[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAKPOu+-rKOVsZ1T=1X-T-Y5Fe1MW2Fs9ixQh8rgq3S9shi8Thw@mail.gmail.com>
Date: Sun, 9 Oct 2022 12:27:50 +0200
From: Max Kellermann <max.kellermann@...os.com>
To: Xiubo Li <xiubli@...hat.com>
Cc: idryomov@...il.com, jlayton@...nel.org, ceph-devel@...r.kernel.org,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] fs/ceph/super: add mount options "snapdir{mode,uid,gid}"
On Sun, Oct 9, 2022 at 10:43 AM Xiubo Li <xiubli@...hat.com> wrote:
> I mean CEPHFS CLIENT CAPABILITIES [1].
I know that, but that's suitable for me. This is client-specific, not
user (uid/gid) specific.
In my use case, a server can run unprivileged user processes which
should not be able create snapshots for their own home directory, and
ideally they should not even be able to traverse into the ".snap"
directory and access the snapshots created of their home directory.
Other (non-superuser) system processes however should be able to
manage snapshots. It should be possible to bind-mount snapshots into
the user's mount namespace.
All of that is possible with my patch, but impossible with your
suggestion. The client-specific approach is all-or-nothing (unless I
miss something vital).
> The snapdir name is a different case.
But this is only about the snapdir. The snapdir does not exist on the
server, it is synthesized on the client (in the Linux kernel cephfs
code).
> But your current approach will introduce issues when an UID/GID is reused after an user/groud is deleted ?
The UID I would specify is one which exists on the client, for a
dedicated system user whose purpose is to manage cephfs snapshots of
all users. The UID is created when the machine is installed, and is
never deleted.
> Maybe the proper approach is the posix acl. Then by default the .snap dir will inherit the permission from its parent and you can change it as you wish. This permission could be spread to all the other clients too ?
No, that would be impractical and unreliable.
Impractical because it would require me to walk the whole filesystem
tree and let the kernel synthesize the snapdir inode for all
directories and change its ACL; impractical because walking millions
of directories takes longer than I am willing to wait.
Unreliable because there would be race problems when another client
(or even the local client) creates a new directory. Until my local
"snapdir ACL daemon" learns about the existence of the new directory
and is able to update its ACL, the user can already have messed with
it.
Both of that is not a problem with my patch.
Powered by blists - more mailing lists