From nobody Sun Nov 27 18:04:08 2022
X-Original-To: freebsd-current@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NKxM16GP6z4jP5M
	for <freebsd-current@mlmmj.nyi.freebsd.org>; Sun, 27 Nov 2022 18:04:29 +0000 (UTC)
	(envelope-from pen@lysator.liu.se)
Received: from mail.lysator.liu.se (mail.lysator.liu.se [IPv6:2001:6b0:17:f0a0::3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 4NKxM10h4cz44gn;
	Sun, 27 Nov 2022 18:04:28 +0000 (UTC)
	(envelope-from pen@lysator.liu.se)
Authentication-Results: mx1.freebsd.org;
	dkim=none;
	spf=pass (mx1.freebsd.org: domain of pen@lysator.liu.se designates 2001:6b0:17:f0a0::3 as permitted sender) smtp.mailfrom=pen@lysator.liu.se;
	dmarc=pass (policy=none) header.from=lysator.liu.se
Received: from mail.lysator.liu.se (localhost [127.0.0.1])
	by mail.lysator.liu.se (Postfix) with ESMTP id 0D58A1C0CB;
	Sun, 27 Nov 2022 19:04:20 +0100 (CET)
Received: by mail.lysator.liu.se (Postfix, from userid 1004)
	id 0BD821C129; Sun, 27 Nov 2022 19:04:20 +0100 (CET)
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
	hermod.lysator.liu.se
X-Spam-Level: 
X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED,AWL,HTML_MESSAGE
	autolearn=disabled version=3.4.6
X-Spam-Score: -1.0
Received: from smtpclient.apple (unknown [IPv6:2001:9b1:28fa:7900:5426:ca66:1572:6f63])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.lysator.liu.se (Postfix) with ESMTPSA id 904851C127;
	Sun, 27 Nov 2022 19:04:18 +0100 (CET)
From: Peter Eriksson <pen@lysator.liu.se>
Message-Id: <82103A1E-9D39-47B0-9520-205583C8B680@lysator.liu.se>
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_787AA221-05D9-43E9-8A62-1E05DDA91853"
List-Id: Discussions about the use of FreeBSD-current <freebsd-current.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-current
List-Help: <mailto:freebsd-current+help@freebsd.org>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Subscribe: <mailto:freebsd-current+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-current+unsubscribe@freebsd.org>
Sender: owner-freebsd-current@freebsd.org
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.200.110.1.12\))
Subject: Re: RFC: nfsd in a vnet jail
Date: Sun, 27 Nov 2022 19:04:08 +0100
In-Reply-To: <CAOtMX2hxeeNMxxdpma8NJ7ms60eRfuCWoFi7FixdSe83=qibkA@mail.gmail.com>
Cc: FreeBSD CURRENT <freebsd-current@freebsd.org>,
 "Bjoern A. Zeeb" <bz@freebsd.org>,
 Alan Somers <asomers@freebsd.org>
To: Rick Macklem <rick.macklem@gmail.com>
References: <CAM5tNy7CQaBTRWG0m0aN6T0xG2L2zSQJGa+atGaH+mW+wEpdyQ@mail.gmail.com>
 <CAOtMX2hxeeNMxxdpma8NJ7ms60eRfuCWoFi7FixdSe83=qibkA@mail.gmail.com>
X-Mailer: Apple Mail (2.3731.200.110.1.12)
X-Virus-Scanned: ClamAV using ClamSMTP
X-Spamd-Result: default: False [-3.29 / 15.00];
	NEURAL_HAM_LONG(-1.00)[-1.000];
	NEURAL_HAM_MEDIUM(-1.00)[-1.000];
	NEURAL_HAM_SHORT(-0.99)[-0.993];
	DMARC_POLICY_ALLOW(-0.50)[lysator.liu.se,none];
	MV_CASE(0.50)[];
	R_SPF_ALLOW(-0.20)[+a:mail.lysator.liu.se];
	MIME_GOOD(-0.10)[multipart/alternative,text/plain];
	MIME_TRACE(0.00)[0:+,1:+,2:~];
	MLMMJ_DEST(0.00)[freebsd-current@freebsd.org];
	FREEMAIL_TO(0.00)[gmail.com];
	ASN(0.00)[asn:1653, ipnet:2001:6b0::/32, country:EU];
	FROM_EQ_ENVFROM(0.00)[];
	R_DKIM_NA(0.00)[];
	RCVD_VIA_SMTP_AUTH(0.00)[];
	TO_MATCH_ENVRCPT_SOME(0.00)[];
	RCVD_TLS_LAST(0.00)[];
	FROM_HAS_DN(0.00)[];
	ARC_NA(0.00)[];
	TO_DN_ALL(0.00)[];
	RCPT_COUNT_THREE(0.00)[4];
	RCVD_COUNT_THREE(0.00)[4];
	TAGGED_RCPT(0.00)[];
	MID_RHS_MATCH_FROM(0.00)[]
X-Rspamd-Queue-Id: 4NKxM10h4cz44gn
X-Spamd-Bar: ---
X-ThisMailContainsUnwantedMimeParts: N


--Apple-Mail=_787AA221-05D9-43E9-8A62-1E05DDA91853
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Keep the global variables as defaults that apply to all nfsds and allow =
(at least some subset) to be overridden inside the net jails if some =
things need to be changed from the defaults?

