Date:      Fri, 25 Nov 2022 15:17:46 -0800
From:      Rick Macklem <rick.macklem@gmail.com>
To:        freebsd-current@freebsd.org
Cc:        bz@freebsd.org
Subject:   RFC: nfsd in a vnet jail
Message-ID:  <CAM5tNy7CQaBTRWG0m0aN6T0xG2L2zSQJGa%2BatGaH%2BmW%2BwEpdyQ@mail.gmail.com>

Hi,

bz@ has encouraged me to fiddle with the nfsd
so that it works in a vnet jail.
I have now basically done so, specifically for
NFSv4, since NFSv3 presents various issues.

What I have not yet done is put global variables
in the vnet. This needs to be done so that the nfsd
can be run in multiple jail instances and/or in and
outside of a jail.
The problem is that there are 100s of global variables.

I can see two approaches:
1 - Move them all into the vnet jail. This would imply
    that all the sysctls need to somehow be changed,
    which would seem to be a POLA violation.
    It also implies a lot of stuff in the vnet.
2 - Just move the global variables that will always
    differ from one nfsd to another (this would make
    the sysctls global and apply to all nfsds).
    This will keep the number of globals in the vnet
    smaller.

I am currently leaning towards #2, but what do others
think?

rick
ps: Personally, I don't know what use there is of
    running the nfsd inside a vnet jail, but bz@ has
    some use case.
