Date: Fri, 2 Dec 2022 06:44:30 -0800
From: Rick Macklem <rick.macklem@gmail.com>
To: Olivier Certner <olivier.freebsd@free.fr>
Cc: freebsd-current@freebsd.org
Subject: Re: RFC: nfsd in a vnet jail
Message-ID: <CAM5tNy5a9GYjJcjXLQvsjF77Gsu6yej5XR=mMTAuVKWxoNfR1A@mail.gmail.com>
In-Reply-To: <1955021.aDjkhKmpDe@ravel>
References: <CAM5tNy7CQaBTRWG0m0aN6T0xG2L2zSQJGa%2BatGaH%2BmW%2BwEpdyQ@mail.gmail.com> <20221201110137.08b2b68c@zeta.dino.sk> <CAM5tNy5pkONY5X9a3LU0u2EmcA3OYpeS9AdpSuYK9gMHAVFxmg@mail.gmail.com> <1955021.aDjkhKmpDe@ravel>

On Fri, Dec 2, 2022 at 2:03 AM Olivier Certner <olivier.freebsd@free.fr> wrote:

> Hi,
>
> > (snip)
> >
> > #2 - Require separate file systems and run mountd inside the jail(s).
> >
> > I think that allowing both alternatives would be too confusing
> > and it seems that most want mountd to run within the jail(s).
> > As such, unless others prefer #1, I think #2 is the way to go.
>
> Just to be sure I've understood correctly: You plan to make a separate
> filesystem as jail's root a requirement but only in the case of using
> mountd(8) in the jail? Or in general?
>
Certainly not in general. Current plan is for the case of mountd/nfsd.

To enforce it for cases where mountd/nfsd is not being run would
definitely be a POLA violation.

rick

>
> While I think doing so in the NFSv4/mountd case is indeed a good idea, I don't
> think enforcing it in general is. It would generally degrade the multiple
> jails management experience on UFS (in the absence of a volume manager), where
> all jails have roots in the same filesystem (to avoid allocating/deallocating
> space as jails come and go or must be resized).
>
> Regards.
>
> --
> Olivier Certner

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAM5tNy5a9GYjJcjXLQvsjF77Gsu6yej5XR=mMTAuVKWxoNfR1A>