From nobody Fri Nov 25 23:17:46 2022
X-Original-To: freebsd-current@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NJrXc2YYhz4hkBv
	for <freebsd-current@mlmmj.nyi.freebsd.org>; Fri, 25 Nov 2022 23:24:00 +0000 (UTC)
	(envelope-from rick.macklem@gmail.com)
Received: from mail-oa1-x32.google.com (mail-oa1-x32.google.com [IPv6:2001:4860:4864:20::32])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4NJrXb1Jypz3lQ1;
	Fri, 25 Nov 2022 23:23:59 +0000 (UTC)
	(envelope-from rick.macklem@gmail.com)
Authentication-Results: mx1.freebsd.org;
	dkim=pass header.d=gmail.com header.s=20210112 header.b=BrhbFlu5;
	spf=pass (mx1.freebsd.org: domain of rick.macklem@gmail.com designates 2001:4860:4864:20::32 as permitted sender) smtp.mailfrom=rick.macklem@gmail.com;
	dmarc=pass (policy=none) header.from=gmail.com
Received: by mail-oa1-x32.google.com with SMTP id 586e51a60fabf-1433ef3b61fso6705864fac.10;
        Fri, 25 Nov 2022 15:23:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=cc:to:subject:message-id:date:from:mime-version:from:to:cc:subject
         :date:message-id:reply-to;
        bh=GhqUYDkUfFO/EWpqtr6qDfEOLz0Q9pGWZNExtqPemMc=;
        b=BrhbFlu5hruLmUJlNxIqO48ckbl42JRIjEgcN4O1tJPyalmBjVqsoy3oS54xSqSEC8
         N/taIGBqrJYwksXac/J9YIojQWLXoPcZvKpSUnW/rRWw8Bma5azgT0ZMiit5GjXJJxyw
         oLoQ6QpxHPasG31eg1gh52W3Ok/srYs4J3RP4jIYSAFOVu62RBlhc2RsI30FZO35fwyS
         hr3Y8IwKLBpJBl+jEjOvrumUl+pEzyKMJLsYggwkG3PVuNk19PvVXpfSCkf9aENzR3EB
         gdEzKEACBP/k+/v+mI+oWXfChkKZEWm76yN8nOHMcuxqolZSXgXBy90idqQoaEgHk6lS
         vtjQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=cc:to:subject:message-id:date:from:mime-version:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=GhqUYDkUfFO/EWpqtr6qDfEOLz0Q9pGWZNExtqPemMc=;
        b=mEtbXEnhv0qzpqTXM6xP3MEyAohJ8E5bYRlN0/LonJz30xbSaatW8xKTZZ8JCmBhun
         efoqb561Eqvp+Xx+cap80AaKSJqvNNmT/ejPl5FHFeGfOKFMUc+rgqOQ/tyIay/n0rWZ
         FDndekZF1zQeYpIlkLHKHFWCYNgPq5M6p5HOSkocxdm0jvPJF2QcVv6llDOv155gULMQ
         WtpiFCMNAbiztx/cIUnPWaOy1P3Yb8hCefFXRSLQrzSpIC80OsFvg+MZFCl1dL7VAXMZ
         JpWcxGuHYsvZr9IqfvYxS3jx7NrYoOmxNOsApSPX6FiCSha44s92lcZp3I4+YKacFEv0
         Yrsg==
