From: Stanislav Kinsbursky <skinsbursky@parallels.com>
To: "J. Bruce Fields" <bfields@fieldses.org>
Cc: Simo Sorce <simo@redhat.com>,
"bfields@redhat.com" <bfields@redhat.com>,
"linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth
Date: Tue, 22 May 2012 19:19:29 +0400 [thread overview]
Message-ID: <4FBBAE81.9010708@parallels.com> (raw)
In-Reply-To: <20120522150748.GF891@fieldses.org>
On 22.05.2012 19:07, J. Bruce Fields wrote:
> On Tue, May 22, 2012 at 06:44:55PM +0400, Stanislav Kinsbursky wrote:
>> Yep, we discussed it already.
>> The problem is that connect call to unix sockets is done from rpciod
>> workqueue because of selinux restrictions.
>> IOW UNIX socket path will be traversed staring from rpciod kernel
>> thread root. Currently this problem is existent for portmapper
>> registration calls - for example LockD, started in container with
>> nested root, will be registered in global rpcbind instead of local
>> (container's) one.
>
> Thanks for the reminder!
>
>> One of solutions was to export set_fs_root(), but Al Viro doesn't like it.
>>
>> So currently I'm thinking about patching network layer - i.e.
>> implementing an ability to pass desired path to unix sockets connect
>> and bind calls.
>> IOW, I'm talking about introducing of "bindat" and "connectat" system calls...
>
> So then we'd resolve the path in the right context and pass down a
> (vfsmount, dentry) that rpciod could use in bindat/connectat calls?
>
A kind of this, yes. Of course, if community will accept the idea.
Actually, bindat/connectat will be user space interfaces (they will be useful
for out CRIU project and also will allow to remove UNIX socket path length
limitation to 108 bytes).
On kernel level I'm going to add some way to pass "struct path" to connect/bind
calls.
>>> In particular: the current svcgssd communication method is using one of
>>> the sunrpc caches. If we convert now to this method (which uses a unix
>>> socket) would there be a loss in functionality, until the unix sockets
>>> problems are fixed?
>>>
>>
>> I'm afraid, that you are right...
>> This new client will connect to root daemon - not containerized one...
>> How soon this new unix-socket way will become common practice?
>> Maybe I'd be able to patch unix sockets before distro's will use this new version.
>> But I don't know, what would be best to do...
>
> Ugh.
>
> Simo, remind me of the reasons for using a unix socket?
>
Just a reminder: abstract (is it the right name?) UNIX sockets (with '\0' as a
first character in name) are containerized already.
If UNIX socket is the only way. then maybe this "abstract" socket can be used?
> --b.
--
Best regards,
Stanislav Kinsbursky
next prev parent reply other threads:[~2012-05-22 15:19 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-05-15 13:12 [PATCH 0/4] Add support for new upcall mechanism for nfsd Simo Sorce
2012-05-15 13:12 ` [PATCH 1/4] SUNRPC: conditionally return endtime from import_sec_context Simo Sorce
2012-05-21 21:52 ` J. Bruce Fields
2012-05-15 13:12 ` [PATCH 2/4] SUNRPC: Document a bit RPCGSS handling in the NFS Server Simo Sorce
2012-05-21 21:55 ` J. Bruce Fields
2012-05-22 0:37 ` Simo Sorce
2012-05-15 13:12 ` [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth Simo Sorce
2012-05-22 12:47 ` J. Bruce Fields
2012-05-22 13:00 ` Simo Sorce
2012-05-22 13:17 ` Stanislav Kinsbursky
2012-05-22 13:22 ` Simo Sorce
2012-05-22 13:32 ` Stanislav Kinsbursky
2012-05-22 14:20 ` J. Bruce Fields
2012-05-22 14:44 ` Stanislav Kinsbursky
2012-05-22 15:07 ` J. Bruce Fields
2012-05-22 15:16 ` Simo Sorce
2012-05-22 15:31 ` J. Bruce Fields
2012-05-22 15:44 ` Simo Sorce
2012-05-22 15:19 ` Stanislav Kinsbursky [this message]
2012-05-22 18:11 ` J. Bruce Fields
2012-05-22 18:41 ` Stanislav Kinsbursky
2012-05-22 14:58 ` Simo Sorce
2012-05-22 15:10 ` Stanislav Kinsbursky
2012-05-22 15:18 ` Simo Sorce
2012-05-22 15:23 ` Stanislav Kinsbursky
2012-05-22 13:00 ` Stanislav Kinsbursky
2012-05-22 15:02 ` J. Bruce Fields
2012-05-22 15:15 ` Simo Sorce
2012-05-22 15:29 ` J. Bruce Fields
2012-05-22 15:40 ` Simo Sorce
2012-05-22 22:49 ` J. Bruce Fields
2012-05-22 22:52 ` Simo Sorce
2012-05-22 15:03 ` J. Bruce Fields
2012-05-22 15:12 ` Simo Sorce
2012-05-22 15:24 ` J. Bruce Fields
2012-05-22 15:36 ` Simo Sorce
2012-05-15 13:12 ` [PATCH 4/4] SUNRPC: Use gssproxy upcall for nfsd's RPCGSS authentication Simo Sorce
2012-05-22 22:48 ` J. Bruce Fields
2012-05-24 4:31 ` Simo Sorce
2012-05-24 11:08 ` J. Bruce Fields
2012-05-24 13:19 ` Simo Sorce
2012-05-25 14:05 ` J. Bruce Fields
2012-05-25 15:37 ` Simo Sorce
2012-05-25 22:09 [PATCH 0/4] Add support for new RPCSEC_GSS upcall mechanism for nfsd Simo Sorce
2012-05-25 22:09 ` [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth Simo Sorce
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4FBBAE81.9010708@parallels.com \
--to=skinsbursky@parallels.com \
--cc=bfields@fieldses.org \
--cc=bfields@redhat.com \
--cc=linux-nfs@vger.kernel.org \
--cc=simo@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.