Debian Bug report logs - #477503
nfs-common: tcp mounts require udp

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Andy Wettstein <ajw1980@gmail.com>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: nfs-common: tcp mounts require udp

Date: Wed, 23 Apr 2008 10:44:46 -0500

Package: nfs-common
Version: 1:1.1.2-2
Severity: normal

If I block UDP connections to a NFS server and try to NFS mount
something on the server with TCP it fails.

# iptables -A OUTPUT -p udp -d nfs-server -j DROP
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       udp  --  anywhere             nfs-server.localdomain  

# mount -t nfs -o tcp -v nfs-server:/data /mnt
mount.nfs: timeout set for Wed Apr 23 10:33:14 2008
mount.nfs: text-based options: 'tcp,addr=192.168.0.1'
mount.nfs: internal error

# iptables -F
# mount -t nfs -o tcp -v nfs-server:/data /mnt
mount.nfs: timeout set for Wed Apr 23 10:39:45 2008
mount.nfs: text-based options: 'tcp,addr=192.168.0.1'
nfs-server:/data on /mnt type nfs (rw,tcp)

I've tested a few other distros ( Ubuntu 6.06, Scientific Linux 4,
Scientific Linux 5 ) and TCP mounts still work if I block UDP.  

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages nfs-common depends on:
ii  adduser               3.107              add and remove users and groups
ii  initscripts           2.86.ds1-56        Scripts for initializing and shutt
ii  libc6                 2.7-10             GNU C Library: Shared libraries
ii  libcomerr2            1.40.8-2           common error description library
ii  libevent1             1.3e-2             An asynchronous event notification
ii  libgssglue1           0.1-2              mechanism-switch gssapi library
ii  libkrb53              1.6.dfsg.3~beta1-4 MIT Kerberos runtime libraries
ii  libldap-2.4-2         2.4.7-6.2          OpenLDAP libraries
ii  libnfsidmap2          0.20-1             An nfs idmapping library
ii  librpcsecgss3         0.18-1             allows secure rpc communication us
ii  libwrap0              7.6.q-15           Wietse Venema's TCP wrappers libra
ii  lsb-base              3.2-10             Linux Standard Base 3.2 init scrip
ii  netbase               4.32               Basic TCP/IP networking system
ii  portmap               6.0-5              RPC port mapper
ii  ucf                   3.006              Update Configuration File: preserv

nfs-common recommends no packages.

-- no debconf information

Message #10 received at 477503-done@bugs.debian.org (full text, mbox, reply):

From: "Steinar H. Gunderson" <sgunderson@bigfoot.com>

To: Andy Wettstein <ajw1980@gmail.com>, 477503-done@bugs.debian.org

Subject: Re: Bug#477503: nfs-common: tcp mounts require udp

Date: Wed, 23 Apr 2008 18:14:39 +0200

On Wed, Apr 23, 2008 at 10:44:46AM -0500, Andy Wettstein wrote:
> If I block UDP connections to a NFS server and try to NFS mount
> something on the server with TCP it fails.

NFS needs portmapper to work, which uses UDP. Don't block it.

/* Steinar */
-- 
Homepage: http://www.sesse.net/

Message #15 received at 477503@bugs.debian.org (full text, mbox, reply):

From: Andy Wettstein <ajw1980@gmail.com>

To: 477503@bugs.debian.org

Subject: Re: Bug#477503 closed by "Steinar H. Gunderson" <sgunderson@bigfoot.com> (Re: Bug#477503: nfs-common: tcp mounts require udp)

Date: Wed, 23 Apr 2008 12:17:14 -0500

On Wed, Apr 23, 2008 at 04:18:07PM +0000, Debian Bug Tracking System wrote:
> 
> From: "Steinar H. Gunderson" <sgunderson@bigfoot.com>
> Date: Wed, 23 Apr 2008 18:14:39 +0200
> To: Andy Wettstein <ajw1980@gmail.com>, 477503-done@bugs.debian.org
> Subject: Re: Bug#477503: nfs-common: tcp mounts require udp
> 
> On Wed, Apr 23, 2008 at 10:44:46AM -0500, Andy Wettstein wrote:
> > If I block UDP connections to a NFS server and try to NFS mount
> > something on the server with TCP it fails.
> 
> NFS needs portmapper to work, which uses UDP. Don't block it.

