From: Rick Macklem
Date: Fri, 2 Dec 2022 16:04:05 -0800
Subject: Re: RFC: nfsd in a vnet jail
To: Olivier Certner
Cc: freebsd-current@freebsd.org
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

I think this is worthy of third party testing now.
See https://people.freebsd.org/~rmacklem/nfsd-vnet-prison-setup.txt

I still haven't tried NFSv3 and I have not ported nfsuserd into the vnet,
but most NFSv4 setups don't need it anyhow.

Good luck with it if you test it, rick
ps: Just replied to a random post for this.

On Fri, Dec 2, 2022 at 7:41 AM Olivier Certner wrote:

> > To enforce it for cases where mountd/nfsd is not being run would
> > definitely be a POLA violation.
>
> I could not agree more.
>
> Thanks for the clarification.
>
> --
> Olivier Certner