List-Id: Production branch of FreeBSD source code
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
From: Rick Macklem
Date: Sat, 20 Jan 2024 07:09:40 -0800
Subject: Re: mounting NFS share from the jail
To: Marek Zarychta
Cc: freeBSd-stable@freebsd.org

On Sat, Jan 20, 2024 at 6:48 AM Marek Zarychta wrote:
>
> Dear List,
>
> there were some efforts to allow running nfsd(8) inside the jail, but is
> mounting an NFS share from the jail allowed?
> Inside the jail "security.jail.mount_allowed" is set to 1, I also
> added "add path net unhide" to the ruleset in devfs.rules but when
> trying to mount the NFS share I get only the error:
>
> mount_nfs: nmount: /usr/src: Operation not permitted
>
> It's not a big deal, the shares can be mounted from the jail host, but I
> am surprised that one can run NFSD inside the jail while mounting NFS
> shares is still denied.
>
> Am I missing anything or is mounting NFS from inside the jail still
> unsupported? The tests were done on the recent stable/14 from the vnet
> jail. Any clues will be appreciated.

You are correct. Mounting from inside a jail is not supported.

After doing the vnet conversion for nfsd, I tried doing it for the NFS client.
There were a moderate # of global variables that needed to be vnet'd,
which I did.
The hard/messy part was having the threads (anything that calls an NFS VFS/VOP
call) set to the proper vnet. It would have required a massive # of
CURVNET_SET()/CURVNET_RESTORE() macros and I decided that it was just too messy.

If it becomes a necessary feature, it is ugly but doable.

rick

>
> Cheers
>
> --
> Marek Zarychta
>
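
Added example, not part of the original thread: the host-side mount mentioned in the question, written as a jail.conf(5) entry plus the fstab(5) file it references. The jail name "build", the server nfs.example.org and all paths are assumptions; the host performs the mount before the jail is created, so the jail does not need allow.mount for it.

```conf
# /etc/jail.conf on the jail host.
# Jail name, hostname and paths are assumptions made for this example.
build {
    path = "/jails/build";
    host.hostname = "build.example.org";
    vnet;                        # vnet interface setup omitted here
    mount.devfs;

    # fstab(5)-format file mounted by the host before the jail is created.
    # The NFS client code runs in the host's context, so the
    # "Operation not permitted" from mount_nfs inside the jail never arises.
    mount.fstab = "/etc/fstab.build";

    exec.start = "/bin/sh /etc/rc";
    exec.stop  = "/bin/sh /etc/rc.shutdown jail";
}

# /etc/fstab.build on the jail host.
# The mount point is a host path, so it includes the jail's root directory.
# ro and nosuid limit what the jail can do with the exported tree.
#
# Device                    Mountpoint             FStype  Options    Dump  Pass#
nfs.example.org:/usr/src    /jails/build/usr/src   nfs     ro,nosuid  0     0
```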