From mboxrd@z Thu Jan 1 00:00:00 1970 From: "J. Bruce Fields" Subject: Re: [RFC] vfs generic subtree support Date: Tue, 16 Feb 2010 14:25:40 -0500 Message-ID: <20100216192540.GA26292@fieldses.org> References: <87tythtptw.fsf@openvz.org> <20100216122029.GC30031@ZenIV.linux.org.uk> <87bpfpcq55.fsf@openvz.org> <20100216133836.GD30031@ZenIV.linux.org.uk> <87mxz9nutb.fsf@openvz.org> <20100216142154.GE30031@ZenIV.linux.org.uk> <87hbphns33.fsf@openvz.org> <20100216151257.GK11239@parisc-linux.org> <87sk91i4bk.fsf@openvz.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: Matthew Wilcox , Al Viro , linux-fsdevel@vger.kernel.org To: Dmitry Monakhov Return-path: Received: from fieldses.org ([174.143.236.118]:37977 "EHLO fieldses.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1757023Ab0BPTZU (ORCPT ); Tue, 16 Feb 2010 14:25:20 -0500 Content-Disposition: inline In-Reply-To: <87sk91i4bk.fsf@openvz.org> Sender: linux-fsdevel-owner@vger.kernel.org List-ID: On Tue, Feb 16, 2010 at 06:32:47PM +0300, Dmitry Monakhov wrote: > Matthew Wilcox writes: > > > On Tue, Feb 16, 2010 at 06:00:32PM +0300, Dmitry Monakhov wrote: > >> Use-cases: > >> *Assing maximum disc space consumption for some hierarchy * > >> > >> 1) Create chroot environment > >> # tar xf chroot_env.tar /var/xxx/chroot > >> 2) Assign some metagroup id to the chroot content (via not yet > >> existent ./metagroup cmd-tool) > >> # find /var/xxx/chroot | xargs ./metagroup --set 1000 > >> > >> 3) Setup quota limits > >> # quota-set --type metagroup --blk_soft=1024M blk_hard=1024M /var > >> > >> 4) Export this tree (it may be more complex) > >> # mount /var/xxx/chroot /mnt/chroot -obound > >> > >> 5)Now we may use this /mnt/chroot as: > >> 5A) A regular chroot envirement, user is unable to exceed metagroup > >> quota, regardless to real available space on /var/ > >> 5B) As a container's (namespace) root. > >> 5C) export this /mnt/chroot to nfs server and nfs client can not > >> overcome given metagroup quota limit. > > > > This all seems quota-related ... do you envisage uses that aren't > > quota-related? > Yes. Since link/rename behavior is no longer depends on metagroup > I'm consider it as quota related only. It'd allow nfsd to implement export subtrees safely. (The current problem: there's not an easy way to determine whether an inode (looked up from a filehandle) is reachable from a given directory. So if you export a directory that isn't the root of a filesystem, you have an unfortunate choice: - turn on the "subtree_check" export option: add information sufficient to lookup the parent directory to each filehandle. But then filehandles change (and clients get ESTALE) on cross-directory rename. - Accept the possibility that someone could fake up a filehandle that grants access to files outside the exported subtree. OK if you're exporting the subtree just for convenience, but bad if you're exporting /usr/local and think /etc/some-secret is safe without /usr/local being on a separate partition. With subtrees presumably we could stick the subtree-id in the filehandle, and the subtree would provide a security boundary that's easy to check on filehandle lookup (by comparing the subtree-id in the filehandle to the one in the inode you find). And subtrees would be simpler to manage than separate partitions.) --b.