Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
MIME-Version: 1.0
References: <20230726141026.307690-1-aleksandr.mikhalitsyn@canonical.com>
 <20230726141026.307690-4-aleksandr.mikhalitsyn@canonical.com>
 <6ea8bf93-b456-bda4-b39d-a43328987ac9@redhat.com> <CAEivzxeQubvas2yPFYRRXr3BP7pp1HNM3b7C-PQQWy-0FpFKuQ@mail.gmail.com>
 <20230727-bedeuten-endkampf-22c87edd132b@brauner>
In-Reply-To: <20230727-bedeuten-endkampf-22c87edd132b@brauner>
From:   Aleksandr Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Date:   Thu, 27 Jul 2023 11:48:04 +0200
Message-ID: <CAEivzxcx31k3M1jWhhDrx6jxYtw=VOd84N-cMNWc+BZjq6QuFQ@mail.gmail.com>
Subject: Re: [PATCH v7 03/11] ceph: handle idmapped mounts in create_request_message()
To:     Christian Brauner <brauner@kernel.org>
Cc:     Xiubo Li <xiubli@redhat.com>, stgraber@ubuntu.com,
        linux-fsdevel@vger.kernel.org, Jeff Layton <jlayton@kernel.org>,
        Ilya Dryomov <idryomov@gmail.com>, ceph-devel@vger.kernel.org,
        linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Precedence: bulk

