Date: Fri, 25 Nov 2022 22:06:44 -0700
From: Alan Somers <asomers@freebsd.org>
To: Rick Macklem <rick.macklem@gmail.com>
Cc: FreeBSD CURRENT <freebsd-current@freebsd.org>, "Bjoern A. Zeeb" <bz@freebsd.org>
Subject: Re: RFC: nfsd in a vnet jail
Message-ID: <CAOtMX2hxeeNMxxdpma8NJ7ms60eRfuCWoFi7FixdSe83=qibkA@mail.gmail.com>
In-Reply-To: <CAM5tNy7CQaBTRWG0m0aN6T0xG2L2zSQJGa%2BatGaH%2BmW%2BwEpdyQ@mail.gmail.com>
[-- Attachment #1 --]

On Fri, Nov 25, 2022, 4:24 PM Rick Macklem <rick.macklem@gmail.com> wrote:

> Hi,
>
> bz@ has encouraged me to fiddle with the nfsd
> so that it works in a vnet jail.
> I have now basically done so, specifically for
> NFSv4, since NFSv3 presents various issues.
>
> What I have not yet done is put global variables
> in the vnet. This needs to be done so that the nfsd
> can be run in multiple jail instances and/or in and
> outside of a jail.
> The problem is that there are 100s of global variables.
>
> I can see two approaches:
> 1 - Move them all into the vnet jail. This would imply
>     that all the sysctls need to somehow be changed,
>     which would seem to be a POLA violation.
>     It also implies a lot of stuff in the vnet.
> 2 - Just move the global variables that will always
>     differ from one nfsd to another (this would make
>     the sysctls global and apply to all nfsds).
>     This will keep the number of globals in the vnet
>     smaller.
>
> I am currently leaning towards #2, but what do others
> think?
>
> rick
> ps: Personally, I don't know what use there is of
>     running the nfsd inside a vnet jail, but bz@ has
>     some use case.

This is super-awesome! Thank you so much! I've got a use case too. I think it would be fine to leave most of the settings global, like max_threads. But we should probably decide on a case-by-case basis.
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAOtMX2hxeeNMxxdpma8NJ7ms60eRfuCWoFi7FixdSe83=qibkA>
