Date: Thu, 1 Dec 2022 17:21:49 -0800 From: Rick Macklem <rick.macklem@gmail.com> To: Milan Obuch <freebsd-current@dino.sk> Cc: freebsd-current@freebsd.org, Alexander Leidinger <Alexander@leidinger.net>, Alan Somers <asomers@freebsd.org>, Peter Eriksson <pen@lysator.liu.se>, bz@freebsd.org Subject: Re: RFC: nfsd in a vnet jail Message-ID: <CAM5tNy5pkONY5X9a3LU0u2EmcA3OYpeS9AdpSuYK9gMHAVFxmg@mail.gmail.com> In-Reply-To: <20221201110137.08b2b68c@zeta.dino.sk> References: <CAM5tNy7CQaBTRWG0m0aN6T0xG2L2zSQJGa%2BatGaH%2BmW%2BwEpdyQ@mail.gmail.com> <CAOtMX2hxeeNMxxdpma8NJ7ms60eRfuCWoFi7FixdSe83=qibkA@mail.gmail.com> <82103A1E-9D39-47B0-9520-205583C8B680@lysator.liu.se> <CAM5tNy71UAOkCQb9upc_OxhM-y5rp9jMKbKTJr619JFCGsfRkg@mail.gmail.com> <CAOtMX2jtCJgUpwbW7QUxDRYhXVXAyj8LqPYcuT=F-Dz4kS4J-Q@mail.gmail.com> <20221201102925.Horde.uAC-87YyIRDDnqJTmvsFwNm@webmail.leidinger.net> <20221201110137.08b2b68c@zeta.dino.sk>
On Thu, Dec 1, 2022 at 2:01 AM Milan Obuch <freebsd-current@dino.sk> wrote:
> On Thu, 01 Dec 2022 10:29:25 +0100
> Alexander Leidinger <Alexander@leidinger.net> wrote:
>
> > Quoting Alan Somers <asomers@freebsd.org> (from Tue, 29 Nov 2022
> > 17:28:10 -0700):
> >
> > > On Tue, Nov 29, 2022 at 5:21 PM Rick Macklem
> > > <rick.macklem@gmail.com> wrote:
> >
> > >> So, what do others think of enforcing the requirement that each
> > >> jail have its own file systems for this?
> > >
> > > I think that's a totally reasonable requirement. Especially so for
> > > ZFS users, who already create a filesystem per jail for other
> > > reasons.
> >
> > While I agree that it is a reasonable requirement, just a note that
> > we cannot assume that every existing jail resides on its own file
> > system. The base system jail infrastructure doesn't check this, and
> > the ezjail port doesn't either. The iocage port does it.
> >
>
> My position would be a 'recommended, but not forced-to' one. I have
> various installations with jails sharing parts of a filesystem (like
> ports or src tree for development, or even a local git repository), or
> even running with exactly the same directory as root of a number of
> jails. Probably not a common scenario for sure, but still useful.
>
Others indicate they want mountd to run inside the jail.
To get that to work, the jail needs to be in a separate file
system, since it is the file system(s) mount point(s) that the
export information is attached to in the kernel.

It comes down to...
#1 - Run mountd outside of the jails and encourage use of separate
     file systems.
     (Also, since the exports information would be applied to the file
     system(s) and not the jails, a malicious NFS client could
     "guess" a file handle and access files outside of the jail.
     This seems counter to what a jail should provide.)
OR
#2 - Require separate file systems and run mountd inside the jail(s).
I think that allowing both alternatives would be too confusing
and it seems that most want mountd to run within the jail(s).
As such, unless others prefer #1, I think #2 is the way to go.

rick

> Regards,
> Milan
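Rick's point above is that NFS export state hangs off the mount point, not off the jail, so option #2 only works for a jail whose root is its own mount point and is not shared with another jail (the layouts Milan describes would fail that test). The script below is an added example, not code from this thread or from FreeBSD: a POSIX sh/awk check that takes a mount(8)-style mount list and a list of jail names and roots and reports, per jail, whether the root is a separate file system, whether it is the same directory as another jail's root, or which enclosing file system its export state would actually attach to. The mount list, jail names, paths and the status words are constructed for the example; on a real host you would feed it the output of `mount -p` and `jls name path` instead.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD: report, for each jail,
# whether its root is a separate file system (a mount point of its own that no
# other jail uses), which is what option #2 above relies on.
#
# check_jails JAILS MOUNTS
#   JAILS:  lines of "name path"             (what `jls name path` prints)
#   MOUNTS: lines of "device mountpoint ..."  (what `mount -p` prints)
# Prints one line per jail: "name path STATUS", where STATUS is
#   separate                 root is its own mount point, used by one jail
#   shared-root              another jail uses the same directory as root
#   not-a-mountpoint:/enc    root lives inside the file system mounted at /enc,
#                            so export state would attach to /enc, not the jail
# Returns the number of jails that are not "separate" (0 when all are fine).
check_jails() {
    {
        printf '%s\n' "$2" | sed 's/^/M /'
        printf '%s\n' "$1" | sed 's/^/J /'
    } | awk '
    # longest mount point that contains path p ("/" contains everything)
    function enclosing(p,   m, best) {
        best = ""
        for (m in mp)
            if ((m == "/" || index(p, m "/") == 1) && length(m) > length(best))
                best = m
        return best
    }
    $1 == "M" && NF >= 3 { mp[$3] = 1; next }
    $1 == "J" && NF >= 3 { nj++; name[nj] = $2; root[nj] = $3; seen[$3]++ }
    END {
        bad = 0
        for (i = 1; i <= nj; i++) {
            if (seen[root[i]] > 1)
                status = "shared-root"
            else if (root[i] in mp)
                status = "separate"
            else
                status = "not-a-mountpoint:" enclosing(root[i])
            if (status != "separate") bad++
            print name[i], root[i], status
        }
        exit bad
    }'
}

# Constructed sample input (made up for this example, not a real host).
SAMPLE_MOUNTS='zroot/ROOT/default / zfs rw 0 0
zroot/jails/www /jails/www zfs rw 0 0
zroot/jails/db /jails/db zfs rw 0 0
zroot/usr/ports /usr/ports zfs rw 0 0'

SAMPLE_JAILS='www /jails/www
db /jails/db
dev1 /jails/shared
dev2 /jails/shared
nfs /jails/www/nfs'

check_jails "$SAMPLE_JAILS" "$SAMPLE_MOUNTS" ||
    echo "$? jail(s) would not get their own export state"
```

The check only asks whether the root is a mount point; it treats any mount as separate, so a nullfs mount of a directory that the host or another jail also sees will pass even though its export state would still be shared with the underlying file system. For the sample input it flags three of the five jails: the two that share /jails/shared as their root, and the one whose root sits inside the file system mounted at /jails/www.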
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAM5tNy5pkONY5X9a3LU0u2EmcA3OYpeS9AdpSuYK9gMHAVFxmg>