- Peter


On Fri, Nov 25, 2022, 4:24 PM Rick Macklem <rick.macklem@gmail.com =
<mailto:rick.macklem@gmail.com>> wrote:
> Hi,
>=20
> bz@ has encouraged me to fiddle with the nfsd
> so that it works in a vnet jail.
> I have now basically done so, specifically for
> NFSv4, since NFSv3 presents various issues.
>=20
> What I have not yet done is put global variables
> in the vnet. This needs to be done so that the nfsd
> can be run in multiple jail instances and/or in and
> outside of a jail.
> The problem is that there are 100s of global variables.
>=20
> I can see two approaches:
> 1 - Move them all into the vnet jail. This would imply
>     that all the sysctls need to somehow be changed,
>     which would seem to be a POLA violation.
>     It also implies a lot of stuff in the vnet.
> 2 - Just move the global variables that will always
>     differ from one nfsd to another (this would make
>     the sysctls global and apply to all nfsds).
>     This will keep the number of globals in the vnet
>     smaller.
>=20
> I am currently leaning towards #2, put what do others
> think?
>=20
> rick
> ps: Personally, I don't know what use there is of
>     running the nfsd inside a vnet jail, but bz@ has
>     some use case.


--Apple-Mail=_787AA221-05D9-43E9-8A62-1E05DDA91853
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=us-ascii

<html><head><meta http-equiv=3D"content-type" content=3D"text/html; =
charset=3Dus-ascii"></head><body style=3D"overflow-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;">Keep the =
global variables as defaults that apply to all nfsds and allow (at least =
some subset) to be overridden inside the net jails if some things need =
to be changed from the defaults?<div><br></div><div>- =
Peter</div><div><br></div><div><br><div><div><div dir=3D"auto"><div><div =
class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Fri, Nov =
25, 2022, 4:24 PM Rick Macklem &lt;<a =
href=3D"mailto:rick.macklem@gmail.com">rick.macklem@gmail.com</a>&gt; =
wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 =
.8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir=3D"ltr"><div =
class=3D"gmail_default" style=3D"font-family:monospace">Hi,</div><div =
class=3D"gmail_default" style=3D"font-family:monospace"><br></div><div =
class=3D"gmail_default" style=3D"font-family:monospace">bz@ has =
encouraged me to fiddle with the nfsd</div><div class=3D"gmail_default" =
style=3D"font-family:monospace">so that it works in a vnet =
jail.</div><div class=3D"gmail_default" style=3D"font-family:monospace">I =
have now basically done so, specifically for</div><div =
class=3D"gmail_default" style=3D"font-family:monospace">NFSv4, since =
NFSv3 presents various issues.</div><div class=3D"gmail_default" =
style=3D"font-family:monospace"><br></div><div class=3D"gmail_default" =
style=3D"font-family:monospace">What I have not yet done is put global =
variables</div><div class=3D"gmail_default" =
style=3D"font-family:monospace">in the vnet. This needs to be done so =
that the nfsd</div><div class=3D"gmail_default" =
style=3D"font-family:monospace">can be run in multiple jail instances =
and/or in and</div><div class=3D"gmail_default" =
style=3D"font-family:monospace">outside of a jail.</div><div =
class=3D"gmail_default" style=3D"font-family:monospace">The problem is =
that there are 100s of global variables.</div><div class=3D"gmail_default"=
 style=3D"font-family:monospace"><br></div><div class=3D"gmail_default" =
style=3D"font-family:monospace">I can see two approaches:</div><div =
class=3D"gmail_default" style=3D"font-family:monospace">1 - Move them =
all into the vnet jail. This would imply</div><div class=3D"gmail_default"=
 style=3D"font-family:monospace">&nbsp; &nbsp; that all the sysctls need =
to somehow be changed,</div><div class=3D"gmail_default" =
style=3D"font-family:monospace">&nbsp; &nbsp; which would seem to be a =
POLA violation.</div><div class=3D"gmail_default" =
style=3D"font-family:monospace">&nbsp; &nbsp; It also implies a lot of =
stuff in the vnet.</div><div class=3D"gmail_default" =
style=3D"font-family:monospace">2 - Just move the global variables that =
will always</div><div class=3D"gmail_default" =
style=3D"font-family:monospace">&nbsp; &nbsp; differ from one nfsd to =
another (this would make</div><div class=3D"gmail_default" =
style=3D"font-family:monospace">&nbsp; &nbsp; the sysctls global and =
apply to all nfsds).</div><div class=3D"gmail_default" =
style=3D"font-family:monospace">&nbsp; &nbsp; This will keep the number =
of globals in the vnet</div><div class=3D"gmail_default" =
style=3D"font-family:monospace">&nbsp; &nbsp; smaller.</div><div =
class=3D"gmail_default" style=3D"font-family:monospace"><br></div><div =
class=3D"gmail_default" style=3D"font-family:monospace">I am currently =
leaning towards #2, put what do others</div><div class=3D"gmail_default" =
style=3D"font-family:monospace">think?</div><div class=3D"gmail_default" =
style=3D"font-family:monospace"><br></div><div class=3D"gmail_default" =
style=3D"font-family:monospace">rick</div><div class=3D"gmail_default" =
style=3D"font-family:monospace">ps: Personally, I don't know what use =
there is of</div><div class=3D"gmail_default" =
style=3D"font-family:monospace">&nbsp; &nbsp; running the nfsd inside a =
vnet jail, but bz@ has</div><div class=3D"gmail_default" =
style=3D"font-family:monospace">&nbsp; &nbsp; some use =
case.</div></div></blockquote></div></div></div></div><blockquote =
type=3D"cite"><div><div dir=3D"auto"><div><div =
class=3D"gmail_quote"><blockquote class=3D"gmail_quote" style=3D"margin:0 =
0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div =
dir=3D"ltr"></div></blockquote></div></div></div>
</div></blockquote></div><br></div></body></html>=

--Apple-Mail=_787AA221-05D9-43E9-8A62-1E05DDA91853--