The portmapper works just fine over TCP.  rpcinfo -p returns all the
information it should when UDP is blocked.  It would seem that when
performing an actual mount, though, a TCP connection to the portmapper 
is never attempted.

As I said, I've tested 3 other distributions that work fine when I do
this, so there has been some change in behavior to cause this.

Message #20 received at 477503@bugs.debian.org (full text, mbox, reply):

From: Andy Wettstein <ajw1980@gmail.com>

To: 477503@bugs.debian.org

Subject: Re: Bug#477503: Info received (Bug#477503 closed by "Steinar H. Gunderson" <sgunderson@bigfoot.com> (Re: Bug#477503: nfs-common: tcp mounts require udp))

Date: Wed, 23 Apr 2008 14:36:48 -0500

Did a little more testing.

This works fine with nfs-common 1:1.1.1-14, but breaks with 1:1.1.2-1.

Message #25 received at 477503@bugs.debian.org (full text, mbox, reply):

From: "Steinar H. Gunderson" <sgunderson@bigfoot.com>

To: Andy Wettstein <ajw1980@gmail.com>, 477503@bugs.debian.org

Subject: Re: Bug#477503: closed by "Steinar H. Gunderson" <sgunderson@bigfoot.com> (Re: Bug#477503: nfs-common: tcp mounts require udp)

Date: Wed, 23 Apr 2008 21:58:08 +0200

On Wed, Apr 23, 2008 at 12:17:14PM -0500, Andy Wettstein wrote:
>> NFS needs portmapper to work, which uses UDP. Don't block it.
> The portmapper works just fine over TCP.  rpcinfo -p returns all the
> information it should when UDP is blocked.  It would seem that when
> performing an actual mount, though, a TCP connection to the portmapper 
> is never attempted.
> 
> As I said, I've tested 3 other distributions that work fine when I do
> this, so there has been some change in behavior to cause this.

Do they have separate /sbin/mount.nfs? Debian was, TTBOMK, one of the first
distributions that enabled this (new in nfs-utils 1.1.1, IIRC), so there
might be a difference there.

In any case, DROPing packets is fundamentally Not A Good Thing -- there
should at least be a REJECT so the other side has a reasonable chance of
knowing what's going on.

/* Steinar */
-- 
Homepage: http://www.sesse.net/

Message #30 received at 477503@bugs.debian.org (full text, mbox, reply):

From: Andy Wettstein <ajw1980@gmail.com>

To: "Steinar H. Gunderson" <sgunderson@bigfoot.com>

Cc: 477503@bugs.debian.org

Subject: Re: Bug#477503: closed by "Steinar H. Gunderson" <sgunderson@bigfoot.com> (Re: Bug#477503: nfs-common: tcp mounts require udp)

Date: Wed, 23 Apr 2008 16:08:13 -0500

On Wed, Apr 23, 2008 at 09:58:08PM +0200, Steinar H. Gunderson wrote:
> On Wed, Apr 23, 2008 at 12:17:14PM -0500, Andy Wettstein wrote:
> >> NFS needs portmapper to work, which uses UDP. Don't block it.
> > The portmapper works just fine over TCP.  rpcinfo -p returns all the
> > information it should when UDP is blocked.  It would seem that when
> > performing an actual mount, though, a TCP connection to the portmapper 
> > is never attempted.
> > 
> > As I said, I've tested 3 other distributions that work fine when I do
> > this, so there has been some change in behavior to cause this.
> 
> Do they have separate /sbin/mount.nfs? Debian was, TTBOMK, one of the first
> distributions that enabled this (new in nfs-utils 1.1.1, IIRC), so there
> might be a difference there.

If you saw my other email 1.1.1 worked, so I did a git bisect and got this:
46704243eb10718c722607cc7f66703e3eb3ac9c is first bad commit
commit 46704243eb10718c722607cc7f66703e3eb3ac9c
Author: Steve Dickson <steved@redhat.com>
Date:   Fri Jan 4 10:26:21 2008 -0500

    Get rid of the "-i" option for mount.nfs[4] and always use the text-
    based mount(2) system call for kernel version 2.6.23 and later.
    