X-Gm-Message-State: ANoB5pkscsNFa9bT9l7uU+qWKp3fsk0unq27+AjCR3MYhKiJWM9VaW6x
	JJlReTf1qMbBzkEAT1cFmdc5p8F1YNwq2V1c/OZIMpM=
X-Google-Smtp-Source: AA0mqf45CFXsSbFoESV8z5DqxfhYX1+FeItoBnJxEHR+XkYK6/XFg0Ih2QHXGQrWFXncs+vNSoWIedY6oXLEyIq0otY=
X-Received: by 2002:a17:90a:2f23:b0:218:72e0:307b with SMTP id
 s32-20020a17090a2f2300b0021872e0307bmr42646593pjd.183.1669418277131; Fri, 25
 Nov 2022 15:17:57 -0800 (PST)
List-Id: Discussions about the use of FreeBSD-current <freebsd-current.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-current
List-Help: <mailto:freebsd-current+help@freebsd.org>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Subscribe: <mailto:freebsd-current+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-current+unsubscribe@freebsd.org>
Sender: owner-freebsd-current@freebsd.org
MIME-Version: 1.0
From: Rick Macklem <rick.macklem@gmail.com>
Date: Fri, 25 Nov 2022 15:17:46 -0800
Message-ID: <CAM5tNy7CQaBTRWG0m0aN6T0xG2L2zSQJGa+atGaH+mW+wEpdyQ@mail.gmail.com>
Subject: RFC: nfsd in a vnet jail
To: freebsd-current@freebsd.org
Cc: bz@freebsd.org
Content-Type: multipart/alternative; boundary="00000000000063da1b05ee53bbd2"
X-Spamd-Result: default: False [-3.37 / 15.00];
	NEURAL_HAM_LONG(-1.00)[-1.000];
	NEURAL_HAM_MEDIUM(-0.95)[-0.952];
	DMARC_POLICY_ALLOW(-0.50)[gmail.com,none];
	NEURAL_HAM_SHORT(-0.42)[-0.418];
	R_SPF_ALLOW(-0.20)[+ip6:2001:4860:4000::/36];
	R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112];
	MIME_GOOD(-0.10)[multipart/alternative,text/plain];
	RCVD_TLS_LAST(0.00)[];
	MLMMJ_DEST(0.00)[freebsd-current@freebsd.org];
	FROM_EQ_ENVFROM(0.00)[];
	ASN(0.00)[asn:15169, ipnet:2001:4860:4864::/48, country:US];
	RCVD_IN_DNSWL_NONE(0.00)[2001:4860:4864:20::32:from];
	FREEMAIL_ENVFROM(0.00)[gmail.com];
	MIME_TRACE(0.00)[0:+,1:+,2:~];
	RCPT_COUNT_TWO(0.00)[2];
	MID_RHS_MATCH_FROMTLD(0.00)[];
	TAGGED_FROM(0.00)[];
	FROM_HAS_DN(0.00)[];
	ARC_NA(0.00)[];
	DKIM_TRACE(0.00)[gmail.com:+];
	DWL_DNSWL_NONE(0.00)[gmail.com:dkim];
	TO_MATCH_ENVRCPT_ALL(0.00)[];
	FREEMAIL_FROM(0.00)[gmail.com];
	TO_DN_NONE(0.00)[];
	RCVD_COUNT_TWO(0.00)[2]
X-Rspamd-Queue-Id: 4NJrXb1Jypz3lQ1
X-Spamd-Bar: ---
X-ThisMailContainsUnwantedMimeParts: N

