Date: Fri, 9 Jun 2023 09:57:13 +0800
Subject: Re: [PATCH v5 00/14] ceph: support idmapped mounts
From: Xiubo Li
To: Alexander Mikhalitsyn
Cc: brauner@kernel.org, stgraber@ubuntu.com, linux-fsdevel@vger.kernel.org, Ilya Dryomov, Jeff Layton, ceph-devel@vger.kernel.org, linux-kernel@vger.kernel.org
In-Reply-To: <20230608154256.562906-1-aleksandr.mikhalitsyn@canonical.com>
References: <20230608154256.562906-1-aleksandr.mikhalitsyn@canonical.com>
List-ID: linux-kernel@vger.kernel.org

On 6/8/23 23:42, Alexander Mikhalitsyn wrote:
> Dear friends,
>
> This patchset was originally developed by Christian Brauner but I'll continue
> to push it forward. Christian allowed me to do that :)
>
> This feature is already actively used/tested with LXD/LXC project.
>
> Git tree (based on https://github.com/ceph/ceph-client.git master):

Could you rebase these patches to the 'testing' branch?

And you still have missed several places, for example the following cases:

   1    269  fs/ceph/addr.c <>
             req = ceph_mdsc_create_request(mdsc, CEPH_MDS_OP_GETATTR, mode);
   2    389  fs/ceph/dir.c <>
             req = ceph_mdsc_create_request(mdsc, op, USE_AUTH_MDS);
   3    789  fs/ceph/dir.c <>
             req = ceph_mdsc_create_request(mdsc, op, USE_ANY_MDS);
   ...

For these requests you also need to set the real idmap.

Thanks

- Xiubo

> v5: https://github.com/mihalicyn/linux/commits/fs.idmapped.ceph.v5
> current: https://github.com/mihalicyn/linux/tree/fs.idmapped.ceph
>
> In version 3 I've changed only two commits:
> - fs: export mnt_idmap_get/mnt_idmap_put
> - ceph: allow idmapped setattr inode op
> and added a new one:
> - ceph: pass idmap to __ceph_setattr
>
> In version 4 I've reworked the ("ceph: stash idmapping in mdsc request")
> commit. Now we take the idmap refcounter just in the place where req->r_mnt_idmap
> is filled. It's a safer approach and prevents a possible refcounter underflow
> on error paths where __register_request wasn't called but ceph_mdsc_release_request is
> called.
>
> Changelog for version 5:
> - a few commits were squashed into one (as suggested by Xiubo Li)
> - started passing an idmapping everywhere (if possible), so a caller's
> UIDs/GIDs will be mapped almost everywhere (as suggested by Xiubo Li)
>
> I can confirm that this version passes xfstests.
>
> Links to previous versions:
> v1: https://lore.kernel.org/all/20220104140414.155198-1-brauner@kernel.org/
> v2: https://lore.kernel.org/lkml/20230524153316.476973-1-aleksandr.mikhalitsyn@canonical.com/
> tree: https://github.com/mihalicyn/linux/commits/fs.idmapped.ceph.v2
> v3: https://lore.kernel.org/lkml/20230607152038.469739-1-aleksandr.mikhalitsyn@canonical.com/#t
> v4: https://lore.kernel.org/lkml/20230607180958.645115-1-aleksandr.mikhalitsyn@canonical.com/#t
> tree: https://github.com/mihalicyn/linux/commits/fs.idmapped.ceph.v4
>
> Kind regards,
> Alex
>
> Original description from Christian:
> ========================================================================
> This patch series enables cephfs to support idmapped mounts, i.e. the
> ability to alter ownership information on a per-mount basis.
>
> Container managers such as LXD support sharing data via cephfs between
> the host and unprivileged containers and between unprivileged containers.
> They may all use different idmappings. Idmapped mounts can be used to
> create mounts with the idmapping used for the container (or a different
> one specific to the use-case).
>
> There are in fact more use-cases such as remapping ownership for
> mountpoints on the host itself to grant or restrict access to different
> users or to make it possible to enforce that programs running as root
> will write with a non-zero {g,u}id to disk.
>
> The patch series is simple overall and few changes are needed to cephfs.
> There is one cephfs specific issue that I would like to discuss and
> solve which I explain in detail in:
>
> [PATCH 02/12] ceph: handle idmapped mounts in create_request_message()
>
> It has to do with how to handle mds servers which have id-based access
> restrictions configured. I would ask you to please take a look at the
> explanation in the aforementioned patch.
>
> The patch series passes the vfs and idmapped mount testsuite as part of
> xfstests. To run it you will need a config like:
>
> [ceph]
> export FSTYP=ceph
> export TEST_DIR=/mnt/test
> export TEST_DEV=10.103.182.10:6789:/
> export TEST_FS_MOUNT_OPTS="-o name=admin,secret=$password"
>
> and then simply call
>
> sudo ./check -g idmapped
>
> ========================================================================
>
> Alexander Mikhalitsyn (5):
>   fs: export mnt_idmap_get/mnt_idmap_put
>   ceph: pass idmap to __ceph_setattr
>   ceph: pass idmap to ceph_do_getattr
>   ceph: pass idmap to __ceph_setxattr
>   ceph: pass idmap to ceph_open/ioctl_set_layout
>
> Christian Brauner (9):
>   ceph: stash idmapping in mdsc request
>   ceph: handle idmapped mounts in create_request_message()
>   ceph: pass an idmapping to mknod/symlink/mkdir/rename
>   ceph: allow idmapped getattr inode op
>   ceph: allow idmapped permission inode op
>   ceph: allow idmapped setattr inode op
>   ceph/acl: allow idmapped set_acl inode op
>   ceph/file: allow idmapped atomic_open inode op
>   ceph: allow idmapped mounts
>
>  fs/ceph/acl.c                 |  8 ++++----
>  fs/ceph/addr.c                |  3 ++-
>  fs/ceph/caps.c                |  3 ++-
>  fs/ceph/dir.c                 |  4 ++++
>  fs/ceph/export.c              |  2 +-
>  fs/ceph/file.c                | 21 ++++++++++++++-----
>  fs/ceph/inode.c               | 38 +++++++++++++++++++++--------------
>  fs/ceph/ioctl.c               |  9 +++++++--
>  fs/ceph/mds_client.c          | 27 +++++++++++++++++++++----
>  fs/ceph/mds_client.h          |  1 +
>  fs/ceph/quota.c               |  2 +-
>  fs/ceph/super.c               |  6 +++---
>  fs/ceph/super.h               | 14 ++++++++-----
>  fs/ceph/xattr.c               | 18 +++++++++--------
>  fs/mnt_idmapping.c            |  2 ++
>  include/linux/mnt_idmapping.h |  3 +++
>  16 files changed, 111 insertions(+), 50 deletions(-)
>
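The cover letter's point that an idmapped mount makes a container's root "write with a non-zero {g,u}id to disk" rests on mapping the caller's id through the mount's idmapping before the request carries it to the MDS. The following is an added userspace model of that lookup, not code from the patch series or the kernel's struct mnt_idmap; the extent layout and the sample container mapping (0..65535 backed by 100000..165535) are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One extent of an idmapping, in the spirit of a uid_map line
 * "<first mapped id> <first underlying id> <count>" (userspace model). */
struct idmap_extent {
    uint32_t first;       /* first id as seen inside the idmapped mount */
    uint32_t lower_first; /* first id in the underlying filesystem id space */
    uint32_t count;
};

#define INVALID_ID UINT32_MAX

/* map_id_down: caller's id inside the mount -> id stored on disk,
 * INVALID_ID when the mapping has no extent covering it. */
static uint32_t map_id_down(const struct idmap_extent *map, size_t n, uint32_t id)
{
    for (size_t i = 0; i < n; i++)
        if (id >= map[i].first && id - map[i].first < map[i].count)
            return map[i].lower_first + (id - map[i].first);
    return INVALID_ID;
}

/* map_id_up: on-disk id -> id reported back inside the mount (e.g. getattr). */
static uint32_t map_id_up(const struct idmap_extent *map, size_t n, uint32_t id)
{
    for (size_t i = 0; i < n; i++)
        if (id >= map[i].lower_first && id - map[i].lower_first < map[i].count)
            return map[i].first + (id - map[i].lower_first);
    return INVALID_ID;
}

/* Constructed sample: an unprivileged container whose ids 0..65535 are
 * backed by 100000..165535 on the shared cephfs. */
static const struct idmap_extent container_map[] = {
    { .first = 0, .lower_first = 100000, .count = 65536 },
};
#define CONTAINER_MAP_LEN (sizeof(container_map) / sizeof(container_map[0]))

/* owner_written_to_disk: the real uid a mkdir/mknod/setattr request must
 * carry once the caller's uid has gone through the mount idmapping. */
uint32_t owner_written_to_disk(uint32_t caller_uid)
{
    return map_id_down(container_map, CONTAINER_MAP_LEN, caller_uid);
}

int main(void)
{
    printf("container root -> on-disk uid %u\n", owner_written_to_disk(0));
    printf("container uid 70000 -> %u (unmapped)\n", owner_written_to_disk(70000));
    return 0;
}
```

An id outside every extent maps to INVALID_ID, which is the case a request path must refuse rather than pass through unmapped.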