That sounds spooky to me as uid 15 inside the jail has nothing to do with uid 15 outside a jail and uid 0 inside a jail definitively is not uid 0 outside the jail.

Doesn't this also need the usermount check? I don't admit I have looked but I don't understand as-to yet why we'll need two cases and two PRIVs.

stray printf

This will hide the sysctls from the vnet jails as opposed to make them read-only but available? Which version do we really need?

Well, it is exactly what is done in vfs_suser(), except that
vfs_suser() fails automatically if a mount was done outside
of the jail.

This code is only executed if doing exporting while in the
jail.

What do you think is correct here?
Just a check for uid == 0, maybe, since I would expect that
root in the jail would run mountd.

This is handling the case of setting exports (normally
done by mountd) while in the jail.
I would not require this to expect vfs.usermount to
be set, but if you think that should be set to allow mountd
to run within a jail, I can add that.

The hassle is that mountd uses nmount(2) to do exporting,
although it really has nothing to do with doing a file system
mount, per se. It is kinda an update to the mount.

I figured that PRIV_NFSD_VIMAGE could be used to allow
exporting to be done from within the jail?

If you think some other PRIV_xx is appropriate, please let
me know.

I find it useful for testing at this time. It will go away before
any commit to main, but I think that is still a ways off.

By the way, I ifdef'd this because it was never being
executed before (MNT_EXPORTED is never set here in
the code in main, etc).
Also, PRIV_VFS_MOUNT_EXPORTED is defined in sys/priv.h,
but is never used except here. (I honestly don't know if that
means "priv_check(td, PRIV_VFS_MOUNT_EXPORTED)" will
always fail or always succeed. I plan to test to see which it
is, but it is not useful now and it is not obvious to me what
the original author's intent was?

Yea, I wasn't sure what to do with these.
They are in the krpc, so really don't apply to nfs
specifically and the minthreads/maxthreads get
set via the nfsd daemon without using them,
so I'm not sure they are useful.

I did it this way because I didn't know how to
make them work.
Note that "pool" is in the vnet, so they are vnet
specific, but I don't think anyone will want to change
them within a vnet. (Even I have to look at the code
for a while to remember what they do.)

I realized this is no different than PRIV_NFS_DAEMON, so I
have replaced PRIV_NFSD_VIMAGE with that and tested
PRIV_NFS_DAEMON inside prison_priv_check() now.

I have changed this check to simply cr_uid == 0.
If there is a better check, please let me know.

I have gotten rid of PRIV_NFSD_VIMAGE and now
just use PRIV_NFS_DAEMON for the case of loading
exports here. I don't see the vfs.usermount is relevant?

Is is the below all duplicated here?

Why would we need this @jamie if we ever only run with or w/o vnet but never allow this in a plain-old-jail?

Why would we need this @jamie if we ever only run with or w/o vnet but never allow this in a plain-old-jail?

That's exactly what we're testing for here, no? I'll admit I don't see the logic in prison_check_nfsd() disallowing non-jailed callers (this requiring the explicit jailed() check here). But then I don't know just how separated the vnet-nfsd and regular-nfsd code paths are.

Not sure what you are referring to w.r.t. duplicated.

There are macros for the VNET_NFSD case and macros
that basically do nothing for the non-VNET_NFSD case.
(The nfsstatsv1 structure has, correctly or not, both client
and server stats. For the VNET_NFSD case, I defined a
separate structure that is updated per-vnet and then the
contents are copied into nfsstatsv1 for output to userland.)

For the non-VNET_NFSD case, the macros basically just do
what the code did without the macros-->update nfsstatsv1.

Yea, when I first did prison_jail_nfsd() it allowed the
non-jailed case, but that seemed "inconsistent", so
I changed it to fail when not jailed.

I really don't care what the semantics is for the
non-jailed case, since the NFS code will probably
only call it when in a jail.

If you want me to change it, I can.

If you want me to change it, I can.

I think for consistency it should change then. prison_xxx() checks are typically "return true if the prison/cred is allowed to do the thing." Granted, that's not always what you want to know, but this seems like a case where it is.

