
orca.pet

NFS v4-only on modern Debian

A small how-to on configuring a modern Debian 12 "bookworm" installation using systemd as its init system for serving NFS v4 shares, disabling the services related to legacy NFS v2 and NFS v3.

Until the Debian maintainers realize that v4 came out at the turn of the millennium (23 years ago and counting), and that v3 is just an archaic nuisance that is virtually unused at this point, we'll have to go through this procedure.

All commands must be run as root.

For clients

  1. Install the NFS common package, which includes the needed mount.nfs command. This pulls in the rpcbind package, which is only used for v2 and v3, but can't do shit about it:

    apt-get install nfs-common
    

  2. Completely disable the rpcbind service and socket:

    systemctl mask rpcbind rpcbind.socket
    systemctl stop rpcbind rpcbind.socket
    

  3. Completely disable the rpc-statd-notify service:

    systemctl mask rpc-statd-notify
    systemctl stop rpc-statd-notify
    

Done.

For servers

  1. Install the NFS server. Since it depends on common, it will also pull the useless rpcbind package.

    apt-get install nfs-kernel-server
    

  2. Completely disable the rpcbind service and socket:

    systemctl mask rpcbind rpcbind.socket
    systemctl stop rpcbind rpcbind.socket
    

  3. Completely disable the rpc-statd and rpc-statd-notify services:

    systemctl mask rpc-statd rpc-statd-notify
    systemctl stop rpc-statd rpc-statd-notify
    

  4. Override the nfs-kernel-server unit to disable v3:

    mkdir -p /etc/systemd/system/nfs-server.service.d
    cat <<'EOF' >/etc/systemd/system/nfs-server.service.d/override.conf
    [Service]
    ExecStart=
    ExecStart=/usr/sbin/rpc.nfsd --no-nfs-version 3
    EOF
    

    This can also be achieved using systemctl edit nfs-server and manually entering:

    [Service]
    ExecStart=
    ExecStart=/usr/sbin/rpc.nfsd --no-nfs-version 3
    

    We don't need to disable v2 since the kernel (as of Debian 12 "bookworm") does not support it, and in fact the service fails to start if we explicitly attempt to disable it.

    The reason we have an empty ExecStart= before the actual command is that ExecStart is a list; the empty assignment clears it, removing the original start command before we add the correct one.

  5. Override the nfs-mountd unit to disable both v2 and v3:

    mkdir -p /etc/systemd/system/nfs-mountd.service.d
    cat <<'EOF' >/etc/systemd/system/nfs-mountd.service.d/override.conf
    [Service]
    ExecStart=
    ExecStart=/usr/sbin/rpc.mountd --no-nfs-version 2 --no-nfs-version 3
    EOF
    

    This can also be achieved using systemctl edit nfs-mountd and manually entering:

    [Service]
    ExecStart=
    ExecStart=/usr/sbin/rpc.mountd --no-nfs-version 2 --no-nfs-version 3
    

    Unlike the server, rpc.mountd still supports v2, so we also have to pass that.

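  6. Reload systemd so it picks up the drop-ins (needed if they were written by hand rather than with systemctl edit), then restart both services:

    systemctl daemon-reload
    systemctl restart nfs-server nfs-mountd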
    

  7. Check using ss -lutpn that port 2049 remains open (the only port required for NFS v4), and that rpc.mountd is not listening on any port.
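
A scripted form of the check in step 7, added here as an example and not part of the original how-to. The function name check_nfs4_only and both sample listings are constructed for illustration; it goes slightly beyond step 7 by also flagging port 111 and the rpcbind and rpc.statd helpers masked in the earlier steps.

```shell
#!/bin/sh
# Added example: audit `ss -lutpn` output for an NFS v4-only host.
# check_nfs4_only reads ss output on stdin and returns 0 only when tcp/2049
# is listening and no port 111 or legacy v2/v3 helper socket is present.
check_nfs4_only() {
    awk '
        $1 == "Netid" { next }                      # header line
        {
            n = split($5, a, ":"); port = a[n]      # port follows the last colon, also for [::]:2049
            if ($1 == "tcp" && port == "2049") nfs = 1
            reason = ""
            # Port 111 is flagged by number: with socket activation the owner may show as systemd.
            if (port == "111") reason = "portmapper port"
            else if (match($0, /"(rpcbind|rpc\.mountd|rpc\.statd)"/))
                reason = "legacy helper " substr($0, RSTART, RLENGTH)
            if (reason != "") { print "FAIL: " $1 " " $5 " (" reason ")"; bad = 1 }
        }
        END {
            if (!nfs) { print "FAIL: nothing listening on tcp/2049"; bad = 1 }
            if (!bad) print "OK: only NFS v4 (tcp/2049) is exposed by NFS services"
            exit bad + 0
        }
    '
}

# Constructed sample: a server before the steps above were applied.
SAMPLE_DEFAULT='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:111   0.0.0.0:* users:(("rpcbind",pid=601,fd=5),("systemd",pid=1,fd=36))
udp   UNCONN 0      0      0.0.0.0:40123 0.0.0.0:* users:(("rpc.mountd",pid=702,fd=4))
tcp   LISTEN 0      64     0.0.0.0:2049  0.0.0.0:*
tcp   LISTEN 0      4096   0.0.0.0:111   0.0.0.0:* users:(("rpcbind",pid=601,fd=4),("systemd",pid=1,fd=35))
tcp   LISTEN 0      4096   0.0.0.0:51277 0.0.0.0:* users:(("rpc.statd",pid=655,fd=9))'

# Constructed sample: the same server afterwards (nfsd is in-kernel, so no process column).
SAMPLE_V4_ONLY='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22    0.0.0.0:* users:(("sshd",pid=580,fd=3))
tcp   LISTEN 0      64     0.0.0.0:2049  0.0.0.0:*
tcp   LISTEN 0      64     [::]:2049     [::]:*'

printf '%s\n' "$SAMPLE_DEFAULT" | check_nfs4_only || echo "=> not v4-only"
printf '%s\n' "$SAMPLE_V4_ONLY" | check_nfs4_only
# On a real host: ss -lutpn | check_nfs4_only
```

Run ss as root, as the rest of this page assumes, since without privileges the process column is empty and only the port-number checks can fire.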