How to disable rpcbind on LKE nodes

Linode Staff

I received a ticket regarding a security vulnerability notification regarding the Portmapper service:

the Portmapper service (portmap, rpcbind) is required for mapping RPC
requests to a network service. The Portmapper service is needed e.g.
for mounting network shares using the Network File System (NFS).
The Portmapper service runs on port 111 tcp/udp.

How should I proceed with this? This is a Kubernetes node and I cannot log in to it directly to enable a firewall and block traffic on UDP/111.

If I change the node password, I have to rebuild it, so it won't rejoin the cluster and my SSH key doesn't seem to have been copied to the machine, as it is still asking for a password, which I didn't set during node creation, as it was automated by Kubernetes.

2 Replies

Linode doesn't require you to do anything regarding this notices. They are simply sent as a courtesy.

With that said, if you would like to log in to the node, you should be able to do so without rebuilding it. I just tested this out on one of my nodes in a cluster and after resetting the root password, kubectl get nodes showed it was available as part of the cluster, shortly after booting it back up.

Someone on our LKE team wrote up the following Community post regarding securing your LKE cluster, which may help:

Additionally, we've brought this up to our LKE team in the past (specifically regarding this potentially security issue with rpcbind) and they mentioned the following.

rpcbind is required for an NFS server, to allow other RPC services to discover the port that nfsd is listening on. We recently added the nfs-common package to all LKE nodes, per customer request for NFS volume support. rpcbind is a direct dependency of the nfs-common package, however it is not needed for NFS clients using nfsv4 (below v4 it is required for file locking).

Since it does have potential for abuse, our team will look into securing this, though we don't have an ETA for when it will be addressed. It's also worth noting that default Debian installations includes nfs-common, and thus rpcbind.

If you are not interested in using NFS volumes, you can disable the rpcbind service on your LKE nodes by resetting the root password and shelling in, and running these commands:

systemctl stop rpcbind.service

systemctl disable rpcbind.service

The above method requires that you SSH into each node in your cluster to disable rpcbind individually. This also means that if nodes are recycled, new nodes will still have rpcbind enabled and you will have to manually disable it for each node again.

An easier way of disabling rpcbind so that it will not be enabled for new nodes is to implement the following daemonset:

apiVersion: apps/v1
kind: DaemonSet
  name: disable-rpcbindsocket
  namespace: kube-system
      run: disable-rpcbindsocket
        run: disable-rpcbindsocket
      # needs hostPID to use systemctl
      hostPID: true
      # tolerate everyting
      - operator: Exists
      - name: startup-script
          privileged: true
        - name: STARTUP_SCRIPT
          value: |
            set -o errexit
            set -o xtrace
            if systemctl is-active rpcbind.socket; then
              systemctl stop rpcbind.socket
            if systemctl is-enabled rpcbind.socket; then
              systemctl disable rpcbind.socket

This will ensure that rpcbind will be enabled for all nodes, including new nodes after a recycle.


Please enter an answer

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct