Date: Sun, 27 Nov 2022 19:04:08 +0100
From: Peter Eriksson <pen@lysator.liu.se>
To: Rick Macklem <rick.macklem@gmail.com>
Cc: FreeBSD CURRENT <freebsd-current@freebsd.org>, "Bjoern A. Zeeb" <bz@freebsd.org>, Alan Somers <asomers@freebsd.org>
Subject: Re: RFC: nfsd in a vnet jail
Message-ID: <82103A1E-9D39-47B0-9520-205583C8B680@lysator.liu.se>
In-Reply-To: <CAOtMX2hxeeNMxxdpma8NJ7ms60eRfuCWoFi7FixdSe83=qibkA@mail.gmail.com>
References: <CAM5tNy7CQaBTRWG0m0aN6T0xG2L2zSQJGa%2BatGaH%2BmW%2BwEpdyQ@mail.gmail.com> <CAOtMX2hxeeNMxxdpma8NJ7ms60eRfuCWoFi7FixdSe83=qibkA@mail.gmail.com>

Keep the global variables as defaults that apply to all nfsds and allow (at least some subset) to be overridden inside the net jails if some things need to be changed from the defaults?

- Peter

On Fri, Nov 25, 2022, 4:24 PM Rick Macklem <rick.macklem@gmail.com> wrote:
> Hi,
>
> bz@ has encouraged me to fiddle with the nfsd
> so that it works in a vnet jail.
> I have now basically done so, specifically for
> NFSv4, since NFSv3 presents various issues.
>
> What I have not yet done is put global variables
> in the vnet. This needs to be done so that the nfsd
> can be run in multiple jail instances and/or in and
> outside of a jail.
> The problem is that there are 100s of global variables.
>
> I can see two approaches:
> 1 - Move them all into the vnet jail. This would imply
>     that all the sysctls need to somehow be changed,
>     which would seem to be a POLA violation.
>     It also implies a lot of stuff in the vnet.
> 2 - Just move the global variables that will always
>     differ from one nfsd to another (this would make
>     the sysctls global and apply to all nfsds).
>     This will keep the number of globals in the vnet
>     smaller.
>
> I am currently leaning towards #2, but what do others
> think?
>
> rick
> ps: Personally, I don't know what use there is of
>     running the nfsd inside a vnet jail, but bz@ has
>     some use case.
