----------------------------------------------------------------------
> 
> 	"The M1 Garand is without doubt the finest implement of war
> 	 ever devised by man."
>                           -- Gen. George S. Patton Jr.
> 
> _______________________________________________
> LUNA mailing list
> LUNA at lunagroup.us
> http://lunagroup.us/mailman/listinfo/luna
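
Added example, not part of the original thread: a shell function that tallies, per client address, the mountd "from unprivileged port" rejections shown in the quoted /var/log/messages output, including syslog's "last message repeated N times" lines. The function names and the sample log (with the extra client 192.168.0.23) are constructed for illustration.

```shell
# Constructed sample, modelled on the syslog lines quoted in the thread.
sample_log() {
cat <<'EOF'
Aug 24 08:09:44 kabini1 mountd[718]: mount request from 192.168.0.9 from unprivileged port
Aug 24 08:18:12 kabini1 last message repeated 2 times
Aug 24 08:18:51 kabini1 su: wam to root on /dev/pts/19
Aug 24 11:37:21 kabini1 dbus[738]: [system] Failed to activate service 'org.freedesktop.Avahi': timed out
Aug 24 11:48:49 kabini1 last message repeated 7 times
Aug 25 14:02:11 kabini1 mountd[718]: mount request from 192.168.0.23 from unprivileged port
Aug 26 06:29:25 kabini1 mountd[718]: mount request from 192.168.0.9 from unprivileged port
EOF
}

# Reads syslog lines on stdin and prints one line per rejected client:
#   <count> <client> first=<timestamp> last=<timestamp>
# sorted by descending count. (Hypothetical helper, not a FreeBSD tool.)
unpriv_mount_summary() {
    awk '
    # syslog collapses identical consecutive messages; credit the repeats
    # to the client of the preceding line only if that line was a rejection.
    $5 == "last" && $6 == "message" && $7 == "repeated" {
        if (prev != "") {
            n[prev] += $8
            last[prev] = $1 " " $2 " " $3
        }
        next
    }
    $5 ~ /^mountd\[[0-9]+\]:$/ && / mount request from [^ ]+ from unprivileged port$/ {
        ip = $9
        ts = $1 " " $2 " " $3
        if (!(ip in n)) first[ip] = ts
        n[ip]++
        last[ip] = ts
        prev = ip
        next
    }
    { prev = "" }   # any other message breaks the repeat chain
    END {
        for (ip in n)
            printf "%d %s first=%s last=%s\n", n[ip], ip, first[ip], last[ip]
    }' | sort -k1,1nr -k2,2
}

sample_log | unpriv_mount_summary
```

On the server the same function can be fed the real log, e.g. `unpriv_mount_summary < /var/log/messages`, to see which clients are being refused before deciding whether to relax the port check.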


