Stay organized with collectionsSave and categorize content based on your preferences.
This page shows you how to set the ports for thestatdandnlockmgrdaemons
on your client VMs to make firewall configuration easier.
Filestore uses thenlockmgrandstatddaemons to enable file
locking. The ports for these services need to be properly exposed on your client
VMs through firewall rules so that clients can properly use locks. We recommend
setting thestatdandnlockmgrports so that they are consistent on all
client VMs, making it easier to configure ingress firewall rules.
For more information on determining if you need to configure a firewall rule for
the VPC network, seeConfigure firewall rules.
Check port settings
To check what values thestatdandnlockmgrports are currently set to, run
the following commands on the client VM instance. If the files don't exist, or
if the options don't have values, then the ports aren't set. In that case, the
daemons are dynamically assigned arbitrary available ports.
Debian/Ubuntu
To determine thestatdport, run the following command and look at theSTATDOPTSvalue:
cat /etc/default/nfs-common
To determine thenlockmgrport, run the following command and look at thenlm_tcpportandnlm_udpportvalues:
cat /etc/modprobe.d/lock.conf
RHEL/CentOS
To determine thestatdport, run the following command and look at theSTATD_PORTvalue:
cat /etc/sysconfig/nfs
To determine thenlockmgrport, run the following command and look at thenlm_tcpportandnlm_udpportvalues:
cat /etc/modprobe.d/lock.conf
SUSE
Run the following command:
cat /etc/sysconfig/nfs
Thestatdport is listed underSTATD_PORTand thenlockmgrport is
listed underLOCKD_TCPPORTandLOCKD_UDPPORT.
Windows
Setting NFS ports is not required on Windows.
Set ports
To set thestatdandnlockmgrports, run the following commands on the
client VM instance. These examples use thenanotext editor, but you can use any text editor. These examples also use 2046 as
the port forstatdand 4045 as the port fornlockmgrbecause these values
are common choices. You can use different ports based on your network
configuration. In this case, the ingress firewall rules must allow traffic to
the specific ports that you use.
To verify NFS ports have been opened properly, complete the following steps.
Install the following dependencies.
Debian/Ubuntu
From the command line, enter the following command:
sudo apt install nfs-common tcpdump tshark
RHEL/CentOS
From the command line, enter the following command:
sudoyuminstallnfs-utilstcpdumpwireshark
SUSE
From the command line, enter the following command:
sudozypperinstallnfs-clienttcpdumpwireshark
Windows
This verification process is not supported on Windows.
Create a script file calledverify-nfs-port-script.sh, copy and paste the
following script within it, and save it locally to your machine. Note the
location of the file and save it for the next step.
#!/bin/bash# This script is intended to run on client machines to verify that the ports# are properly open to allow the reception of NLM GRANT messages from the server.set-eufunctionkill_descendants(){forpidin$(ps-opid=--ppid"$1")dokill_descendants"$pid"doneif[[$1-ne$$]];thenkill"$1"2>/dev/null|truefi}functioncleanup{set+eu# Kill all background jobs and wait for it to end, makes sure locks are releasedkill_descendants$$# Wait for jobs to die and locks to be released, so mount is not busysleep2umount-f"$MNT1"umount-f"$MNT2"rmdir"$MNT1"2&>/dev/null||truermdir"$MNT2"2&>/dev/null||true}functionprint_help{echo"$0[server_ip] [mount_path]"echo-e"\t For example, if you mount a server using:"echo-e"\t\t \"mount 10.0.0.1:share /mnt/mount_point\""echo-e"\t Run the script: "echo-e"\t\t \"$010.0.0.1 share\""}if[$#-ne2];thenprint_helpexit1fiif[$(id-u)-ne0];thenecho"Failure! This script needs to run as root, use \"sudo$@\""exit1fiif![-x"$(command-vtshark)"];thenecho"The 'tshark' command does not exist and is needed for the script. Please install it"exit1fiif![-x"$(command-vtcpdump)"];thenecho"The 'tcpdump' command does not exist and is needed for the script. Please install it"exit1fiSERVER_IP=$1MOUNT_PATH=$2MNT1=$(mktemp-d)MNT2=$(mktemp-d)trapcleanupEXITecho"Mounting..."mount-onosharecache"$SERVER_IP":"$MOUNT_PATH""$MNT1"mount-onosharecache"$SERVER_IP":"$MOUNT_PATH""$MNT2"REC_FILE=$(mktemp/tmp/nlm_recording_XXXXXXXX.pcap)tcpdump-iany-s0-w"$REC_FILE""host$SERVER_IP"&TCPDUMP_PID=$!echo"Recording TCP dump to$REC_FILE"sleep5# wait for tcpdump to start runningecho"Running test..."flock"$MNT1"/lock_file-c"echo -n \"Got first lock: \" && date && sleep 5 && echo -n \"Releasing first lock: \" && date"&
sleep2# Wait for the first lock to actually be takenecho"Waiting for second lock:$(date)"flock"$MNT2"/lock_file-c"echo -n \"Got second lock: \" && date"sleep2# Wait for tcpdump to record everythingkill$TCPDUMP_PID# For quick analysis inspect recording with tshark, if you don't have it just inspect with Wiresharkecho"Inspecting results in$REC_FILEwith TShark"tshark-r"$REC_FILE"-Ynlm# First, print the outputtshark-r"$REC_FILE"-Ynlm2>/dev/null|grep-qGRANTEDEXIT_CODE=0if[$?-eq0];thenecho"The NLM GRANT message is working properly!"EXIT_CODE=0elseecho"The NLM GRANT message is not working properly!"EXIT_CODE=1fiecho"For debugging, please provide the printed output of the script, and$REC_FILE"exit${EXIT_CODE}
Enter the following command:
chmod +xSCRIPT_PATH
Replace the following:
SCRIPT_PATH: the path where your script file is
located. This should be run as root, otherwise addsudoto the beginning
of the command.
