Re: [zones-discuss] Re: Zones on NFS
Dan Price wrote:
> On Mon 22 Jan 2007 at 11:03PM, Ben Rockwood wrote:
>> Still looking for a quasi-official answer on this. Again, the questions that need specific answers are:
>>
>> A) Why, specifically, can't Non-global roots be placed on NFS?
>
> The problem is with the attribution of the NFS traffic-- the zone root has to be mounted over NFS *by the zone itself*-- if mounted by the global zone, then all traffic will be interpreted as coming from the global zone. It's important to not let NFS traffic bleed through from one zone to another-- important enough that we have some fancy logic to detect and reject NFS-backed pages in zone_enter().
>
> Anyway, it's hard to have the zone mount something if it isn't up and running. That is to say, we have a chicken-and-egg problem. It's not unsolvable. But it's not trivial.
>
> A second but also crucial problem is that we will also need to be able to cope with NFS-mounted zones at upgrade time (some of the thinking we've done around attach and detach over the past year makes this clearer, I think).

Thank you Dan, this is the explanation I've been looking for.

>> B) Is anyone tasked with solving this? Is there an ARC case that I'm unaware of?
>
> The core Zones team (Steve, Jerry, and I) own the problem but we are not currently doing work on it-- we're busy making sure the features in Duckhorn make it into the earliest possible Solaris 10 update. We'll be gathering in the next few weeks to sort out what we plan to tackle for 2007. We'll try to post a 2007 roadmap when we have a draft.

Let me know if you want help with anything Duckhorn related. I've already done an internal evaluation of Jerry's putback Dec 18th and am starting to roll it into production, even pre-SXCR B56... we just can't wait any longer. Exciting stuff.

> If you like, we can add a call record for you for the appropriate RFE.

No worries. Thanks Dan.

benr.

___
zones-discuss mailing list
zones-discuss@opensolaris.org
Re: [zones-discuss] Re: Zones on NFS
Ben Rockwood writes:
> Still looking for a quasi-official answer on this. Again, the questions that need specific answers are:
>
> A) Why, specifically, can't Non-global roots be placed on NFS?

Cross-zone NFS is currently not allowed; see PSARC 2004/357. You'd end up with a process in one zone making system calls that are resolved via an NFS client established in another zone.

In more detail, you'd want the file system interface to work as though it's inside the non-global zone, but for the NFS network I/O to take place as though the client were actually in the global zone.

Doing this requires a minor redesign of the NFS client side. What we need here is to have a split between the upper part that implements the file system itself, and the lower part that does network I/O, and some way of joining the two such that the system knows which zoneid and which credentials (cred_t) to use in which cases.

Then we'd also need some way to map credentials between the zones. There's no guarantee that the UIDs and GIDs are the same between them. This likely causes some interesting problems with Kerberized NFS, at least.

> B) Is anyone tasked with solving this? Is there an ARC case that I'm unaware of?
>
> LOFI might provide a workaround but I need a rock solid solution that's integrated and I'm not going to bother implementation testing LOFI until I know that there is absolutely no alternative on the horizon.

I think you should also take this up with the NFS community. I believe that they have talked about the problem, though I don't (immediately) see a related project on opensolaris.org. It definitely needs their input.

See also CR 4963321.

--
James Carlson, Solaris Networking [EMAIL PROTECTED]
Sun Microsystems / 1 Network Drive 71.232W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677
RE: [zones-discuss] Re: Zones on NFS
I believe all Ben is looking for is the ability to put a local zone's root-fs on NFS.

Especially with U3's zone-import/export feature, this becomes very powerful (without having to goof around with lofs and friends)

If there isn't an official (Solaris 10) RFE on this already (I thought there was) please let me know and I'll have one opened. (others can then attach to it in order to hopefully influence its priority)

Thanks,

-- MikeE

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carlson
Sent: Tuesday, January 23, 2007 9:32 AM
To: Ben Rockwood
Cc: zones-discuss@opensolaris.org
Subject: Re: [zones-discuss] Re: Zones on NFS

Ben Rockwood writes:
> Still looking for a quasi-official answer on this. Again, the questions that need specific answers are:
>
> A) Why, specifically, can't Non-global roots be placed on NFS?

Cross-zone NFS is currently not allowed; see PSARC 2004/357. You'd end up with a process in one zone making system calls that are resolved via an NFS client established in another zone.

In more detail, you'd want the file system interface to work as though it's inside the non-global zone, but for the NFS network I/O to take place as though the client were actually in the global zone.

Doing this requires a minor redesign of the NFS client side. What we need here is to have a split between the upper part that implements the file system itself, and the lower part that does network I/O, and some way of joining the two such that the system knows which zoneid and which credentials (cred_t) to use in which cases.

Then we'd also need some way to map credentials between the zones. There's no guarantee that the UIDs and GIDs are the same between them. This likely causes some interesting problems with Kerberized NFS, at least.

> B) Is anyone tasked with solving this? Is there an ARC case that I'm unaware of?
>
> LOFI might provide a workaround but I need a rock solid solution that's integrated and I'm not going to bother implementation testing LOFI until I know that there is absolutely no alternative on the horizon.

I think you should also take this up with the NFS community. I believe that they have talked about the problem, though I don't (immediately) see a related project on opensolaris.org. It definitely needs their input.

See also CR 4963321.

--
James Carlson, Solaris Networking [EMAIL PROTECTED]
Sun Microsystems / 1 Network Drive 71.232W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677
RE: [zones-discuss] Re: Zones on NFS
Ellis, Mike writes:
> I believe all Ben is looking for is the ability to put a local zone's root-fs on NFS.

That boils down to the same problem. Processes inside that non-global zone will issue system calls (such as open(2)) that reference these files. Somewhere in the middle of the stack, we need to realize that the mount itself (distinct from the process invoking the system call) is in a different zone, and switch to that zone for the underlying network operations. And we'll need to handle all the credential issues I mentioned before.

That middle-of-the-stack magic doesn't currently exist, so what he's asking won't work.

> Especially with U3's zone-import/export feature, this becomes very powerful (without having to goof around with lofs and friends)
>
> If there isn't an official (Solaris 10) RFE on this already (I thought there was) please let me know and I'll have one opened. (others can then attach to it in order to hopefully influence its priority)

I cited the RFE in my previous message -- it's CR 4963321.

--
James Carlson, Solaris Networking [EMAIL PROTECTED]
Sun Microsystems / 1 Network Drive 71.232W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677
Re: [zones-discuss] Re: Zones on NFS
Jeremy Teo writes:
>> I cited the RFE in my previous message -- it's CR 4963321.
>
> James, would you mind sharing the rest of the info in CR 4963321? b.o.o. says see comments :)

Wretched, I know. I'll see what I can do with it.

--
James Carlson, Solaris Networking [EMAIL PROTECTED]
Sun Microsystems / 1 Network Drive 71.232W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677