Received: by 2002:a05:6359:c8b:b0:c7:702f:21d4 with SMTP id go11csp3343204rwb; Sun, 9 Oct 2022 03:33:43 -0700 (PDT) X-Google-Smtp-Source: AMsMyM5Q5cZeYMy2+86GeONngVafMVm9+ZKPcCYlQPshgZ9T7/mgk2w6DV4KPqyNlEG6sHQt55q1 X-Received: by 2002:a17:906:8457:b0:78d:98e9:ad59 with SMTP id e23-20020a170906845700b0078d98e9ad59mr4976933ejy.29.1665311623660; Sun, 09 Oct 2022 03:33:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1665311623; cv=none; d=google.com; s=arc-20160816; b=rW7uVJ8Fn7Uy0Vum5OIlJt7PlL4wG2acVtYnMYzacA96EcGvAoPBnoLU3kd2hdwiIO g9cYWoDdIgnyeZOB2hi/o4sH5lJmjHCsVFe9SOHcaYIm6F/ZOYmTQPEID9811cNM3mlb w5q4A8r8z+iofm14fnpXqS/E8btZbV6vRJFik0DGrQjNzG6Dya5WTl1vCaXgdaMYxqCO 0Fb8CVX+0y5KQwAUwd4nO5Fr7ogxqQNvvn8KeFCsuzR5FB9zZ1GcjIYqDSD/QtATEMsy IjA5XOGbs46TWWTHR0DixwZmK+4SZP1UYrXqEJovmXfUZF7/MeXhbYxn0YJvpWghh9sH q6YA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=Ucto18LgoEv5+ynUqvo1ZWAC+UUGL5/WVlhSeckRLK0=; b=QA1WLKw0/SbwdlsW6hIXeigLWW5TMTcrmzxchMrGmPD4VPl+iSK5U/Ih//vzQhVRxx 5p7BUUHiVsPa0VwNn1av+XkzXvs5/ias7dTViB+PAOxWmA18A5CAnZdCDZM/lVrV4uOr QFBACOAuSK1+HzklWgltYR76SLUf8n/6+6Ay7KqjhoGDr6qTaS8NPjErbzhEOEMdAcn8 NQ8k3+dUdxPV7zCZ9p9xjjO7l35NHFq2xDulSUxTu7M7jmKHOl6741CCgBEBb6iXRlO8 +K5Gm/SinhWsfyIpJOZF9jTgtShPl7rAwV6C+OUDVE00rudVR0lGArGwB6wNyxIifJES Rq5A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ionos.com header.s=google header.b=PWSQ3Q8k; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ionos.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id xf13-20020a17090731cd00b00788361f96a2si6641868ejb.776.2022.10.09.03.33.17; Sun, 09 Oct 2022 03:33:43 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@ionos.com header.s=google header.b=PWSQ3Q8k; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ionos.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229979AbiJIK2I (ORCPT + 99 others); Sun, 9 Oct 2022 06:28:08 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60678 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229909AbiJIK2E (ORCPT ); Sun, 9 Oct 2022 06:28:04 -0400 Received: from mail-ej1-x631.google.com (mail-ej1-x631.google.com [IPv6:2a00:1450:4864:20::631]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E1ECD2A429 for ; Sun, 9 Oct 2022 03:28:02 -0700 (PDT) Received: by mail-ej1-x631.google.com with SMTP id qw20so18954777ejc.8 for ; Sun, 09 Oct 2022 03:28:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ionos.com; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Ucto18LgoEv5+ynUqvo1ZWAC+UUGL5/WVlhSeckRLK0=; b=PWSQ3Q8kYqxErLOrdWe7bQBGHUYVGp/JFkzqyRwFKxUXzH38xKyUPgfNc3qPYTjm/c jc30LY6aBNyOPjnnqZQLkoyx3oe9BU+vMvSFHXdqFhbRk0fnRQ6ERI9YzRgI4qCzful8 DV1kM+49C6wYuI4Hs1QqaZo/jgp28qRLs/1KDe55mM4Ndl56SFAPK1cPjuz4lz3R4q6B X2unAD8mwvKA6QzGellvYmxEOiiBGuwwrfvLqftbxEVAFLW1s0KCADPDF+r6mQobFDEt DygAi/yfqYfLyBsxbC01STKU2w8BbryI4AqVGyrBZEtKiVA33mf01viklrONBZ8ss8qv zbVQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Ucto18LgoEv5+ynUqvo1ZWAC+UUGL5/WVlhSeckRLK0=; b=annuJ3pTDUAB0dgACRENj5uSnc5HwFDZnpmuKFrB05uO2a24GD8MA1td0i2NeKnftK NV3WRNZlCIn6GsxUBGv66DzRHVmRoI9KDXH55Yge2u73UzTN5VHezEkl2j9KzgxlNUrl