Description of problem:
The NFS client delegation port is set to a random value by default. If an NFS client is running a firewall, the server will attempt (repeatedly, as per bug #1073196) to connect to that delegation port on the client and fail.
The solution to this is to set the port to a fixed value via sysctl i.e.:
fs.nfs.nfs_callback_tcpport = xxxx
However, doing this via a file in /etc/sysctl.d/, which is read by systemd's systemd-sysctl.service at startup, does not work correctly, since this value appears to be undefined by the kernel when systemd-sysctl.service is executed. The value only appears in /proc/sys once an NFS fs has been mounted.
Systemd does not report any errors at startup time (which is in itself an annoying problem as the sysop has no indication of why the value was not set properly), but when running:
the output states that fs.nfs.nfs_callback_tcpport does not exist.
Version-Release number of selected component (if applicable):
# rpm -q systemd
# uname -a
Linux edison 3.13.6-200.fc20.x86_64 #1 SMP Fri Mar 7 17:02:28 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
100% of the time. Simply reboot.
Steps to Reproduce:
1. Define /etc/sysctl.d/nfs.conf containing a fixed port e.g.:
fs.nfs.nfs_callback_tcpport = 4005
3. Mount an NFS fs
The callback port is "0", i.e. random.
The callback port should be configurable.
Forcing NFS to version 4.1 works around the problem, as in NFS 4.1 the client creates the callback channel, and so the callback port is no longer necessary.
But I'm not sure why 4.1 needs to be forced anyway, it seems like it should be enabled by default:
# cat /proc/fs/nfsd/versions
-2 +3 +4 +4.1 -4.2
The systemd sysctl variable logic doesn't work for "dynamic" sysctls that come and go, and I am pretty sure we shouldn't have anything like that ever.
The NFS folks really need to deal with this one, or stop doing magic sysctls that come and go.
Thanks Lennart. That makes sense.
For the NFS folks: this is even worse than Lennart describes -- this sysctl only shows up *after* a mount command is executed. So one has to mount before one can change the callback port sysctl. That's really dumb.
That's not exactly true. It shows up when nfsv4.ko is plugged in, it's just that the mount in your case is triggering that module load as well.
The best way to configure this is to use the nfs.ko module parm:
So dropping a file that has contents like this in /etc/modprobe.d ought to do it:
options nfs callback_tcpport=4005
...but I haven't the time to test it at the moment.
(In reply to Jeff Layton from comment #4)
> That's not exactly true. It shows up when nfsv4.ko is plugged in, it's just
> that the mount in your case is triggering that module load as well.
> The best way to configure this is to use the nfs.ko module parm:
> parm: callback_tcpport:portnr
Jeff, thanks, that explains the proper way to set the callback port. I'll close this as WONTFIX, given Lennart's comments and that explanation.
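
Added example, not part of the original bug thread: a shell check that reports whether the NFSv4 callback port is pinned by the modprobe.d option described above, or only by a sysctl.d entry that is skipped at boot, so that a client firewall rule can rely on the port. The function names and the directory arguments are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names): audit where the NFSv4 client
# callback port is pinned. Directories are passed as arguments so the check
# can also be run against a copy of a host's configuration.
# Usage: audit_callback_port /etc/modprobe.d /etc/sysctl.d

# Print the port from the last "options nfs ... callback_tcpport=N" line in
# the *.conf files under $1; print nothing when no such line exists.
modprobe_callback_port() {
    dir=$1
    [ -d "$dir" ] || return 0
    cat "$dir"/*.conf 2>/dev/null |
        sed -n 's/^[[:space:]]*options[[:space:]]\{1,\}nfs[[:space:]].*callback_tcpport=\([0-9]\{1,\}\).*/\1/p' |
        tail -n 1
}

# Print the port from the last fs.nfs.nfs_callback_tcpport assignment in the
# *.conf files under $1 (sysctl.d accepts "." or "/" as the key separator).
sysctl_callback_port() {
    dir=$1
    [ -d "$dir" ] || return 0
    cat "$dir"/*.conf 2>/dev/null |
        sed -n 's/^[[:space:]]*fs[./]nfs[./]nfs_callback_tcpport[[:space:]]*=[[:space:]]*\([0-9]\{1,\}\).*/\1/p' |
        tail -n 1
}

# Return 0 when the module option pins the port, 1 when only the sysctl.d
# entry does (the key does not exist until nfsv4.ko is loaded, so
# systemd-sysctl cannot apply it at boot), 2 when nothing pins it.
audit_callback_port() {
    mp=$(modprobe_callback_port "$1")
    sc=$(sysctl_callback_port "$2")
    if [ -n "$mp" ]; then
        echo "OK: module option pins the callback port to $mp"
        if [ -n "$sc" ] && [ "$sc" != "$mp" ]; then
            echo "NOTE: sysctl.d names a different port ($sc); align the two"
        fi
        return 0
    fi
    if [ -n "$sc" ]; then
        echo "WARN: port $sc is set only in sysctl.d; not applied at boot"
        return 1
    fi
    echo "WARN: no fixed callback port configured; the port will be random"
    return 2
}
```
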