[Devel] Re: [RFC][PATCH] Improve NFS use of network and mount namespaces
Trond Myklebust
trond.myklebust at fys.uio.no
Tue May 12 17:13:24 PDT 2009

On Tue, 2009-05-12 at 17:04 -0700, Eric W. Biederman wrote:
> Trond Myklebust <trond.myklebust at fys.uio.no> writes:
>
> > Finally, what happens if someone decides to set up a private socket
> > namespace, using CLONE_NEWNET, without also using CLONE_NEWNS to create
> > a private mount namespace? Would anyone have even the remotest chance in
> > hell of figuring out what filesystem is mounted where in the ensuing
> > chaos?
>
> Good question. Multiple NFS servers with the same IP address reachable
> from the same machine sounds about as nasty a pickle as it gets.
>
> The only way I can even imagine a setup like that is someone connecting
> to a VPN. So they are behind more than one NAT gateway.
>
> Bleh NAT sucks.

It is doable, though, and it will affect more than just NFS. Pretty much
all networked filesystems are affected.

It begs the question: is there ever any possible justification for
allowing CLONE_NEWNET without implying CLONE_NEWNS?

Trond
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
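
The combination asked about in this thread (a private network namespace on top of a shared mount namespace) can be audited on a running host. The following is an added example, not part of the original thread or of any patch discussed in it; it assumes a Linux kernel that exposes `/proc/<pid>/ns/net` and `/proc/<pid>/ns/mnt`, and the function names and sample table are constructed for illustration.

```python
import os

def read_ns(pid, proc="/proc"):
    """Return (net, mnt) namespace identifiers for pid, or None if unreadable."""
    try:
        return tuple(os.readlink(f"{proc}/{pid}/ns/{kind}") for kind in ("net", "mnt"))
    except OSError:  # process exited, or we lack permission to inspect it
        return None

def snapshot(proc="/proc"):
    """Map every inspectable pid to its (net, mnt) namespace identifiers."""
    table = {}
    for entry in os.listdir(proc):
        if entry.isdigit():
            ns = read_ns(entry, proc)
            if ns is not None:
                table[int(entry)] = ns
    return table

def shared_mount_views(table):
    """Return {mnt: {net: [pids]}} for each mount namespace whose processes
    span more than one network namespace, i.e. the same mount table is
    visible from network stacks that may resolve a server address differently."""
    by_mnt = {}
    for pid, (net, mnt) in sorted(table.items()):
        by_mnt.setdefault(mnt, {}).setdefault(net, []).append(pid)
    return {mnt: nets for mnt, nets in by_mnt.items() if len(nets) > 1}

# Constructed sample: pid 2301 has its own network namespace but still shares
# the initial mount namespace; pid 2417 has private copies of both.
SAMPLE = {
    1:    ("net:[4026531992]", "mnt:[4026531840]"),
    812:  ("net:[4026531992]", "mnt:[4026531840]"),
    2301: ("net:[4026532201]", "mnt:[4026531840]"),
    2417: ("net:[4026532305]", "mnt:[4026532306]"),
}

if __name__ == "__main__":
    # Use the live host when namespace links exist, else the constructed sample.
    table = snapshot() if os.path.isdir("/proc/self/ns") else SAMPLE
    for mnt, nets in shared_mount_views(table).items():
        print(f"{mnt} is shared across {len(nets)} network namespaces:")
        for net, pids in nets.items():
            print(f"  {net}: pids {pids}")
```

Run as root to inspect processes owned by other users; unreadable processes are skipped rather than reported.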