From nobody Fri Dec 02 01:14:53 2022 X-Original-To: freebsd-current@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NNZk14pRcz4jvTK for ; Fri, 2 Dec 2022 01:15:05 +0000 (UTC) (envelope-from rick.macklem@gmail.com) Received: from mail-pf1-x42c.google.com (mail-pf1-x42c.google.com [IPv6:2607:f8b0:4864:20::42c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NNZk12ryFz469n; Fri, 2 Dec 2022 01:15:05 +0000 (UTC) (envelope-from rick.macklem@gmail.com) Authentication-Results: mx1.freebsd.org; none Received: by mail-pf1-x42c.google.com with SMTP id l127so2887444pfl.2; Thu, 01 Dec 2022 17:15:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=f4NLHJQm6JDDiccjNK99upryKrGTdftx6RD4WPG+NI0=; b=ow79V1A+ep9u2AEIGUmd9ICjJIn5oJglHW72cJUfAClMAQjioLlC/CikJHWIg74Awg gUTxEcXHDqaPbd5ByLFlevEiv+1KQjscJnPYTnnKH3HbCnXCUHA2LusVJyjR/UN19ujI qcBNCRpYQo3qCp2Qb4prDQG72uRtJVc8u9j06JXTsy42m/ylfwMdTi3G5aig/7cSPZAj yMhXrIZVmC40iHICh/Mu4b2Ksp+KyaI9gmLkwvhPJRLxHzJFxWxo7lmuMoRiBYSjnTah 4VzaHfuXqdAzbvfn5T7ddIMaT8GyVGJ6tiNL4HZdyADAFg7L+NBtmwc9GliOGv0kLFkG +AWw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=f4NLHJQm6JDDiccjNK99upryKrGTdftx6RD4WPG+NI0=; b=AE5/STTdbNCxY+up9mXNSAwBmG0bjaA9vh/8CalpQ6FJfkZlrxk4GqnXGzFfcGkjKd j4X3AxLT1VD1KaRsMwtkeozUjOikY21t5IupA6bz+419mgOAp5F+UBH1oVDV+08FMzFV 0J0NZrBepXRoCGBt6TyBc7J3ncjrIKcflqxXSk+Y1wc9siDoZl1IcaRWL7nd97yiiQV1 E0PUyKgOtAKkU4bRWG3sZ16tDZ5qws6UOZ3LHxD5gzPaq2rWJfOoJ1qVNNPPRtdZHtR0 3WLGNYQfEsJUKJcWDiqXqfjMYcSfjA4Gstvtqvkhm+ygCu/jhaTbJ7uoZhflUz1QkUBs A84g== X-Gm-Message-State: ANoB5pmEuXHKne+hV/VfepuvWMAd6lLU+S5EcBqlep03hJrktEbewKw+ P+ofuxEMDveINBmaw6oV/KHZdkirdFr5uppVYZMY2qg= X-Google-Smtp-Source: AA0mqf7yxnM+iT/S8HCFBfMs6/N+mN2mkYc3eS5tlQNPbqDAh3XFiViL0OtzjTrZtVUnirPyzI2U/F1ltw7ZKLqaKgY= X-Received: by 2002:a63:4944:0:b0:44e:466f:4759 with SMTP id y4-20020a634944000000b0044e466f4759mr43495628pgk.194.1669943703711; Thu, 01 Dec 2022 17:15:03 -0800 (PST) List-Id: Discussions about the use of FreeBSD-current List-Archive: https://lists.freebsd.org/archives/freebsd-current List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-current@freebsd.org MIME-Version: 1.0 References: <82103A1E-9D39-47B0-9520-205583C8B680@lysator.liu.se> <20221201102925.Horde.uAC-87YyIRDDnqJTmvsFwNm@webmail.leidinger.net> In-Reply-To: <20221201102925.Horde.uAC-87YyIRDDnqJTmvsFwNm@webmail.leidinger.net> From: Rick Macklem Date: Thu, 1 Dec 2022 17:14:53 -0800 Message-ID: Subject: Re: RFC: nfsd in a vnet jail To: Alexander Leidinger Cc: Alan Somers , Peter Eriksson , FreeBSD CURRENT , "Bjoern A. Zeeb" Content-Type: multipart/alternative; boundary="00000000000041358305eece11a9" X-Rspamd-Queue-Id: 4NNZk12ryFz469n X-Spamd-Bar: ---- X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; TAGGED_FROM(0.00)[] X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-ThisMailContainsUnwantedMimeParts: N --00000000000041358305eece11a9 Content-Type: text/plain; charset="UTF-8" On Thu, Dec 1, 2022 at 1:29 AM Alexander Leidinger wrote: > > Quoting Alan Somers (from Tue, 29 Nov 2022 > 17:28:10 -0700): > > > On Tue, Nov 29, 2022 at 5:21 PM Rick Macklem > wrote: > > >> So, what do others think of enforcing the requirement that each jail > >> have its own file systems for this? > > > > I think that's a totally reasonable requirement. Especially so for > > ZFS users, who already create a filesystem per jail for other reasons. > > While I agree that it is a reasonable requirement, just a note that we > can not assume that every existing jail resides on its own file > system. The base system jail infrastructure doesn't check this, and > the ezjail port doesn't either. The iocage port does it. > > Is there a way to detect this inside a jail and error out in nfsd/mountd? I think the check (...->pr_root->v_vflag & VV_ROOT) is sufficient. At least it is working for current testing. rick > > Bye, > Alexander. > > -- > http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF > http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF > --00000000000041358305eece11a9 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable


On Thu, Dec 1, 2022 at 1:29 AM Alexander Leid= inger <Alexander@leidinger.ne= t> wrote:

Quoting Alan Somers <asomers@freebsd.org> (from Tue, 29 Nov 2022=C2=A0
17:28:10 -0700):

> On Tue, Nov 29, 2022 at 5:21 PM Rick Macklem <rick.macklem@gmail.com> wrote= :

>> So, what do others think of enforcing the requirement that each ja= il
>> have its own file systems for this?
>
> I think that's a totally reasonable requirement.=C2=A0 Especially = so for
> ZFS users, who already create a filesystem per jail for other reasons.=

While I agree that it is a reasonable requirement, just a note that we=C2= =A0
can not assume that every existing jail resides on its own file=C2=A0
system. The base system jail infrastructure doesn't check this, and=C2= =A0
the ezjail port doesn't either. The iocage port does it.

Is there a way to detect this inside a jail and error out in nfsd/mountd?
I think the check (...->pr_root->v_vflag & VV_ROOT) is suffici= ent.
At least it is working for current testing.

<= div>rick=C2= =A0
=C2=A0
Bye,
Alexander.

--
h= ttp://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF=
htt= p://www.FreeBSD.org=C2=A0 =C2=A0 netchild@FreeBSD.org=C2=A0 : PGP 0x8F3= 1830F9F2772BF
--00000000000041358305eece11a9--