I would expect killing the jail to *fail* if there any exports active. You can keep the counter of them in struct prison to avoid the need to scan anything.

With the assumption that nfsd in jail is *disabled* by default, this would not violate POLA.

In D38371#872242, @mjg wrote:

I would expect killing the jail to *fail* if there any exports active. You can keep the counter of them in struct prison to avoid the need to scan anything.

With the assumption that nfsd in jail is *disabled* by default, this would not violate POLA.

I don't want killing a jail to fail. At present, the only failures for jail_remove(2) are permission and nonexistent jail. Considering the most common situation for jail removal is system shutdown, its failure could be a problem best avoided.

I defined a function called vfs_exjail_delete(), which I currently
call from the nfsd'd OSD PR_MOETHOD_REMOVE which
releases credentials and set mnt_exjail NULL for all cases
matching the prison argument.
Maybe this function should be called from within kern_jail.c
via prison_cleanup()?

Yes, I think so. The OSD avenue worked, but since we can't have VNET nfsd in module form anyway (which is what the OSD is best suited for), you might as well avoid its extra locking layer and go with prison_cleanup.

In D38371#872249, @jamie wrote:

In D38371#872242, @mjg wrote:

I would expect killing the jail to *fail* if there any exports active. You can keep the counter of them in struct prison to avoid the need to scan anything.

With the assumption that nfsd in jail is *disabled* by default, this would not violate POLA.

I don't want killing a jail to fail. At present, the only failures for jail_remove(2) are permission and nonexistent jail. Considering the most common situation for jail removal is system shutdown, its failure could be a problem best avoided.

I think that's questionable. To illustrate consider 'rmdir' which fails if the directory is not empty -- I think it is a feature. Similarly, if appropriate (tm) clean up was not performed, killing the jail could fail too.

But if you insist on it, shutting the jail down should probably unexport everything and it does not with the proposed patch. It only cleans some creds.

Ok, I will try and address the various comments.

mountd(8) does not delete exports when it is terminated.
That was by design, so that, if mountd(8) died accidentally
(I did that with a typing error back when I was a sysadmin),
nfsd would continue to run and all a sysadmin had to do is
restart mountd. (It's even less of an issue for NFSv4, since
mountd(8) is not needed for new mounts to be done.)

In general, nothing gets rid of exports unless the file system
is dismounted (it actually leaks the structures, but that's a
bug for another day). mountd(8) will delete them when it
first starts up and will delete ones taken out of the exports(5)
file when it is relaoded (via a SIGHUP).

So, having exports at jail shutdown is normal and expected,
if mountd(8) has been running in the prison.

To get rid of the actual exports during shutdown is very messy.
You have to acquire a lockmgr() lock and you can't do that while
looping holding the moutnlist lock.
So, the patch clears mnt_exjail, which indicates that the exports
are now stale, then they go away when mountd(8) updates them
or the file system gets dismounted. This makes them non-usable,
only the structures have not been free'd yet, so it does "get rid of them".
If you don't get rid of the cred references, then the jail will get
stuck in dying state, as I understand it.
Note that the root fs for a jail will have been mounted outside of
the jail, so it doesn't get dismounted during "jail -r".

nfsd.ko does now load dynamically for the VNET_NFSD case.
It was fixed once I malloc'd the arrays and structures instead of
putting them in the vnet.
(kern_jail.c does need to be updated for this, but I was waiting
until everything else goes in main and then I was going to take
the defined(VNET_NFSD) and defined(NFSD) out of kern_jail.c
to enable it all.)

The only advantage of moving the vfs_exjail_delete() call to
prison_cleanup() is that the nfs cleanup function could them
be called from VNET_SYSUNIINIT() instead of OSD once it
is fixed so that it works. (Recall that "jail -r" on vnet prisons
does not currently work and leaves them in dying state.)

And, yes, adding a counter of exports to struct prison would
allow us to avoid (or break out of the scan) early, so I agree
that is a optimization worth coding for the next version of the patch.

So, having exports at jail shutdown is normal and expected,
if mountd(8) has been running in the prison.

This is a non-starter. Shutting down a jail has to be conceptually seen as shutting down the system, except with effects only limited to the jail at hand.

To get rid of the actual exports during shutdown is very messy.
You have to acquire a lockmgr() lock and you can't do that while
looping holding the moutnlist lock.

This bit is not a problem, see kern_getfsstat for an example.

Preferably there would be no linear scans to begin with, let alone over the global mount list.

Unfortunately there are several spots which open-code the traversal which makes it harder to introduce basic sanity in the area, but I'll look into it.

That said, I think the pragmatic course of action right now is to get another loan from the Technical Bank and copy the aforementioned traversal from kern_getfsstat, while damage-controlling it by counting per-jail exports (the counter should probably be modified in spots which ref/unref the mnt_exjail cred).

btw while grepping for mountlist I found this bit:

int
nfsrv_deldsserver(int op, char *dspathp, NFSPROC_T *p)
[..]
        mtx_lock(&mountlist_mtx);
        TAILQ_FOREACH(mp, &mountlist, mnt_list) {
                if (strcmp(mp->mnt_stat.f_mntonname, dspathp) == 0 &&
                    strcmp(mp->mnt_stat.f_fstypename, "nfs") == 0 &&
                    mp->mnt_data != NULL) {
                        nmp = VFSTONFS(mp);
                        NFSLOCKMNT(nmp);
                        if ((nmp->nm_privflag & (NFSMNTP_FORCEDISM |
                             NFSMNTP_CANCELRPCS)) == 0) {
                                nmp->nm_privflag |= NFSMNTP_CANCELRPCS;
                                NFSUNLOCKMNT(nmp);
                        } else {
                                NFSUNLOCKMNT(nmp);
                                nmp = NULL;
                        }
                        break;
                }
        }
        mtx_unlock(&mountlist_mtx);

The caller, nfssvc_nfsd, grabs the path from userspace and passes it through:

error = copyin(uap->argp, &pnfsdarg, sizeof(pnfsdarg));
if (error == 0 && (pnfsdarg.op == PNFSDOP_DELDSSERVER ||
    pnfsdarg.op == PNFSDOP_FORCEDELDS)) {
        cp = malloc(PATH_MAX + 1, M_TEMP, M_WAITOK);
        error = copyinstr(pnfsdarg.dspath, cp, PATH_MAX + 1,
            NULL);
        if (error == 0)
                error = nfsrv_deldsserver(pnfsdarg.op, cp, td);
        free(cp, M_TEMP);

this can't be correct in face of different jails running it?

vfs_exjail_delete() gets rid of the exports done within
the jail, just like shutting down the system gets rid of
them because the system goes away. (All that is left
are some malloc'd structures that will go away if/when
the file system is re-exported. Code that is not in this
commit checks that an export is for the correct jail
using mnt_exjail.)

I don't see any problem with this.

W.r.t. the pNFS case. Yes, a pNFS server is not supported
in a jail. It is not allowed, as coded in D37519.