On 10/20/21 9:33 AM, Olga Kornievskaia wrote:
On Wed, Oct 20, 2021 at 12:00 PM Chuck Lever III <chuck.lever@xxxxxxxxxx> wrote:
On Oct 20, 2021, at 11:54 AM, J. Bruce Fields <bfields@xxxxxxxxxxxx> wrote:
knfsd has supported server-to-server copy for a couple years (since
5.5). You have set a module parameter to enable it. I'm getting asked
when we could turn that parameter on by default.
I've got a couple vague criteria: one just general maturity, the other a
security question:
1. General maturity: the only reports I recall seeing are from testers.
Is anyone using this? Does it work for them? Do they find a benefit?
Maybe we could turn it on by default in one distro (Fedora?) and promote
it a little and see what that turns up?
I like the idea of enabling it in one of the technology
preview distributions.
But wrt the maturity question, is the work finished? Or,
perhaps a better question is do we have a minimum viable
product here that can be enabled, or is more work needed
to meet even that bar?
One thing that I recall is missing is support for Kerberos
in the server-to-server copy operation. Is that in plan,
or deemed unimportant?
Netapp has some code for gssv3 support which is required for
server-to-server and possibly some copy offload pieces (Andy's work
before his retirement). Anna was picking up the gssv3 work but hasn't
had the cycles yet to complete it. We can make it more of a priority
if that is a show stopper.
yes, afaik, the gssv3 support for server-to-server is the only
missing functionality (besides the potential security related issues
mentioned in this thread). It'd be good if we can implement this, or
as Steve suggested we can wait a little while for the technology
is stable before adding gssv3 support.
Do you consider this missing functionality as a show stopper?
2. Security question: with server-to-server copy enabled, you can send
the server a COPY call with any random address, and the server will
mount that address, open a file, and read from it. Is that safe?
The client already has write access to the share on the destination
server, it can write any data to the destination file. If the client
sends a COPY with random address of the source server, that source server
has to export the share in such a way that allows the destination
server to mount. If the share on the random source server is open for
everyone, then isn't it the same as the client writes random data from
its local file to the destination file without server-to-server copy?
-Dai
Normally we only mount servers that were chosen by root. Here we'll
mount any random server that some client told us to. What's the worst
that random server can do? Do we trust our xdr decoding? Can it DOS us
by throwing the client's state recovery code into some loop with weird
error returns? Etc.
A basic question is what is in distribution QE test suites
that could exercise this feature? Should upstream be tasked
with providing any missing pieces (as part of, say, pynfs,
or nfstests)?
There are server-to-server tests in the nfstest testing suite. I'm not
sure if any of the xfstest copy_ofload exercise server to server
capability. Anna wrote the tests.
Maybe it's fine. I'm OK with some level of risk. I just want to make
sure somebody's thought this through.
There's also interest in allowing unprivileged NFS mounts, but I don't
think we've turned that on yet, partly for similar reasons. This is a
subset of that problem.
--b.
--
Chuck Lever