Enter the following command:
SCRIPT_PATHINSTANCE_IPSHARE_NAME
Replace the following:
SCRIPT_PATH: the path where your script file is
located. This should be run as root, otherwise addsudoto the beginning
of the command.
INSTANCE_IP: the IP address of the Filestore
instance
SHARE_NAME: the name of the file share
If the port is open, the script returns the following response:
The NLM GRANT message is working properly!
If the port is not open, the script returns the following error:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThis guide outlines how to configure specific ports for the \u003ccode\u003estatd\u003c/code\u003e and \u003ccode\u003enlockmgr\u003c/code\u003e daemons on client VMs to simplify firewall setup for Filestore file locking.\u003c/p\u003e\n"],["\u003cp\u003eSetting consistent \u003ccode\u003estatd\u003c/code\u003e and \u003ccode\u003enlockmgr\u003c/code\u003e ports across all client VMs is recommended to make ingress firewall rule configuration more manageable, and these ports can be checked by running specific commands.\u003c/p\u003e\n"],["\u003cp\u003eThe document provides step-by-step instructions for setting the \u003ccode\u003estatd\u003c/code\u003e and \u003ccode\u003enlockmgr\u003c/code\u003e ports on Debian/Ubuntu, RHEL/CentOS, and SUSE systems, noting that Windows does not require this configuration.\u003c/p\u003e\n"],["\u003cp\u003eAfter setting the ports, a verification process is detailed using a provided script that confirms if the ports are open and properly receiving NLM GRANT messages, and this verification process is only supported on Debian/Ubuntu, RHEL/CentOS, and SUSE systems.\u003c/p\u003e\n"]]],[],null,["# Configure NFS ports on client VMs\n\nThis page shows you how to set the ports for the `statd` and `nlockmgr` daemons\non your client VMs to make firewall configuration easier.\n\nFilestore uses the `nlockmgr` and `statd` daemons to enable file\nlocking. The ports for these services need to be properly exposed on your client\nVMs through firewall rules so that clients can properly use locks. We recommend\nsetting the `statd` and `nlockmgr` ports so that they are consistent on all\nclient VMs, making it easier to configure ingress firewall rules.\n\nFor more information on determining if you need to configure a firewall rule for\nthe VPC network, see\n[Configure firewall rules](/filestore/docs/configuring-firewall).\n\nCheck port settings\n-------------------\n\nTo check what values the `statd` and `nlockmgr` ports are currently set to, run\nthe following commands on the client VM instance. If the files don't exist, or\nif the options don't have values, then the ports aren't set. In that case, the\ndaemons are dynamically assigned arbitrary available ports. \n\n### Debian/Ubuntu\n\n1. To determine the `statd` port, run the following command and look at the\n `STATDOPTS` value:\n\n cat /etc/default/nfs-common\n\n2. To determine the `nlockmgr` port, run the following command and look at the\n `nlm_tcpport` and `nlm_udpport` values:\n\n cat /etc/modprobe.d/lock.conf\n\n### RHEL/CentOS\n\n1. To determine the `statd` port, run the following command and look at the\n `STATD_PORT` value:\n\n cat /etc/sysconfig/nfs\n\n2. To determine the `nlockmgr` port, run the following command and look at the\n `nlm_tcpport` and `nlm_udpport` values:\n\n cat /etc/modprobe.d/lock.conf\n\n### SUSE\n\nRun the following command: \n\n cat /etc/sysconfig/nfs\n\nThe `statd` port is listed under `STATD_PORT` and the `nlockmgr` port is\nlisted under `LOCKD_TCPPORT` and `LOCKD_UDPPORT`.\n\n### Windows\n\nSetting NFS ports is not required on Windows.