Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp2046603yba; Thu, 25 Apr 2019 09:45:41 -0700 (PDT) X-Google-Smtp-Source: APXvYqxWsimmenl50OUit4u18GRD/A0a+Nbc8RRcjzQarUfc0Eknpaeg2nPWOvWEbQspdbZO+1lu X-Received: by 2002:a17:902:b589:: with SMTP id a9mr15921178pls.66.1556210741328; Thu, 25 Apr 2019 09:45:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1556210741; cv=none; d=google.com; s=arc-20160816; b=cHt8iLt/LDW7hdpvUjR29qXuN8yDm+CxA5lkozESrjGHDv0Z3QYprPv7esfkIceKAP gL3UuaQVRsmpVhcrVbzY+b2WzJ0O93ej9W/QnggIJaTUneqoQnVLHA0E/HtoxkBHw23e 8OCPX4mgzJe7JRFWQxmF5eqdeXZctG843wYE0PqGLHMxfwqGSzw2NGBe6IJ3CyWt3QKE uN1YvfkqQMTTafnMWhVpj6W67k9Xl9beqgsWsSRD24cFwGGTbd5jGhSTkczWO1n7Tvjj RQP4thLGumlA+Q1jo3McDUDUK8xC86c86SjXkfPMF1BPpGa7384uAkUUdWGyP85spvcm eR9w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=Trk8Nbj3Ib4T0e9aMPwnd5bEXlTsw0Cb/t1/m08x7yk=; b=S2YRws7y64pWnVDjvI/x4r+7NFWDZOZty/5cNemwPYAnJnVFmtBxoV5uwJyLzQAODu NgbMx35ia2jYvZDtKjDQDhUOKNCgy5xI27vBADrhQiH5SnYysHy/oYfFyYy5h3VmqUOS 82T9RmrlYnpksIS8DEIg3sY6kF2u7IR5BPizGhnz3jXPsD/T7EyBECP6srNTvLtUolLn YLl0PqaMQxLDagD94S5FygX/sRbwYGwbqXGIZpZDroo437MZnc+tcIcaciIqK4tmZIcl Zy3/5LORb79cN+VUZc+7Dnfw/RcazbF/mua5io6JIRxZLMxccxW4gkhhz6YnRIEmAIeD dJXA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g8si22210470plt.4.2019.04.25.09.45.26; Thu, 25 Apr 2019 09:45:41 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726514AbfDYQpA (ORCPT + 99 others); Thu, 25 Apr 2019 12:45:00 -0400 Received: from fieldses.org ([173.255.197.46]:51202 "EHLO fieldses.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726071AbfDYQpA (ORCPT ); Thu, 25 Apr 2019 12:45:00 -0400 Received: by fieldses.org (Postfix, from userid 2815) id 1B2431C83; Thu, 25 Apr 2019 12:45:00 -0400 (EDT) Date: Thu, 25 Apr 2019 12:45:00 -0400 From: "bfields@fieldses.org" To: Trond Myklebust Cc: "linux-nfs@vger.kernel.org" , "Anna.Schumaker@netapp.com" Subject: Re: [PATCH 6/9] NFSv4: Convert the NFS client idmapper to use the container user namespace Message-ID: <20190425164500.GA9015@fieldses.org> References: <20190424214650.4658-2-trond.myklebust@hammerspace.com> <20190424214650.4658-3-trond.myklebust@hammerspace.com> <20190424214650.4658-4-trond.myklebust@hammerspace.com> <20190424214650.4658-5-trond.myklebust@hammerspace.com> <20190424214650.4658-6-trond.myklebust@hammerspace.com> <20190424214650.4658-7-trond.myklebust@hammerspace.com> <20190425143243.GA8133@fieldses.org> <20190425153339.GB8133@fieldses.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-nfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org On Thu, Apr 25, 2019 at 04:40:18PM +0000, Trond Myklebust wrote: > On Thu, 2019-04-25 at 11:33 -0400, bfields@fieldses.org wrote: > > On Thu, Apr 25, 2019 at 03:00:22PM +0000, Trond Myklebust wrote: > > > The assumption is that if you have enough privileges to mount a > > > filesystem using the NFS client, then you would also have enough > > > privileges to run a userspace client, so there is little point in > > > restricting the NFS client. > > > > > > So the guiding principle is that a NFS client mount that is started > > > in > > > a container should behave as if it were started by a process in a > > > "real > > > VM". That means that the root uid/gid in the container maps to a > > > root > > > uid/gid on the wire. > > > Ditto, if there is a need to run the idmapper in the container, > > > then > > > the expectation is that processes running as 'user' with uid 'u', > > > will > > > see their creds mapped correctly by the idmapper. Again, that's > > > what > > > you would see if the process were running in a VM instead of a > > > container. > > > > > > Does that all make sense? > > > > Yes, thanks! > > > > I thought there was a problem that the idmapper depended on > > keyring usermodehelper calls that it was hard to pass namespace > > information to. Did that get fixed and I missed it or or forgot? > > No, you are correct, and so we assume the container is using rpc.idmapd > (and rpc.gssd) if it is running NFSv4 with RPCSEC_GSS. > > If the keyring upcall gets fixed, then we may allow it to be used in > future kernels. OK, got it. Is there anything we lose by using idmapd? (IDMAP_NAMESZ might be a limitation?) --b.