Page MenuHomeFreeBSD
Differential D37777

Add VNET_NFSD support to the rpcsec_tls so NFS-over-TLS works in vnet prisons
AbandonedPublic
Actions

Authored by rmacklem on Dec 22 2022, 1:20 AM.
Tags
None
Referenced Files
F102961331: D37777.diff
Tue, Nov 19, 5:55 AM
Unknown Object (File)
Sat, Nov 16, 3:25 PM
Unknown Object (File)
Wed, Oct 30, 1:54 PM
Unknown Object (File)
Tue, Oct 22, 10:14 AM
Unknown Object (File)
Oct 8 2024, 11:42 PM
Unknown Object (File)
Oct 7 2024, 10:40 PM
Unknown Object (File)
Oct 7 2024, 1:43 PM
Unknown Object (File)
Oct 6 2024, 2:52 PM
View All 72 Files
Subscribers
imp

Details

Reviewers
bz
jamie
Summary

D37519 adds support for mountd/nfsd to run in a vnet prison.
This patch adds the same support to the rpcsec_tls, so that
rpc.tlsservd can run in a vnet prison. This allows nfsd in a
vnet prison to support NFS-over-TLS client mounts.

I used KRPC_VNETxxx macros similar to NFSD_VNETxxx macros
to do the conversion.

Please do not review this until you have had a chance to look
at D37519, since this change is of no use until D37519 is
committed to main.

Test Plan

NFS-over-TLS mounts to vnet prisons running mountd/nfsd
worked. Starting rpc.tlsservd in a vnet prison that does not
have allow.nfsd was tested and did not start up, as expected
for this case.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

rmacklem created this revision.Dec 22 2022, 1:20 AM
Herald added a subscriber: imp. · View Herald TranscriptDec 22 2022, 1:20 AM
rmacklem requested review of this revision.Dec 22 2022, 1:20 AM
jamie added inline comments.Dec 22 2022, 7:05 PM
sys/rpc/rpcsec_tls/rpctls_impl.c
163

I though prison_check_nfsd was made to return true for prison0, so the "jailed() &&" isn't needed. I suppose this gives a quicker path for the usual case though.

rmacklem added inline comments.Dec 22 2022, 8:01 PM
sys/rpc/rpcsec_tls/rpctls_impl.c
163

Nope. There is no check for jailed() in prison_check_nfsd().
(I had it checking this and returning true, so I didn't need
to do a separate "if (jailed() &&", but you guys didn't like
that semantics.

Currently, for prison0, prison_check_nfsd() first checks
for jailed_without_vnet(), which returns 0 for not in a jail,
so the check fails.
Then it does "if (!prison_allo(cred, PR_ALLOW_NFSD))"
which does succeed and makes prison_check_nfsd() return
false.
--> So a check for jailed() is needed here.

jamie added inline comments.Dec 23 2022, 5:53 PM
sys/rpc/rpcsec_tls/rpctls_impl.c
163

VNET adds its bit to the prison0 spec, and perhaps VNET_NFSD could as well. I have no idea if there's ever a situation where real root isn't an actual root mountpoint, but there are some weird systems out there.

The prison_check_nfsd semantics I was in favor of were "can my prison do the thing":
prison0: true
prison with permission bits and root mount: true
other prison: false
But the other argument of what it should be is "what works best where it's used," and overall I'm not sure what that is.

Sorry about the bikeshed. It'll look nice once it's painted.

rmacklem updated this revision to Diff 114519.Dec 23 2022, 10:06 PM

I was a bit lazy and did not malloc two arrays
of length 16 that went in the vnet.

This version of the patch does malloc these
arrays, so that the size of the vnet is kept small.

rmacklem updated this revision to Diff 114560.Dec 26 2022, 11:46 PM

This version replaces the bogus jailed_without_vnet() call
in the osd remove method with a check for the PR_VNET
flag.

rmacklem updated this revision to Diff 114616.Dec 28 2022, 9:27 PM

Replace KRPC_CURVNET_SET() with KRPC_CURVNET_SET_QUIET()
in rpctls_server(), since it will recurse.

rmacklem abandoned this revision.Jan 27 2023, 1:01 AM

These changes are now a part of D37519.

Revision Contents
Changeset List

PathSize
sys/
rpc/
rpc_generic.c
rpc_generic.c.vnet
15 lines
rpcsec_tls.h
rpcsec_tls.h.vnet
29 lines
rpcsec_tls/
rpctls_impl.c
rpctls_impl.c.vnet
178 lines

Diff 114616

View Options

sys/rpc/rpc_generic.c

Loading...
View Options

sys/rpc/rpcsec_tls.h

Loading...
View Options

sys/rpc/rpcsec_tls/rpctls_impl.c

Loading...