Date: Sun, 27 Nov 2022 10:18:51 -0800
From: James Gritton <jamie@freebsd.org>
To: freebsd-current@freebsd.org
Cc: Rick Macklem <rick.macklem@gmail.com>, bz@freebsd.org
Subject: Re: RFC: nfsd in a vnet jail
Message-ID: <d565689e2e61b48bb208cd4ea9f5e392@freebsd.org>
In-Reply-To: <CAM5tNy7CQaBTRWG0m0aN6T0xG2L2zSQJGa%2BatGaH%2BmW%2BwEpdyQ@mail.gmail.com>
References: <CAM5tNy7CQaBTRWG0m0aN6T0xG2L2zSQJGa%2BatGaH%2BmW%2BwEpdyQ@mail.gmail.com>
On 2022-11-25 15:17, Rick Macklem wrote:
> Hi,
>
> bz@ has encouraged me to fiddle with the nfsd
> so that it works in a vnet jail.
> I have now basically done so, specifically for
> NFSv4, since NFSv3 presents various issues.
>
> What I have not yet done is put global variables
> in the vnet. This needs to be done so that the nfsd
> can be run in multiple jail instances and/or in and
> outside of a jail.
> The problem is that there are 100s of global variables.
>
> I can see two approaches:
> 1 - Move them all into the vnet jail. This would imply
>     that all the sysctls need to somehow be changed,
>     which would seem to be a POLA violation.
>     It also implies a lot of stuff in the vnet.
> 2 - Just move the global variables that will always
>     differ from one nfsd to another (this would make
>     the sysctls global and apply to all nfsds).
>     This will keep the number of globals in the vnet
>     smaller.
>
> I am currently leaning towards #2, but what do others
> think?
>
> rick
> ps: Personally, I don't know what use there is of
>     running the nfsd inside a vnet jail, but bz@ has
>     some use case.

I would prefer closer to #2, unless you want to support only one jail running nfsd (which is admittedly one of the more likely scenarios). I imagine it's a case-by-case judgement call, as to whether a particular knob should be global or per-jail.
- Jamie