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Signed-off-by: Steve Dickson <steved@redhat.com>

:040000 040000 685d6be1c92aef0315bd8f60233df2251a1c4b46 d4d73fef7c72b5a0ac20b50c4ba9d0d0ec7247d0 M utils

Message #35 received at 477503@bugs.debian.org (full text, mbox, reply):

From: "Frank A. Kingswood" <frank@kingswood-consulting.co.uk>

To: 477503@bugs.debian.org

Subject: Also fails when using tunneling

Date: Sat, 26 Apr 2008 05:43:57 +0100

Another data point.

I'm using tunneling over an ssh connection as my only means of access to 
my nfs server.
This fails with a mount.nfs internal error since installing nfs-common 
1.1.2-2.

I hope this bug did not get closed?

Message #40 received at 477503@bugs.debian.org (full text, mbox, reply):

From: "Frank A. Kingswood" <frank@kingswood-consulting.co.uk>

To: 477503@bugs.debian.org

Subject: Workaround in mount.nfs code

Date: Sat, 26 Apr 2008 15:59:02 +0100

After downloading nfs-utils-1.1.2, I made this change:

--- nfs-utils-1.1.2/utils/mount/mount.c    2008-03-14 15:46:29.000000000 
+0000
+++ nfs-utils-1.1.2-changed/utils/mount/mount.c    2008-04-26 
15:49:55.000000000 +0100
@@ -191,7 +191,8 @@
        nfs_mount_data_version = NFS_MOUNT_VERSION;
    else
        if (kernel_version > MAKE_VERSION(2, 6, 22))
-            string++;
+            printf("/usr/local/sbin/mount.nfs: not using string\n");
+            /* string++; */
}

static void print_one(char *spec, char *node, char *type, char *opts)

and installing a symlink to this version as /sbin/mount.nfs makes it 
work for me again.

What is the kernel option supposed to be that enables nfs string options 
to be used?
I'm running 2.6.25, and part of my kernel config is

# CONFIG_UFS_FS is not set
CONFIG_NETWORK_FILESYSTEMS=y
CONFIG_NFS_FS=y
CONFIG_NFS_V3=y
# CONFIG_NFS_V3_ACL is not set
CONFIG_NFS_V4=y
# CONFIG_NFS_DIRECTIO is not set
# CONFIG_NFSD is not set
CONFIG_LOCKD=y
CONFIG_LOCKD_V4=y
CONFIG_NFS_COMMON=y
CONFIG_SUNRPC=y
CONFIG_SUNRPC_GSS=y
# CONFIG_SUNRPC_BIND34 is not set
CONFIG_RPCSEC_GSS_KRB5=y
# CONFIG_RPCSEC_GSS_SPKM3 is not set
# CONFIG_SMB_FS is not set

Frank

Message #45 received at 477503@bugs.debian.org (full text, mbox, reply):

From: Jose Paulo Moitinho de Almeida <moitinho@civil.ist.utl.pt>

To: 477503@bugs.debian.org

Subject: Same problem with a tru64 server and report on the workaround

Date: Mon, 5 May 2008 12:22:50 +0100

After installing the latest nfs-common package (1.1.2-2.) I got a
"mount.nfs: internal error" when mounting a device exported from a compaq 
tru64 machine, which has not been reconfigured fro a while. So  the problem 
is not (only) related to udp and tcp.

After applying the patch proposed by Frank A. Kingswood (remove string 
interface in mount.c) I got a working mount.nfs.

Regards

ZP

Message #50 received at 477503@bugs.debian.org (full text, mbox, reply):

From: "Christian Cier-Zniewski" <c.cier@gmx.de>

To: 477503@bugs.debian.org

Subject: RE: nfs-common: tcp mounts require udp

Date: Thu, 29 May 2008 16:31:46 +0200

Maybe another workaround:

Only one TCP port (2049) is allowed between my NFSv4 server (named fileserver) and the NFSv4 client. No UDP. Nothing else.