\n\nSet ports\n---------\n\nTo set the `statd` and `nlockmgr` ports, run the following commands on the\nclient VM instance. These examples use the\n[`nano`](https://www.nano-editor.org/)\ntext editor, but you can use any text editor. These examples also use 2046 as\nthe port for `statd` and 4045 as the port for `nlockmgr` because these values\nare common choices. You can use different ports based on your network\nconfiguration. In this case, the ingress firewall rules must allow traffic to\nthe specific ports that you use.\n**Important:** If you set ports on a client VM instance that already has file shares mounted on it, you must reboot the instance for the changes to take effect. \n\n### Debian/Ubuntu\n\n- Set the `statd` port:\n\n 1. Open the `/etc/default/nfs-common` file for editing:\n\n sudo nano /etc/default/nfs-common\n\n 2. Set the `STATDOPTS` option:\n\n STATDOPTS=\"-p 2046\"\n\n 3. Save the file and exit.\n\n- Set the `nlockmgr` port:\n\n 1. Create the `/etc/modprobe.d/lock.conf` file:\n\n sudo nano /etc/modprobe.d/lock.conf\n\n 2. Set the `nlm_tcpport` and `nlm_udpport` options:\n\n options lockd nlm_tcpport=4045\n options lockd nlm_udpport=4045\n\n 3. Save the file and exit.\n\n### RHEL/CentOS\n\n- Set the `statd` port:\n\n 1. Open the `/etc/sysconfig/nfs` file for editing:\n\n sudo nano /etc/sysconfig/nfs\n\n 2. Set the `STATD_PORT` option:\n\n STATD_PORT=2046\n\n 3. Save the file and exit.\n\n- Set the `nlockmgr` port:\n\n 1. Create the `/etc/modprobe.d/lock.conf` file:\n\n sudo nano /etc/modprobe.d/lock.conf\n\n 2. Set the `nlm_tcpport` and `nlm_udpport` options:\n\n options lockd nlm_tcpport=4045\n options lockd nlm_udpport=4045\n\n 3. Save the file and exit.\n\n### SUSE\n\nSet the `statd` and `nlockmgr` ports:\n\n1. Open the `/etc/sysconfig/nfs` file for editing:\n\n sudo nano /etc/sysconfig/nfs\n\n2. Set the `STATD_PORT`, `LOCKD_TCPPORT`, and `LOCKD_UDPPORT` options:\n\n STATD_PORT=2046\n LOCKD_TCPPORT=4045\n LOCKD_UDPPORT=4045\n\n3. Save the file and exit.\n\n### Windows\n\nSetting NFS ports is not required on Windows.\n\nVerify ports are open\n---------------------\n\nTo verify NFS ports have been opened properly, complete the following steps.\n\n1. Install the following dependencies.\n\n ### Debian/Ubuntu\n\n From the command line, enter the following command: \n\n sudo apt install nfs-common tcpdump tshark\n\n ### RHEL/CentOS\n\n From the command line, enter the following command: \n\n sudo yum install nfs-utils tcpdump wireshark\n\n ### SUSE\n\n From the command line, enter the following command: \n\n sudo zypper install nfs-client tcpdump wireshark\n\n ### Windows\n\n This verification process is not supported on Windows.\n2. Create a script file called `verify-nfs-port-script.sh`, copy and paste the\n following script within it, and save it locally to your machine. Note the\n location of the file and save it for the next step.\n\n #!/bin/bash\n\n # This script is intended to run on client machines to verify that the ports\n # are properly open to allow the reception of NLM GRANT messages from the server.\n\n set -eu\n\n function kill_descendants() {\n for pid in $(ps -o pid= --ppid \"$1\")\n do\n kill_descendants \"$pid\"\n done\n if [[ $1 -ne $$ ]]; then\n kill \"$1\" 2\u003e/dev/null | true\n fi\n }\n\n function cleanup {\n set +eu\n\n # Kill all background jobs and wait for it to end, makes sure locks are released\n kill_descendants $$\n\n # Wait for jobs to die and locks to be released, so mount is not busy\n sleep 2\n\n umount -f \"$MNT1\"\n umount -f \"$MNT2\"\n\n rmdir \"$MNT1\" 2&\u003e /dev/null || true\n rmdir \"$MNT2\" 2&\u003e /dev/null || true\n }\n\n