Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp115473rwi; Sun, 9 Oct 2022 19:47:43 -0700 (PDT) X-Google-Smtp-Source: AMsMyM5lS/a+BBSKotTkSkMSHAvHSzIcm6peu3RFfNlFP5/KPQGG0XWm1inJ9uDzMq73d/Cct3Xh X-Received: by 2002:a17:903:124c:b0:179:da2f:2463 with SMTP id u12-20020a170903124c00b00179da2f2463mr16899545plh.128.1665370063181; Sun, 09 Oct 2022 19:47:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1665370063; cv=none; d=google.com; s=arc-20160816; b=t6nKVqhBhJUCJMDcNTVbfe2N2dpplz120H3axXAQlLT/T9xqy/H7ogjTDe82+/p04O v+T1VLc5uWyfAOW4gjeVCGvpTqQEi3TBW3umq20b9Vrf0sVUVdpzPvkzU1Zl9p1v0fUx T2Lozo2indE03G9ZSb20a6j7x2a6an0l/CtIyIwlj5WpQJ6h+Om0B4pzsLY+5QL8br69 v5AOh5M5ZUZXjwQJZ5yyaCSN61Fr3OmLG+HLXqo3S62uZlAT4WMMX3mhhGZTlxwelRD5 oFw/NsnSmWUwyM/DM++7od9heaKy6UAdl4J+/SQS2Wkc38iCCFTRzB/h9kEIHJJYr6Ix A+5A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-language:content-transfer-encoding :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject:dkim-signature; bh=A9D5wip/7UzsP48lsG4dlIjjptcfG4NcBff3j6uyHfY=; b=YUh8xGVCJo+o4KNmJN3QKumOzlXMCg9JJxG0W23mSA2ywg1KP7BViNOVJATAxJFhLs xiQUCNtD4r7TzaFxO3+boPL19uRct4pKXjkIJY4Z3WwgT2xozRBuSAngNw097X5BtPQx 61b7e5DGZHfE0cSwdbWIDz1/IyF89sRr9AYgCWavyRPxsSO6LMPN0X4tDpMkwQy7Iglh A3XaLYS7DOjixXCjywU85ReF8uDtNMf6PR5cY2RcDBH9ZXCHLdWZspFxzTWcQVKy3FSl EC67WERibeSiECI0Zg5L63lf2DPkWa0YeUTzFQkJhdfcCKh/8DlD/LIIDE7SxesPaP9A ATKA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=dQE5qXUs; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id o22-20020a63fb16000000b00448c6dd8fa9si10578449pgh.444.2022.10.09.19.47.31; Sun, 09 Oct 2022 19:47:43 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=dQE5qXUs; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230362AbiJJCDI (ORCPT + 99 others); Sun, 9 Oct 2022 22:03:08 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46126 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230307AbiJJCDF (ORCPT ); Sun, 9 Oct 2022 22:03:05 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E34C253D17 for ; Sun, 9 Oct 2022 19:03:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1665367384; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=A9D5wip/7UzsP48lsG4dlIjjptcfG4NcBff3j6uyHfY=; b=dQE5qXUsl6JHhbsc4RO2wDzahWnikE+XqHxJoe7zwNFv7Xyvh/0OT2fOct3M1wVGzCLen7 E4fZNez8G6DAqDMRnf21CCekZ7CoHoXb9yLp00u7r1vkqKwFlxlr9WfoVxijGij70suYNr jK5Im7Wd5na5vFDK4a9U5vNtskCjMMc= Received: from mail-pl1-f199.google.com (mail-pl1-f199.google.com [209.85.214.199]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_128_GCM_SHA256) id us-mta-320-Mjw0EbCpPH6kHSyYf6oYhQ-1; Sun, 09 Oct 2022 22:03:00 -0400 X-MC-Unique: Mjw0EbCpPH6kHSyYf6oYhQ-1 Received: by mail-pl1-f199.google.com with SMTP id p15-20020a170902e74f00b00181927a941fso2194308plf.17 for ; Sun, 09 Oct 2022 19:03:00 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-language:content-transfer-encoding:in-reply-to:mime-version :user-agent:date:message-id:from:references:cc:to:subject :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=A9D5wip/7UzsP48lsG4dlIjjptcfG4NcBff3j6uyHfY=; b=MMnlNrAaPuyA3Lt5769pknSdShXPh4uoU0vmmRnW4T6kgnAwMUmJFXwLki9C5NA5nF ET030z27p4flno7AWRvuuRwcwI9jDf7aNwGk+P47AuXXxjo4JqZR3FThYMTYkDnta8gZ BENkEhpFutlP/Uo7/nE+YUrkNMYNXUU71yWBYJ48h7PNSBu4sjSGZOby/W0xhWmkb6Qd a8x0lXcB6w0q+cZSIzFogzEu4PAUEizleNYAMc9UQF0AtpaG8pcd7Nq2jjCg9Umh2AKT pDQtXwcWUgRHA/FEe4mfd1iGiovepBn44MyP97QuTFbX3FhpdNQc6EXdY2qPexDuaxjE CmKQ== X-Gm-Message-State: ACrzQf0JAO7fji6A+t5NTno5b/5YrH5KGLlhXa4wICCRN0uclPhHTXko hRz1+wAuilC+VoLuAREJMxvoMgaKJK+66XY3EV8ZQIz6uSRd76trCdojtJi663+q9NVvBcidbTn 5145QdHqzjbcLRV1X/oORYHB4JGU6PqxaaYE07yUfD3RXFy6VX110+MRLtGNznvCUm9bNooySAQ == X-Received: by 2002:a17:903:11cc:b0:178:aec1:18c3 with SMTP id q12-20020a17090311cc00b00178aec118c3mr17054755plh.91.1665367379274; Sun, 09 Oct 2022 19:02:59 -0700 (PDT) X-Received: by 2002:a17:903:11cc:b0:178:aec1:18c3 with SMTP id q12-20020a17090311cc00b00178aec118c3mr17054717plh.91.1665367378848; Sun, 09 Oct 2022 19:02:58 -0700 (PDT) Received: from [10.72.12.247] ([209.132.188.80]) by smtp.gmail.com with ESMTPSA id