Btw. If jamie is ok with only enabling "allow.nfsd" when
VIMAGE is defined, we could just drop the first two
tests.

NFS is only going to be called when it is in a jail and
if PR_ALLOW_NFSD is set, VIMAGE must have been defined
so all prisons are vnet prisons, I think?

It is the test for PR_ALLOW_NFSD and pr_root being a file
system mount point that matter to the NFS code.
(Or I can just put the test in the NFS code and throw this
function away. I just thought it was cleaner to have a function
here in kern_jail.c to do the tests.)

Btw. If jamie is ok with only enabling "allow.nfsd" when
VIMAGE is defined, we could just drop the first two
tests.

I'm fine with that, or only when VNET_NFSD is defined.

NFS is only going to be called when it is in a jail and
if PR_ALLOW_NFSD is set, VIMAGE must have been defined
so all prisons are vnet prisons, I think?

No - they are allowed to be, but it's controlled on a per-prison basis.

It is the test for PR_ALLOW_NFSD and pr_root being a file
system mount point that matter to the NFS code.
(Or I can just put the test in the NFS code and throw this
function away. I just thought it was cleaner to have a function
here in kern_jail.c to do the tests.)

Allowing non-jails to pass would then mean that prison0 isn't constrained to the pr_root test. It doesn't really matter if it's never called in the prison0 case, but I like it there for neatness/safety.

This CTASSERT is bogus and should be deleted.

@jamie I never envisioned this to possibly work without vnets.

And if that is what we want, plain-old-jail support as well, then some if these VNET changes highly likely need to be handled differently as well.

I just think we need to be very clear about this very quickly as a lot of abstractions and security checks will highly depend on one or the other.

No, it will never work in a non-vnet jail.

The first test:

if (!jailed(cred))
     return (false);

was only there to simplify the code that calls it:
without this clause, all calling cases change from:

if (...!prison_check_nfsd())

to

if (... jailed() && !prison_check_nfs())

but I have no problem with making the change.
Do you prefer replacing it with..

if (!jailed())
   return (true);

OR

• just deleting the check?

@jamie I never envisioned this to possibly work without vnets.

And if that is what we want, plain-old-jail support as well, then some if these VNET changes highly likely need to be handled differently as well.

No, I don't want it to work without vnets - that part of prison_check_nfsd() would remain as it. The only thing I was considering was if it allows prison0.

The first test:

if (!jailed(cred))
     return (false);

was only there to simplify the code that calls it:
without this clause, all calling cases change from:

if (...!prison_check_nfsd())

to

if (... jailed() && !prison_check_nfs())

I'm all for simplifying the code in multiple locations, so I'll just let this rest. It was only ever a minor nit at most.

Okay, the comment has long been moved with updates; if we only do vnet can someone explain to me why we need OSD? Why are vnet abstractions not good enough?

Ok, I am assuming you are referring to the use
of osd_jail_register() down at line#7195.

The reason is that VNET_SYSUNINT() did not work.
As I said, it registered the function, but that function
nfsrv_cleanup() never got called when I did "jail -r <jid>",
although the jail went away.

When I use osd_jail_register(), the function does get called
and works fine.

Is VNET_SYSUNINT() broken? Maybe, but I'm not the guy to
figure that out.

The solution to the jail sticking around was to move the nfsd cleanup from the end of prison_deref() to prison_cleanup(), which happens when the jail starts dying instead of when it finishes.

It would have sufficed to just add ifdef'd code to prison_cleanup itself, but since nfsd is dynamically loadable, OSD was the canonical way to go. It's not necessary to do it that way, given that VNET_NFSD already has its fingers all over the place; and since the dynamically loading part seems not to work, it may no longer be the right paradigm. But it still works.

I have a feeling that if you want that VNET_NFSD option (apart from that it'll be a big kernel compile mess in the future) we should not re-define VNET macros for parts of headers. If that leaks into anything else it'll just be weird stuff. Can you call them VNET_NFSD_XXX and either define them to their VNET_XXX counterparts or to nothing (still some duplication) but at least the VNET_XXX macros will not be affected in any way.

