Re: server-to-server copy by default

From: Trond Myklebust <trondmy@hammerspace.com>
To: "bfields@fieldses.org" <bfields@fieldses.org>,
	"schumakeranna@gmail.com" <schumakeranna@gmail.com>
Cc: "linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>,
	"dai.ngo@oracle.com" <dai.ngo@oracle.com>,
	"steved@redhat.com" <steved@redhat.com>,
	"olga.kornievskaia@gmail.com" <olga.kornievskaia@gmail.com>,
	"chuck.lever@oracle.com" <chuck.lever@oracle.com>
Subject: Re: server-to-server copy by default
Date: Thu, 21 Oct 2021 14:22:13 +0000	[thread overview]
Message-ID: <aec219339d8296b7e9b114d9d247a71fd47423c5.camel@hammerspace.com> (raw)
In-Reply-To: <20211021141329.GC25711@fieldses.org>

On Thu, 2021-10-21 at 10:13 -0400, Bruce Fields wrote:
> On Wed, Oct 20, 2021 at 07:04:53PM +0000, Chuck Lever III wrote:
> > Unprivileged mounting seems like a different question to me.
> > Related, possibly, but not the same. I'd rather leave that
> > discussion to another thread.
> 
> Well, I'd be curious if client maintainers have any thoughts.
> 
> The NFS client still disallows unprivileged mounts, right?  Is it
> something you think could be supported, and if so, do you have an
> idea
> what's left to do?
> 
> Trond, I remember asking you about unprivileged mounts at a bakeathon
> a
> few years ago, and at the time you seemed to think it'd be a
> reasonable
> thing to do eventually, and the one obstacle you mentioned was that
> the
> client wasn't capable of maintaining separate state in different
> namespaces.  That's fixed, isn't it?
> 

Yes, that's mostly fixed. As far as I'm concerned, there should be no
major obstacles to allowing unprivileged mounts in their own private
net namespace.
The one thing to note, though, is that AUTH_SYS still required that the
container be given a CAP_NET_BIND_SERVICE privilege to allow binding to
a privileged port.

-- 
Trond Myklebust
Linux NFS client maintainer, Hammerspace
trond.myklebust@hammerspace.com