From: Trond Myklebust <trondmy@hammerspace.com>
To: "amir73il@gmail.com" <amir73il@gmail.com>
Cc: "bfields@fieldses.org" <bfields@fieldses.org>,
"samba-technical@lists.samba.org"
<samba-technical@lists.samba.org>,
"linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>,
"jlayton@kernel.org" <jlayton@kernel.org>,
"Volker.Lendecke@sernet.de" <Volker.Lendecke@sernet.de>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
"pshilov@microsoft.com" <pshilov@microsoft.com>
Subject: Re: Better interop for NFS/SMB file share mode/reservation
Date: Mon, 29 Apr 2019 00:57:42 +0000 [thread overview]
Message-ID: <b4ee6b6f5544114c3974790a784c3e784e617ccf.camel@hammerspace.com> (raw)
In-Reply-To: <CAOQ4uxhQOLZ_Hyrnvu56iERPZ7CwfKti2U+OgyaXjM9acCN2LQ@mail.gmail.com>
On Sun, 2019-04-28 at 18:33 -0400, Amir Goldstein wrote:
> On Sun, Apr 28, 2019 at 6:08 PM Trond Myklebust <
> trondmy@hammerspace.com> wrote:
> > On Sun, 2019-04-28 at 18:00 -0400, Amir Goldstein wrote:
> > > On Sun, Apr 28, 2019 at 11:06 AM Trond Myklebust
> > > <trondmy@hammerspace.com> wrote:
> > > > On Sun, 2019-04-28 at 09:45 -0400, Amir Goldstein wrote:
> > > > > On Sun, Apr 28, 2019 at 8:09 AM Jeff Layton <
> > > > > jlayton@kernel.org>
> > > > > wrote:
> > > > > > On Sat, 2019-04-27 at 16:16 -0400, Amir Goldstein wrote:
> > > > > > > [adding back samba/nfs and fsdevel]
> > > > > > >
> > > > > >
> > > > > > cc'ing Pavel too -- he did a bunch of work in this area a
> > > > > > few
> > > > > > years
> > > > > > ago.
> > > > > >
> > > > > > > On Fri, Apr 26, 2019 at 6:22 PM Jeff Layton <
> > > > > > > jlayton@kernel.org>
> > > > > > > wrote:
> > > > > > > > On Fri, 2019-04-26 at 10:50 -0400, J. Bruce Fields
> > > > > > > > wrote:
> > > > > > > > > On Fri, Apr 26, 2019 at 04:11:00PM +0200, Amir
> > > > > > > > > Goldstein
> > > > > > > > > wrote:
> > > > > > > > > > On Fri, Apr 26, 2019, 4:00 PM J. Bruce Fields <
> > > > > > > > > > bfields@fieldses.org> wrote:
> > > > > > > > > >
> > > > > > > > That said, we could also look at a vfs-level mount
> > > > > > > > option
> > > > > > > > that
> > > > > > > > would
> > > > > > > > make the kernel enforce these for any opener. That
> > > > > > > > could
> > > > > > > > also
> > > > > > > > be useful,
> > > > > > > > and shouldn't be too hard to implement. Maybe even make
> > > > > > > > it
> > > > > > > > a
> > > > > > > > vfsmount-
> > > > > > > > level option (like -o ro is).
> > > > > > > >
> > > > > > >
> > > > > > > Yeh, I am humbly going to leave this struggle to someone
> > > > > > > else.
> > > > > > > Not important enough IMO and completely independent
> > > > > > > effort to
> > > > > > > the
> > > > > > > advisory atomic open&lock API.
> > > > > >
> > > > > > Having the kernel allow setting deny modes on any open call
> > > > > > is
> > > > > > a
> > > > > > non-
> > > > > > starter, for the reasons Bruce outlined earlier. This
> > > > > > _must_ be
> > > > > > restricted in some fashion or we'll be opening up a
> > > > > > ginormous
> > > > > > DoS
> > > > > > mechanism.
> > > > > >
> > > > > > My proposal was to make this only be enforced by
> > > > > > applications
> > > > > > that
> > > > > > explicitly opt-in by setting O_SH*/O_EX* flags. It wouldn't
> > > > > > be
> > > > > > too
> > > > > > difficult to also allow them to be enforced on a per-fs
> > > > > > basis
> > > > > > via
> > > > > > mount
> > > > > > option or something. Maybe we could expand the meaning of
> > > > > > '-o
> > > > > > mand'
> > > > > > ?
> > > > > >
> > > > > > How would you propose that we restrict this?
> > > > > >
> > > > >
> > > > > Our communication channel is broken.
> > > > > I did not intend to propose any implicit locking.
> > > > > If samba and nfsd can opt-in with O_SHARE flags, I do not
> > > > > understand why a mount option is helpful for the cause of
> > > > > samba/nfsd interop.
> > > > >
> > > > > If someone else is interested in samba/local interop than
> > > > > yes, a mount option like suggested by Pavel could be a good
> > > > > option,
> > > > > but it is an orthogonal effort IMO.
> > > >
> > > > If an NFS client 'opts in' to set share deny, then that still
> > > > makes
> > > > it
> > > > a non-optional lock for the other NFS clients, because all
> > > > ordinary
> > > > open() calls will be gated by the server whether or not their
> > > > application specifies the O_SHARE flag. There is no flag in the
> > > > NFS
> > > > protocol that could tell the server to ignore deny modes.
> > > >
> > > > IOW: it would suffice for 1 client to use O_SHARE|O_DENY* to
> > > > opt
> > > > all
> > > > the other clients in.
> > > >
> > >
> > > Sorry for being thick, I don't understand if we are in agreement
> > > or
> > > not.
> > >
> > > My understanding is that the network file server implementations
> > > (i.e. samba, knfds, Ganesha) will always use share/deny modes.
> > > So for example nfs v3 opens will always use O_DENY_NONE
> > > in order to have correct interop with samba and nfs v4.
> > >
> > > If I am misunderstanding something, please enlighten me.
> > > If there is a reason why mount option is needed for the sole
> > > purpose
> > > of interop between network filesystem servers, please enlighten
> > > me.
> > >
> > >
> >
> > Same difference. As long as nfsd and/or Ganesha are translating
> > OPEN4_SHARE_ACCESS_READ and OPEN4_SHARE_ACCESS_WRITE into share
> > access
> > locks, then those will conflict with any deny locks set by whatever
> > application that uses them.
> >
> > IOW: any open(O_RDONLY) and open(O_RDWR) will conflict with an
> > O_DENY_READ that is set on the server, and any open(O_WRONLY) and
> > open(O_RDWR) will conflict with an O_DENY_WRITE that is set on the
> > server. There is no opt-out for NFS clients on this issue, because
> > stateful NFSv4 opens MUST set one or more of
> > OPEN4_SHARE_ACCESS_READ
> > and OPEN4_SHARE_ACCESS_WRITE.
> >
>
> Urgh! I *think* I understand the confusion.
>
> I believe Jeff was talking about implementing a mount option
> similar to -o mand for local fs on the server.
> With that mount option, *any* open() by any app of file from
> that mount will use O_DENY_NONE to interop correctly with
> network servers that explicitly opt-in for interop on share modes.
> I agree its a nice feature that is easy to implement - not important
> for first version IMO.
>
> I *think* you are talking on nfs client mount option for
> opt-in/out of share modes? there was no such intention.
>
No. I'm saying that whether you intended to or not, you _are_
implementing a mandatory lock over NFS. No talk about O_SHARE flags and
it being an opt-in process for local applications changes the fact that
non-local applications (i.e. the ones that count ☺) are being subjected
to a mandatory lock with all the potential for denial of service that
implies.
So we need a mechanism beyond O_SHARE in order to ensure this system
cannot be used on sensitive files that need to be accessible to all. It
could be an export option, or a mount option, or it could be a more
specific mechanism (e.g. the setgid with no execute mode bit as using
in POSIX mandatory locks).
--
Trond Myklebust
Linux NFS client maintainer, Hammerspace
trond.myklebust@hammerspace.com
next prev parent reply other threads:[~2019-04-29 0:57 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-08 11:20 Better interop for NFS/SMB file share mode/reservation Amir Goldstein
2019-02-08 13:10 ` Jeff Layton
2019-02-08 14:45 ` Amir Goldstein
2019-02-08 15:50 ` J. Bruce Fields
2019-02-08 20:02 ` Amir Goldstein
2019-02-08 20:16 ` J. Bruce Fields
2019-02-08 20:31 ` Amir Goldstein
2019-02-14 20:51 ` J. Bruce Fields
2019-02-15 7:31 ` Amir Goldstein
2019-02-15 20:09 ` J. Bruce Fields
2019-02-08 22:12 ` Jeremy Allison
2019-02-09 4:04 ` Amir Goldstein
2019-02-14 21:06 ` J. Bruce Fields
2019-03-05 21:47 ` J. Bruce Fields
2019-03-06 7:09 ` Amir Goldstein
2019-03-06 15:17 ` J. Bruce Fields
2019-03-06 15:37 ` [NFS-Ganesha-Devel] " Frank Filz
2019-03-08 21:38 ` 'J. Bruce Fields'
2019-03-08 21:53 ` Frank Filz
2019-03-06 15:11 ` J. Bruce Fields
2019-03-06 20:31 ` Jeff Layton
2019-03-06 21:07 ` Jeremy Allison
2019-03-06 21:25 ` Ralph Böhme
2019-03-07 11:03 ` Stefan Metzmacher
2019-03-07 16:47 ` Simo
2019-04-25 18:11 ` Amir Goldstein
2019-05-24 7:12 ` Amir Goldstein
2019-05-24 13:15 ` Ralph Boehme
2019-05-24 15:07 ` J. Bruce Fields
2019-03-06 21:55 ` Jeff Layton
2019-02-08 16:03 ` Jeff Layton
2019-02-08 16:28 ` Jeffrey Layton
[not found] ` <CAOQ4uxgQsRaEOxz1aYzP1_1fzRpQbOm2-wuzG=ABAphPB=7Mxg@mail.gmail.com>
[not found] ` <20190426140023.GB25827@fieldses.org>
[not found] ` <CAOQ4uxhuxoEsoBbvenJ8eLGstPc4AH-msrxDC-tBFRhvDxRSNg@mail.gmail.com>
[not found] ` <20190426145006.GD25827@fieldses.org>
[not found] ` <e69d149c80187b84833fec369ad8a51247871f26.camel@kernel.org>
2019-04-27 20:16 ` Amir Goldstein
2019-04-28 12:09 ` Jeff Layton
2019-04-28 13:45 ` Amir Goldstein
2019-04-28 15:06 ` Trond Myklebust
2019-04-28 22:00 ` Amir Goldstein
2019-04-28 22:08 ` Trond Myklebust
2019-04-28 22:33 ` Amir Goldstein
2019-04-29 0:57 ` Trond Myklebust [this message]
2019-04-29 11:42 ` Amir Goldstein
2019-04-29 13:10 ` Trond Myklebust
2019-04-29 20:29 ` Jeff Layton
2019-04-29 22:33 ` Pavel Shilovskiy
2019-04-30 0:31 ` Amir Goldstein
2019-04-30 8:12 ` Uri Simchoni
2019-04-30 9:22 ` Amir Goldstein
2019-02-11 5:31 ` ronnie sahlberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b4ee6b6f5544114c3974790a784c3e784e617ccf.camel@hammerspace.com \
--to=trondmy@hammerspace.com \
--cc=Volker.Lendecke@sernet.de \
--cc=amir73il@gmail.com \
--cc=bfields@fieldses.org \
--cc=jlayton@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=pshilov@microsoft.com \
--cc=samba-technical@lists.samba.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).