From: Mike Snitzer <snitzer@kernel.org>
To: Christoph Hellwig <hch@infradead.org>
Cc: Jeff Layton <jlayton@kernel.org>,
Chuck Lever III <chuck.lever@oracle.com>,
Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
Anna Schumaker <anna@kernel.org>,
Trond Myklebust <trondmy@hammerspace.com>,
Neil Brown <neilb@suse.de>, Dave Chinner <david@fromorbit.com>
Subject: Re: [PATCH v11 00/20] nfs/nfsd: add support for localio
Date: Thu, 4 Jul 2024 14:31:46 -0400 [thread overview]
Message-ID: <ZobqkgBeQaPwq7ly@kernel.org> (raw)
In-Reply-To: <ZoY6e-BmRJFLkziG@infradead.org>
On Wed, Jul 03, 2024 at 11:00:27PM -0700, Christoph Hellwig wrote:
> On Wed, Jul 03, 2024 at 01:06:51PM -0400, Jeff Layton wrote:
> > The other problem with doing this is that if a server is running in a
> > container, how is it to know that the client is in different container
> > on the same host, and hence that it can give out a localio layout? We'd
> > still need some way to detect that anyway, which would probably look a
> > lot like the localio protocol.
(NOTE, Jeff's message above was him stating flaws in his O_TMPFILE
idea that we discussed at LSF, his idea wasn't pusued for many
reasons. And Jeff has stated he believes localio better)
> We'll need some way to detect that client and server are capable
> of the bypass. And from all it looks that's actually the hard and
> complicated part, and we'll need that for any scheme.
Yes, hence the localio protocol that has wide buyin. To the point I
ran with registering an NFS Program number with iana.org for the
effort. My doing the localio protocol was born out of the requirement
to support NFSv3.
Neil's proposed refinement to add a a localio auth_domain to the
nfsd_net and his proposed risk-averse handshake within the localio
protocol will both improve security.
> And then we need a way to bypass the server for I/O, which currently is
> rather complex in the patchset and would be almost trivial with a new
> pNFS layout.
Some new layout misses the entire point of having localio work for
NFSv3 and NFSv4. NFSv3 is very ubiquitous.
And in this localio series, flexfiles is trained to use localio.
(Which you apparently don't recognize or care about because nfsd
doesn't have flexfiles server support).
> > Can the client use its localio access to bypass that since it's not
> > going across the network anymore? Maybe by using open_by_handle_at on
> > the NFS share on a guessed filehandle? I think we need to ensure that
> > that isn't possible.
>
> If a file system is shared by containers and users in containers have
> the capability to use open_by_handle_at the security model is already
> broken without NFS or localio involved.
Containers deployed by things like podman.io and kubernetes are
perfectly happy to allow containers permission to drive knfsd threads
in the host kernel. That this is foreign to you is odd.
An NFS client that happens to be on the host should work perfectly
fine too (if it has adequate permissions).
> > I wonder if it's also worthwhile to gate localio access on an export
> > option, just out of an abundance of caution.
>
> export and mount option. We're speaking a non-standard side band
> protocol here, there is no way that should be done without explicit
> opt-in from both sides.
That is already provided my existing controls. With both Kconfig
options that default to N, and the ability to disable the use of
localio entirely even if enabled in the Kconfig:
echo N > /sys/module/nfs/parameters/localio_enabled
And then ontop of it you have to loopback NFS mount.
next prev parent reply other threads:[~2024-07-04 18:31 UTC|newest]
Thread overview: 77+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-02 16:28 [PATCH v11 00/20] nfs/nfsd: add support for localio Mike Snitzer
2024-07-02 16:28 ` [PATCH v11 01/20] SUNRPC: add rpcauth_map_to_svc_cred_local Mike Snitzer
2024-07-02 16:28 ` [PATCH v11 02/20] nfs: factor out {encode,decode}_opaque_fixed to nfs_xdr.h Mike Snitzer
2024-07-02 16:28 ` [PATCH v11 03/20] nfs_common: add NFS LOCALIO auxiliary protocol enablement Mike Snitzer
2024-07-02 16:28 ` [PATCH v11 04/20] nfsd: add "localio" support Mike Snitzer
