NFSv4 Minimal Service Configuration: Required Daemons and Firewall Ports for Ubuntu 18.04



When running pure NFSv4 (without v3 compatibility), the architecture simplifies significantly compared to earlier versions. Here's what changes:

  • rpcbind: Not strictly needed for NFSv4 (TCP port 2049 handles all traffic)
  • rpc.mountd: Only required if you maintain v3 compatibility
  • lockd/statd: Optional for file locking (NLM protocol)

For a pure NFSv4 setup on Ubuntu 18.04, edit your /etc/default/nfs-kernel-server:

# Disable NFSv3 and unnecessary services
RPCNFSDOPTS="--nfs-version 4 --no-nfs-version 3"
RPCMOUNTDOPTS="--no-nfs-version 3"

Then restart services:

sudo systemctl restart nfs-kernel-server
sudo systemctl disable --now rpcbind

For NFSv4-only operation, you only need:

sudo ufw allow 2049/tcp  # NFSv4 runs over TCP only, so no 2049/udp rule is needed

Check active NFS services:

rpcinfo -p | grep nfs

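Expected output for pure NFSv4 should only show nfsd on port 2049. Because rpcinfo -p queries rpcbind, it returns a connection error rather than a listing once rpcbind has been disabled.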

If using sec=krb5 (recommended for security):

# In /etc/exports
/share *(rw,sync,sec=krb5)

# Required ports
sudo ufw allow 88/tcp  # Kerberos
sudo ufw allow 749/tcp # Kerberos admin

For granular control, create a custom systemd override:

# /etc/systemd/system/nfs-server.service.d/override.conf
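[Service]
# Exec* lines in a drop-in are appended to the unit's existing ones;
# an empty assignment clears the inherited list first.
ExecStartPre=
ExecStartPre=/usr/sbin/exportfs -r
ExecStart=
ExecStart=/usr/sbin/rpc.nfsd $RPCNFSDARGS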
ExecStopPost=/usr/sbin/rpc.nfsd 0

Unlike previous versions that relied heavily on RPC services, NFSv4 was designed to reduce complexity by consolidating functionality. Here's what you actually need:

# Required services for pure NFSv4
nfs-server.service  # Main NFS daemon
rpc-statd.service   # Status monitoring (optional but recommended)
rpc-svcgssd.service # Only if using Kerberos authentication

To achieve a clean v4-only setup on Ubuntu 18.04:

sudo systemctl stop rpcbind.service
sudo systemctl stop rpcbind.socket
sudo systemctl disable rpcbind.service
sudo systemctl disable rpcbind.socket
sudo systemctl mask rpcbind.service
sudo systemctl mask rpcbind.socket

# Edit /etc/nfs.conf to enforce NFSv4.
# The version switches are read from the [nfsd] section, alongside udp/tcp:
[nfsd]
vers4=y
vers3=n
vers2=n
udp=n
tcp=y

NFSv4 simplifies port requirements to just TCP 2049. Here's a UFW configuration example:

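# Open 2049/tcp to any source:
sudo ufw allow 2049/tcp
# Narrower alternative: allow a single client only (replace client_ip with its address).
# The rule above already covers this one, so use one or the other.
sudo ufw allow from client_ip to any port 2049 proto tcp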

# For statd (optional):
sudo ufw allow 32765:32767/tcp
sudo ufw allow 32765:32767/udp

Check your running services:

rpcinfo -p | grep -v "no servers"  # Should show minimal output; errors out once rpcbind is masked
showmount -e localhost             # Verify exports (relies on rpcbind, so it fails once rpcbind is masked)
sudo netstat -tulnp | grep 2049    # Confirm NFS listening port
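
The checks above can be turned into a pass/fail audit that does not depend on rpcbind. This is an added example, not part of the original page: a POSIX shell function that takes the contents of /proc/fs/nfsd/versions and the output of ss -H -tuln and reports anything that contradicts a v4-only setup. The function name, the FAIL messages and the sample data are constructed for illustration.

```shell
#!/bin/sh
# audit_nfs4_only VERSIONS SOCKETS
#   VERSIONS: contents of /proc/fs/nfsd/versions, e.g. "-2 -3 +4 +4.1 +4.2"
#   SOCKETS:  output of `ss -H -tuln` (listening TCP and UDP sockets)
# Prints one FAIL line per finding; prints nothing when the host is v4-only.
audit_nfs4_only() {
    versions=$1
    sockets=$2
    # An enabled version below 4 means the v3 code path is still served.
    for v in $versions; do
        case $v in
            +2|+3) echo "FAIL nfsd still serves NFSv${v#+}" ;;
        esac
    done
    case " $versions " in
        *" +4"*) ;;
        *) echo "FAIL nfsd does not serve NFSv4" ;;
    esac
    # Column 1 of ss output is the protocol, column 5 is local addr:port.
    printf '%s\n' "$sockets" | awk '
        $1 != "tcp" && $1 != "udp" { next }
        { port = $5; sub(/.*:/, "", port); seen[$1 "/" port] = 1 }
        END {
            if (!("tcp/2049" in seen)) print "FAIL nothing listening on 2049/tcp"
            if ("udp/2049" in seen) print "FAIL nfsd is listening on 2049/udp"
            if ("tcp/111" in seen || "udp/111" in seen)
                print "FAIL rpcbind is still listening on port 111"
        }'
}

# Constructed sample data (not captured from a real host).
BAD_VERSIONS='-2 +3 +4 +4.1 +4.2'
BAD_SOCKETS='udp UNCONN 0 0 0.0.0.0:111 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:2049 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
tcp LISTEN 0 64 0.0.0.0:2049 0.0.0.0:*'
GOOD_VERSIONS='-2 -3 +4 +4.1 +4.2'
GOOD_SOCKETS='tcp LISTEN 0 64 0.0.0.0:2049 0.0.0.0:*
tcp LISTEN 0 64 [::]:2049 [::]:*'

echo "--- default install (constructed) ---"
audit_nfs4_only "$BAD_VERSIONS" "$BAD_SOCKETS"
echo "--- after hardening (constructed) ---"
audit_nfs4_only "$GOOD_VERSIONS" "$GOOD_SOCKETS"
# On a live server, as root:
#   audit_nfs4_only "$(cat /proc/fs/nfsd/versions)" "$(ss -H -tuln)"
```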

If clients can't mount shares, check these logs:

journalctl -u nfs-server --no-pager -n 50
tail -f /var/log/syslog | grep -E 'nfs|mount'

For permission issues, ensure consistent UID/GID mapping between server and clients, especially when using all_squash in exports.