From nobody Thu Dec 01 16:20:12 2022 X-Original-To: freebsd-current@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NNLsB2kkHz4jbm7 for ; Thu, 1 Dec 2022 16:20:30 +0000 (UTC) (envelope-from wlosh@bsdimp.com) Received: from mail-ej1-x62c.google.com (mail-ej1-x62c.google.com [IPv6:2a00:1450:4864:20::62c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NNLsB28VNz4Kpx for ; Thu, 1 Dec 2022 16:20:30 +0000 (UTC) (envelope-from wlosh@bsdimp.com) Authentication-Results: mx1.freebsd.org; none Received: by mail-ej1-x62c.google.com with SMTP id fy37so5358025ejc.11 for ; Thu, 01 Dec 2022 08:20:30 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bsdimp-com.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=9EEFY21+4BPEV2AQ1bAJO5U95DjljTflLRMbNhDmgJE=; b=IWRRYAx0UhLySyHlhDfkHs4fhe0aCgGat2O5HIweTcMfArhCZiWHhaQna2kKYo72Tc iD8T1PSpBVBvqkKcCMFBCDG+AfZSs/tP/5ELroCpD/UhHqjZPzUmQfO9el8cg/acE907 C5DzpM6ArbWGewUY4r39J7fb0AZsC3Xdhdnkc2JO3vj5R6qeA29jStljHDs+DVmF5Ms+ k18nvDNr9l2B30oVwAlTGKPB2QAwI31jpDpDTr8RbKt0eEld6ktbL6Veqm8Q1NbDb1z/ NLFjmQ5TVCFuZXRxaTfvlQFLVRyxVa8Cvi6lxy0eWFL7qUNZFgmQZ2wnmZ/mkhCGfDNW xmvw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=9EEFY21+4BPEV2AQ1bAJO5U95DjljTflLRMbNhDmgJE=; b=6dbVjk4+aoa9Ese9ciwG5d4EYgJSMdQV0iXeueOUnSvfr8oLf0NzWT05y/XvOOww2I VzI+pNzwGF3529Sr/y7xasWqxWbjCU2StFLO8kcGS0IV6TXxfcI5PJpGR/yfkfUi4vRS VDYFYcl6ohoUAP9W3hsZSETdpMT/pnnsAYrhgMrR52fZS+iDVC4Y/OahtzdNQZsOokWI ULvEkai2F2s4gnDk7t/Q+eQlr15/zBqmRsXjr3+EpXCzpNbdRrXg8aPj66b/h7rcaR6Y jC5X/ZY/h5DqhGTdYHWczDIWKLu34ZXUNjFqzstW6vZlmDNgxBsS3jeyB4ZbOfnVbblN JgDQ== X-Gm-Message-State: ANoB5plJM8Zm5lYLo72E+H9X2alOUZeB5CDizktcFzD3CnfMXSzm8+Y9 4XeMw0EJ1CbeYsXXZ2NNjkhNMylNGCey7APpxn5zWg== X-Google-Smtp-Source: AA0mqf6LWkG/PWrx64bePeEc/L9Txxz6iyJ8DnWJTVAx0pqPKUyJxSeouSOLUhQrXhoTq3xOQcWWwP9sjkJ1OEjIWkY= X-Received: by 2002:a17:906:f84d:b0:7b9:631b:7dfb with SMTP id ks13-20020a170906f84d00b007b9631b7dfbmr38267158ejb.32.1669911623895; Thu, 01 Dec 2022 08:20:23 -0800 (PST) List-Id: Discussions about the use of FreeBSD-current List-Archive: https://lists.freebsd.org/archives/freebsd-current List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-current@freebsd.org MIME-Version: 1.0 References: <82103A1E-9D39-47B0-9520-205583C8B680@lysator.liu.se> <20221201102925.Horde.uAC-87YyIRDDnqJTmvsFwNm@webmail.leidinger.net> In-Reply-To: <20221201102925.Horde.uAC-87YyIRDDnqJTmvsFwNm@webmail.leidinger.net> From: Warner Losh Date: Thu, 1 Dec 2022 09:20:12 -0700 Message-ID: Subject: Re: RFC: nfsd in a vnet jail To: Alexander Leidinger Cc: Alan Somers , Rick Macklem , Peter Eriksson , FreeBSD CURRENT , "Bjoern A. Zeeb" Content-Type: multipart/alternative; boundary="000000000000262f3805eec69916" X-Rspamd-Queue-Id: 4NNLsB28VNz4Kpx X-Spamd-Bar: ---- X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; TAGGED_RCPT(0.00)[]; ASN(0.00)[asn:15169, ipnet:2a00:1450::/32, country:US] X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-ThisMailContainsUnwantedMimeParts: N --000000000000262f3805eec69916 Content-Type: text/plain; charset="UTF-8" On Thu, Dec 1, 2022 at 2:30 AM Alexander Leidinger wrote: > > Quoting Alan Somers (from Tue, 29 Nov 2022 > 17:28:10 -0700): > > > On Tue, Nov 29, 2022 at 5:21 PM Rick Macklem > wrote: > > >> So, what do others think of enforcing the requirement that each jail > >> have its own file systems for this? > > > > I think that's a totally reasonable requirement. Especially so for > > ZFS users, who already create a filesystem per jail for other reasons. > > While I agree that it is a reasonable requirement, just a note that we > can not assume that every existing jail resides on its own file > system. The base system jail infrastructure doesn't check this, and > the ezjail port doesn't either. The iocage port does it. > I have several jails that all live on the same zfs data set that I setup ages ago before I understood the full benefits of ZFS... but I could migrate in a pinch. But they aren't in their own vnet, so maybe that doesn't apply. > Is there a way to detect this inside a jail and error out in nfsd/mountd? > Whatever we do, there will be people bitten by it, so we need to make the messaging around it good (the error messages from the system, as well as the documentation). Warner --000000000000262f3805eec69916 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable


=
On Thu, Dec 1, 2022 at 2:30 AM Alexan= der Leidinger <Alexander@leid= inger.net> wrote:

Quoting Alan Somers <asomers@freebsd.org> (from Tue, 29 Nov 2022=C2=A0
17:28:10 -0700):

> On Tue, Nov 29, 2022 at 5:21 PM Rick Macklem <rick.macklem@gmail.com> wrote= :

>> So, what do others think of enforcing the requirement that each ja= il
>> have its own file systems for this?
>
> I think that's a totally reasonable requirement.=C2=A0 Especially = so for
> ZFS users, who already create a filesystem per jail for other reasons.=

While I agree that it is a reasonable requirement, just a note that we=C2= =A0
can not assume that every existing jail resides on its own file=C2=A0
system. The base system jail infrastructure doesn't check this, and=C2= =A0
the ezjail port doesn't either. The iocage port does it.

I have several jails that all live on the same zfs da= ta set that I setup ages ago before
I understood the full benefit= s of ZFS... but I could migrate in a pinch. But they aren't in
their own vnet, so maybe that doesn't apply.
=C2=A0
Is there a way to detect this inside a jail and error out in nfsd/mountd?

Whatever we do, there will be people bit= ten by it, so we need to make the messaging around
it good (the e= rror messages from the system, as well as the documentation).
Warner=C2=A0
--000000000000262f3805eec69916--