Re: [PATCH 0/9] sunrpc: Start making sunrpc work in containers

On Sep 20, 2010, at 3:56 PM, J. Bruce Fields wrote:

> On Mon, Sep 20, 2010 at 03:28:00PM -0400, Chuck Lever wrote:
>> 
>> On Sep 20, 2010, at 3:13 PM, Pavel Emelyanov wrote:
>>> The nearest plan is
>>> 
>>> 1. Prepare the sunrpc layer to work in net namespaces
>>> 2. Make rpcpipefs and nfsd filesystems be mountable multiple times
>>> 3. Make support for multiple instances of the nfsd caches
>>> 4. Make support for multiple instances of the nfsd_serv
>>> 
>>> After this several NFSd-s can be used in containers (hopefully I
>>> didn't miss anything).
>> 
>> Are you assuming NFSv4 only?  Something needs to be done about NLM and
>> NSM to make this work right.
>> 
>> Is there an issue for idmapper and svcgssd?  Probably not, but worth
>> exploring.
>> 
>> And, how about AUTH_SYS certs?  These contain the host's name in them,
>> and that depends on the net namespace.  NLM uses AUTH_SYS, and I
>> believe the NFS server can make NLM calls to the client.
> 
> The client probably can't use the auth_sys cred on nlm callbacks in any
> sensible way, so this may not be a big deal.

I doubt anything looks at that hostname, really.  My worry is that it could leak information (like the wrong hostname) onto the network.

-- 
chuck[dot]lever[at]oracle[dot]com