XXX-BZ also if we should ever decide to make this a vnfs proper (depending on vnet) (like I once did vproc stuck in other reviews and outdated) then that'll be easier and I have a suspicion that even now that would help us get rid of VNET_NFSD entirely but let's do it step by step.

If the jail went away entirely (and wasn't stuck dying on other things which makes jls by default no longer to show it but it can with an option) the VNET_SYSUNINT function should have been called. If it wasn't there is a problem somewhere which must be solved.

@jamie forgive me for asking as all of the #ifdef options and loadable of the module shouldn't make a difference, was the real problem that the NFS code would hold references somewhere which prevented the jail from actually dying?

You two seem to have an implicit understanding of something I missed (never learnt) in the original patch and I am trying to understand that.

@jamie forgive me for asking as all of the #ifdef options and loadable of the module shouldn't make a difference, was the real problem that the NFS code would hold references somewhere which prevented the jail from actually dying?

You two seem to have an implicit understanding of something I missed (never learnt) in the original patch and I am trying to understand that.

Yes, it all comes to holding references somewhere, and I don't think there's anything you're not getting - I don't know what reference this might be or anything like that.

So part of why I suggested an earlier cleanup was partly practical: it seems to solve the issue. It could be that whatever reference is held open shouldn't be at that point, or it could be that there's something working completely as it should, which includes that reference not going away until the NFS stuff is shut down. Either way, moving the NFS shutdown earlier avoids the problem, even if it doesn't really identify it.

The other half of my reasoning is jail philosophy: I'd like to get rid of this idea of a dying jail being anything other than the last blip while it finishes disposing of itself, and as long as something isn't needed to exist during the orderly shutdown, I'd like it to go away as soon as possible (when it enters dying state). That's what prison_cleanup() is about.

Okay, then my main concern probably is (was) mixing the two techniques to abstract things (I would still hope the vnet bits were enough but that's investigate this once we are done here).
@rmacklem can you add a /* XXX-BZ OSD to VNET? */ comment to the osd_jail_register() call for me?

I have added the comment, as requested.

Here's a script of killing the vnet jails with
mountd/nfsd running in them:
Script started on Fri Dec 16 17:38:05 2022
root@freebsd-mds:~ # jls

JID  IP Address      Hostname                      Path
  1                  foo                           /foo
  2                  foo2                          /foo2

root@freebsd-mds:~ # jail -r 1
2
Stopping sshd.
Waiting for PIDS: 1973.
Stopping cron.
Waiting for PIDS: 1986.
Stopping nfsd.
Waiting for PIDS: 1943 1957.
.
Terminated
foo2: removed
root@freebsd-mds:~ # jls

JID  IP Address      Hostname                      Path
  1                  foo                           /foo

root@freebsd-mds:~ # jail -r 1
Stopping sshd.
Waiting for PIDS: 1969.
Stopping cron.
Waiting for PIDS: 2003.
Stopping nfsd.
Waiting for PIDS: 1916 1925.
.
Terminated
foo: removed
root@freebsd-mds:~ # jls

JID  IP Address      Hostname                      Path

root@freebsd-mds:~ # ^D

Script done on Fri Dec 16 17:38:39 2022

After this, a "ps ax" does not show any processes
marked with "J", so how do I see what is still holding
a reference, since you both seem to think that is why
VNET_SYSUNINT() doesn't work?

After this, a "ps ax" does not show any processes
marked with "J", so how do I see what is still holding
a reference, since you both seem to think that is why
VNET_SYSUNINT() doesn't work?

jls -d

That will list "dying" jails in addition to others. The definition of a dying jail is one that's not yet gone only because there are still references held to it somewhere. The "somewhere" is almost always a cred, but the list of creds that may be sitting around on a system is huge.

When there are no processes left (or child jails, or "persist"), i.e. when there are no user references (pr_uref), that's when the jail starts to die. Or you can force that with jail_remove(2). Then when there are no references at all (pr_ref), it is finished dying.