Re: [PATCH v2 0/6] Make knfsd friendly to container uid/gid mapping

From: bfields@fieldses.org (J. Bruce Fields)
To: Trond Myklebust <trondmy@gmail.com>
Cc: "J. Bruce Fields" <bfields@redhat.com>, linux-nfs@vger.kernel.org
Subject: Re: [PATCH v2 0/6] Make knfsd friendly to container uid/gid mapping
Date: Tue, 9 Apr 2019 16:17:52 -0400	[thread overview]
Message-ID: <20190409201752.GB29099@fieldses.org> (raw)
In-Reply-To: <20190409161342.34338-1-trond.myklebust@hammerspace.com>

On Tue, Apr 09, 2019 at 12:13:36PM -0400, Trond Myklebust wrote:
> The following patchset attempts to make knfsd more friendly to
> containers that are set up with container-level uid/gid mapping. The
> principles used are as follows:

Thanks!  Applied v2.--b.

> 
> - Assume upcalls for idmapping and RPCSEC_GSS should make use of the
>   user namespace of the idmapper/rpcsec_gss daemon, which can be
>   extracted from the cred used to open the upcall/downcall pseudo file.
> - Assume downcalls may use the current_user_ns(), since the process
>   context is that of the userland daemon that performs the downcall.
> - Assume that wire protocols are mapped with of the user namespace of
>   the process that started the knfsd server in the first place.
>   i.e. that AUTH_UNIX and possibly the SETATTR/GETATTR uids and gids
>   belong to the same user namespace as the process that started knfsd.
>   This should ensure that knfsd matches the behaviour of a generic
>   userspace NFS server running in the same circumstances.
> 
> ---
> v2: Temporary server sockets need to inherit the cred from their parent
> 
> Trond Myklebust (6):
>   SUNRPC: Cache the process user cred in the RPC server listener
>   SUNRPC: Temporary sockets should inherit the cred from their parent
>   lockd: Pass the user cred from knfsd when starting the lockd server
>   SUNRPC: Fix the server AUTH_UNIX userspace mappings
>   SUNRPC: rsi_parse() should use the current user namespace
>   nfsd: knfsd must use the container user namespace
> 
>  fs/lockd/clntlock.c               |  4 ++--
>  fs/lockd/svc.c                    | 29 +++++++++++++++++------------
>  fs/nfs/callback.c                 |  7 +++++--
>  fs/nfs/client.c                   |  1 +
>  fs/nfsd/export.c                  | 18 ++++++++++--------
>  fs/nfsd/nfs3xdr.c                 | 21 +++++++++++----------
>  fs/nfsd/nfs4idmap.c               |  8 ++++----
>  fs/nfsd/nfs4xdr.c                 |  5 +++--
>  fs/nfsd/nfsctl.c                  | 16 ++++++++--------
>  fs/nfsd/nfsd.h                    |  9 ++++++++-
>  fs/nfsd/nfssvc.c                  | 16 ++++++++--------
>  fs/nfsd/nfsxdr.c                  | 17 +++++++++--------
>  include/linux/lockd/bind.h        |  3 ++-
>  include/linux/sunrpc/svc_xprt.h   |  4 +++-
>  include/linux/sunrpc/svcsock.h    |  3 ++-
>  net/sunrpc/auth_gss/svcauth_gss.c |  6 +++---
>  net/sunrpc/svc_xprt.c             | 17 +++++++++++------
>  net/sunrpc/svcauth_unix.c         | 15 +++++++++------
>  net/sunrpc/svcsock.c              |  4 +++-
>  19 files changed, 119 insertions(+), 84 deletions(-)
> 
> -- 
> 2.20.1