From: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
To: NeilBrown <neilb@suse.de>
Cc: Petr Vorel <pvorel@suse.cz>, Jeff Layton <jlayton@kernel.org>,
ltp@lists.linux.it, Cyril Hrubis <chrubis@suse.cz>,
linux-nfs@vger.kernel.org, Steve Dickson <steved@redhat.com>,
Alexey Kodanev <aleksei.kodanev@bell-sw.com>
Subject: Re: [PATCH 1/1] nfslock01.sh: Don't test on NFS v3 on TCP
Date: Wed, 10 May 2023 08:44:18 +0600 [thread overview]
Message-ID: <f7bb2f33-ef06-b372-b296-49dc70d37c95@cogentembedded.com> (raw)
In-Reply-To: <168367324318.15152.8314945101964061099@noble.neil.brown.name>
>> The overall picture is:
>>
>> - by design, filesystem namespaces and network namespaces are independent, it is pretty ok for two
>> processes to share filesystem namespace and be in different network namespaces, or vice versa.
>>
>> - the code in question, while being in the kernel for ages, is breaking this basic design, by using
>> filesystem path to contact a network service,
>
> Not just in the kernel, but also in user-space. The kernel contacts
> rpcbind to find how to talk to statd. statd talks to rpcbind to tell it
> how it where it can be reached.
AFAIR the badness happens when in-kernel nfsd registers itself in rpcbind, using AF_LOCAL to contact it.
When nfsd is started for a child network namespace, it immediately breaks nfsd running in the root
network namespace, because ports used by the later get overwritten inside rpcbind and become no longer
available for local or remote clients.
I'd say it is userspace responsibility to make entire setup consistent against the used namespaces, but
it is kernel responsibility to keep namespaces isolation while executing individual operations. In the
case of registering in-kernel nfsd being started, using namespace-safe way to do it looks more important
for me than the reasoning outlined in commit 7402ab19cdd5 ("SUNRPC: Use AF_LOCAL for rpcbind upcalls")
that you mention.
And, this won't be fixed by trying to an abstract AF_LOCAL socket before using a filepath-bound one,
since if one is not available, the nfsd running in the root namespace will still get broken by starting
nfsd in a child namespace.
Maybe, the way used to reach rpcbind to register in-kernel services shall be special cased.
Nikita
next prev parent reply other threads:[~2023-05-10 2:44 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-02 7:59 [PATCH 1/1] nfslock01.sh: Don't test on NFS v3 on TCP Petr Vorel
2023-05-02 9:22 ` Petr Vorel
2023-05-02 12:25 ` Jeff Layton
2023-05-02 13:41 ` Petr Vorel
2023-05-08 2:50 ` Nikita Yushchenko
2023-05-09 23:00 ` NeilBrown
2023-05-10 2:44 ` Nikita Yushchenko [this message]
2023-05-02 21:21 ` NeilBrown
2023-05-04 20:37 ` Petr Vorel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f7bb2f33-ef06-b372-b296-49dc70d37c95@cogentembedded.com \
--to=nikita.yoush@cogentembedded.com \
--cc=aleksei.kodanev@bell-sw.com \
--cc=chrubis@suse.cz \
--cc=jlayton@kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=ltp@lists.linux.it \
--cc=neilb@suse.de \
--cc=pvorel@suse.cz \
--cc=steved@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox