* Harry G. Coin ([email protected]) wrote:
>
> On 7/1/21 3:33 AM, Dr. David Alan Gilbert wrote:
> > * Harry G. Coin ([email protected]) wrote:
> >> If two or more instances of virtiofsd have a common full or partially
> >> shared directory tree path -- how will those instances 'enforce' a
> >> 'compatible' xattr map lest the host+guest(s) have quite the selinux
> >> attribute salad?
> > Virtiofsd instances are independent; it's up to whatever runs the daemons
> > to pick the options in a sane way.
>
> While that's the current case, because the intention was to rely on the
> underlying fs to manage contention among virtiofsds: the moment
> xattrmaps happened virtiofsd entered the layer all network file system
> daemons face. Roughly speaking: a shift from one process per client to
> some IPC or threaded approach with a 'manager' process/thread that
> coordinates 'compatible' xattrmaps, acl maps, 'root squashing' etc. etc..

I really want to stick with one process per client; it makes the
security a lot easier; you never have to worry about accidentally
leaking data between clients within the process.
Now, that doesn't mean you can't have some coordination up a layer -
i.e. something that starts all the qemu's and virtiofsd's (like libvirt
etc) but that chose sane mappings.

> >> How much does virtiofsd need to feel like nfsd...?
> > What does nfsd do for this?
>
> A couple attempts over the last decade, the most landed in 5.9:
> https://www.phoronix.com/scan.php?page=news_item&px=Linux-5.9-NFS-Server-User-Xattr

So I saw that; but what I didn't see was a description of what they
actually do with their xattr's; do the NFS servers just pass them
through or do they map?

Dave

--
Dr. David Alan Gilbert / [email protected] / Manchester, UK
