Re: server-to-server copy by default


 



On Thu, 2021-10-21 at 10:13 -0400, Bruce Fields wrote:
> On Wed, Oct 20, 2021 at 07:04:53PM +0000, Chuck Lever III wrote:
> > Unprivileged mounting seems like a different question to me.
> > Related, possibly, but not the same. I'd rather leave that
> > discussion to another thread.
> 
> Well, I'd be curious if client maintainers have any thoughts.
> 
> The NFS client still disallows unprivileged mounts, right?  Is it
> something you think could be supported, and if so, do you have an idea
> what's left to do?
> 
> Trond, I remember asking you about unprivileged mounts at a bakeathon a
> few years ago, and at the time you seemed to think it'd be a reasonable
> thing to do eventually, and the one obstacle you mentioned was that the
> client wasn't capable of maintaining separate state in different
> namespaces.  That's fixed, isn't it?
> 

Yes, that's mostly fixed. As far as I'm concerned, there should be no
major obstacles to allowing unprivileged mounts in their own private
net namespace.
The one thing to note, though, is that AUTH_SYS still required that the
container be given a CAP_NET_BIND_SERVICE privilege to allow binding to
a privileged port.

-- 
Trond Myklebust
Linux NFS client maintainer, Hammerspace
trond.myklebust@xxxxxxxxxxxxxxx





