Date: Sun, 27 Nov 2022 10:18:51 -0800
From: James Gritton <jamie@freebsd.org>
To: freebsd-current@freebsd.org
Cc: Rick Macklem <rick.macklem@gmail.com>, bz@freebsd.org
Subject: Re: RFC: nfsd in a vnet jail
Message-ID: <d565689e2e61b48bb208cd4ea9f5e392@freebsd.org>
In-Reply-To: <CAM5tNy7CQaBTRWG0m0aN6T0xG2L2zSQJGa%2BatGaH%2BmW%2BwEpdyQ@mail.gmail.com>

On 2022-11-25 15:17, Rick Macklem wrote:

> Hi,
>
> bz@ has encouraged me to fiddle with the nfsd
> so that it works in a vnet jail.
> I have now basically done so, specifically for
> NFSv4, since NFSv3 presents various issues.
>
> What I have not yet done is put global variables
> in the vnet. This needs to be done so that the nfsd
> can be run in multiple jail instances and/or in and
> outside of a jail.
> The problem is that there are 100s of global variables.
>
> I can see two approaches:
> 1 - Move them all into the vnet jail. This would imply
>     that all the sysctls need to somehow be changed,
>     which would seem to be a POLA violation.
>     It also implies a lot of stuff in the vnet.
> 2 - Just move the global variables that will always
>     differ from one nfsd to another (this would make
>     the sysctls global and apply to all nfsds).
>     This will keep the number of globals in the vnet
>     smaller.
>
> I am currently leaning towards #2, but what do others
> think?
>
> rick
> ps: Personally, I don't know what use there is of
>     running the nfsd inside a vnet jail, but bz@ has
>     some use case.

I would prefer closer to #2, unless you want to support only one jail running nfsd (which is admittedly one of the more likely scenarios). I imagine it's a case-by-case judgement call, as to whether a particular knob should be global or per-jail.

- Jamie

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?d565689e2e61b48bb208cd4ea9f5e392>
