From nobody Fri Dec 2 14:44:30 2022 X-Original-To: freebsd-current@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NNwh971Hyz4jcv5 for ; Fri, 2 Dec 2022 14:44:41 +0000 (UTC) (envelope-from rick.macklem@gmail.com) Received: from mail-pg1-x52f.google.com (mail-pg1-x52f.google.com [IPv6:2607:f8b0:4864:20::52f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NNwh93vL2z3Nr5 for ; Fri, 2 Dec 2022 14:44:41 +0000 (UTC) (envelope-from rick.macklem@gmail.com) Authentication-Results: mx1.freebsd.org; none Received: by mail-pg1-x52f.google.com with SMTP id s196so4544927pgs.3 for ; Fri, 02 Dec 2022 06:44:41 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=JjpjTaGxUGAo7K328a+c2YpdWjGY6+2kmxC42oM1aI4=; b=bIGkTBmHFNXP6VEgt7XwmqwPOLfn7mxwOn//zKpxudaKSFXykoYc9iadKxrERNED/0 MNZUnyDuvQmWNB2NK6m5BccnYq7pNdulMFd84HZdn1XcNmFu3okyJWV9h0nyYk/Zxwnm t+/gWOC+fG0zx+h9kfTziznlkzxFF0Jfn7kaAJSfDBcHo96vCy60Vfgj2gRN27MT4XtV ZKWamkl6svk7BXRRTZc+XS9bkWxuRQa66KBVl6kQm1QvkmyxqybzdtgBTV4CBk5+1aob WOOd811OCdvoD3j6kZqXapDp9J9VGtSFlYKmnPqT775C2oSrRD4z93VirRtj5Cg/qgVM 2/Hg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=JjpjTaGxUGAo7K328a+c2YpdWjGY6+2kmxC42oM1aI4=; b=tEXO3ePhYJzC/kO5tAlBaVCcSUqON7tzNt4bBFr3TvphuaCAX0FEhFJj0+QG1tdVB3 uulODHGHk7ViBdV9NXu6kXOXGGpOvwTL8p5ZErUZ4PzDIQNEdtd3jApKqTWKtF6l8gyz LUJY5jDYda2xO3MsHvui24IueyNj+nys2uHMvUx0v+h2jAcffrfA6F1MHJ1jD05Ba4vc viVacEs5RAbmA8PUpGAhABc3D7wDKarzwTFe8iJuvvansleoG+OeUEN1IbgBO1mJ6vp1 Il6HExOUq65PtuPzw6TxxX4ZPlfuY/aWnesrUI36HB5Bm3KrkAjCP7Q7f9BigUmnfMqC XQKw== X-Gm-Message-State: ANoB5pkKFF7DOfv+LRCOQ851HUWGEhIT+1t92lXIS8GaFL0d5xpvXAxl Cj8V1GuILZZDjk2l+w5t4M6GlzoE2be1WYCn1w== X-Google-Smtp-Source: AA0mqf6gE/E6oIZl4BnciC49BUwWwMMmBCjj8uIZI/8ym3F9gbldxgZ3OCrQj0qd2iFLKzP1gSosZKyVj8x8GHB460s= X-Received: by 2002:a05:6a00:21c8:b0:562:e0fb:3c79 with SMTP id t8-20020a056a0021c800b00562e0fb3c79mr52376040pfj.39.1669992280445; Fri, 02 Dec 2022 06:44:40 -0800 (PST) List-Id: Discussions about the use of FreeBSD-current List-Archive: https://lists.freebsd.org/archives/freebsd-current List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-current@freebsd.org MIME-Version: 1.0 References: <20221201110137.08b2b68c@zeta.dino.sk> <1955021.aDjkhKmpDe@ravel> In-Reply-To: <1955021.aDjkhKmpDe@ravel> From: Rick Macklem Date: Fri, 2 Dec 2022 06:44:30 -0800 Message-ID: Subject: Re: RFC: nfsd in a vnet jail To: Olivier Certner Cc: freebsd-current@freebsd.org Content-Type: multipart/alternative; boundary="000000000000a7568c05eed96081" X-Rspamd-Queue-Id: 4NNwh93vL2z3Nr5 X-Spamd-Bar: ---- X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; TAGGED_FROM(0.00)[] X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-ThisMailContainsUnwantedMimeParts: N --000000000000a7568c05eed96081 Content-Type: text/plain; charset="UTF-8" On Fri, Dec 2, 2022 at 2:03 AM Olivier Certner wrote: > Hi, > > > (snip) > > > > #2 - Require separate file systems and run mountd inside the jail(s). > > > > I think that allowing both alternatives would be too confusing > > and it seems that most want mountd to run within the jail(s). > > As such, unless others prefer #1, I think #2 is the way to go. > > Just to be sure I've understood correctly: You plan to make a separate > filesystem as jail's root a requirement but only in the case of using > mountd(8) in the jail? Or in general? > Certainly not in general. Current plan is for the case of mountd/nfsd. To enforce it for cases where mountd/nfsd is not being run would definitely be a POLA violation. rick > > While I think doing so in the NFSv4/mountd case is indeed a good idea, I > don't > think enforcing it in general is. It would generally degrade the multiple > jails management experience on UFS (in the absence of a volume manager), > where > all jails have roots in the same filesystem (to avoid > allocating/deallocating > space as jails come and go or must be resized). > > Regards. > > -- > Olivier Certner > > > --000000000000a7568c05eed96081 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable


On Fri, Dec 2, 2022 at 2:03 AM Olivier Certne= r <olivier.freebsd@free.fr> wrote:
Hi,=

> (snip)
>
> #2 - Require separate file systems and run mountd inside the jail(s).<= br> >
> I think that allowing both alternatives would be too confusing
> and it seems that most want mountd to run within the jail(s).
> As such, unless others prefer #1, I think #2 is the way to go.

Just to be sure I've understood correctly: You plan to make a separate =
filesystem as jail's root a requirement but only in the case of using <= br> mountd(8) in the jail? Or in general?



While I think doing so in the NFSv4/mountd case is indeed a good idea, I do= n't
think enforcing it in general is. It would generally degrade the multiple <= br> jails management experience on UFS (in the absence of a volume manager), wh= ere
all jails have roots in the same filesystem (to avoid allocating/deallocati= ng
space as jails come and go or must be resized).

Regards.

--
Olivier Certner


--000000000000a7568c05eed96081--