Re: [PATCH v2 00/13] ceph: support idmapped mounts

From: Aleksandr Mikhalitsyn
Date: Wed Jun 07 2023 - 11:26:47 EST


Version 3 was sent:
https://lore.kernel.org/lkml/20230607152038.469739-1-aleksandr.mikhalitsyn@xxxxxxxxxxxxx/

On Wed, May 24, 2023 at 5:33 PM Alexander Mikhalitsyn
<aleksandr.mikhalitsyn@xxxxxxxxxxxxx> wrote:
>
> Dear friends,
>
> This patchset was originally developed by Christian Brauner but I'll continue
> to push it forward. Christian allowed me to do that :)
>
> This feature is already actively used/tested with the LXD/LXC project.
>
> v2 is just a rebased version of the original series with some small field naming change.
>
> Git tree (based on https://github.com/ceph/ceph-client.git master):
> https://github.com/mihalicyn/linux/tree/fs.idmapped.ceph.v2
>
> Original description from Christian:
> ========================================================================
> This patch series enables cephfs to support idmapped mounts, i.e. the
> ability to alter ownership information on a per-mount basis.
>
> Container managers such as LXD support sharing data via cephfs between
> the host and unprivileged containers and between unprivileged containers.
> They may all use different idmappings. Idmapped mounts can be used to
> create mounts with the idmapping used for the container (or a different
> one specific to the use-case).
>
> There are in fact more use-cases such as remapping ownership for
> mountpoints on the host itself to grant or restrict access to different
> users or to make it possible to enforce that programs running as root
> will write with a non-zero {g,u}id to disk.
>
> The patch series is simple overall and few changes are needed to cephfs.
> There is one cephfs specific issue that I would like to discuss and
> solve which I explain in detail in:
>
> [PATCH 02/12] ceph: handle idmapped mounts in create_request_message()
>
> It has to do with how to handle mds servers which have id-based access
> restrictions configured. I would ask you to please take a look at the
> explanation in the aforementioned patch.
>
> The patch series passes the vfs and idmapped mount testsuite as part of
> xfstests. To run it you will need a config like:
>
> [ceph]
> export FSTYP=ceph
> export TEST_DIR=/mnt/test
> export TEST_DEV=10.103.182.10:6789:/
> export TEST_FS_MOUNT_OPTS="-o name=admin,secret=$password"
>
> and then simply call
>
> sudo ./check -g idmapped
>
> ========================================================================
>
> Alexander Mikhalitsyn (1):
> fs: export mnt_idmap_get/mnt_idmap_put
>
> Christian Brauner (12):
> ceph: stash idmapping in mdsc request
> ceph: handle idmapped mounts in create_request_message()
> ceph: allow idmapped mknod inode op
> ceph: allow idmapped symlink inode op
> ceph: allow idmapped mkdir inode op
> ceph: allow idmapped rename inode op
> ceph: allow idmapped getattr inode op
> ceph: allow idmapped permission inode op
> ceph: allow idmapped setattr inode op
> ceph/acl: allow idmapped set_acl inode op
> ceph/file: allow idmapped atomic_open inode op
> ceph: allow idmapped mounts
>
> fs/ceph/acl.c | 2 +-
> fs/ceph/dir.c | 4 ++++
> fs/ceph/file.c | 10 ++++++++--
> fs/ceph/inode.c | 15 +++++++++++----
> fs/ceph/mds_client.c | 29 +++++++++++++++++++++++++----
> fs/ceph/mds_client.h | 1 +
> fs/ceph/super.c | 2 +-
> fs/mnt_idmapping.c | 2 ++
> include/linux/mnt_idmapping.h | 3 +++
> 9 files changed, 56 insertions(+), 12 deletions(-)
>
> --
> 2.34.1
>