On Thu, Jul 27, 2023 at 11:01=E2=80=AFAM Christian Brauner <brauner@kernel.=
org> wrote:
>
> On Thu, Jul 27, 2023 at 08:36:40AM +0200, Aleksandr Mikhalitsyn wrote:
> > On Thu, Jul 27, 2023 at 7:30=E2=80=AFAM Xiubo Li <xiubli@redhat.com> wr=
ote:
> > >
> > >
> > > On 7/26/23 22:10, Alexander Mikhalitsyn wrote:
> > > > Inode operations that create a new filesystem object such as ->mkno=
d,
> > > > ->create, ->mkdir() and others don't take a {g,u}id argument explic=
itly.
> > > > Instead the caller's fs{g,u}id is used for the {g,u}id of the new
> > > > filesystem object.
> > > >
> > > > In order to ensure that the correct {g,u}id is used map the caller'=
s
> > > > fs{g,u}id for creation requests. This doesn't require complex chang=
es.
> > > > It suffices to pass in the relevant idmapping recorded in the reque=
st
> > > > message. If this request message was triggered from an inode operat=
ion
> > > > that creates filesystem objects it will have passed down the releva=
nt
> > > > idmaping. If this is a request message that was triggered from an i=
node
> > > > operation that doens't need to take idmappings into account the ini=
tial
> > > > idmapping is passed down which is an identity mapping.
> > > >
> > > > This change uses a new cephfs protocol extension CEPHFS_FEATURE_HAS=
_OWNER_UIDGID
> > > > which adds two new fields (owner_{u,g}id) to the request head struc=
ture.
> > > > So, we need to ensure that MDS supports it otherwise we need to fai=
l
> > > > any IO that comes through an idmapped mount because we can't proces=
s it
> > > > in a proper way. MDS server without such an extension will use call=
er_{u,g}id
> > > > fields to set a new inode owner UID/GID which is incorrect because =
caller_{u,g}id
> > > > values are unmapped. At the same time we can't map these fields wit=
h an
> > > > idmapping as it can break UID/GID-based permission checks logic on =
the
> > > > MDS side. This problem was described with a lot of details at [1], =
[2].
> > > >
> > > > [1] https://lore.kernel.org/lkml/CAEivzxfw1fHO2TFA4dx3u23ZKK6Q+EThf=
zuibrhA3RKM=3DZOYLg@mail.gmail.com/
> > > > [2] https://lore.kernel.org/all/20220104140414.155198-3-brauner@ker=
nel.org/
> > > >
> > > > Cc: Xiubo Li <xiubli@redhat.com>
> > > > Cc: Jeff Layton <jlayton@kernel.org>
> > > > Cc: Ilya Dryomov <idryomov@gmail.com>
> > > > Cc: ceph-devel@vger.kernel.org
> > > > Co-Developed-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canon=
ical.com>
> > > > Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
> > > > Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonic=
al.com>
> > > > ---
> > > > v7:
> > > >       - reworked to use two new fields for owner UID/GID (https://g=
ithub.com/ceph/ceph/pull/52575)
> > > > ---
> > > >   fs/ceph/mds_client.c         | 20 ++++++++++++++++++++
> > > >   fs/ceph/mds_client.h         |  5 ++++-
> > > >   include/linux/ceph/ceph_fs.h |  4 +++-
> > > >   3 files changed, 27 insertions(+), 2 deletions(-)
> > > >
> > > > diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
> > > > index c641ab046e98..ac095a95f3d0 100644
> > > > --- a/fs/ceph/mds_client.c
> > > > +++ b/fs/ceph/mds_client.c
> > > > @@ -2923,6 +2923,7 @@ static struct ceph_msg *create_request_messag=
e(struct ceph_mds_session *session,
> > > >   {
> > > >       int mds =3D session->s_mds;
> > > >       struct ceph_mds_client *mdsc =3D session->s_mdsc;
> > > > +     struct ceph_client *cl =3D mdsc->fsc->client;
> > > >       struct ceph_msg *msg;
> > > >       struct ceph_mds_request_head_legacy *lhead;
> > > >       const char *path1 =3D NULL;
> > > > @@ -3028,6 +3029,16 @@ static struct ceph_msg *create_request_messa=
ge(struct ceph_mds_session *session,
> > > >       lhead =3D find_legacy_request_head(msg->front.iov_base,
> > > >                                        session->s_con.peer_features=
);
> > > >
> > > > +     if ((req->r_mnt_idmap !=3D &nop_mnt_idmap) &&
> > > > +         !test_bit(CEPHFS_FEATURE_HAS_OWNER_UIDGID, &session->s_fe=
atures)) {
> > > > +             pr_err_ratelimited_client(cl,
> > > > +                     "idmapped mount is used and CEPHFS_FEATURE_HA=
S_OWNER_UIDGID"
> > > > +                     " is not supported by MDS. Fail request with =
-EIO.\n");
> > > > +
> > > > +             ret =3D -EIO;
> > > > +             goto out_err;
> > > > +     }
> > > > +
> > >
> > > I think this couldn't fail the mounting operation, right ?
> >
> > This won't fail mounting. First of all an idmapped mount is always an
> > additional mount, you always
> > start from doing "normal" mount and only after that you can use this
> > mount to create an idmapped one.
> > ( example: https://github.com/brauner/mount-idmapped/tree/master )
> >
> > >
> > > IMO we should fail the mounting from the beginning.
> >
> > Unfortunately, we can't fail mount from the beginning. Procedure of
> > the idmapped mounts
> > creation is handled not on the filesystem level, but on the VFS level
>
> Correct. It's a generic vfsmount feature.
>
> > (source: https://github.com/torvalds/linux/blob/0a8db05b571ad5b8d5c8774=
a004c0424260a90bd/fs/namespace.c#L4277
> > )
> >
> > Kernel perform all required checks as:
> > - filesystem type has declared to support idmappings
> > (fs_type->fs_flags & FS_ALLOW_IDMAP)
> > - user who creates idmapped mount should be CAP_SYS_ADMIN in a user
> > namespace that owns superblock of the filesystem
> > (for cephfs it's always init_user_ns =3D> user should be root on the ho=
st)
> >
> > So I would like to go this way because of the reasons mentioned above:
> > - root user is someone who understands what he does.
> > - idmapped mounts are never "first" mounts. They are always created
> > after "normal" mount.
> > - effectively this check makes "normal" mount to work normally and
> > fail only requests that comes through an idmapped mounts
> > with reasonable error message. Obviously, all read operations will
> > work perfectly well only the operations that create new inodes will
> > fail.
> > Btw, we already have an analogical semantic on the VFS level for users
> > who have no UID/GID mapping to the host. Filesystem requests for
> > such users will fail with -EOVERFLOW. Here we have something close.
>
> Refusing requests coming from an idmapped mount if the server misses
> appropriate features is good enough as a first step imho. And yes, we do
> have similar logic on the vfs level for unmapped uid/gid.

Thanks, Christian!

I wanted to add that alternative here is to modify caller_{u,g}id
fields as it was done in the first approach,
it will break the UID/GID-based permissions model for old MDS versions
(we can put printk_once to inform user about this),
but at the same time it will allow us to support idmapped mounts in
all cases. This support will be not fully ideal for old MDS
 and perfectly well for new MDS versions.

Alternatively, we can introduce cephfs mount option like
"idmap_with_old_mds" and if it's enabled then we set caller_{u,g}id
for MDS without CEPHFS_FEATURE_HAS_OWNER_UIDGID, if it's disabled
(default) we fail requests with -EIO. For
new MDS everything goes in the right way.

Kind regards,
Alex