Re: RFC: nfsd in a vnet jail

From: James Gritton <jamie_at_freebsd.org>
Date: Sun, 27 Nov 2022 18:18:51 UTC

On 2022-11-25 15:17, Rick Macklem wrote:

> Hi,
> 
> bz@ has encouraged me to fiddle with the nfsd
> so that it works in a vnet jail.
> I have now basically done so, specifically for
> NFSv4, since NFSv3 presents various issues.
> 
> What I have not yet done is put global variables
> in the vnet. This needs to be done so that the nfsd
> can be run in multiple jail instances and/or in and
> outside of a jail.
> The problem is that there are 100s of global variables.
> 
> I can see two approaches:
> 1 - Move them all into the vnet jail. This would imply
> that all the sysctls need to somehow be changed,
> which would seem to be a POLA violation.
> It also implies a lot of stuff in the vnet.
> 2 - Just move the global variables that will always
> differ from one nfsd to another (this would make
> the sysctls global and apply to all nfsds).
> This will keep the number of globals in the vnet
> smaller.
> 
> I am currently leaning towards #2, but what do others
> think?
> 
> rick
> ps: Personally, I don't know what use there is of
> running the nfsd inside a vnet jail, but bz@ has
> some use case.

I would prefer closer to #2, unless you want to support only one jail 
running nfsd (which is admittedly one of the more likely scenarios).  I 
imagine it's a case-by-case judgement call, as to whether a particular 
knob should be global or per-jail.

- Jamie