lists.openwall.net - Open Source and information security mailing list archives
Date:	Thu, 30 Dec 2010 05:05:22 -0600
From:	Rob Landley <rob@...dley.net>
To:	"Kirill A. Shutemov" <kas@...nvz.org>
Cc:	Rob Landley <rlandley@...allels.com>,
	Trond Myklebust <Trond.Myklebust@...app.com>,
	"J. Bruce Fields" <bfields@...ldses.org>,
	Neil Brown <neilb@...e.de>,
	Pavel Emelyanov <xemul@...allels.com>,
	linux-nfs@...r.kernel.org, "David S. Miller" <davem@...emloft.net>,
	netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 00/12] make rpc_pipefs be mountable multiple time

On Thu, Dec 30, 2010 at 4:44 AM, Kirill A. Shutemov <kas@...nvz.org> wrote:
> On Thu, Dec 30, 2010 at 04:05:07AM -0600, Rob Landley wrote:
>> On 12/30/2010 03:44 AM, Kirill A. Shutemov wrote:
>> >>> If no rpcmount mountoption, no rpc_pipefs was found at
>> >>> '/var/lib/nfs/rpc_pipefs' and we are in init's mount namespace, we use
>> >>> init_rpc_pipefs.
>> >>
>> >> It's the "we are in init's mount namespace" that I was wondering about.
>> >>
>> >> So if I naively chroot, nfs mount stops working the way it did before I
>> >> chrooted unless I do an extra setup step?
>> >
>> > No. It will work as before since you are still in init's mount namespace.
>> > Creating new mount namespace changes rules.
>>
>> Ah, CLONE_NEWNS and then you need /var/lib/nfs/rpc_pipefs.  Got it.
>>
>> I'm kind of surprised that the kernel cares about a specific path under
>> /var/lib.  (Seems like policy in the kernel somehow.)
>
> Yep. It's bad, but there is way to overwrite the default.
>
> Other way is to leave 'rpcmount' mountoption without default.
> get_rpc_pipefs(NULL) in init's mount namespace will always return
> init_rpc_pipefs, without filesystem lookup.
> get_rpc_pipefs(NULL) in non-init's mount namespace will always return
> error.
>
> So you will have to specify 'rpcmount' mountoption for every nfs mount in
> container. Hmm, I guess, it may confuse user.
>
> Or we can try to move the default to userspace. /sbin/mount.nfs?

/proc/sys/kernel/hotplug exists to tell the kernel where to find the hotplug
binary.  Once upon a time /sys/hotplug was the default value, and that was
there to overwrite it.  (They changed the default to blank (disabled) not due
to policy reasons, but due to adding the netlink hotplug notification
mechanism and making that the default.)

I bring that up to point out that the general consensus about policy in the
kernel seems to be "when you really really can't avoid having any, make a
sane default the user can override".

(Of course adding another entry to the crawling horror of /proc may not
be an improvement.  But individual overrides at the mount -o level seem
like a non-optimal granularity for this...)

>> Can't it just
>> check the current process's mount list to see if an instance of
>> rpc_pipefs is mounted in the current namespace the way lxc looks for
>> cgroups?  Or are there potential performance/scalability issues with that?
>
> What should we do if we have several rpc_pipefs mounts in the namespace?

You mean more than one inside a given process's view of the filesystem, taking
into account chroot like /proc/mounts does?

Before this patch series, there was one instance systemwide.  The patch changed
that to look at a fixed location in the filesystem relative to the current
chroot.  Either way, there was one instance available to a given process doing
an nfs mount.

What's the use case for having more than one visible to a given process?
(NUMA scalability?  Some sort of multipath/VPN routing context?)

Rob
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
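The question raised above, whether a process can simply look at its own mount list for an rpc_pipefs instance, and what to do when zero, one or several are visible, can be worked through from userspace with /proc/self/mountinfo. The following is an added example and is not code from the patch series, from nfs-utils or from anyone in this thread; the function names, the `rpcmount=` handling and the sample mountinfo lines are my own constructions. It assumes the default path under discussion, /var/lib/nfs/rpc_pipefs, and that the kernel's mountinfo format (proc(5)) applies.

```python
"""Locate the rpc_pipefs instance visible to the calling process.

Added example (not code from the patch series or nfs-utils).  It parses the
/proc/self/mountinfo view that a userspace helper such as mount.nfs could
consult, and encodes the policy question from the thread: what to do when
zero, one or several rpc_pipefs mounts are visible.
"""
import os
import re

# The default path the thread discusses; assumed here to be what userspace
# would also treat as canonical.
DEFAULT_RPC_PIPEFS = "/var/lib/nfs/rpc_pipefs"

# mountinfo escapes space, tab, newline and backslash as \040, \011, \012, \134.
_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def _unescape(field):
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Yield one dict per mountinfo line (format per proc(5)).

    Fields before the ' - ' separator: id, parent, major:minor, root, mount
    point, mount options, optional tags...; after it: fstype, source, super opts.
    """
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, sep, post = line.partition(" - ")
        if not sep:
            raise ValueError("malformed mountinfo line: %r" % line)
        pre_fields = pre.split()
        post_fields = post.split()
        if len(pre_fields) < 6 or len(post_fields) < 3:
            raise ValueError("malformed mountinfo line: %r" % line)
        yield {
            "id": int(pre_fields[0]),
            "parent": int(pre_fields[1]),
            "root": _unescape(pre_fields[3]),
            "mount_point": _unescape(pre_fields[4]),
            "fstype": post_fields[0],
            "source": _unescape(post_fields[1]),
        }


def rpc_pipefs_mounts(mountinfo_text):
    """Mount points of every rpc_pipefs instance in this process's view.

    mountinfo is already limited to the caller's mount namespace and reports
    mount points relative to the caller's root, so a chroot sees its own paths.
    """
    return [m["mount_point"] for m in parse_mountinfo(mountinfo_text)
            if m["fstype"] == "rpc_pipefs"]


def resolve_rpc_pipefs(mountinfo_text, rpcmount=None, default=DEFAULT_RPC_PIPEFS):
    """Pick the rpc_pipefs to use for an nfs mount.

    rpcmount: an explicit override (the 'rpcmount=' option from the thread);
    it must name a visible rpc_pipefs mount, otherwise LookupError.
    Without it: one visible instance wins; with several, the default wins
    only if it is among them; zero instances is an error.
    """
    mounts = rpc_pipefs_mounts(mountinfo_text)
    if rpcmount is not None:
        if rpcmount in mounts:
            return rpcmount
        raise LookupError("rpcmount=%s is not an rpc_pipefs mount here" % rpcmount)
    if not mounts:
        raise LookupError("no rpc_pipefs visible in this mount namespace")
    if len(mounts) == 1:
        return mounts[0]
    if default in mounts:
        return default
    raise LookupError("several rpc_pipefs mounts, none at %s: %s" % (default, mounts))


def in_init_mount_namespace():
    """True if the caller shares init's mount namespace, None if unknown.

    Assumption: /proc/1/ns/mnt is stat-able, which needs ptrace-read access
    to pid 1; unprivileged callers usually get None.
    """
    try:
        return os.stat("/proc/1/ns/mnt").st_ino == os.stat("/proc/self/ns/mnt").st_ino
    except OSError:
        return None


# Constructed sample (not captured from a real host): the host's own
# rpc_pipefs plus a container root bind-mounted under /srv/ct1, and a mount
# point containing an escaped space.
SAMPLE_MOUNTINFO = """\
25 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
21 25 0:19 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
40 25 0:33 / /var/lib/nfs/rpc_pipefs rw,relatime shared:20 - rpc_pipefs sunrpc rw
41 25 0:34 / /srv/ct1/var/lib/nfs/rpc_pipefs rw,relatime shared:21 - rpc_pipefs sunrpc rw
42 25 0:35 / /mnt/scratch\\040dir rw,relatime shared:22 - tmpfs tmpfs rw
"""

if __name__ == "__main__":
    with open("/proc/self/mountinfo") as f:
        live = f.read()
    print("init mount namespace:", in_init_mount_namespace())
    print("rpc_pipefs mounts visible:", rpc_pipefs_mounts(live))
    try:
        print("would use:", resolve_rpc_pipefs(live))
    except LookupError as exc:
        print("no usable rpc_pipefs:", exc)
```

Run without arguments it reports what the current process would see; the interesting cases are the ambiguous ones, where a container that bind-mounts the host's rpc_pipefs under its own /var/lib/nfs sees exactly one instance and resolves cleanly, while a process that sees two instances at non-default paths gets an error rather than a silent guess.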
