From: "bfields@fieldses.org" <bfields@fieldses.org>
To: Trond Myklebust <trondmy@hammerspace.com>
Cc: "linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>,
"Anna.Schumaker@netapp.com" <Anna.Schumaker@netapp.com>
Subject: Re: [PATCH 6/9] NFSv4: Convert the NFS client idmapper to use the container user namespace
Date: Thu, 25 Apr 2019 16:16:26 -0400 [thread overview]
Message-ID: <20190425201626.GC9889@fieldses.org> (raw)
In-Reply-To: <67d3d9af243a0c4efa37c08532f5c0f5157bdb91.camel@hammerspace.com>
On Thu, Apr 25, 2019 at 04:48:54PM +0000, Trond Myklebust wrote:
> On Thu, 2019-04-25 at 12:45 -0400, bfields@fieldses.org wrote:
> > On Thu, Apr 25, 2019 at 04:40:18PM +0000, Trond Myklebust wrote:
> > > On Thu, 2019-04-25 at 11:33 -0400, bfields@fieldses.org wrote:
> > > > On Thu, Apr 25, 2019 at 03:00:22PM +0000, Trond Myklebust wrote:
> > > > > The assumption is that if you have enough privileges to mount a
> > > > > filesystem using the NFS client, then you would also have
> > > > > enough
> > > > > privileges to run a userspace client, so there is little point
> > > > > in
> > > > > restricting the NFS client.
> > > > >
> > > > > So the guiding principle is that a NFS client mount that is
> > > > > started
> > > > > in
> > > > > a container should behave as if it were started by a process in
> > > > > a
> > > > > "real
> > > > > VM". That means that the root uid/gid in the container maps to
> > > > > a
> > > > > root
> > > > > uid/gid on the wire.
> > > > > Ditto, if there is a need to run the idmapper in the container,
> > > > > then
> > > > > the expectation is that processes running as 'user' with uid
> > > > > 'u',
> > > > > will
> > > > > see their creds mapped correctly by the idmapper. Again, that's
> > > > > what
> > > > > you would see if the process were running in a VM instead of a
> > > > > container.
> > > > >
> > > > > Does that all make sense?
> > > >
> > > > Yes, thanks!
> > > >
> > > > I thought there was a problem that the idmapper depended on
> > > > keyring usermodehelper calls that it was hard to pass namespace
> > > > information to. Did that get fixed and I missed it or or forgot?
> > >
> > > No, you are correct, and so we assume the container is using
> > > rpc.idmapd
> > > (and rpc.gssd) if it is running NFSv4 with RPCSEC_GSS.
> > >
> > > If the keyring upcall gets fixed, then we may allow it to be used
> > > in
> > > future kernels.
> >
> > OK, got it. Is there anything we lose by using
> > idmapd? (IDMAP_NAMESZ
> > might be a limitation?)
>
> IDMAP_NAMESZ should be set to 128 by default, so should work for most
> cases. I don't think there are any further limitations.
Makes sense. Looks good to me!
--b.
next prev parent reply other threads:[~2019-04-25 20:16 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-24 21:46 [PATCH 0/9] Client container fixes Trond Myklebust
2019-04-24 21:46 ` [PATCH 1/9] SUNRPC: Cache cred of process creating the rpc_client Trond Myklebust
2019-04-24 21:46 ` [PATCH 2/9] NFS: Store the credential of the mount process in the nfs_server Trond Myklebust
2019-04-24 21:46 ` [PATCH 3/9] SUNRPC: Use the client user namespace when encoding creds Trond Myklebust
2019-04-24 21:46 ` [PATCH 4/9] SUNRPC: Use namespace of listening daemon in the client AUTH_GSS upcall Trond Myklebust
2019-04-24 21:46 ` [PATCH 5/9] NFS: Convert NFSv3 to use the container user namespace Trond Myklebust
2019-04-24 21:46 ` [PATCH 6/9] NFSv4: Convert the NFS client idmapper " Trond Myklebust
2019-04-24 21:46 ` [PATCH 7/9] NFS: Convert NFSv2 " Trond Myklebust
2019-04-24 21:46 ` [PATCH 8/9] NFS: When mounting, don't share filesystems between different user namespaces Trond Myklebust
2019-04-24 21:46 ` [PATCH 9/9] lockd: Store the lockd client credential in struct nlm_host Trond Myklebust
2019-04-25 14:32 ` [PATCH 6/9] NFSv4: Convert the NFS client idmapper to use the container user namespace J. Bruce Fields
2019-04-25 15:00 ` Trond Myklebust
2019-04-25 15:33 ` bfields
2019-04-25 16:40 ` Trond Myklebust
2019-04-25 16:45 ` bfields
2019-04-25 16:48 ` Trond Myklebust
2019-04-25 20:16 ` bfields [this message]
2019-06-14 18:52 ` [PATCH 1/9] SUNRPC: Cache cred of process creating the rpc_client Ido Schimmel
2019-06-20 12:33 ` Ido Schimmel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190425201626.GC9889@fieldses.org \
--to=bfields@fieldses.org \
--cc=Anna.Schumaker@netapp.com \
--cc=linux-nfs@vger.kernel.org \
--cc=trondmy@hammerspace.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.