--00000000000063da1b05ee53bbd2
Content-Type: text/plain; charset="UTF-8"

Hi,

bz@ has encouraged me to fiddle with the nfsd
so that it works in a vnet jail.
I have now basically done so, specifically for
NFSv4, since NFSv3 presents various issues.

What I have not yet done is put global variables
in the vnet. This needs to be done so that the nfsd
can be run in multiple jail instances and/or in and
outside of a jail.
The problem is that there are 100s of global variables.

I can see two approaches:
1 - Move them all into the vnet jail. This would imply
    that all the sysctls need to somehow be changed,
    which would seem to be a POLA violation.
    It also implies a lot of stuff in the vnet.
2 - Just move the global variables that will always
    differ from one nfsd to another (this would make
    the sysctls global and apply to all nfsds).
    This will keep the number of globals in the vnet
    smaller.

I am currently leaning towards #2, put what do others
think?

rick
ps: Personally, I don't know what use there is of
    running the nfsd inside a vnet jail, but bz@ has
    some use case.

--00000000000063da1b05ee53bbd2
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div class=3D"gmail_default" style=3D"font-family:monospac=
e">Hi,</div><div class=3D"gmail_default" style=3D"font-family:monospace"><b=
r></div><div class=3D"gmail_default" style=3D"font-family:monospace">bz@ ha=
s encouraged me to fiddle with the nfsd</div><div class=3D"gmail_default" s=
tyle=3D"font-family:monospace">so that it works in a vnet jail.</div><div c=
lass=3D"gmail_default" style=3D"font-family:monospace">I have now basically=
 done so, specifically for</div><div class=3D"gmail_default" style=3D"font-=
family:monospace">NFSv4, since NFSv3 presents various issues.</div><div cla=
ss=3D"gmail_default" style=3D"font-family:monospace"><br></div><div class=
=3D"gmail_default" style=3D"font-family:monospace">What I have not yet done=
 is put global variables</div><div class=3D"gmail_default" style=3D"font-fa=
mily:monospace">in the vnet. This needs to be done so that the nfsd</div><d=
iv class=3D"gmail_default" style=3D"font-family:monospace">can be run in mu=
ltiple jail instances and/or in and</div><div class=3D"gmail_default" style=
=3D"font-family:monospace">outside of a jail.</div><div class=3D"gmail_defa=
ult" style=3D"font-family:monospace">The problem is that there are 100s of =
global variables.</div><div class=3D"gmail_default" style=3D"font-family:mo=
nospace"><br></div><div class=3D"gmail_default" style=3D"font-family:monosp=
ace">I can see two approaches:</div><div class=3D"gmail_default" style=3D"f=
ont-family:monospace">1 - Move them all into the vnet jail. This would impl=
y</div><div class=3D"gmail_default" style=3D"font-family:monospace">=C2=A0 =
=C2=A0 that all the sysctls need to somehow be changed,</div><div class=3D"=
gmail_default" style=3D"font-family:monospace">=C2=A0 =C2=A0 which would se=
em to be a POLA violation.</div><div class=3D"gmail_default" style=3D"font-=
family:monospace">=C2=A0 =C2=A0 It also implies a lot of stuff in the vnet.=
</div><div class=3D"gmail_default" style=3D"font-family:monospace">2 - Just=
 move the global variables that will always</div><div class=3D"gmail_defaul=
t" style=3D"font-family:monospace">=C2=A0 =C2=A0 differ from one nfsd to an=
other (this would make</div><div class=3D"gmail_default" style=3D"font-fami=
ly:monospace">=C2=A0 =C2=A0 the sysctls global and apply to all nfsds).</di=
v><div class=3D"gmail_default" style=3D"font-family:monospace">=C2=A0 =C2=
=A0 This will keep the number of globals in the vnet</div><div class=3D"gma=
il_default" style=3D"font-family:monospace">=C2=A0 =C2=A0 smaller.</div><di=
v class=3D"gmail_default" style=3D"font-family:monospace"><br></div><div cl=
ass=3D"gmail_default" style=3D"font-family:monospace">I am currently leanin=
g towards #2, put what do others</div><div class=3D"gmail_default" style=3D=
"font-family:monospace">think?</div><div class=3D"gmail_default" style=3D"f=
ont-family:monospace"><br></div><div class=3D"gmail_default" style=3D"font-=
family:monospace">rick</div><div class=3D"gmail_default" style=3D"font-fami=
ly:monospace">ps: Personally, I don&#39;t know what use there is of</div><d=
iv class=3D"gmail_default" style=3D"font-family:monospace">=C2=A0 =C2=A0 ru=
nning the nfsd inside a vnet jail, but bz@ has</div><div class=3D"gmail_def=
ault" style=3D"font-family:monospace">=C2=A0 =C2=A0 some use case.</div><di=
v class=3D"gmail_default" style=3D"font-family:monospace"><br></div></div>

--00000000000063da1b05ee53bbd2--