Date: Thu, 1 Dec 2022 17:21:49 -0800 From: Rick Macklem <rick.macklem@gmail.com> To: Milan Obuch <freebsd-current@dino.sk> Cc: freebsd-current@freebsd.org, Alexander Leidinger <Alexander@leidinger.net>, Alan Somers <asomers@freebsd.org>, Peter Eriksson <pen@lysator.liu.se>, bz@freebsd.org Subject: Re: RFC: nfsd in a vnet jail Message-ID: <CAM5tNy5pkONY5X9a3LU0u2EmcA3OYpeS9AdpSuYK9gMHAVFxmg@mail.gmail.com> In-Reply-To: <20221201110137.08b2b68c@zeta.dino.sk> References: <CAM5tNy7CQaBTRWG0m0aN6T0xG2L2zSQJGa%2BatGaH%2BmW%2BwEpdyQ@mail.gmail.com> <CAOtMX2hxeeNMxxdpma8NJ7ms60eRfuCWoFi7FixdSe83=qibkA@mail.gmail.com> <82103A1E-9D39-47B0-9520-205583C8B680@lysator.liu.se> <CAM5tNy71UAOkCQb9upc_OxhM-y5rp9jMKbKTJr619JFCGsfRkg@mail.gmail.com> <CAOtMX2jtCJgUpwbW7QUxDRYhXVXAyj8LqPYcuT=F-Dz4kS4J-Q@mail.gmail.com> <20221201102925.Horde.uAC-87YyIRDDnqJTmvsFwNm@webmail.leidinger.net> <20221201110137.08b2b68c@zeta.dino.sk>
next in thread | previous in thread | raw e-mail | index | archive | help
--0000000000000a2a9805eece2a5f Content-Type: text/plain; charset="UTF-8" On Thu, Dec 1, 2022 at 2:01 AM Milan Obuch <freebsd-current@dino.sk> wrote: > On Thu, 01 Dec 2022 10:29:25 +0100 > Alexander Leidinger <Alexander@leidinger.net> wrote: > > > Quoting Alan Somers <asomers@freebsd.org> (from Tue, 29 Nov 2022 > > 17:28:10 -0700): > > > > > On Tue, Nov 29, 2022 at 5:21 PM Rick Macklem > > > <rick.macklem@gmail.com> wrote: > > > > >> So, what do others think of enforcing the requirement that each > > >> jail have its own file systems for this? > > > > > > I think that's a totally reasonable requirement. Especially so for > > > ZFS users, who already create a filesystem per jail for other > > > reasons. > > > > While I agree that it is a reasonable requirement, just a note that > > we can not assume that every existing jail resides on its own file > > system. The base system jail infrastructure doesn't check this, and > > the ezjail port doesn't either. The iocage port does it. > > > > My position would be 'recommended, but not forced-to' one. I have > various installations with jails sharing parts of filesystem (like > ports or src tree for development, or even local git repository), or > even running with exactly the same directory as root of number of > jails. Probably not a common scenario for sure, but still useful. > Others indicate they want mountd to run inside the jail. To get that to work, the jail needs to be in a separate file system, since it is the file system(s) mount point(s) that the export information is attached to in the kernel. It comes down to... #1 - Run mountd outside of the jails and encourage use of separate file systems. (Also, since the exports information would be applied to the file system(s) and not the jails, a malicious NFS client could "guess" a file handle and access files outside of the jail. This seems counter to what a jail should provide.) OR #2 - Require separate file systems and run mountd inside the jail(s). I think that allowing both alternatives would be too confusing and it seems that most want mountd to run within the jail(s). As such, unless others prefer #1, I think #2 is the way to go. rick > > Regards, > Milan > --0000000000000a2a9805eece2a5f Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable <div dir=3D"ltr"><div dir=3D"ltr"><div class=3D"gmail_default" style=3D"fon= t-family:monospace"><br></div></div><br><div class=3D"gmail_quote"><div dir= =3D"ltr" class=3D"gmail_attr">On Thu, Dec 1, 2022 at 2:01 AM Milan Obuch &l= t;<a href=3D"mailto:freebsd-current@dino.sk">freebsd-current@dino.sk</a>>= ; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px= 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Thu,= 01 Dec 2022 10:29:25 +0100<br> Alexander Leidinger <<a href=3D"mailto:Alexander@leidinger.net" target= =3D"_blank">Alexander@leidinger.net</a>> wrote:<br> <br> > Quoting Alan Somers <<a href=3D"mailto:asomers@freebsd.org" target= =3D"_blank">asomers@freebsd.org</a>> (from Tue, 29 Nov 2022=C2=A0 <br> > 17:28:10 -0700):<br> > <br> > > On Tue, Nov 29, 2022 at 5:21 PM Rick Macklem<br> > > <<a href=3D"mailto:rick.macklem@gmail.com" target=3D"_blank">r= ick.macklem@gmail.com</a>> wrote:=C2=A0 <br> > <br> > >> So, what do others think of enforcing the requirement that ea= ch<br> > >> jail have its own file systems for this?