From: Alan Somers
Date: Thu, 1 Dec 2022 09:37:57 -0700
Subject: Re: RFC: nfsd in a vnet jail
To: Chris
Cc: Rick Macklem, Peter Eriksson, FreeBSD CURRENT, "Bjoern A. Zeeb"
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current
References: <82103A1E-9D39-47B0-9520-205583C8B680@lysator.liu.se> <2980bcbd22f884962d358808f9440d77@bsdforge.com>
In-Reply-To: <2980bcbd22f884962d358808f9440d77@bsdforge.com>

> I don't care for any of it. It looks like additional overhead with the
> addition of potential security risks. All for a very limited (and as yet
> unknown) use case.

Here's an example of a real-world use case. I'm responsible for supporting multiple products involving NFS, iSCSI, and other protocols. For security reasons, each product is placed on its own VLAN. Sometimes it's not practical to dedicate a physical server to a single product, so I have to double up. For the products that don't involve NFS or iSCSI, I place them in a VNET jail. That way their processes can only access the correct VLAN. But NFS and iSCSI can't (yet) be jailed, so those products need to be served by JID 0. Therefore, those products' processes can access each other's VLANs. Clearly that's not ideal.

Jailing different products is also good for manageability. It's easier to manage the list of packages that must be installed for each product, config file settings, etc. For example, some of our NFS products require vfs.nfsd.enable_stringtouid=1, but others could work without it. Right now, we're forced to turn it on for all products.

-Alan
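One way to express the per-VLAN VNET jail layout the message describes, as an added example that is not part of the original mail or of FreeBSD's own configuration (the interface names, VLAN IDs, jail paths, hostnames and the devfs ruleset number are assumptions):

```conf
# /etc/jail.conf (added example, not from the original mail; interface names,
# VLAN IDs, paths, hostnames and the devfs ruleset number are assumptions)

# Defaults shared by every product jail.
path = "/jails/$name";
exec.clean;
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
mount.devfs;
devfs_ruleset = 4;   # devfsrules_jail from /etc/defaults/devfs.rules (assumed)

# Product A needs neither NFS nor iSCSI, so it gets its own network stack.
# The host creates the tagged interface and moves it into the jail's vnet;
# once moved, it is gone from JID 0 and from every other jail, so product A's
# processes can reach VLAN 100 and nothing else.
product_a {
    host.hostname = "product-a.example.invalid";
    vnet;
    vnet.interface = "vlan100";
    exec.prestart = "ifconfig vlan100 create vlandev igb0 vlan 100";
    exec.poststop = "ifconfig vlan100 destroy";
}

# Product B is another non-NFS product on its own VLAN, same pattern.
product_b {
    host.hostname = "product-b.example.invalid";
    vnet;
    vnet.interface = "vlan200";
    exec.prestart = "ifconfig vlan200 create vlandev igb0 vlan 200";
    exec.poststop = "ifconfig vlan200 destroy";
}

# Products that serve NFS or iSCSI are deliberately absent: nfsd and ctld
# still have to run in the host (JID 0), which is the gap the mail describes.
```

After `service jail start product_a`, running `ifconfig` via `jexec product_a` should list only lo0 and vlan100; if igb0 or another product's VLAN interface shows up inside the jail, the interface was never moved into the jail's vnet and the isolation the layout depends on is not in effect.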