2024-07-02 16:28 ` [PATCH v11 05/20] nfsd: add Kconfig options to allow localio to be enabled Mike Snitzer
2024-07-02 16:28 ` [PATCH v11 06/20] nfsd: manage netns reference in nfsd_open_local_fh Mike Snitzer
2024-07-02 16:28 ` [PATCH v11 07/20] nfsd: use percpu_ref to interlock nfsd_destroy_serv and nfsd_open_local_fh Mike Snitzer
2024-07-02 16:28 ` [PATCH v11 08/20] nfsd: implement server support for NFS_LOCALIO_PROGRAM Mike Snitzer
2024-07-02 16:28 ` [PATCH v11 09/20] SUNRPC: replace program list with program array Mike Snitzer
2024-07-02 16:28 ` [PATCH v11 10/20] nfs: pass nfs_client to nfs_initiate_pgio Mike Snitzer
2024-07-02 16:28 ` [PATCH v11 11/20] nfs: pass descriptor thru nfs_initiate_pgio path Mike Snitzer
2024-07-02 16:28 ` [PATCH v11 12/20] nfs: pass struct file to nfs_init_pgio and nfs_init_commit Mike Snitzer
2024-07-02 16:28 ` [PATCH v11 13/20] nfs: add "localio" support Mike Snitzer
2024-07-02 16:28 ` [PATCH v11 14/20] nfs: fix nfs_localio_vfs_getattr() to properly support v4 Mike Snitzer
2024-07-02 16:28 ` [PATCH v11 15/20] nfs: enable localio for non-pNFS I/O Mike Snitzer
2024-07-02 16:28 ` [PATCH v11 16/20] pnfs/flexfiles: enable localio for flexfiles I/O Mike Snitzer
2024-07-02 16:28 ` [PATCH v11 17/20] SUNRPC: remove call_allocate() BUG_ON if p_arglen=0 to allow RPC with void arg Mike Snitzer
2024-07-02 16:28 ` [PATCH v11 18/20] nfs/localio: use dedicated workqueues for filesystem read and write Mike Snitzer
2024-07-02 16:28 ` [PATCH v11 19/20] nfs: implement client support for NFS_LOCALIO_PROGRAM Mike Snitzer
2024-07-02 16:28 ` [PATCH v11 20/20] nfs: add Documentation/filesystems/nfs/localio.rst Mike Snitzer
2024-07-02 18:06 ` [PATCH v11 00/20] nfs/nfsd: add support for localio Chuck Lever III
2024-07-02 18:32 ` Mike Snitzer
2024-07-02 20:10 ` Chuck Lever III
2024-07-03 0:57 ` Mike Snitzer
2024-07-03 0:52 ` NeilBrown
2024-07-03 1:13 ` Mike Snitzer
2024-07-03 5:04 ` Christoph Hellwig
2024-07-03 8:52 ` Mike Snitzer
2024-07-03 14:16 ` Christoph Hellwig
2024-07-03 15:11 ` Mike Snitzer
2024-07-03 15:18 ` Christoph Hellwig
2024-07-03 15:24 ` Chuck Lever III
2024-07-03 15:29 ` Christoph Hellwig
2024-07-03 15:36 ` Mike Snitzer
2024-07-03 17:06 ` Jeff Layton
2024-07-04 6:00 ` Christoph Hellwig
2024-07-04 18:31 ` Mike Snitzer [this message]
2024-07-05 5:18 ` Christoph Hellwig
2024-07-05 13:35 ` Chuck Lever III
2024-07-05 13:39 ` Christoph Hellwig
2024-07-05 14:15 ` Mike Snitzer
2024-07-05 14:18 ` Christoph Hellwig
2024-07-05 14:36 ` Mike Snitzer
2024-07-05 14:59 ` Chuck Lever III
2024-07-06 3:58 ` Mike Snitzer
2024-07-06 5:52 ` NeilBrown
2024-07-06 13:05 ` "why NFSv3?" [was: Re: [PATCH v11 00/20] nfs/nfsd: add support for localio] Mike Snitzer
2024-07-06 5:58 ` [PATCH v11 00/20] nfs/nfsd: add support for localio Christoph Hellwig
2024-07-06 13:12 ` Mike Snitzer
2024-07-08 9:46 ` Christoph Hellwig
2024-07-08 12:55 ` Mike Snitzer
2024-07-06 16:58 ` Chuck Lever III
2024-07-07 0:42 ` Mike Snitzer
2024-07-05 18:59 ` Jeff Layton
2024-07-05 22:08 ` NeilBrown
2024-07-06 6:02 ` Christoph Hellwig
2024-07-06 6:37 ` NeilBrown
2024-07-06 6:42 ` Christoph Hellwig
2024-07-06 17:15 ` Chuck Lever III
2024-07-08 4:10 ` NeilBrown
2024-07-08 14:41 ` Chuck Lever III
2024-07-08 9:40 ` Christoph Hellwig
2024-07-08 4:03 ` NeilBrown
2024-07-08 9:37 ` Christoph Hellwig
2024-07-10 0:10 ` NeilBrown
2024-07-03 17:19 ` Chuck Lever III
2024-07-03 19:04 ` Mike Snitzer
2024-07-04 5:55 ` Christoph Hellwig
2024-07-03 21:35 ` NeilBrown
2024-07-04 6:01 ` Christoph Hellwig
2024-07-04 10:13 ` Jeff Layton
2024-07-03 15:26 ` Chuck Lever III
2024-07-03 15:37 ` Mike Snitzer
2024-07-03 15:16 ` Christoph Hellwig
2024-07-03 15:28 ` Mike Snitzer
2024-07-04 5:49 ` Christoph Hellwig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZobqkgBeQaPwq7ly@kernel.org \
--to=snitzer@kernel.org \
--cc=anna@kernel.org \
--cc=chuck.lever@oracle.com \
--cc=david@fromorbit.com \
--cc=hch@infradead.org \
--cc=jlayton@kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=neilb@suse.de \
--cc=trondmy@hammerspace.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox