Linux-NFS Archive on lore.kernel.org
 help / color / Atom feed
From: bfields@fieldses.org (J. Bruce Fields)
To: Trond Myklebust <trondmy@gmail.com>
Cc: steved@redhat.com, linux-nfs@vger.kernel.org
Subject: Re: [RFC PATCH 0/5] Add a chroot option to nfs.conf
Date: Wed, 15 May 2019 10:01:12 -0400
Message-ID: <20190515140112.GA9291@fieldses.org> (raw)
In-Reply-To: <20190514204153.79603-1-trond.myklebust@hammerspace.com>

On Tue, May 14, 2019 at 04:41:48PM -0400, Trond Myklebust wrote:
> The following patchset aims to allow the configuration of a 'chroot
> jail' to rpc.nfsd, and allowing us to export a filesystem /foo (and
> possibly subtrees) as '/'.

This is great, thanks!  Years ago I did an incomplete version that
worked by just string manipulations on paths.  Running part of mountd in
a chrooted thread is a neat way to do it.

If I understand right, the only part that's being run in a chroot is the
writes to /proc/net/sunrpc/*/channel files.  So that means that the path
included in writes to /proc/net/sunrpc/nfsd_fh/channel will be resolved
with respect to the chroot by the kernel code handling the write.

That's not the only place in mountd that uses export paths, though.
What about:

	- next_mnt(), which compares paths from the export file to paths
	  in /etc/mtab.
	- is_mountpoint, which stats export paths.
	- match_fsid, which stats export paths.

Etc.  Doesn't that stuff also need to be done with respect to the
chroot?  Am I missing something?

--b.

> 
> Trond Myklebust (5):
>   mountd: Ensure we don't share cache file descriptors among processes.
>   Add a simple workqueue mechanism
>   Add a helper to write to a file through the chrooted thread
>   Add support for chrooted exports
>   Add support for chroot in exportfs
> 
>  aclocal/libpthread.m4      |  13 +-
>  configure.ac               |   6 +-
>  nfs.conf                   |   1 +
>  support/include/misc.h     |  11 ++
>  support/misc/Makefile.am   |   2 +-
>  support/misc/workqueue.c   | 267 +++++++++++++++++++++++++++++++++++++
>  systemd/nfs.conf.man       |   3 +-
>  utils/exportfs/Makefile.am |   2 +-
>  utils/exportfs/exportfs.c  |  31 ++++-
>  utils/mountd/Makefile.am   |   3 +-
>  utils/mountd/cache.c       |  39 +++++-
>  utils/mountd/mountd.c      |   5 +-
>  utils/nfsd/nfsd.man        |   4 +
>  13 files changed, 369 insertions(+), 18 deletions(-)
>  create mode 100644 support/misc/workqueue.c
> 
> -- 
> 2.21.0

  parent reply index

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-05-14 20:41 Trond Myklebust
2019-05-14 20:41 ` [RFC PATCH 1/5] mountd: Ensure we don't share cache file descriptors among processes Trond Myklebust
2019-05-14 20:41   ` [RFC PATCH 2/5] Add a simple workqueue mechanism Trond Myklebust
2019-05-14 20:41     ` [RFC PATCH 3/5] Add a helper to write to a file through the chrooted thread Trond Myklebust
2019-05-14 20:41       ` [RFC PATCH 4/5] Add support for chrooted exports Trond Myklebust
2019-05-14 20:41         ` [RFC PATCH 5/5] Add support for chroot in exportfs Trond Myklebust
2019-05-15 14:14         ` [RFC PATCH 4/5] Add support for chrooted exports bfields
2019-05-15 14:01 ` bfields [this message]
2019-05-15 14:38   ` [RFC PATCH 0/5] Add a chroot option to nfs.conf Trond Myklebust

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190515140112.GA9291@fieldses.org \
    --to=bfields@fieldses.org \
    --cc=linux-nfs@vger.kernel.org \
    --cc=steved@redhat.com \
    --cc=trondmy@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-NFS Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-nfs/0 linux-nfs/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-nfs linux-nfs/ https://lore.kernel.org/linux-nfs \
		linux-nfs@vger.kernel.org linux-nfs@archiver.kernel.org
	public-inbox-index linux-nfs


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-nfs


AGPL code for this site: git clone https://public-inbox.org/ public-inbox