function print_help {\n echo \"$0 [server_ip] [mount_path]\"\n echo -e \"\\t For example, if you mount a server using:\"\n echo -e \"\\t\\t \\\"mount 10.0.0.1:share /mnt/mount_point\\\"\"\n echo -e \"\\t Run the script: \"\n echo -e \"\\t\\t \\\"$0 10.0.0.1 share\\\"\"\n }\n\n if [ $# -ne 2 ]; then\n print_help\n exit 1\n fi\n\n if [ $(id -u) -ne 0 ]; then\n echo \"Failure! This script needs to run as root, use \\\"sudo $@\\\"\"\n exit 1\n fi\n\n if ! [ -x \"$(command -v tshark)\" ]; then\n echo \"The 'tshark' command does not exist and is needed for the script. Please install it\"\n exit 1\n fi\n\n if ! [ -x \"$(command -v tcpdump)\" ]; then\n echo \"The 'tcpdump' command does not exist and is needed for the script. Please install it\"\n exit 1\n fi\n\n SERVER_IP=$1\n MOUNT_PATH=$2\n\n MNT1=$(mktemp -d)\n MNT2=$(mktemp -d)\n\n trap cleanup EXIT\n\n echo \"Mounting...\"\n mount -o nosharecache \"$SERVER_IP\":\"$MOUNT_PATH\" \"$MNT1\"\n mount -o nosharecache \"$SERVER_IP\":\"$MOUNT_PATH\" \"$MNT2\"\n\n REC_FILE=$(mktemp /tmp/nlm_recording_XXXXXXXX.pcap)\n tcpdump -i any -s0 -w \"$REC_FILE\" \"host $SERVER_IP\" &\n TCPDUMP_PID=$!\n echo \"Recording TCP dump to $REC_FILE\"\n\n sleep 5 # wait for tcpdump to start running\n\n echo \"Running test...\"\n flock \"$MNT1\"/lock_file -c \"echo -n \\\"Got first lock: \\\" && date && sleep 5 && echo -n \\\"Releasing first lock: \\\" && date\" &\n sleep 2 # Wait for the first lock to actually be taken\n\n echo \"Waiting for second lock: $(date)\"\n flock \"$MNT2\"/lock_file -c \"echo -n \\\"Got second lock: \\\" && date\"\n\n sleep 2 # Wait for tcpdump to record everything\n kill $TCPDUMP_PID\n\n # For quick analysis inspect recording with tshark, if you don't have it just inspect with Wireshark\n echo \"Inspecting results in $REC_FILE with TShark\"\n tshark -r \"$REC_FILE\" -Y nlm # First, print the output\n\n tshark -r \"$REC_FILE\" -Y nlm 2\u003e/dev/null | grep -q GRANTED\n EXIT_CODE=0\n if [ $? -eq 0 ]; then\n echo \"The NLM GRANT message is working properly!\"\n EXIT_CODE=0\n else\n echo \"The NLM GRANT message is not working properly!\"\n EXIT_CODE=1\n fi\n echo \"For debugging, please provide the printed output of the script, and $REC_FILE\"\n exit ${EXIT_CODE}\n\n3. Enter the following command:\n\n chmod +x \u003cvar translate=\"no\"\u003eSCRIPT_PATH\u003c/var\u003e\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eSCRIPT_PATH\u003c/var\u003e: the path where your script file is located. This should be run as root, otherwise add `sudo` to the beginning of the command.\n4. Enter the following command:\n\n \u003cvar translate=\"no\"\u003eSCRIPT_PATH\u003c/var\u003e \u003cvar translate=\"no\"\u003eINSTANCE_IP\u003c/var\u003e \u003cvar translate=\"no\"\u003eSHARE_NAME\u003c/var\u003e\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eSCRIPT_PATH\u003c/var\u003e: the path where your script file is located. This should be run as root, otherwise add `sudo` to the beginning of the command.\n - \u003cvar translate=\"no\"\u003eINSTANCE_IP\u003c/var\u003e: the IP address of the Filestore instance\n - \u003cvar translate=\"no\"\u003eSHARE_NAME\u003c/var\u003e: the name of the file share\n\n If the port is open, the script returns the following response: \n\n The NLM GRANT message is working properly!\n\n If the port is not open, the script returns the following error: \n\n The NLM GRANT message is not working properly!\n\nWhat's next\n-----------\n\n- [Configure firewall rules](/filestore/docs/configuring-firewall).\n- [Learn more about the networking and IP resource requirements for using\n Filestore](/filestore/docs/networking)."]]