=C2=A0 <br> > ><br> > > I think that's a totally reasonable requirement.=C2=A0 Especi= ally so for<br> > > ZFS users, who already create a filesystem per jail for other<br> > > reasons.=C2=A0 <br> > <br> > While I agree that it is a reasonable requirement, just a note that<br= > > we can not assume that every existing jail resides on its own file=C2= =A0 <br> > system. The base system jail infrastructure doesn't check this, an= d=C2=A0 <br> > the ezjail port doesn't either. The iocage port does it.<br> ><br> <br> My position would be 'recommended, but not forced-to' one. I have<b= r> various installations with jails sharing parts of filesystem (like<br> ports or src tree for development, or even local git repository), or<br> even running with exactly the same directory as root of number of<br> jails. Probably not a common scenario for sure, but still useful.<br></bloc= kquote><div><span class=3D"gmail_default" style=3D"font-family:monospace">O= thers indicate they want mountd to run inside the jail.</span></div><div><s= pan class=3D"gmail_default" style=3D"font-family:monospace">To get that to = work, the jail needs to be in a separate file</span></div><div><span class= =3D"gmail_default" style=3D"font-family:monospace">system, since it is the = file system(s) mount point(s) that the</span></div><div><span class=3D"gmai= l_default" style=3D"font-family:monospace">export information is attached t= o in the kernel.</span></div><div><span class=3D"gmail_default" style=3D"fo= nt-family:monospace"><br></span></div><div><span class=3D"gmail_default" st= yle=3D"font-family:monospace">It comes down to...</span></div><div><span cl= ass=3D"gmail_default" style=3D"font-family:monospace">#1 - Run mountd outsi= de of the jails and encourage use of separate</span></div><div><span class= =3D"gmail_default" style=3D"font-family:monospace">=C2=A0 file systems.</sp= an></div><div><span class=3D"gmail_default" style=3D"font-family:monospace"= >=C2=A0 (Also, since the exports information would be applied to the file</= span></div><div><span class=3D"gmail_default" style=3D"font-family:monospac= e">=C2=A0 =C2=A0system(s) and not the jails, a malicious NFS client could</= span></div><div><span class=3D"gmail_default" style=3D"font-family:monospac= e">=C2=A0 =C2=A0"guess" a file handle and access files outside of= the jail.</span></div><div><span class=3D"gmail_default" style=3D"font-fam= ily:monospace">=C2=A0 =C2=A0This seems counter to what a jail should provid= e.)</span></div><div><span class=3D"gmail_default" style=3D"font-family:mon= ospace">OR</span></div><div><span class=3D"gmail_default" style=3D"font-fam= ily:monospace">#2 - Require separate file systems and run mountd inside the= jail(s).</span></div><div><span class=3D"gmail_default" style=3D"font-fami= ly:monospace"><br></span></div><div><span class=3D"gmail_default" style=3D"= font-family:monospace">I think that allowing both alternatives would be too= confusing</span></div><div><span class=3D"gmail_default" style=3D"font-fam= ily:monospace">and it seems that most want mountd to run within the jail(s)= .</span></div><div><span class=3D"gmail_default" style=3D"font-family:monos= pace">As such, unless others prefer #1, I think #2 is the way to go.</span>= </div><div><span class=3D"gmail_default" style=3D"font-family:monospace"><b= r></span></div><div><span class=3D"gmail_default" style=3D"font-family:mono= space">rick</span>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"ma= rgin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:= 1ex"> <br> Regards,<br> Milan<br> </blockquote></div></div> --0000000000000a2a9805eece2a5f--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAM5tNy5pkONY5X9a3LU0u2EmcA3OYpeS9AdpSuYK9gMHAVFxmg>