Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp1993571yba; Thu, 25 Apr 2019 08:58:10 -0700 (PDT) X-Google-Smtp-Source: APXvYqz80fYMQ92raSdTxlBVr0BLfrytLUhvWFETb/ijwDEpHSasTTd2rZCEiKtMh/9vpueqOd6b X-Received: by 2002:aa7:82cb:: with SMTP id f11mr42421720pfn.0.1556207890589; Thu, 25 Apr 2019 08:58:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1556207890; cv=none; d=google.com; s=arc-20160816; b=01jdycJNOew7KFze3UymahxE6KzJt7CqaW7m8g7HxKSVFvza1Dhv4zGjaeos6/n6QQ aeCCHWhbeQLnR5hu1x30A9rpUe3zeIKRRYim/9ko9ErPSVtj4xZ2iWOtdfJVceh0lnJZ ixWGd67+S23VoQYC8vp686p19lWIdEqjJ9mMMOTmI9bSu9lMvyu0liA1i9C2CnpeX5ae m6b2LYFsx5bw8vVRCo6pYgkkvqwkpi59q6ibwrDhGJHMmEol3njdy2wOh0Xd5ZXWhh0d nxGK98sxPB58YUXuVSxyKnSp25CePfSN6ud2nw+xMU9zasvXoqvEO2t5TXHXL+t+7WFV vwDA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=rTm+NuSZWAnXRcFua4T0hGQ5dpY5rGCgBH+ndaMn6gI=; b=dKgSZ09okv1P7LJiTxkfqZxFc3a3o5xOxru2iHjJ0phqcKiLQCAjknZIxPxLkY/TU1 e1Vn5T13xl+Sl05xLQBOxkkPURuw/c12zFnxCB5AMEkOOII37u5ET99J7Me33+Rdf/vi tOerAQtlRxe+DBR3HgR9d6rX9eWpKoGIcCRVCuMLccGVW6s+SK+lH34NsRclUhCbRx3q 35kJCmuxpJW8dObn+E5MVDE2ycP/epAmHwTC3dC1dPHYqT7zJVKVoqwD2lejRDOPvlcA jBExXS7MSNUi9ez6H8BrhS1m9i9v8H758xf+J17Zj6bjyvJXME5Y9Q2kTkYTB1tLf9Bl j2xg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c9si20360966pgq.50.2019.04.25.08.57.47; Thu, 25 Apr 2019 08:58:10 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727814AbfDYPdk (ORCPT + 99 others); Thu, 25 Apr 2019 11:33:40 -0400 Received: from fieldses.org ([173.255.197.46]:51102 "EHLO fieldses.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727192AbfDYPdj (ORCPT ); Thu, 25 Apr 2019 11:33:39 -0400 Received: by fieldses.org (Postfix, from userid 2815) id 3D8931C98; Thu, 25 Apr 2019 11:33:39 -0400 (EDT) Date: Thu, 25 Apr 2019 11:33:39 -0400 From: "bfields@fieldses.org" To: Trond Myklebust Cc: "linux-nfs@vger.kernel.org" , "Anna.Schumaker@netapp.com" Subject: Re: [PATCH 6/9] NFSv4: Convert the NFS client idmapper to use the container user namespace Message-ID: <20190425153339.GB8133@fieldses.org> References: <20190424214650.4658-1-trond.myklebust@hammerspace.com> <20190424214650.4658-2-trond.myklebust@hammerspace.com> <20190424214650.4658-3-trond.myklebust@hammerspace.com> <20190424214650.4658-4-trond.myklebust@hammerspace.com> <20190424214650.4658-5-trond.myklebust@hammerspace.com> <20190424214650.4658-6-trond.myklebust@hammerspace.com> <20190424214650.4658-7-trond.myklebust@hammerspace.com> <20190425143243.GA8133@fieldses.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-nfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org On Thu, Apr 25, 2019 at 03:00:22PM +0000, Trond Myklebust wrote: > The assumption is that if you have enough privileges to mount a > filesystem using the NFS client, then you would also have enough > privileges to run a userspace client, so there is little point in > restricting the NFS client. > > So the guiding principle is that a NFS client mount that is started in > a container should behave as if it were started by a process in a "real > VM". That means that the root uid/gid in the container maps to a root > uid/gid on the wire. > Ditto, if there is a need to run the idmapper in the container, then > the expectation is that processes running as 'user' with uid 'u', will > see their creds mapped correctly by the idmapper. Again, that's what > you would see if the process were running in a VM instead of a > container. > > Does that all make sense? Yes, thanks! I thought there was a problem that the idmapper depended on keyring usermodehelper calls that it was hard to pass namespace information to. Did that get fixed and I missed it or or forgot? > > So this means that any orchestrator software which may be setting up > NFS mounts as part of setting up the container has 2 options: > > 1. Either perform the mount outside the container namespaces, in which > case the container process uids/gids are mapped from their > user_namespace into the user_namespace of the orchestrator, and the > uids/gids on the wire will reflect those mapped uids/gids (so uid 0 > in the container will be mapped to uid xxx where xxx is decided by > the orchestrator). > 2. Perform the mount inside the container namespaces, in which case the > container process uids/gids go on the wire as-is. OK, great, that sounds perfect. --b.