[RFC][PATCH] Improve NFS use of network and mount namespaces

Matt Helsley matthltc at us.ibm.com
Tue May 12 17:44:52 PDT 2009


On Tue, May 12, 2009 at 08:13:24PM -0400, Trond Myklebust wrote:
> On Tue, 2009-05-12 at 17:04 -0700, Eric W. Biederman wrote:
> > Trond Myklebust <trond.myklebust at fys.uio.no> writes:
> > 
> > > Finally, what happens if someone decides to set up a private socket
> > > namespace, using CLONE_NEWNET, without also using CLONE_NEWNS to create
> > > a private mount namespace? Would anyone have even the remotest chance in
> > > hell of figuring out what filesystem is mounted where in the ensuing
> > > chaos?
> > 
> > Good question.  Multiple NFS servers with the same ip address reachable
> > from the same machine sounds about as nasty a pickle as it gets.
> > 
> > The only way I can even imagine a setup like that is someone connecting
> > to a vpn.  So they are behind more than one NAT gateway.
> > 
> > Bleh NAT sucks.
> 
> It is doable, though, and it will affect more than just NFS. Pretty much
> all networked filesystems are affected.
> 
> It begs the question: is there ever any possible justification for
> allowing CLONE_NEWNET without implying CLONE_NEWNS?

There are so many filesystem-based kernel APIs that this is a pervasive
problem IMHO -- not just with CLONE_NEWNET. However, even if we required
CLONE_NEWNET|CLONE_NEWNS, network namespaces would still present a problem
for network filesystems in general.

-Matt
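The situation the thread is worried about, as an added example that is not part of the original messages or of the patch under discussion: a process calls unshare(CLONE_NEWNET) without CLONE_NEWNS, so it gets a fresh network namespace but keeps sharing the parent's mount table. The NFS entries it then sees in /proc/self/mountinfo name their server as "server:/export", an address that only has meaning relative to the network namespace the mount was made from. The program compares the namespace inodes of parent and child via /proc/<pid>/ns/{net,mnt} and lists the NFS mounts the child can see. It assumes Linux with /proc mounted; the unshare step needs CAP_SYS_ADMIN and is skipped with a message otherwise. The mountinfo sample embedded below (and the 10.0.0.5 server address in it) is constructed for the example, not taken from any real system.

```c
/* Added example, not code from the thread. Demonstrates CLONE_NEWNET without
 * CLONE_NEWNS: new network namespace, shared mount namespace. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Inode number of /proc/<pid>/ns/<kind>. Two processes are in the same
 * namespace of that kind iff the inode numbers match. Returns 0 on failure
 * (no /proc, no such pid, kernel without the ns/ directory). */
unsigned long ns_inode(pid_t pid, const char *kind)
{
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, kind);
    if (stat(path, &st) != 0)
        return 0;
    return (unsigned long)st.st_ino;
}

/* Parse one mountinfo line. After the lone " - " separator the fields are:
 * fstype, source, super options. For NFS the source is "server:/export".
 * Returns 1 on success, 0 if the line is not in mountinfo format. */
int parse_mountinfo_line(const char *line, char *fstype, size_t ftlen,
                         char *source, size_t srclen)
{
    const char *p = strstr(line, " - ");
    size_t n;
    if (!p)
        return 0;
    p += 3;
    n = strcspn(p, " ");
    if (n == 0 || n >= ftlen)
        return 0;
    memcpy(fstype, p, n);
    fstype[n] = '\0';
    p += n;
    p += strspn(p, " ");
    n = strcspn(p, " \n");
    if (n == 0 || n >= srclen)
        return 0;
    memcpy(source, p, n);
    source[n] = '\0';
    return 1;
}

/* Print every nfs/nfs4 mount in a mountinfo stream; return how many. */
int list_nfs_mounts(FILE *mi)
{
    char line[1024], fstype[64], source[256];
    int count = 0;
    while (fgets(line, sizeof line, mi)) {
        if (!parse_mountinfo_line(line, fstype, sizeof fstype, source, sizeof source))
            continue;
        if (strncmp(fstype, "nfs", 3) == 0) {
            printf("  %-5s %s\n", fstype, source);
            count++;
        }
    }
    return count;
}

/* Constructed sample of /proc/self/mountinfo content (not from a real host). */
static const char SAMPLE_MOUNTINFO[] =
    "22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro\n"
    "36 22 0:33 / /mnt/home rw,relatime - nfs4 10.0.0.5:/export/home rw,vers=4.1\n"
    "37 22 0:34 / /mnt/scratch rw,relatime shared:1 - nfs 10.0.0.5:/export/scratch rw,vers=3\n";

/* Run list_nfs_mounts over an in-memory buffer (used for the sample above). */
int count_nfs_in_buffer(const char *buf)
{
    FILE *mi = fmemopen((void *)buf, strlen(buf), "r");
    int count;
    if (!mi)
        return -1;
    count = list_nfs_mounts(mi);
    fclose(mi);
    return count;
}

int main(void)
{
    pid_t parent = getpid();
    unsigned long pnet = ns_inode(parent, "net"), pmnt = ns_inode(parent, "mnt");
    int status;
    pid_t child;

    printf("constructed sample mountinfo, NFS entries:\n");
    count_nfs_in_buffer(SAMPLE_MOUNTINFO);

    child = fork();
    if (child < 0) { perror("fork"); return 1; }
    if (child == 0) {
        /* Network namespace only: no CLONE_NEWNS, so the mount table stays shared. */
        if (unshare(CLONE_NEWNET) != 0) {
            fprintf(stderr, "unshare(CLONE_NEWNET): %s (needs CAP_SYS_ADMIN)\n",
                    strerror(errno));
            _exit(2);
        }
        printf("child: net ns %s parent, mnt ns %s parent\n",
               ns_inode(getpid(), "net") == pnet ? "same as" : "differs from",
               ns_inode(getpid(), "mnt") == pmnt ? "same as" : "differs from");
        FILE *mi = fopen("/proc/self/mountinfo", "r");
        if (mi) {
            printf("NFS mounts the child still sees (server named by address):\n");
            if (list_nfs_mounts(mi) == 0)
                printf("  (none)\n");
            fclose(mi);
        }
        _exit(0);
    }
    waitpid(child, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Run as root (or with CAP_SYS_ADMIN) to see the child report "net ns differs from parent, mnt ns same as parent" followed by the host's NFS mounts; the address in each "server:/export" source is exactly the piece of information that no longer identifies a unique server once the process's sockets live in a different network namespace from the one the mount was made in.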


More information about the Containers mailing list