Date: Fri, 2 Dec 2022 06:44:30 -0800 From: Rick Macklem <rick.macklem@gmail.com> To: Olivier Certner <olivier.freebsd@free.fr> Cc: freebsd-current@freebsd.org Subject: Re: RFC: nfsd in a vnet jail Message-ID: <CAM5tNy5a9GYjJcjXLQvsjF77Gsu6yej5XR=mMTAuVKWxoNfR1A@mail.gmail.com> In-Reply-To: <1955021.aDjkhKmpDe@ravel> References: <CAM5tNy7CQaBTRWG0m0aN6T0xG2L2zSQJGa%2BatGaH%2BmW%2BwEpdyQ@mail.gmail.com> <20221201110137.08b2b68c@zeta.dino.sk> <CAM5tNy5pkONY5X9a3LU0u2EmcA3OYpeS9AdpSuYK9gMHAVFxmg@mail.gmail.com> <1955021.aDjkhKmpDe@ravel>
index | next in thread | previous in thread | raw e-mail
[-- Attachment #1 --] On Fri, Dec 2, 2022 at 2:03 AM Olivier Certner <olivier.freebsd@free.fr> wrote: > Hi, > > > (snip) > > > > #2 - Require separate file systems and run mountd inside the jail(s). > > > > I think that allowing both alternatives would be too confusing > > and it seems that most want mountd to run within the jail(s). > > As such, unless others prefer #1, I think #2 is the way to go. > > Just to be sure I've understood correctly: You plan to make a separate > filesystem as jail's root a requirement but only in the case of using > mountd(8) in the jail? Or in general? > Certainly not in general. Current plan is for the case of mountd/nfsd. To enforce it for cases where mountd/nfsd is not being run would definitely be a POLA violation. rick > > While I think doing so in the NFSv4/mountd case is indeed a good idea, I > don't > think enforcing it in general is. It would generally degrade the multiple > jails management experience on UFS (in the absence of a volume manager), > where > all jails have roots in the same filesystem (to avoid > allocating/deallocating > space as jails come and go or must be resized). > > Regards. > > -- > Olivier Certner > > > [-- Attachment #2 --] <div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-family:monospace"><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Dec 2, 2022 at 2:03 AM Olivier Certner <<a href="mailto:olivier.freebsd@free.fr">olivier.freebsd@free.fr</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi,<br> <br> > (snip)<br> ><br> > #2 - Require separate file systems and run mountd inside the jail(s).<br> ><br> > I think that allowing both alternatives would be too confusing<br> > and it seems that most want mountd to run within the jail(s).<br> > As such, unless others prefer #1, I think #2 is the way to go.<br> <br> Just to be sure I've understood correctly: You plan to make a separate <br> filesystem as jail's root a requirement but only in the case of using <br> mountd(8) in the jail? Or in general?<br></blockquote><div><span class="gmail_default" style="font-family:monospace">Certainly not in general. Current plan is for the case of mountd/nfsd.</span></div><div><span class="gmail_default" style="font-family:monospace"><br></span></div><div><span class="gmail_default" style="font-family:monospace">To enforce it for cases where mountd/nfsd is not being run would</span></div><div><span class="gmail_default" style="font-family:monospace">definitely be a POLA violation.</span></div><div><span class="gmail_default" style="font-family:monospace"><br></span></div><div><span class="gmail_default" style="font-family:monospace">rick</span></div><div><span class="gmail_default" style="font-family:monospace"></span> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> <br> While I think doing so in the NFSv4/mountd case is indeed a good idea, I don't <br> think enforcing it in general is. It would generally degrade the multiple <br> jails management experience on UFS (in the absence of a volume manager), where <br> all jails have roots in the same filesystem (to avoid allocating/deallocating <br> space as jails come and go or must be resized).<br> <br> Regards.<br> <br> -- <br> Olivier Certner<br> <br> <br> </blockquote></div></div>help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAM5tNy5a9GYjJcjXLQvsjF77Gsu6yej5XR=mMTAuVKWxoNfR1A>