From: Rick Macklem
Date: Sat, 20 Jan 2024 14:06:04 -0800
Subject: Re: mounting NFS share from the jail
To: Charles Sprickman
Cc: Marek Zarychta, freeBSd-stable@freebsd.org
List-Id: Production branch of FreeBSD source code
List-Archive: https://lists.freebsd.org/archives/freebsd-stable

On Sat, Jan 20, 2024 at 10:55 AM Charles Sprickman wrote:
>
> > On Jan 20, 2024, at 10:09 AM, Rick Macklem wrote:
> >
> > On Sat, Jan 20, 2024 at 6:48 AM Marek Zarychta
> > wrote:
> >>
> >> Dear List,
> >>
> >> there were some efforts to allow running nfsd(8) inside the jail, but is
> >> mounting an NFS share from the jail allowed? Inside the jail
> >> "security.jail.mount_allowed" is set to 1, I also added "add path net
> >> unhide" to the ruleset in devfs.rules but when trying to mount the NFS
> >> share I get only the error:
> >>
> >> mount_nfs: nmount: /usr/src: Operation not permitted
> >>
> >> It's not a big deal, the shares can be mounted from the jail host, but I
> >> am surprised that one can run NFSD inside the jail while mounting NFS
> >> shares is still denied.
> >>
> >> Am I missing anything or is mounting NFS from inside the jail still
> >> unsupported? The tests were done on the recent stable/14 from the vnet
> >> jail. Any clues will be appreciated.
> > You are correct. Mounting from inside a jail is not supported.
> > After doing the vnet conversion for nfsd, I tried doing it for the NFS client.
> > There were a moderate # of global variables that needed to be vnet'd,
> > which I did. The hard/messy part was having the threads (anything that
> > calls an NFS VFS/VOP call) set to the proper vnet.
> > It would have required a massive # of CURVNET_SET()/CURVNET_RESTORE()
> > macros and I decided that it was just too messy.
>
> (slight hijack)
>
> I'm curious, I currently have a need to have either an nfs server or
> client in a jail and have had no luck even with the userspace nfsd
> (https://unfs3.github.io/ / https://www.freshports.org/net/unfs3/). Is
> there any in-jail solution that works on FreeBSD? It's mainly for very
> light log-parsing and I want it all inside a jail for portability between
> hosts. Not even married to nfs if there's another in-jail option...

As above, NFS client mount no, nfsd yes.
See:
https://people.freebsd.org/~rmacklem/nfsd-vnet-prison-setup.txt

rick

>
> Charles
>
> >
> > If it becomes a necessary feature, it is ugly but doable.
> >
> > rick
> >
> >>
> >> Cheers
> >>
> >> --
> >> Marek Zarychta
> >