[Devel] [PATCH rh7 1/2] nfs, nfsd: Allow to mount fs from initial VE's user_ns

Konstantin Khorenko khorenko at virtuozzo.com
Thu Oct 8 03:28:40 PDT 2015


JFYI: in PCS6 we have a separate sysctl which allows Containers to mount NFSv4 
inside a CT (it's required because we cannot migrate a CT with NFSv4 mount 
inside right now in PCS6).

In vz7 currently we don't have such a sysctl and CRIU at the moment doesn't 
support either of the NFS mounts =>

we'll add a separate sysctl for NFSv4 later in case we really need it (I mean 
in case we have the same situation when we are able to migrate NFSv3 only).

--
Best regards,

Konstantin Khorenko,
Virtuozzo Linux Kernel Team

On 10/06/2015 08:02 PM, Kirill Tkhai wrote:
> Since VE's init starts in VE's own user_ns now, we should
> allow CT programs to mount nfs and nfsd.
>
> https://jira.sw.ru/browse/PSBM-40047
>
> Signed-off-by: Kirill Tkhai <ktkhai at odin.com>
> ---
>
> [This series should go on top of "ve: Implement current_user_ns_initial() helper" series]
>
>   fs/nfs/super.c   |    6 ++++--
>   fs/nfsd/nfsctl.c |    4 +++-
>   2 files changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/fs/nfs/super.c b/fs/nfs/super.c
> index 4951b77..0465698 100644
> --- a/fs/nfs/super.c
> +++ b/fs/nfs/super.c
> @@ -297,7 +297,7 @@ struct file_system_type nfs_fs_type = {
>   	.mount		= nfs_fs_mount,
>   	.kill_sb	= nfs_kill_super,
>   	.fs_flags	= FS_RENAME_DOES_D_MOVE|FS_BINARY_MOUNTDATA|
> -			  FS_VIRTUALIZED,
> +			  FS_VIRTUALIZED|FS_USERNS_MOUNT,
>   };
>   MODULE_ALIAS_FS("nfs");
>   EXPORT_SYMBOL_GPL(nfs_fs_type);
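
Review bot: FS_USERNS_MOUNT on nfs_fs_type is set unconditionally, so the only thing restricting which user namespace may mount is the current_user_ns_initial() test this patch adds to nfs_fs_mount(). A short comment next to .fs_flags pointing at that check would keep the two from drifting apart if the mount path is refactored or a second .mount entry point is ever added.
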
> @@ -338,7 +338,7 @@ struct file_system_type nfs4_fs_type = {
>   	.mount		= nfs_fs_mount,
>   	.kill_sb	= nfs_kill_super,
>   	.fs_flags	= FS_RENAME_DOES_D_MOVE|FS_BINARY_MOUNTDATA|
> -			  FS_VIRTUALIZED,
> +			  FS_VIRTUALIZED|FS_USERNS_MOUNT,
>   };
>   MODULE_ALIAS_FS("nfs4");
>   MODULE_ALIAS("nfs4");
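
Review bot: nfs4_fs_type gets the same flag and uses the same .mount = nfs_fs_mount, so NFSv4 becomes mountable from a container under exactly the conditions NFSv3 does, with VE_FEATURE_NFS as the only feature gate. If enabling both versions together is intended, the commit message should say so, since it currently speaks only of "nfs and nfsd".
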
> @@ -2636,6 +2636,8 @@ struct dentry *nfs_fs_mount(struct file_system_type *fs_type,
>
>   	if (!(get_exec_env()->features & VE_FEATURE_NFS))
>   		return ERR_PTR(-ENODEV);
> +	if (!current_user_ns_initial())
> +		return ERR_PTR(-EPERM);
>
>   	mount_info.parsed = nfs_alloc_parsed_mount_data();
>   	mount_info.mntfh = nfs_alloc_fhandle();
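
Review bot: the new current_user_ns_initial() test in nfs_fs_mount() carries no comment, and the helper's name does not say whether "initial" means the host's init user_ns or the VE's own initial user_ns; the commit message implies the latter. A one-line comment above the check stating that, and that nested user namespaces inside the container get -EPERM, would make the intent reviewable without reading the helper series. Because the check sits after the VE_FEATURE_NFS test, a caller in a nested user_ns of a VE without that feature sees -ENODEV rather than -EPERM; fine if deliberate.
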
> diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c
> index 048d61d..1f06f7c 100644
> --- a/fs/nfsd/nfsctl.c
> +++ b/fs/nfsd/nfsctl.c
> @@ -1126,6 +1126,8 @@ static int nfsd_fill_super(struct super_block * sb, void * data, int silent)
>   static struct dentry *nfsd_mount(struct file_system_type *fs_type,
>   	int flags, const char *dev_name, void *data)
>   {
> +	if (!current_user_ns_initial())
> +		return ERR_PTR(-EPERM);
>   	return mount_ns(fs_type, flags, current->nsproxy->net_ns, nfsd_fill_super);
>   }
>
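
Review bot: nfsd_mount() gains the user_ns test but, unlike nfs_fs_mount(), has no per-VE feature test in the lines shown, so the -EPERM check is the only gate in this function once FS_USERNS_MOUNT is set on nfsd_fs_type. Is a feature check analogous to VE_FEATURE_NFS wanted here? Style: add a blank line between the new return ERR_PTR(-EPERM); and the return mount_ns(...) line, matching the layout used in nfs_fs_mount().
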
> @@ -1142,7 +1144,7 @@ static struct file_system_type nfsd_fs_type = {
>   	.name		= "nfsd",
>   	.mount		= nfsd_mount,
>   	.kill_sb	= nfsd_umount,
> -	.fs_flags	= FS_VIRTUALIZED,
> +	.fs_flags	= FS_VIRTUALIZED|FS_USERNS_MOUNT,
>   };
>   MODULE_ALIAS_FS("nfsd");
>
>


