From: Alan Somers
Date: Fri, 25 Nov 2022 22:06:44 -0700
Subject: Re: RFC: nfsd in a vnet jail
To: Rick Macklem
Cc: FreeBSD CURRENT, "Bjoern A. Zeeb"
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

On Fri, Nov 25, 2022, 4:24 PM Rick Macklem wrote:
> Hi,
>
> bz@ has encouraged me to fiddle with the nfsd
> so that it works in a vnet jail.
> I have now basically done so, specifically for
> NFSv4, since NFSv3 presents various issues.
>
> What I have not yet done is put global variables
> in the vnet. This needs to be done so that the nfsd
> can be run in multiple jail instances and/or in and
> outside of a jail.
> The problem is that there are 100s of global variables.
>
> I can see two approaches:
> 1 - Move them all into the vnet jail. This would imply
>     that all the sysctls need to somehow be changed,
>     which would seem to be a POLA violation.
>     It also implies a lot of stuff in the vnet.
> 2 - Just move the global variables that will always
>     differ from one nfsd to another (this would make
>     the sysctls global and apply to all nfsds).
>     This will keep the number of globals in the vnet
>     smaller.
>
> I am currently leaning towards #2, but what do others
> think?
>
> rick
> ps: Personally, I don't know what use there is of
>     running the nfsd inside a vnet jail, but bz@ has
>     some use case.

This is super-awesome! Thank you so much! I've got a use case too. I think it would be fine to leave most of the settings global, like max_threads. But we should probably decide on a case-by-case basis.