n9-20020a170903110900b00176cdd80148sm5291984plh.305.2022.10.09.19.02.54 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 09 Oct 2022 19:02:58 -0700 (PDT) Subject: Re: [PATCH] fs/ceph/super: add mount options "snapdir{mode,uid,gid}" To: Max Kellermann , Jeff Layton Cc: idryomov@gmail.com, jlayton@kernel.org, ceph-devel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org References: <20220927120857.639461-1-max.kellermann@ionos.com> <88f8941f-82bf-5152-b49a-56cb2e465abb@redhat.com> <75e7f676-8c85-af0a-97b2-43664f60c811@redhat.com> From: Xiubo Li Message-ID: Date: Mon, 10 Oct 2022 10:02:51 +0800 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.10.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Content-Language: en-US X-Spam-Status: No, score=-6.0 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_NONE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 09/10/2022 18:27, Max Kellermann wrote: > On Sun, Oct 9, 2022 at 10:43 AM Xiubo Li wrote: >> I mean CEPHFS CLIENT CAPABILITIES [1]. > I know that, but that's suitable for me. This is client-specific, not > user (uid/gid) specific. > > In my use case, a server can run unprivileged user processes which > should not be able create snapshots for their own home directory, and > ideally they should not even be able to traverse into the ".snap" > directory and access the snapshots created of their home directory. > Other (non-superuser) system processes however should be able to > manage snapshots. It should be possible to bind-mount snapshots into > the user's mount namespace. > > All of that is possible with my patch, but impossible with your > suggestion. The client-specific approach is all-or-nothing (unless I > miss something vital). > >> The snapdir name is a different case. > But this is only about the snapdir. The snapdir does not exist on the > server, it is synthesized on the client (in the Linux kernel cephfs > code). This could be applied to it's parent dir instead as one metadata in mds side and in client side it will be transfer to snapdir's metadata, just like what the snapshots. But just ignore this approach. >> But your current approach will introduce issues when an UID/GID is reused after an user/groud is deleted ? > The UID I would specify is one which exists on the client, for a > dedicated system user whose purpose is to manage cephfs snapshots of > all users. The UID is created when the machine is installed, and is > never deleted. This is an ideal use case IMO. I googled about reusing the UID/GID issues and found someone has hit a similar issue in their use case. >> Maybe the proper approach is the posix acl. Then by default the .snap dir will inherit the permission from its parent and you can change it as you wish. This permission could be spread to all the other clients too ? > No, that would be impractical and unreliable. > Impractical because it would require me to walk the whole filesystem > tree and let the kernel synthesize the snapdir inode for all > directories and change its ACL; No, it don't have to. This could work simply as the snaprealm hierarchy thing in kceph. Only the up top directory need to record the ACL and all the descendants will point and use it if they don't have their own ACLs. > impractical because walking millions > of directories takes longer than I am willing to wait. > Unreliable because there would be race problems when another client > (or even the local client) creates a new directory. Until my local > "snapdir ACL daemon" learns about the existence of the new directory > and is able to update its ACL, the user can already have messed with > it. For multiple clients case I think the cephfs capabilities [3] could guarantee the consistency of this. While for the single client case if before the user could update its ACL just after creating it someone else has changed it or messed it up, then won't the existing ACLs have the same issue ? [3] https://docs.ceph.com/en/quincy/cephfs/capabilities/ > Both of that is not a problem with my patch. > Jeff, Any idea ? Thanks! - Xiubo