Message-ID: <20130215162021.GK8343@fieldses.org>
Date:	Fri, 15 Feb 2013 11:20:21 -0500
From:	"J. Bruce Fields" <bfields@...ldses.org>
To:	Stanislav Kinsbursky <skinsbursky@...allels.com>
Cc:	linux-nfs@...r.kernel.org, Trond.Myklebust@...app.com,
	linux-kernel@...r.kernel.org, devel@...nvz.org
Subject: Re: [PATCH v2 0/4] nfsd: make is works in a container

On Fri, Feb 01, 2013 at 03:56:05PM +0300, Stanislav Kinsbursky wrote:
> This patch set finally enables NFSd in container.
> I've tested it in container with its own root, and also pid, net and mount
> namespaces.

Thanks, these look fine to me; applying.  They should show up in my
for-3.9 branch sometime today.

--b.

> 
> There are some limitations, which are listed below:
> 1) only nfsdclt client tracker supported for container. It's deprecated and
> going to be removed soon. UMH tracker requires switching root. Legacy tracker
> requires something like RB tree of opened inodes to make sure, that any
> recovery directory will be opened only once.
> 2) Enabled versions are controlled globally (should be fixed).
> 3) Server should be stopped by writing "0" to
> /proc/fs/nfsd/threads instead of sending signals to NFSd threads (they are
> working in init_pid). Sending signals either won't work if container with
> its own pid namespace, or will kill all nfsd threads for all containers in
> init_pid namespace.
> 4) Currently, if container was stopped without stopping NFS server (i.e. its
> init was killed), NFSd kthreads will remain running. One of possible solutions
> is to not hold network by NFSd service sockets, but register per-net callback
> and kill all the threads on network namespace exit.
> 5) NFSd filesystem superblock holds network namespace. I.e. if some process
> will hold container's NFSd superblock, then the whole container's network
> namespace will stay alive even if container is destroyed already.
> 
> There may be more limitations, which are not clear to me yet.
> 
> v2:
> 1) removed root swap - deprecated
> 2) rebased on current tree
> 
> The following series implements...
> 
> ---
> 
> Stanislav Kinsbursky (4):
>       nfsd: containerize NFSd filesystem
>       nfsd: use proper net while reading "exports" file
>       nfsd: disable usermode helper client tracker in container
>       nfsd: enable NFSv4 state in containers
> 
> 
>  fs/nfsd/nfs4recover.c |    6 ++++
>  fs/nfsd/nfs4state.c   |   10 ------
>  fs/nfsd/nfsctl.c      |   77 +++++++++++++++++++++++++++++++++++++------------
>  fs/nfsd/nfssvc.c      |    5 +--
>  4 files changed, 66 insertions(+), 32 deletions(-)
> 