Subject: Re: mounting NFS share from the jail
From: Charles Sprickman
Date: Sat, 20 Jan 2024 13:54:51 -0500
To: Rick Macklem
Cc: Marek Zarychta, freeBSd-stable@freebsd.org
Message-Id: <40470D94-B175-4718-A80E-23B06B747C52@bway.net>
List-Id: Production branch of FreeBSD source code
List-Archive: https://lists.freebsd.org/archives/freebsd-stable

> On Jan 20, 2024, at 10:09 AM, Rick Macklem wrote:
>
> On Sat, Jan 20, 2024 at 6:48 AM Marek Zarychta wrote:
>>
>> Dear List,
>>
>> there were some efforts to allow running nfsd(8) inside the jail, but is
>> mounting an NFS share from the jail allowed? Inside the jail
>> "security.jail.mount_allowed" is set to 1, I also added "add path net
>> unhide" to the ruleset in devfs.rules but when trying to mount the NFS
>> share I get only the error:
>>
>> mount_nfs: nmount: /usr/src: Operation not permitted
>>
>> It's not a big deal, the shares can be mounted from the jail host, but I
>> am surprised that one can run NFSD inside the jail while mounting NFS
>> shares is still denied.
>>
>> Am I missing anything or is mounting NFS from inside the jail still
>> unsupported? The tests were done on the recent stable/14 from the vnet
>> jail. Any clues will be appreciated.
>
> You are correct. Mounting from inside a jail is not supported.
> After doing the vnet conversion for nfsd, I tried doing it for the NFS client.
> There were a moderate # of global variables that needed to be vnet'd,
> which I did. The hard/messy part was having the threads (anything that
> calls an NFS VFS/VOP call) set to the proper vnet.
> It would have required a massive # of CURVNET_SET()/CURVNET_RESTORE()
> macros and I decided that it was just too messy.

(slight hijack)

I'm curious, I currently have a need to either have an nfs server or
client in a jail and have had no luck even with the userspace nfsd
(https://unfs3.github.io/ / https://www.freshports.org/net/unfs3/). Is
there any in-jail solution that works on FreeBSD? It's mainly for very
light log-parsing and I want it all inside a jail for portability
between hosts. Not even married to nfs if there's another in-jail
option...

Charles

> If it becomes a necessary feature, it is ugly but doable.
>
> rick
>
>>
>> Cheers
>>
>> --
>> Marek Zarychta
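
The host-side mount mentioned in the quoted message ("the shares can be mounted from the jail host"), written out as an added example that is not part of the original thread. The jail name, paths, hostnames and export are assumptions; the share is mounted by jail(8) on the host, read-only, into the jail's directory tree.

```conf
# /etc/jail.conf on the jail host (added example; names and paths are assumptions)
logjail {
    path = "/jails/logjail";
    host.hostname = "logjail.example.org";
    vnet;                       # network interface settings omitted
    mount.devfs;
    # fstab(5)-format file; jail(8) mounts its entries on the host
    # before the jail is created and unmounts them when it is removed.
    mount.fstab = "/etc/fstab.logjail";
    # allow.mount (seen inside the jail as security.jail.mount_allowed)
    # is left at its default of off: the thread reports that an in-jail
    # NFS mount fails even with it set, so the jail does not need it.
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
}

# /etc/fstab.logjail on the jail host (mount point must already exist)
# Device                        Mountpoint                FStype  Options           Dump  Pass
nfs.example.org:/export/logs    /jails/logjail/mnt/logs   nfs     ro,nosuid,noexec  0     0
```

Because the mount is performed by the host's NFS client, the jail sees /mnt/logs as an ordinary read-only directory and needs no mount privileges of its own.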