NFS Server, Supporting Only Version 4

Hello,

I have an NFS server running on FreeBSD 9.1 that I would like to configure to only allow clients to mount shares using version 4. Any requests for anything else should be denied. I have a proprietary system that supports such a configuration, for example:

If I try to mount this filesystem somewhere else using version 3, it will fail.
Code:
[root@hostname_obscured mnt]# df -TP /dir/obscured
Filesystem    Type 1024-blocks      Used Available Capacity Mounted on
nfs_only:/v4share_only nfs4  10325760    268192  10057568       3% /dir/mountpoint

[root@hostname_obscured mnt]# mount -o nfsvers=3 nfs_only:/v4share_only /dir/test/
mount.nfs: access denied by server while mounting nfs_only:/v4share_only

If I use version 4, the attempt to mount will succeed:
Code:
[root@hostname_obscured mnt]# mount -o nfsvers=4 nfs_only:/v4share_only /dir/test/
[root@lnxb40403 mnt]# echo $?
0

On the client (RHEL 6.2), the main nomenclature that I see "at a glance" with servers that permit NFSv4 only is that df -T (on the Linux client) reports those shares as nfs4, whereas servers that permit either NFSv4 or earlier simply report the mount as an "nfs" mount.

On my FreeBSD server, as well as on a storage platform we are evaluating (EMC Isilon), I can allow NFS, but I want to only permit version 4.

The following sites showed how to configure my FreeBSD server for NFS:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-nfs.html
http://forums.freebsd.org/showthread.php?t=23526

Based on those links I configured my server as follows:
Code:
[user@freebsd_server ~]$ cat /etc/exports
V4: / -network 192.168.0.0 -mask 255.255.255.0
/usr/local/nfs4_root/data -maproot=root nfs_client.company.com

From the client side, using version 3.
Code:
[root@nfs_client ~]# showmount -e freebsd_server
Export list for freebsd_server:
/usr/local/nfs4_root/data nfs_client.company.com
[root@nfs_client ~]# mount -onfsvers=3 freebsd_server:/usr/local/nfs4_root/data /mnt
[root@nfs_client ~]# echo $?
0
[root@nfs_client ~]# df -TP /mnt
Filesystem    Type 1024-blocks      Used Available Capacity Mounted on
freebsd_server:/usr/local/nfs4_root/data nfs 430894720  10113408 420781312       3% /mnt

From the client side, using version 4.
Code:
[root@nfs_client ~]# umount /mnt
[root@nfs_client ~]# mount -onfsvers=4 freebsd_server:/usr/local/nfs4_root/data /mnt
[root@nfs_client ~]# echo $?
0
[root@nfs_client ~]# df -TP /mnt
Filesystem    Type 1024-blocks      Used Available Capacity Mounted on
freebsd_server:/usr/local/nfs4_root/data nfs 430894720  10113408 420781312       3% /mnt

Any guidance and information that you can provide is greatly appreciated.

Radesh Singh
 
I did a little more research and learned that a "pure" NFS Version 4 (NFSv4) server should not answer showmount requests, as there is no mountd in NFSv4. The examples I used would seem to show that nfsd running on my FreeBSD server is not configured in an NFSv4 only manner.

I noticed that I forgot to show my NFS-specific /etc/rc.conf configuration.

Code:
# enable NFS server
nfsv4_server_enable="YES"
nfsuserd_enable="YES"
 
Easy. Set this in your /etc/sysctl.conf.
Code:
vfs.nfsd.server_min_nfsvers=4
It will get picked up during the next reboot or you can just put it into effect by doing # sysctl vfs.nfsd.server_min_nfsvers=4
 
Thanks for the information. I'm testing it out and will reply with my results.

The initial tests look very promising, as once I changed it using sysctl vfs.nfsd.server_min_nfsvers=4 I couldn't mount the filesystem using mount -onfsvers=3. I tried to mount using mount -onfsvers=4 and received an error, but that could be evidence of "some misconfiguration" on my part.

Thanks again.
 
Ok, I just confirmed that setting sysctl vfs.nfsd.server_min_nfsvers=4 does in fact prevent non-v4 mounts.

Additionally, I have the following settings configured in my /etc/rc.conf:
Code:
nfsv4_server_enable="YES"
nfsuserd_enable="YES"
rpcbind_enable="YES"
nfs_server_enable="YES"
mountd_enable="YES"
mountd_flags="-r"
rpc_lockd_enable="YES"
rpc_statd_enable="YES"

I need to do some more testing to find out what options are required for an NFSv4 server, but nonetheless testing at least now results in only version 4 being available to be mounted.

Thanks again.
 
Great. With regard to your comment about a "pure" NFSv4 server that doesn't respond to showmount -e requests, if you look at the file /etc/rc.d/nfsd it is fairly clear what is going on. It sets a similar max NFS version sysctl and either starts the old or new NFS server based on /etc/rc.conf options. At the very end, it forces starting of rpcbind and mountd. So it would not appear you can get away from those at this time.

*EDIT*
I just noticed you are starting lockd and statd. That functionality is built into NFSv4 so those are irrelevant and you can safely disable them. I've been using that same configuration with the minimum version set for the past year.
 
I haven't spent much time looking at the startup script, and will certainly do so in my testing. Thanks for the information.
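
Added example, not part of the thread or of FreeBSD's own scripts: a static check for the settings the posts above arrive at (vfs.nfsd.server_min_nfsvers=4 in /etc/sysctl.conf, nfsv4_server_enable in /etc/rc.conf, lockd and statd left off). The function names and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: static audit of the NFSv4-only settings discussed in this thread.

# Print the last value assigned to KEY ($2) in FILE ($1), quotes stripped,
# comments ignored. Both rc.conf and sysctl.conf are applied top to bottom,
# so the last assignment is the effective one.
conf_get() {
    sed -n -e 's/#.*//' -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tr -d "\"'" | sed 's/[[:space:]]*$//' | tail -n 1
}

# Print one FINDING line per problem; return 0 only when nothing is flagged.
audit_nfsv4_only() {
    rc=$1 sysctl=$2 findings=0
    flag() { echo "FINDING: $1"; findings=$((findings + 1)); }

    min=$(conf_get "$sysctl" vfs.nfsd.server_min_nfsvers)
    if [ "$min" != 4 ]; then
        flag "vfs.nfsd.server_min_nfsvers is '${min:-unset}', so NFSv3 mounts are accepted"
    fi

    v4=$(conf_get "$rc" nfsv4_server_enable | tr '[:lower:]' '[:upper:]')
    if [ "$v4" != YES ]; then flag "nfsv4_server_enable is not YES"; fi

    # Per the reply above, locking is built into NFSv4, so these can be disabled.
    for svc in rpc_lockd_enable rpc_statd_enable; do
        val=$(conf_get "$rc" "$svc" | tr '[:lower:]' '[:upper:]')
        if [ "$val" = YES ]; then flag "$svc=YES is not needed for NFSv4"; fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample files: rc.conf as posted in the thread with no sysctl set
# ("before"), then with the sysctl added and lockd/statd removed ("after").
tmp=$(mktemp -d)
printf '%s\n' 'nfsv4_server_enable="YES"' 'nfsuserd_enable="YES"' \
    'mountd_enable="YES"' 'rpc_lockd_enable="YES"' \
    'rpc_statd_enable="YES"' > "$tmp/rc.before"
: > "$tmp/sysctl.before"
grep -v '^rpc_' "$tmp/rc.before" > "$tmp/rc.after"
echo 'vfs.nfsd.server_min_nfsvers=4' > "$tmp/sysctl.after"

echo "== before =="
audit_nfsv4_only "$tmp/rc.before" "$tmp/sysctl.before" || echo "not NFSv4-only"
echo "== after =="
audit_nfsv4_only "$tmp/rc.after" "$tmp/sysctl.after" && echo "NFSv4-only settings present"
```

This reads the files only; the value actually in effect is what sysctl vfs.nfsd.server_min_nfsvers reports on the running server, and a refused mount -o nfsvers=3 from a client remains the real test.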
 