Re: [Vserver] nfs kernel server

From: Herbert Poetzl <herbert_at_13thfloor.at>
Date: Sun 30 Jul 2006 - 15:59:08 BST
Message-ID: <20060730145908.GA10199@MAIL.13thfloor.at>

On Sat, Jul 29, 2006 at 10:52:48AM -0700, Martin Fick wrote:
> I know that all the documentation says that you
> cannot run the nfs kernel server within a vserver and
> I was wondering why and what are the issues?

you cannot run it in a somewhat safe way ...

> I thought that I read somewhere that it would be
> hard to do in a secure fashion. So I have to ask:
> does that mean that if security were not an issue, it
> would be doable?

yes, given the necessary capabilities and using
the proper helpers (portmap, etc) it should work
quite fine, not sure what the advantage over a
host system would be though ...

> Would the vserver in question simply need to have all
> restrictions removed (all capabilities added?)

that would be one option

> Is there an easy way to add all capabilities, or not
> remove them in the first place, even if this involved
> hacking the vserver-start script?

yes definitely, it would be the simplest to 'just'
add them to the bcapabilities list

> If I cannot get it to work in an actual vserver,
> would there be a way to get it to work in some
> pseudo-vserver environment? What I mean is that, it
> seems to work in a simple chrooted environment, can I
> keep adding the various vserver abstractions (chbind
> ...) right up until the point before it no longer
> works? Has anyone tried anything crazy like that?

should work too, probably your boundaries are:

 - required caps to start kernel threads (nfsd)
 - enough IPs/ports to communicate with portmap
   (including localhost)

> Is there an easy way to go about debugging such a setup?
> I don't have a very good understanding of what a
> vserver is, does what I am asking even make sense?

not sure it does, as I said, you are probably better
off if you run the kernel nfsd on the host system
not inside a guest ...

> Is there an effort to try and get an nfs-kernel server to
> work within a vserver already on going somewhere?

not that I know of ...

HTH,
Herbert

> -Martin
>
>
> Note: This is being asked from a hacking standpoint,
> so warnings about it being a bad thing are welcomed as
> long as they are accompanied by "but this is how you
> could do it". Please do not just tell me that it
> would be a bad idea.
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Sun Jul 30 15:59:46 2006
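The two boundaries Herbert lists (capabilities in the guest's bounding set, and a route to portmap on localhost) are both things you can check from inside the guest before trying to start rpc.nfsd. The script below is an added example written for this page; it is not code from the thread or from the util-vserver project. Its assumptions are mine, not the thread's: that rpc.nfsd needs at least CAP_SYS_ADMIN (it writes to /proc/fs/nfsd to start the kernel threads) and CAP_NET_BIND_SERVICE (port 2049 and low-port registration), that portmap answers on 127.0.0.1 port 111, and that the kernel prints a CapBnd line in /proc/self/status (2.6.25 and later; the 2006-era vserver kernels only have CapEff, which the script uses as a fallback). Capability bit numbers are the ones from linux/capability.h.

```shell
#!/bin/sh
# Added example for this page (not from the thread or util-vserver).
# Run inside the guest. Reports which capabilities are missing from the
# bounding set and whether portmap can be reached on localhost.
# Assumption (mine): rpc.nfsd needs at least SYS_ADMIN and NET_BIND_SERVICE.

# Capability names in bit order, as in linux/capability.h (bit 0 = CHOWN).
CAP_NAMES="CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW
IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT
SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD
LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG
WAKE_ALARM BLOCK_SUSPEND AUDIT_READ"

# cap_bit NAME -> prints the bit index of NAME (without the CAP_ prefix); fails if unknown
cap_bit() {
    cb_i=0
    for cb_n in $CAP_NAMES; do
        [ "$cb_n" = "$1" ] && { echo "$cb_i"; return 0; }
        cb_i=$((cb_i + 1))
    done
    return 1
}

# has_cap HEXMASK NAME -> exit 0 if NAME's bit is set in the hex mask from /proc
has_cap() {
    hc_bit=$(cap_bit "$2") || return 2
    [ "$(( (0x$1 >> hc_bit) & 1 ))" -eq 1 ]
}

# mask_names HEXMASK -> prints the names of all capabilities set in the mask
mask_names() {
    mn_i=0; mn_out=""
    for mn_n in $CAP_NAMES; do
        [ "$(( (0x$1 >> mn_i) & 1 ))" -eq 1 ] && mn_out="$mn_out $mn_n"
        mn_i=$((mn_i + 1))
    done
    echo "${mn_out# }"
}

# missing_caps HEXMASK NAME... -> prints the NAMEs not set in the mask; exit 1 if any
missing_caps() {
    mc_mask=$1; shift; mc_miss=""
    for mc_n in "$@"; do
        has_cap "$mc_mask" "$mc_n" || mc_miss="$mc_miss $mc_n"
    done
    echo "${mc_miss# }"
    [ -z "$mc_miss" ]
}

# current_mask [STATUSFILE] -> CapBnd of this process, or CapEff on kernels without CapBnd
current_mask() {
    cm_f=${1:-/proc/self/status}
    [ -r "$cm_f" ] || { echo 0; return 0; }
    cm_m=$(awk '/^CapBnd:/ {print $2; exit}' "$cm_f")
    [ -n "$cm_m" ] || cm_m=$(awk '/^CapEff:/ {print $2; exit}' "$cm_f")
    echo "${cm_m:-0}"
}

# portmap_reachable [HOST] [PORT] -> exit 0 if portmap answers (rpcinfo) or at
# least accepts a TCP connection (bash /dev/tcp fallback when rpcinfo is absent)
portmap_reachable() {
    pr_host=${1:-127.0.0.1}; pr_port=${2:-111}
    if command -v rpcinfo >/dev/null 2>&1; then
        rpcinfo -p "$pr_host" >/dev/null 2>&1
    else
        bash -c "exec 3<>/dev/tcp/$pr_host/$pr_port" >/dev/null 2>&1
    fi
}

# report -> one line per boundary; exit 0 only if both look satisfied
report() {
    rp_needed="SYS_ADMIN NET_BIND_SERVICE"   # assumed minimum for rpc.nfsd (see lead-in)
    rp_rc=0
    rp_mask=$(current_mask)
    echo "bounding set: $(mask_names "$rp_mask")"
    if rp_miss=$(missing_caps "$rp_mask" $rp_needed); then
        echo "caps: ok"
    else
        echo "caps: missing $rp_miss (add them to the guest's bcapabilities)"; rp_rc=1
    fi
    if portmap_reachable; then
        echo "portmap: reachable on 127.0.0.1:111"
    else
        echo "portmap: not reachable on 127.0.0.1:111 (check the guest's IPs/chbind)"; rp_rc=1
    fi
    return $rp_rc
}

report
```

The capability check reads the mask the kernel exposes to the guest process, so it reflects what the vserver tools actually granted (the bcapabilities list, after the context was set up), not what the config file says. The portmap check only proves a TCP path to 127.0.0.1:111 exists from inside the context; if rpcinfo is available it goes further and asks portmap for its table over RPC, which is what rpc.nfsd will have to do when it registers.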

Generated on Sun 30 Jul 2006 - 15:59:55 BST by hypermail 2.1.8