From: "Frank Filz"
To: "'Cedric Blancher'", "'Trond Myklebust'"
Subject: RE: Public NFSv4 handle?
Date: Thu, 15 Feb 2024 09:25:56 -0800
Message-ID: <013f01da6034$0995a960$1cc0fc20$@mindspring.com>
X-Mailing-List: linux-nfs@vger.kernel.org

> From: Cedric Blancher [mailto:cedric.blancher@gmail.com]
> On Tue, 13 Feb 2024 at 21:59, Trond Myklebust wrote:
> >
> > On Tue, 2024-02-13 at 21:28 +0100, Dan Shelton wrote:
> > > [You don't often get email from dan.f.shelton@gmail.com. Learn why
> > > this is important at https://aka.ms/LearnAboutSenderIdentification ]
> > >
> > > On Fri, 9 Feb 2024 at 16:32, Jeff Layton wrote:
> > > >
> > > > On Thu, 2024-02-08 at 21:37 -0500, Tom Talpey wrote:
> > > > > On 2/8/2024 7:19 PM, Dan Shelton wrote:
> > > > > > ?
> > > > > >
> > > > > > On Thu, 25 Jan 2024 at 02:48, Dan Shelton
> > > > > > wrote:
> > > > > > >
> > > > > > > Hello!
> > > > > > >
> > > > > > > Do the Linux NFSv4 server and client support the NFS public
> > > > > > > handle?
> > > > >
> > > > > Are you referring to the old WebNFS stuff? That was a v2/v3
> > > > > thing, and, I believe, only ever supported by Solaris.
> > > > >
> > > >
> > > > One more try! I think my MUA was having issues this morning.
> > > >
> > > > NFSv4.1 supports the PUTPUBFH op:
> > > >
> > > > https://www.rfc-editor.org/rfc/rfc8881.html#name-operation-23-putpubfh-set-p
> > > >
> > > > ...but this op is only for backward compatibility. The Linux
> > > > server returns the rootfh (as it SHOULD).
> > >
> > > No, I do not consider this "backward compatibility". The "public"
> > > option is also intended for public servers, like package mirrors
> > > (e.g. Debian), to have a better solution than http or ftp.
> > >
> >
> > PUTPUBFH offers no extra security features over PUTROOTFH. It is
> > literally just a way to offer a second point of entry into the same
> > exported filesystem.

Do any clients even provide a mechanism to mount using PUTPUBFH?

> Right. It doesn't expose your "private" filesystem hierarchy.

There are ways to avoid exposing the private filesystem hierarchy. I have
used bind mounts in the past and some servers may allow specifying the
pseudo path for exports to hide the filesystem hierarchy.

> > A more modern approach would be to create 2 containers on the same
> > host: one that shares the full namespace to be exported, and one that
> > shares only the bits of the namespace that are considered "public".
> > That approach requires no extra patches or customisation to existing
> > kernels.
>
> Oh for god's sake. Please don't call "containers" a "modern approach".
> It's just a sad waste of resources, aside from the other shitload of
> problems they cause.
> Also in real life, we frog-eating backwards savages here in Europe do
> not have so many public IPv4 addresses available to put everything into
> containers, and changing everything to IPv6-only networks will take
> another 2 or 3 decades here.

There are ways to do it without containers, though a container gives an
additional level of security.

> Cedric Blancher
> [https://plus.google.com/u/0/+CedricBlancher/]
> Institute Pasteur

Frank Filz