If I try to mount the NFSv4 share on the client, I get the "internal error" and dmesg says this:

[804341.976474] rpcbind: server fileserve not responding, timed out
[804620.312930] nfs: server fileserve not responding, timed out

As you can see, the last letter "r" is missing. This also happens to IP addresses where the last digit is missing then. But this does not seem to be the cause for the "internal error".

Now I found this in "man nfs":

[...]
Valid options for the nfs4 file system type

port=n         

The numeric value of the server's NFS service port.  If the server's NFS service is not available on the specified port,  the  mount                      request fails.

If  this mount option is not specified, the NFS client uses the standard NFS port number of 2049 without first checking the server's                      rpcbind service.  This allows an NFS version 4 client to contact an NFS version 4 server through a firewall that may  block  rpcbind                      requests.

[...]

Important is the _last_ part. The nfs client is supposed to try only TCP port 2049 without asking rpcbind first if the "port=" option is _NOT_ given.

But this is simply not the case. It definitly asks rpcbind which fails because UDP is blocked. So the whole mount requests times out and gives the "internal error" then.

I managed to get around this by specifing "port=2049" in the mount options. Now it seems to work. No more rpcbind errors in dmesg output. So I assume that rpcbind is not asked anymore. 

So at least there is a discrepancy between the man page and the actual behaviour of NFSv4 mounts with respect to one-tcp-port-only-mounts.

BR,
Christian

-- 
Super-Aktion nur in der GMX Spieleflat: 10 Tage für 1 Euro.
Über 180 Spiele downloaden: http://flat.games.gmx.de

Message #55 received at 477503@bugs.debian.org (full text, mbox, reply):

From: William Hammack <hammack@netbox.com>

To: 477503@bugs.debian.org

Subject: More detail on Frank's workaround?

Date: Sat, 31 May 2008 15:51:53 -0500

Frank,
 I very much appreciate you detailing a workaround to this most annoying
bug. When you modified mount.c did you then recreate the nfs-common.deb
and reinstall it? When I do this /usr/local/sbin/mount.nfs is NOT
generated ... perhaps I'm missing a step here. Any info on what what you
did after modifying source would be appreciated.

  Bill

Message #60 received at 477503@bugs.debian.org (full text, mbox, reply):

From: William Hammack <hammack@netbox.com>

To: 477503@bugs.debian.org

Subject: Rebuilding Deb packages

Date: 31 May 2008 19:28:24 -0500

I found all the detail I needed at

http://www.debian-administration.org/articles/20

Frank's workaround works well for me. (I am doing ssh tunnelling over
tcp.) Sorry I didn't find this earlier.

Message #65 received at 477503@bugs.debian.org (full text, mbox, reply):

From: William Hammack <hammack@netbox.com>

To: 477503@bugs.debian.org

Subject: Implementing workaround

Date: Sun, 01 Jun 2008 11:04:40 -0500

Frank Kingswood kindly spelled out the changes need to the source code
to enable nfs to use only tcp when doing ssh tunnelling. I have spelled
out clearly the procedure for implementing this solution for Ubuntu
Hardy at  https://bugs.launchpad.net/ubuntu/+bug/213444 (see post
"Details of Workaround"), although the .deb I created won't work for
debian sid, the process should be the same. I believe the only
difference is that the name of the newly created .deb will be different.
In ubuntu it is called nfs-common_1.1.2-2ubuntu2.1_i386.deb -- it would
be nice if users of Debian sid would chime on the proper name in Debian.
Regardless, if you follow the process described it will deposit the .deb
- without you knowing the correct name - in the subdirectory where you
create the new .deb.
-- 
--------------------------------------------------
William S. Hammack
Department of Chemical & Biomolecular Engineering
Box C-3, 600 S. Mathews Avenue
University of Illinois
Urbana, IL 61801
217-244-4146
hammack@netbox.com
www.engineerguy.com
IM: ProfHammack (AIM/AOL, MSN/Hotmail, GoogleTalk, Yahoo)

Send a report that this bug log contains spam.