linux-nfs.vger.kernel.org archive mirror
* Restricting UDP access triggers systemd dependency issues
@ 2018-08-01 18:11 Patrick Goetz
From: Patrick Goetz @ 2018-08-01 18:11 UTC (permalink / raw)
  To: Linux NFS Mailing List

Not sure if this list is an appropriate venue for this issue, but I 
can't think of where else to post.

On an Ubuntu 18.04 machine, with version 1:1.3.4-2.1ubuntu5 of the 
nfs-kernel-server package, I have the following strange issue.  The 
machine is joined to an AD domain, but the NFS service is completely 
independent from the directory service.

If I enable an rpc.nfsd environment variable restricting UDP access:

root@snakeskin:/lib/systemd/system# cat /run/sysconfig/nfs-utils
PIPEFS_MOUNTPOINT=/run/rpc_pipefs
RPCNFSDARGS=" 8"
RPCMOUNTDARGS="--manage-gids -N 2 -N 3 -U"
STATDARGS=""
RPCSVCGSSDARGS=""


The nfs-kernel-server service refuses to start. (I've experimented with 
all RPCMOUNTDARGS options, and the problem only occurs when -U is in the 
list.)

root@snakeskin:/lib/systemd/system# systemctl restart nfs-kernel-server
A dependency job for nfs-server.service failed. See 'journalctl -xe' for 
details.

The failed service is rpc.svcgssd:

================================================
Aug 01 12:58:21 snakeskin rpc.svcgssd[5635]: ERROR: GSS-API: error in 
gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code 
may provide more information) - No key table entry found matching nfs/@
Aug 01 12:58:21 snakeskin rpc.svcgssd[5635]: unable to obtain root 
(machine) credentials
Aug 01 12:58:21 snakeskin rpc.svcgssd[5635]: do you have a keytab entry 
for nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?
Aug 01 12:58:21 snakeskin systemd[1]: rpc-svcgssd.service: Control 
process exited, code=exited status=1
Aug 01 12:58:21 snakeskin systemd[1]: rpc-svcgssd.service: Failed with 
result 'exit-code'.
Aug 01 12:58:21 snakeskin systemd[1]: Failed to start RPC security 
service for NFS server.
-- Subject: Unit rpc-svcgssd.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- Unit rpc-svcgssd.service has failed.
=====================================================

As indicated in the /etc/default/nfs-kernel-server file, this service 
shouldn't even be needed unless kerberos is managing exports:

# Do you want to start the svcgssd daemon? It is only required for Kerberos
# exports. Valid alternatives are "yes" and "no"; the default is "no".
NEED_SVCGSSD=""

# Options for rpc.svcgssd.
RPCSVCGSSDOPTS=""


However, the "NEED_SVCGSSD" isn't processed by nfs-config.service, and 
setting it explicitly to "no" has no effect.  Also notice RPCSVCGSSDOPTS 
which is converted to RPCSVCGSSDARGS by the nfs-config.service script, 
/usr/lib/systemd/scripts/nfs-utils_env.sh:

   echo RPCSVCGSSDARGS=\"$RPCSVCGSSDOPTS\"

This isn't being picked up by the rpc-svcgssd service, which is looking 
for a differently named environment variable:

============================================================
root@snakeskin:/lib/systemd/system# cat rpc-svcgssd.service
[Unit]
Description=RPC security service for NFS server
DefaultDependencies=no
Requires=run-rpc_pipefs.mount
After=run-rpc_pipefs.mount local-fs.target
PartOf=nfs-server.service
PartOf=nfs-utils.service

ConditionPathExists=/etc/krb5.keytab

Wants=nfs-config.service
After=nfs-config.service

[Service]
EnvironmentFile=-/run/sysconfig/nfs-utils
Type=forking
ExecStart=/usr/sbin/rpc.svcgssd $SVCGSSDARGS
============================================================

It seems that someone clearly messed up the service files, but is it the 
Debian package maintainer or upstream?

Also, is there a solution to not allowing UDP service while still 
allowing rpc.nfsd to run?
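The message above shows the generator script writing `RPCSVCGSSDARGS` into `/run/sysconfig/nfs-utils` while the unit's `ExecStart=` reads `$SVCGSSDARGS`. systemd expands an undefined variable to an empty string without complaint, so that kind of mismatch never surfaces as an error; the daemon just starts with no arguments. The script below is an added example, not part of the original message or of nfs-utils: it cross-checks the variable names a unit's `Exec*=` lines reference against the names its environment file defines. The two sample files are constructed to mirror the ones quoted in the message (plus one consistent control unit), and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original message or of nfs-utils.
# Cross-check the environment variable names a systemd unit's Exec*= lines
# reference against the names its EnvironmentFile actually defines. systemd
# silently expands an undefined $VAR to nothing, so a name mismatch of the
# kind shown above (RPCSVCGSSDARGS written, $SVCGSSDARGS read) produces no
# error, only a daemon started without its intended arguments.
# The sample files and function names below are constructed for this example.

SAMPLE_DIR=$(mktemp -d)
SAMPLE_ENV="$SAMPLE_DIR/nfs-utils"
SAMPLE_UNIT="$SAMPLE_DIR/rpc-svcgssd.service"
SAMPLE_UNIT_CONSISTENT="$SAMPLE_DIR/rpc-svcgssd-consistent.service"

# Constructed copy of the generated environment file quoted in the message.
cat > "$SAMPLE_ENV" <<'EOF'
PIPEFS_MOUNTPOINT=/run/rpc_pipefs
RPCNFSDARGS=" 8"
RPCMOUNTDARGS="--manage-gids -N 2 -N 3 -U"
STATDARGS=""
RPCSVCGSSDARGS=""
EOF

# Constructed unit with the same EnvironmentFile/ExecStart lines as the one quoted.
cat > "$SAMPLE_UNIT" <<'EOF'
[Unit]
Description=RPC security service for NFS server
ConditionPathExists=/etc/krb5.keytab

[Service]
EnvironmentFile=-/run/sysconfig/nfs-utils
Type=forking
ExecStart=/usr/sbin/rpc.svcgssd $SVCGSSDARGS
EOF

# Constructed control case: a unit whose reference matches what the env file defines.
cat > "$SAMPLE_UNIT_CONSISTENT" <<'EOF'
[Service]
EnvironmentFile=-/run/sysconfig/nfs-utils
ExecStart=/usr/sbin/rpc.svcgssd ${RPCSVCGSSDARGS}
EOF

# Print every $VAR / ${VAR} name referenced on Exec*= lines of unit file $1.
unit_env_refs() {
    grep -E '^Exec[A-Za-z]*=' "$1" \
        | grep -oE '\$\{?[A-Za-z_][A-Za-z0-9_]*\}?' \
        | tr -d '${}' \
        | sort -u
}

# Print every NAME defined as NAME=value in environment file $1
# (comment and blank lines never match the leading-identifier pattern).
envfile_defs() {
    grep -E '^[A-Za-z_][A-Za-z0-9_]*=' "$1" \
        | cut -d= -f1 \
        | sort -u
}

# Print the names unit $1 references that env file $2 never defines.
# Returns 0 when every reference is defined, 1 otherwise.
missing_env_vars() {
    defs=$(envfile_defs "$2")
    status=0
    for name in $(unit_env_refs "$1"); do
        if ! printf '%s\n' "$defs" | grep -qx "$name"; then
            printf '%s\n' "$name"
            status=1
        fi
    done
    return $status
}

# Stand-alone usage: report on the constructed sample pair.
if missing_env_vars "$SAMPLE_UNIT" "$SAMPLE_ENV" >/dev/null; then
    echo "all Exec*= variables are defined in $SAMPLE_ENV"
else
    echo "referenced by $SAMPLE_UNIT but undefined in $SAMPLE_ENV:"
    missing_env_vars "$SAMPLE_UNIT" "$SAMPLE_ENV"
fi
```

Run against the real files (`/lib/systemd/system/rpc-svcgssd.service` and `/run/sysconfig/nfs-utils`) the same check reports `SVCGSSDARGS` as undefined, which is the mismatch the message points out. The constructed unit also keeps the `ConditionPathExists=/etc/krb5.keytab` line from the quoted one: that condition, rather than `NEED_SVCGSSD`, is what decides whether the unit is attempted at all, which fits the observation that a keytab-holding AD-joined host starts it regardless of the `/etc/default/nfs-kernel-server` setting.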