M0R/9hYyuLBrAgOKTLP+j1MAFdvVr3Rctvk8jk60Tlyo4j4HKDQDOITU7HZcmQ2dDGYY YJ3/lVFUFIhUUaqSu0bVaCyvqKtafBxBa+Wo5JvkZ2ERljtot8T5G7vAt4rsuQcx/3Gb KEeHa+fx/4Lz2APsnlBfGQQRYO/xsGSob4Q9MXRfK+BmCwxy9IAwCe56CvrhSONySdg2 thOA== X-Gm-Message-State: ACrzQf08QAInv/Q4VHtMcQDIn4Mhv3DKJ1+lSjCmxjPfsfP1daSMIi6l ZQ/cAoFDDYuWZNUJtUXnnddTBr3USNuaSCVMMOIzZA== X-Received: by 2002:a17:907:8a1f:b0:78d:3dbb:a017 with SMTP id sc31-20020a1709078a1f00b0078d3dbba017mr11003309ejc.54.1665311281487; Sun, 09 Oct 2022 03:28:01 -0700 (PDT) MIME-Version: 1.0 References: <20220927120857.639461-1-max.kellermann@ionos.com> <88f8941f-82bf-5152-b49a-56cb2e465abb@redhat.com> <75e7f676-8c85-af0a-97b2-43664f60c811@redhat.com> In-Reply-To: <75e7f676-8c85-af0a-97b2-43664f60c811@redhat.com> From: Max Kellermann Date: Sun, 9 Oct 2022 12:27:50 +0200 Message-ID: Subject: Re: [PATCH] fs/ceph/super: add mount options "snapdir{mode,uid,gid}" To: Xiubo Li Cc: idryomov@gmail.com, jlayton@kernel.org, ceph-devel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Oct 9, 2022 at 10:43 AM Xiubo Li wrote: > I mean CEPHFS CLIENT CAPABILITIES [1]. I know that, but that's suitable for me. This is client-specific, not user (uid/gid) specific. In my use case, a server can run unprivileged user processes which should not be able create snapshots for their own home directory, and ideally they should not even be able to traverse into the ".snap" directory and access the snapshots created of their home directory. Other (non-superuser) system processes however should be able to manage snapshots. It should be possible to bind-mount snapshots into the user's mount namespace. All of that is possible with my patch, but impossible with your suggestion. The client-specific approach is all-or-nothing (unless I miss something vital). > The snapdir name is a different case. But this is only about the snapdir. The snapdir does not exist on the server, it is synthesized on the client (in the Linux kernel cephfs code). > But your current approach will introduce issues when an UID/GID is reused after an user/groud is deleted ? The UID I would specify is one which exists on the client, for a dedicated system user whose purpose is to manage cephfs snapshots of all users. The UID is created when the machine is installed, and is never deleted. > Maybe the proper approach is the posix acl. Then by default the .snap dir will inherit the permission from its parent and you can change it as you wish. This permission could be spread to all the other clients too ? No, that would be impractical and unreliable. Impractical because it would require me to walk the whole filesystem tree and let the kernel synthesize the snapdir inode for all directories and change its ACL; impractical because walking millions of directories takes longer than I am willing to wait. Unreliable because there would be race problems when another client (or even the local client) creates a new directory. Until my local "snapdir ACL daemon" learns about the existence of the new directory and is able to update its ACL, the user can already have messed with it. Both of that is not a problem with my patch.