On Wed, Jul 03, 2024 at 01:06:51PM -0400, Jeff Layton wrote: > The other problem with doing this is that if a server is running in a > container, how is it to know that the client is in different container > on the same host, and hence that it can give out a localio layout? We'd > still need some way to detect that anyway, which would probably look a > lot like the localio protocol. We'll need some way to detect that client and server are capable of the bypass. And from all it looks that's actually the hard and complicated part, and we'll need that for any scheme. And then we need a way to bypass the server for I/O, which currently is rather complex in the patchset and would be almost trivial with a new pNFS layout. > Can the client use its localio access to bypass that since it's not > going across the network anymore? Maybe by using open_by_handle_at on > the NFS share on a guessed filehandle? I think we need to ensure that > that isn't possible. If a file system is shared by containers and users in containers have the capability to use open_by_handle_at the security model is already broken without NFS or localio involved. > I wonder if it's also worthwhile to gate localio access on an export > option, just out of an abundance of caution. export and mount option. We're speaking a non-standard side band protocol here, there is no way that should be done without explicit opt-in from both sides.
